
Vulnerability summary

Defect ID: wooyun-2015-088677

Title: Denial of service in Google Keyboard caused by an unknown client

Vendor: GOOGLE

Author: elong

Submitted: 2015-01-04 10:14

Fix date: 2015-04-04 10:16

Disclosed: 2015-04-04 10:16

Vulnerability type: Denial of service

Severity: Low

Self-assessed rank: 2

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-01-04: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2015-04-04: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Under a specific scenario Google Keyboard can be crashed by a denial-of-service attack, causing users to abandon Google Keyboard.

Details:


The call stack at the point of failure is as follows:

12-25 13:29:33.730: E/AndroidRuntime(12478): FATAL EXCEPTION: main
12-25 13:29:33.730: E/AndroidRuntime(12478): Process: com.google.android.inputmethod.latin, PID: 12478
12-25 13:29:33.730: E/AndroidRuntime(12478): java.lang.RuntimeException: Unable to resume activity {com.google.android.inputmethod.latin/com.android.inputmethod.dictionarypack.DictionarySettingsActivity}: java.lang.IllegalArgumentException: the bind value at index 1 is null
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.app.ActivityThread.performResumeActivity(ActivityThread.java:3007)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.app.ActivityThread.handleResumeActivity(ActivityThread.java:3036)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2334)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.app.ActivityThread.access$1000(ActivityThread.java:143)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1242)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.os.Handler.dispatchMessage(Handler.java:102)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.os.Looper.loop(Looper.java:136)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.app.ActivityThread.main(ActivityThread.java:5289)
12-25 13:29:33.730: E/AndroidRuntime(12478): at java.lang.reflect.Method.invokeNative(Native Method)
12-25 13:29:33.730: E/AndroidRuntime(12478): at java.lang.reflect.Method.invoke(Method.java:515)
12-25 13:29:33.730: E/AndroidRuntime(12478): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:849)
12-25 13:29:33.730: E/AndroidRuntime(12478): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:665)
12-25 13:29:33.730: E/AndroidRuntime(12478): at dalvik.system.NativeStart.main(Native Method)
12-25 13:29:33.730: E/AndroidRuntime(12478): Caused by: java.lang.IllegalArgumentException: the bind value at index 1 is null
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.database.sqlite.SQLiteProgram.bindString(SQLiteProgram.java:164)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.database.sqlite.SQLiteProgram.bindAllArgsAsStrings(SQLiteProgram.java:200)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.database.sqlite.SQLiteDirectCursorDriver.query(SQLiteDirectCursorDriver.java:47)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.database.sqlite.SQLiteDatabase.rawQueryWithFactory(SQLiteDatabase.java:1332)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.database.sqlite.SQLiteDatabase.queryWithFactory(SQLiteDatabase.java:1176)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.database.sqlite.SQLiteDatabase.query(SQLiteDatabase.java:1047)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.database.sqlite.SQLiteDatabase.query(SQLiteDatabase.java:1253)
12-25 13:29:33.730: E/AndroidRuntime(12478): at com.android.inputmethod.dictionarypack.MetadataDbHelper.getMetadataUriAsString(MetadataDbHelper.java:330)
12-25 13:29:33.730: E/AndroidRuntime(12478): at com.android.inputmethod.dictionarypack.MetadataDbHelper.isClientKnown(MetadataDbHelper.java:315)
12-25 13:29:33.730: E/AndroidRuntime(12478): at com.android.inputmethod.dictionarypack.DictionarySettingsFragment.onResume(DictionarySettingsFragment.java:126)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.app.Fragment.performResume(Fragment.java:1756)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.app.FragmentManagerImpl.moveToState(FragmentManager.java:931)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.app.FragmentManagerImpl.moveToState(FragmentManager.java:1071)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.app.FragmentManagerImpl.moveToState(FragmentManager.java:1053)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.app.FragmentManagerImpl.dispatchResume(FragmentManager.java:1872)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.app.Activity.performResume(Activity.java:5394)
12-25 13:29:33.730: E/AndroidRuntime(12478): at android.app.ActivityThread.performResumeActivity(ActivityThread.java:2984)
12-25 13:29:33.730: E/AndroidRuntime(12478): ... 12 more


Trigger scenario: this.mClientId = null causes the problem. The null client id is passed straight into the selection arguments of the SQLite query, and bindString() rejects a null bind value with the IllegalArgumentException shown above.
The code does attempt to handle the abnormal case and write a log entry, but unfortunately the exception is thrown before that code is reached.
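The crashing pattern next to a guarded version, as an added Java example that is not the keyboard's own code; the ClientLookup helper, its table and column names, and the guardOnResume method are assumptions made for the example:

```java
import android.app.Activity;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.text.TextUtils;
import android.util.Log;

// Hypothetical helper written for this example; not the keyboard's MetadataDbHelper.
public final class ClientLookup {
    private static final String TAG = "ClientLookup";
    // Assumed table and column names, chosen for the example.
    private static final String TABLE = "clients";
    private static final String COL_CLIENT_ID = "clientid";
    private static final String COL_URI = "uri";

    // The crashing pattern: clientId goes into selectionArgs unchecked. When it is
    // null, SQLiteProgram.bindString() throws IllegalArgumentException ("the bind
    // value at index 1 is null") inside db.query(), before any catch block or log
    // statement in the caller can run.
    static String getMetadataUriUnsafe(SQLiteDatabase db, String clientId) {
        Cursor c = db.query(TABLE, new String[] { COL_URI },
                COL_CLIENT_ID + " = ?", new String[] { clientId }, null, null, null);
        try {
            return c.moveToFirst() ? c.getString(0) : null;
        } finally {
            c.close();
        }
    }

    // Hardened form: a missing client id is rejected before the query is built, so
    // an Intent that arrives without the extra is treated as an unknown client
    // instead of killing the keyboard process on the main thread.
    static boolean isClientKnown(SQLiteDatabase db, String clientId) {
        if (TextUtils.isEmpty(clientId)) {
            Log.w(TAG, "isClientKnown: no client id supplied");
            return false;
        }
        return getMetadataUriUnsafe(db, clientId) != null;
    }

    // Fragment-side guard for onResume(): close the screen cleanly rather than crash.
    static void guardOnResume(Activity activity, SQLiteDatabase db, String clientId) {
        if (!isClientKnown(db, clientId)) {
            Log.w(TAG, "unknown or missing client id, closing settings screen");
            activity.finish();
        }
    }
}
```

Because the settings activity can be started by another process, the null check has to sit in front of the query rather than in a catch block after it.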

[Screenshot omitted: 1111.PNG]

Proof of concept:

The problem can be reproduced with the following command:

adb shell am start -n com.google.android.inputmethod.latin/com.android.inputmethod.dictionarypack.DictionarySettingsActivity


[Screenshot omitted: 2014-12-25-21-31-40-972.png]

Suggested fix:

N/A

Copyright notice: please credit the source when reprinting: elong@WooYun


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively declined