0x01 Vulnerability Overview
Android's June security bulletin also fixed a medium-severity privilege-escalation vulnerability in the Bluetooth app that we discovered. It allows a local malicious app holding no permissions to construct a spoofed Provider and obtain read/write permission on the file that Provider points to, which can be used to write to the SD card or to the Bluetooth share database. Details:
- CVE: CVE-2017-0645
- Bug ID: A-35310991
- Severity: Moderate
- Type: Elevation of privilege
- Updated AOSP versions: 6.0.1, 7.0, 7.1.1, 7.1.2
0x02 Vulnerability Analysis
This is a fairly routine exposed-component vulnerability in Android. As in the Bluetooth vulnerability we analyzed last time, BluetoothOppLauncherActivity in the Bluetooth app can be started by any third-party app. This time we look at how onCreate handles an incoming Intent whose action is android.btopp.intent.action.OPEN (Constants.ACTION_OPEN).
```java
// Excerpt from BluetoothOppLauncherActivity.onCreate()
} else if (action.equals(Constants.ACTION_OPEN)) {
    Uri uri = getIntent().getData();
    if (V) Log.v(TAG, "Get ACTION_OPEN intent: Uri = " + uri);
    Intent intent1 = new Intent();
    intent1.setAction(action);
    intent1.setClassName(Constants.THIS_PACKAGE_NAME, BluetoothOppReceiver.class.getName());
    intent1.setDataAndNormalize(uri);
    this.sendBroadcast(intent1);
    finish();
```
The Data URI is forwarded unchanged to BluetoothOppReceiver. In BluetoothOppReceiver.onReceive, the Bluetooth app takes the Data from the Intent, which the attacker controls, uses it to query for a transfer record, builds a transInfo from the result, and finally calls BluetoothOppUtility.openReceivedFile. Because queryRecord resolves the URI through the ContentResolver, a URI whose authority belongs to an attacker-owned provider is answered by that provider, so every field of transInfo ends up under the attacker's control.
```java
// Excerpt from BluetoothOppReceiver.onReceive()
} else if (action.equals(Constants.ACTION_OPEN) || action.equals(Constants.ACTION_LIST)) {
    if (V) {
        if (action.equals(Constants.ACTION_OPEN)) {
            Log.v(TAG, "Receiver open for " + intent.getData());
        } else {
            Log.v(TAG, "Receiver list for " + intent.getData());
        }
    }
    BluetoothOppTransferInfo transInfo = new BluetoothOppTransferInfo();
    Uri uri = intent.getData(); // Intent is attacker-controlled!
    transInfo = BluetoothOppUtility.queryRecord(context, uri);
    if (transInfo == null) {
        Log.e(TAG, "Error: Can not get data from db");
        return;
    }
    if (transInfo.mDirection == BluetoothShare.DIRECTION_INBOUND
            && BluetoothShare.isStatusSuccess(transInfo.mStatus)) {
        // if received file successfully, open this file
        // transInfo is attacker-controlled (it came from the attacker's provider)!
        BluetoothOppUtility.openReceivedFile(context, transInfo.mFileName,
                transInfo.mFileType, transInfo.mTimeStamp, uri);
        BluetoothOppUtility.updateVisibilityToHidden(context, uri);
    } else {
        Intent in = new Intent(context, BluetoothOppTransferActivity.class);
        in.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        in.setDataAndNormalize(uri);
        context.startActivity(in);
    }
```
In openReceivedFile, the Bluetooth app ends up granting read and write URI permissions and then starting an Activity of whichever external app handles the MIME type in transInfo.mFileType, passing it transInfo.mFileName. Both values come from the spoofed provider, so mFileName can name a location the Bluetooth app itself may access but the caller may not (the SD card or the Bluetooth share database mentioned above), and the grant hands that access to the app that receives the Intent, which the attacker can register for that MIME type.
```java
// Excerpt from BluetoothOppUtility.openReceivedFile()
public static void openReceivedFile(Context context, String fileName, String mimetype,
        Long timeStamp, Uri uri) {
    if (fileName == null || mimetype == null) {
        Log.e(TAG, "ERROR: Para fileName ==null, or mimetype == null");
```
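To make the trust boundary concrete, here is an added example (written for this article, not code from the page or from AOSP, and not the actual patch, which this page does not show) placing the vulnerable open-and-grant pattern beside a hardened one. The class name OppUriChecks, the constants OPP_AUTHORITY and RECEIVED_DIR, and the helper names are hypothetical; the two checks are the ones the analysis above calls for: the record URI must belong to the Bluetooth app's own provider before it is queried, and the file handed to the external app must be a plain path under the directory received files live in, with only the minimum grant attached.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;

import java.io.File;
import java.io.IOException;

// Added illustration (hypothetical names), not the AOSP implementation.
// A URI that arrives through an exported component is untrusted: it must be
// validated before it drives a ContentResolver query and before URI
// permissions are granted on anything derived from the query result.
public class OppUriChecks {

    // Hypothetical: authority of the Bluetooth share provider and the
    // directory inbound transfers are expected to be stored in.
    static final String OPP_AUTHORITY = "com.android.bluetooth.opp";
    static final File RECEIVED_DIR = new File("/sdcard/bluetooth");

    // Vulnerable pattern, as described in the analysis: fileName and mimetype
    // came from whatever provider the caller's URI named, and the grant covers
    // any URI the Bluetooth app itself can reach.
    static void openVulnerable(Context ctx, String fileName, String mimetype) {
        Uri path = Uri.parse(fileName);                 // attacker-chosen string
        if (path.getScheme() == null) {
            path = Uri.fromFile(new File(fileName));
        }
        Intent view = new Intent(Intent.ACTION_VIEW);
        view.setDataAndTypeAndNormalize(path, mimetype);
        view.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(view);                        // whoever handles mimetype gets R/W
    }

    // Check 1: only our own provider may answer a transfer-record query.
    // Apply this in the receiver BEFORE calling queryRecord(context, uri).
    static boolean isBluetoothShareUri(Uri uri) {
        return uri != null
                && "content".equals(uri.getScheme())
                && OPP_AUTHORITY.equals(uri.getAuthority());
    }

    // Check 2: the file to open must be a plain path under RECEIVED_DIR.
    // Rejects "content://..." and "file://..." strings smuggled in as a file
    // name, and "../" escapes, by canonicalising before the prefix test.
    static File resolveReceivedFile(String fileName) throws IOException {
        if (fileName == null || Uri.parse(fileName).getScheme() != null) {
            return null;
        }
        File f = new File(fileName).getCanonicalFile();
        File dir = RECEIVED_DIR.getCanonicalFile();
        if (!f.getPath().startsWith(dir.getPath() + File.separator) || !f.isFile()) {
            return null;
        }
        return f;
    }

    // Hardened pattern: returns false instead of opening anything when either
    // check fails, and grants read only, on the validated file only.
    static boolean openHardened(Context ctx, Uri recordUri, String fileName,
            String mimetype) throws IOException {
        if (!isBluetoothShareUri(recordUri)) {
            return false;                               // spoofed provider
        }
        File f = resolveReceivedFile(fileName);
        if (f == null) {
            return false;                               // not a received file
        }
        Intent view = new Intent(Intent.ACTION_VIEW);
        view.setDataAndTypeAndNormalize(Uri.fromFile(f), mimetype);
        view.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(view);
        return true;
    }
}
```

Two practical notes. The authority check has to sit in front of queryRecord, not only in openReceivedFile, because the query itself is what lets a foreign provider fill in transInfo. And on API 24 and later an app targeting that level cannot hand a file:// URI to another app at all; the same validated File would instead be exposed through a FileProvider, which keeps the grant scoped to that one entry.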