Network security vulnerability analysis: Intent Redirect vulnerability analysis
2022-06-13 08:53:00 【Big safe house】
Background
At the beginning of this month, the well-known American security company Kryptowire published a blog post on its website: its security engineers had found a high-risk vulnerability in an application on a smart terminal.
Through this vulnerability, a malicious application installed on the terminal can escalate its privileges to the system level and start any Activity (LaunchAnywhere), and from there place a call to any number, restore factory settings, install and uninstall applications, and install certificates.
In this article the vulnerability is analyzed in depth and reproduced, confirming that its model is Intent Redirect. At the same time we quickly checked our own company's related applications and eliminated the same vulnerability. Because the vulnerability model is typical, similar vulnerabilities are found every year both in Google's AOSP code and in applications developed by major manufacturers, and such vulnerabilities are often extremely harmful.
The vulnerabilities involved in this article have been fixed.
Principle
Intent Redirect means that an application extracts data from an untrusted Intent, takes out an embedded Intent (or wraps the extracted data in a newly built Intent), and then hands that Intent to startActivity, startActivityForResult, startService, sendBroadcast or a similar call.
Because Android's Intent class implements Parcelable, an Intent object can be placed in the extras of another Intent and passed to another component.
An attacker cannot access non-exported components directly, but through Intent Redirect an exported component can be used as a springboard to reach non-exported components, achieving LaunchAnywhere or BroadcastAnywhere.
Intent Redirection violates Android's security design and defeats Android's access restrictions (the application sandbox), causing the following security problems:
1) Intent Redirect in common applications and system applications:
If the vulnerable application is an ordinary application, any component in that application can be started, including non-exported components;

Figure 1: Intent Redirection principle in an ordinary application
If the vulnerability exists in a system application, the harm is greater: any component on the phone can be started (both exported and non-exported components);

Figure 2: Intent Redirection principle in a system application
2) Stealing sensitive files through the content:// URI of a non-exported ContentProvider component.
3) Accessing arbitrary components through the Intent Scheme URL vulnerability model.
4) Hijacking and modifying an Intent through the PendingIntent privilege-escalation vulnerability model in order to elevate privileges.
Detailed analysis
Next we introduce in detail the Intent Redirection examples in the common application and in the system application from the report.
• Intent Redirect vulnerability analysis in a common application
An application has an exported HomeActivity component, and this component contains an Intent Redirection vulnerability; refer to the comments in the code.

The same application also has a non-exported component, WebViewActivity, which a malicious application installed on the terminal cannot access directly.

The WebViewActivity component contains the following code, which uses a WebView to load a URL.

An attacker can use the exported HomeActivity to reach any non-exported Activity in the application, and WebViewActivity is obviously among them.
We write a malicious application that embeds an Intent pointing at the non-exported component and hands it to HomeActivity, so that WebViewActivity loads the malicious website link it receives, which in turn allows the application's token and similar data to be stolen.

• Intent Redirect vulnerability analysis in the system application from the report
Next, we analyze the Intent Redirection vulnerability in the report. The application's AndroidManifest.xml configuration file contains android:sharedUserId="android.uid.system"; it is signed with the system signature and installed in the priv-app directory, so it is a system application with system privileges. The application's testUsaWpsManager class dynamically registers a broadcast receiver whose action is USER_SELECT_WIFI_SERVICE_CALL:

This receiver is therefore exported, and its onReceive method can receive the Intent. Then, without any verification, it obtains extra_call_intent from the Intent, constructs a new Intent from it, and passes that Intent as a parameter to the setCallIntent method.

setCallIntent adds FLAG_ACTIVITY_NEW_TASK to the Intent and then passes the Intent as the second argument to the makeCall method of mtestTelecomManagerAdapter.

The makeCall method eventually calls the startActivityAsUser method with the Intent as its first parameter and UserHandle.CURRENT as the second parameter.

The flow of the Intent in this vulnerability is shown in the figure below:

Figure 3: Intent flow
A malicious application with zero permissions installed and running on the terminal can exploit the above Intent Redirection vulnerability locally and, without the user's awareness, use system privileges to pull up any Activity on the terminal: calling any number, restoring factory settings, installing and uninstalling apps, installing certificates and other high-risk operations, almost completely controlling the user's terminal.
• How to fix an Intent Redirection vulnerability
Method 1: Make the component being launched a private component, that is, one not exposed to the outside. If the launched application component does not need to receive Intents from other applications, it can be made private simply by setting android:exported="false" in the manifest.
Method 2: Ensure that the extracted Intent comes from a trusted source. Methods such as getCallingActivity can be used to verify whether the source Activity is trustworthy; this applies only to startActivityForResult.

Method 3: Make sure the Intent to be redirected is safe. The redirected Intent should be verified to ensure that it will not be sent to any private component of the application and will not grant URI permission to the application's private ContentProvider. Before redirecting the Intent, the application can use methods such as resolveActivity to check which component will handle the Intent.

The application can use methods such as getFlags to check whether the Intent grants URI permissions.
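The vulnerable HomeActivity pattern described above and the three fixes, as one added example in Java (not code from the original post or from the reported application); the extra name next_intent and the rule that only this app's own package counts as a trusted caller are assumptions.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

public class HomeActivity extends Activity {
    // Assumed extra name under which the caller embeds the Intent to be redirected.
    static final String EXTRA_NEXT = "next_intent";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next == null) return;
        // Vulnerable form (as described in the post): the embedded Intent is forwarded
        // unchanged, so any app can reach this app's non-exported components through it.
        //     startActivity(next);

        // Hardened form: forward only for an identified trusted caller (Method 2) or when
        // the Intent itself passes the checks of Method 3.
        if (isTrustedCaller() || isSafeRedirect(next)) {
            startActivity(next);
        } else {
            finish();
        }
    }

    /** Method 2: getCallingActivity() is only set when we were started via startActivityForResult. */
    boolean isTrustedCaller() {
        ComponentName caller = getCallingActivity();
        return caller != null && getPackageName().equals(caller.getPackageName());
    }

    /** Method 3: resolve the real target and inspect the flags before redirecting. */
    boolean isSafeRedirect(Intent intent) {
        ComponentName target = intent.resolveActivity(getPackageManager());
        if (target == null) {
            return false; // nothing would handle it; do not forward
        }
        // Must not land on one of this app's own components (covers its non-exported ones,
        // the Method 1 components that are never meant to receive outside Intents).
        if (getPackageName().equals(target.getPackageName())) {
            return false;
        }
        // Must not carry URI permission grants to the receiving app.
        int uriGrants = Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION;
        return (intent.getFlags() & uriGrants) == 0;
    }
}
```

The same checks apply to the broadcast receiver case above: the Intent taken from extra_call_intent should go through isSafeRedirect before it reaches startActivityAsUser, and the receiver itself should be registered with a permission rather than left open.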
Summary
The attacker combines the dynamic broadcast registration vulnerability model with the Intent Redirect vulnerability model, posing a great threat to the terminal. This is the norm in Android application exploitation: the attacker combines several vulnerabilities into a complete attack chain that causes greater harm. Guarding against Android application vulnerabilities on the terminal places higher demands on security practitioners and developers, who need to be familiar with common vulnerability models and their countermeasures.