Activity component exposure causes local denial of service

Source: Internet
Author: User

Recently the team has been learning Android app vulnerability mining, and took an app as a test example to try to find vulnerabilities in it. In the course of learning we found that the security of Android's four components accounts for a large share of the issues, and that data security gets a lot of attention as well: data leakage, clear-text storage, and data correlation are the more important ones. The vulnerability found today, however, is a local denial of service vulnerability in the Activity component.

Along the way we also learned how to use drozer to help find vulnerabilities.

Here is a summary of some common Drozer commands:

run app.package.info -f XXX

XXX is part of the package name; running this command displays the full package name.

run app.package.info -a <package name>

Running this command will print out the package-related information, including version, path, permissions, UID, GID, etc.

run app.package.attacksurface <package name>

Running this command prints the attack surface of the application's four component types (Activity, Service, Content Provider, Broadcast Receiver), showing whether any of them are exposed.

run app.activity.info -a <package name>

Running this command prints the exported activities and shows whether a permission is required to start each one.

run app.activity.start --component <package name> <activity>

If the activity is exported and does not require a permission, running this command will start the activity.

(Only the Activity component has been tested so far, so commands for the other components are not used yet.)

Let's start by explaining roughly how this local denial of service vulnerability works:

Exported activities can be found with drozer, and many of them require no permission to start, that is, permission=null. This means other apps can invoke these activities without holding any permission. If such an activity expects a parameter and is started without it, the unhandled input exception crashes the application, which results in a local denial of service.

The fix is also simple and can be approached from the following three aspects:

1. Set android:exported="false" for activities that do not need to be invoked externally;

2. If external calls are required, protect the activity with a custom permission at the signature or signatureOrSystem level;

3. For registered components, strictly check the input parameters, paying attention to null values and type conversion.

Simple POC:

Intent intent = new Intent();
intent.setComponent(new ComponentName("<package name>", "<activity>"));
intent.putExtra("", "");
startActivity(intent);
