Android App General-purpose denial of service, vulnerability Analysis report

Source: Internet
Author: User

Reviews: Remember there was a time when a lot of SRC platform was brushed a large number of app local denial of service vulnerability, mobile security Team Love Beta (ineice.com) found an Android client generic denial of service vulnerability, to see their detailed analysis it.


0xr0ot and Xbalien A common local denial of service vulnerability was found when all of the exception types that could lead to the application denial of service were shared. This general-purpose local denial of service can result in a large area of app denial of service.


The denial of service for serialized objects is mainly due to the use of Getserializableextra () API in the application, because the application developer does not judge the incoming data, malicious applications can pass through malformed data, resulting in the application of local denial of service.


Vulnerability Application code snippet:
1 Intent i = getintent ();
2 if (I.getaction (). Equals ("Serializable_action")) {
3 I.getserializableextra ("Serializable_key"); No abnormal judgment.
4}


Attack application code Snippet:
1 Intent i = new Intent ();
2 i.setaction ("Serializable_action");
3 I.setclassname ("Com.exp.serializable", "com.exp.serializable.MainActivity");
4 I.putextra ("Seriadddddlizable_dkey", XXX); Here is the incoming malformed data
5 startactivity (i);


For example, XXX at the incoming biginteger.valueof (1) is very likely to be transformed abnormal error java.lang.ClassCastException.


But later the communication found that when passing in a custom serialized object serializable or Getparcelable object, the target component receiving intent was in Getserializableextra (), getparcelable () Class undefined exception Java.lang.NoClassDefFoundError will be thrown. This is because when you apply a serialized class object to a vulnerability that is not in the application itself, it must not be found in the context of the application.


The custom serialization class is simple:
1 public class Dataschema implements Serializable {
2 private static final long serialversionuid = -3601187837704976264l;
3 public Dataschema () {
4 super ();
3;
4?


The corresponding attack code in the XXX place in the new Dataschema (), we found that the incoming key regardless of whether the same as the vulnerability application, will throw the class undefined exception.


As the test progresses, we discover through Logcat that the error log is not necessarily caused by Getserializableextra (), getparcelable (). Then we stretched out and tried to pass in our custom serialized class object to Getxxxextra () and found that the class was thrown out of the undefined exception.


To test the app code snippet:
1 protected void OnCreate (Bundle savedinstancestate) {
2 Intent Intent = Getintent ();
3 Intent.getstringextra ("ROIS"); This will still be due to noclassdeffounderror crash
6?


We then tested a number of mainstream applications on the market, including bat. Found that this method can kill. We started to think that this was the problem with Android itself and began to turn over the source code.
Getstringextra public string (string name) {
Mextras return = = null? Null:mExtras.getString (name);
03}
04/frameworks/base/core/java/android/os/bundle.java
public string getString (string key) {
Unparcel (); Working with Data
07 ...
08}
*/* Package */synchronized void Unparcel () {
10 ...
Mparcelleddata.readmapinternal (MMap, N, Mclassloader);
12 ...
13}
14
15/frameworks/base/core/java/android/os/parcel.java
Readmapinternal parse the data passed in

Android App General-purpose denial of service, vulnerability Analysis report

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.