Apsara Android client remote code execution to remote reading of any user's system Address Book + chat information (earlier version is required)

Apsara Android client remote code execution to remote reading of any user's system Address Book + chat information (earlier version is required)

As a comprehensive communication service of China Mobile, Feixin integrates voice (IVR), GPRS, SMS, and other communication methods, it covers customer communication requirements in three different forms (completely real-time voice service, quasi-real-time text and small data volume communication service, and non-real-time communication service, implement seamless communication between the Internet, mobile Internet, and mobile network. Currently, the number of users reaches 10 million.

Anti-encoding: The addjavascriptinterface () method of multiple webviews is not removed from the latest Android version (v5.1.1), and targetsdk = 11. Therefore, the webview remote code execution vulnerability exists. For detailed analysis, see: login/

Example 1 of the vulnerability code:
 

Cn.com. fetion. activity. private void setWebViewSettings () {this. mWebView. getSettings (). setCacheMode (2); this. mWebView. getSettings (). setJavaScriptEnabled (true); this. mWebView. getSettings (). setsuppzoom zoom (true); this. mWebView. getSettings (). setBuiltInZoomControls (true); this. mWebView. getSettings (). setJavaScriptCanOpenWindowsAutomatically (true); this. mWebView. getSettings (). setAllowFileAccess (true); this. mWebView. getSettings (). setPluginState (WebSettings $ PluginState. ON); this. mWebView. getSettings (). setBlockNetworkImage (false); this. mWebView. getSettings (). setUseWideViewPort (true); this. mWebView. getSettings (). setLoadWithOverviewMode (true); this. mWebView. getSettings (). setAppCacheEnabled (false); this. mWebView. setInitialScale (100); this. mWebView. getSettings (). setDomStorageEnabled (true); this. mWebView. addJavascriptInterface (new InJavaScriptInterface (this), "local_method"); this. chromeClient = new FetionChromeClient () {public void onReachedMaxAppCacheSize (long arg2, long arg4, WebStorage $ QuotaUpdater arg6) {super. onReachedMaxAppCacheSize (arg2, arg4, arg6 );}};

 

At the same time, because the Apsara app will read the system address book and save the address book and chat information in plaintext to the private directory of the local APP (/data/cn.com. fetion/databases/fetion. db)
 

 

By combining the two, you only need to send a link to remotely attack any app user (the android version must be earlier than 4.2) to obtain the user's address book, chat information, and other privacy information.

Method:

1. send any message containing this link (http://www.droidsec.cn/fetionpoc.html)

2. When a user receives a message and accesses this link in the app, the user can remotely obtain the address book and all chat information.

The following is the address book information.
 

The following is a chat record
 

 

Solution:

Remove the vulnerability interface mentioned above to encrypt and store user data.