0xr0ot and Xbalien

While cataloguing all of the exception types that can lead to an application denial of service, we found a common local denial-of-service vulnerability. Because it is general-purpose, this local denial of service can affect a very wide range of apps.
The denial of service involving serialized objects is mainly caused by the application's use of the getSerializableExtra() API: because the developer does not validate the incoming data, a malicious application can pass in malformed data and cause a local denial of service in the application.
Vulnerable application code snippet (the extra's name is not given in the post; "key" stands in for it):

    Intent i = getIntent();
    if (i.getAction().equals("serializable_action")) {
        i.getSerializableExtra("key"); // no exception handling here
    }
Attack application code snippet (again with "key" standing in for the extra's name):

    Intent i = new Intent();
    i.setAction("serializable_action");
    i.setClassName("com.exp.serializable", "com.exp.serializable.MainActivity");
    i.putExtra("key", XXX); // XXX is the malformed data being passed in
    startActivity(i);
For example, passing BigInteger.valueOf(1) at XXX is very likely to produce the cast error java.lang.ClassCastException.
Later in the investigation, however, we found that when a custom Serializable or Parcelable object is passed in, the component receiving the intent throws the class-not-defined error java.lang.NoClassDefFoundError in getSerializableExtra() or getParcelableExtra(). This is because the serialized class object passed to the vulnerable application does not exist in the application itself, so it cannot be found in the application's context.
The custom serializable class is simple:

    import java.io.Serializable;

    public class DataSchema implements Serializable {
        private static final long serialVersionUID = -3601187837704976264L;

        public DataSchema() {
            super();
        }
    }
With the corresponding attack code passing new DataSchema() at XXX, we found that the class-not-defined error is thrown regardless of whether the key we pass matches the one the vulnerable application reads.
As testing progressed, we discovered through logcat that the error is not necessarily caused by getSerializableExtra() or getParcelableExtra() alone. We then went a step further and passed our custom serialized class object to any getXXXExtra() call, and found that the class-not-defined error was still thrown.
Test application code snippet ("key" again stands in for the extra's name):

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        intent.getStringExtra("key"); // still crashes here with NoClassDefFoundError
    }
We then tested a number of mainstream applications on the market, including the BAT (Baidu, Alibaba, Tencent) apps, and found that this method crashes them. We began to suspect that this was a problem in Android itself and started going through the source code.
/frameworks/base/core/java/android/content/Intent.java

    public String getStringExtra(String name) {
        return mExtras == null ? null : mExtras.getString(name);
    }

/frameworks/base/core/java/android/os/Bundle.java

    public String getString(String key) {
        unparcel();
        // work with the data ...
    }

    /* package */ synchronized void unparcel() {
        ...
        mParcelledData.readMapInternal(mMap, N, mClassLoader);
        ...
    }

/frameworks/base/core/java/android/os/Parcel.java

readMapInternal() parses the incoming data:

    /* package */ void readMapInternal(Map outVal, int N, ClassLoader loader) {
        while (N > 0) {
            Object key = readValue(loader);
            Object value = readValue(loader);
            outVal.put(key, value);
            N--;
        }
    }

When it reaches a Serializable object, an exception is thrown because the class cannot be loaded:

    public final Serializable readSerializable() {
        ...
        try {
            ObjectInputStream ois = new ObjectInputStream(bais);
            return (Serializable) ois.readObject();
        } catch (IOException ioe) {
            throw new RuntimeException("Parcelable encountered " +
                "IOException reading a Serializable object (name = " + name + ")", ioe);
        } catch (ClassNotFoundException cnfe) {
            throw new RuntimeException("Parcelable encountered " +
                "ClassNotFoundException reading a Serializable object (name = " + name + ")", cnfe);
        }
    }
Looking back, though, Google certainly does not regard this as an Android bug; developers simply need to add a try/catch to handle the exception.
Bug fix:

Whichever extra is fetched, as long as it is a getXXXExtra() call, wrap it in a try/catch that handles the exception.
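As an added example (not code from the original post), here is one way a receiving component can guard every getXXXExtra() call so a malformed Bundle is treated as an invalid request rather than crashing the process; HardenedActivity, the helper names and the expected extra types are assumptions:

```java
import java.io.Serializable;
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

// Hypothetical receiving component: every extra read goes through a guarded helper.
public class HardenedActivity extends Activity {
    private static final String TAG = "HardenedActivity";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        // Vulnerable form from the post: intent.getStringExtra("key") crashes the
        // process as soon as Bundle.unparcel() meets a class this app cannot load.
        String name = getStringExtraSafely(intent, "key");
        Integer count = getSerializableExtraSafely(intent, "count", Integer.class);
        if (name == null || count == null) {
            // Unreadable or unexpected extras: reject the request instead of crashing.
            finish();
        }
    }

    // Returns null instead of crashing when the extras cannot be unparceled.
    // RuntimeException covers what Parcel.readSerializable() wraps ClassNotFoundException in;
    // LinkageError covers the NoClassDefFoundError seen in logcat, which is an Error,
    // so a plain catch (Exception e) would not stop it.
    static String getStringExtraSafely(Intent intent, String key) {
        if (intent == null) return null;
        try {
            return intent.getStringExtra(key);
        } catch (RuntimeException | LinkageError e) {
            Log.w(TAG, "Malformed extras, ignoring intent: " + e);
            return null;
        }
    }

    // Same guard for Serializable extras, plus a type check so an unexpected type
    // (the BigInteger.valueOf(1) case) yields null rather than a ClassCastException.
    static <T extends Serializable> T getSerializableExtraSafely(Intent intent, String key, Class<T> type) {
        if (intent == null) return null;
        try {
            Serializable raw = intent.getSerializableExtra(key);
            return type.isInstance(raw) ? type.cast(raw) : null;
        } catch (RuntimeException | LinkageError e) {
            Log.w(TAG, "Malformed serializable extra '" + key + "': " + e);
            return null;
        }
    }
}
```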
Vulnerability detection:

To make it easy for everyone to test, we wrote a simple verification program.

Usage:

    adb shell am start -n com.qihoo.checkextracrash/.MainActivity -e package_name <packagename> -e class_name <componentname>

Download: http://yunpan.cn/cyxmpwnk3MMT3 (extraction code: 7A7D)
Reference:

http://androidxref.com/4.2.2_r1/xref/frameworks/base/core/java/android/os/Parcel.java
Reprinted from: http://blogs.360.cn/360mobile/ (0xr0ot & Xbalien)

Android App Security: a generic denial-of-service vulnerability in Android apps