Fragment Injection vulnerability
In 2013, IBM's security researchers disclosed a vulnerability in the Android framework layer, Fragment injection, which can be used to reset the PIN code of an Android phone (see figure 1). The vulnerability has received little further discussion in the industry since then. This article looks further at its impact.
0x01 Fragment injection vulnerability details
The Android framework provides the android.preference.PreferenceActivity class for displaying preferences. Developers subclass it to display and extend their own preference screens. The base class reads data from the incoming Intent and performs some checks on it. Two extras are important: PreferenceActivity.EXTRA_SHOW_FRAGMENT (":android:show_fragment") and PreferenceActivity.EXTRA_SHOW_FRAGMENT_ARGUMENTS (":android:show_fragment_arguments"). The first extra names the Fragment that the PreferenceActivity will load dynamically, and the second carries the arguments passed to that Fragment. A Fragment can also reach the passed-in data through Fragment.getActivity(). PreferenceActivity calls Fragment.instantiate to load the Fragment dynamically; that function loads the named class by reflection and casts the result to a Fragment.
Any component that subclasses PreferenceActivity and is exported can be attacked. A malicious app passes the extra android:show_fragment to name the class to be loaded; in the context of the PreferenceActivity, the class is then loaded dynamically through dalvik.system.PathClassLoader. Because the requesting app is never verified, a malicious app can load any class in the vulnerable app (including classes that are not exported), which lets it reach the vulnerable app's private data.
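The check the framework relies on is the allowlist the activity itself declares. The following is an added example (constructed for this article, not code from the original post or from any app it discusses) that shows the vulnerable shape of a PreferenceActivity subclass next to a hardened one. Package name, fragment class names and the activity name are assumptions; `isValidFragment` is the real PreferenceActivity hook introduced in API 19, and the pre-19 branch applies the same gate by hand.

```java
// File: SettingsActivity.java (constructed example, not from the article)
package com.example.settings; // hypothetical package

import android.os.Build;
import android.os.Bundle;
import android.preference.PreferenceActivity;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/*
 * VULNERABLE FORM (for contrast, kept as a comment so this file compiles):
 *
 *   public class SettingsActivity extends PreferenceActivity {
 *       // no isValidFragment() override, declared android:exported="true"
 *   }
 *
 * With targetSdkVersion < 19 the framework's default isValidFragment() returns
 * true, so whatever class name the calling app puts in EXTRA_SHOW_FRAGMENT is
 * handed to Fragment.instantiate() and run inside this app's process.
 */
public class SettingsActivity extends PreferenceActivity {

    // Allowlist of the only fragments this screen is meant to host.
    private static final Set<String> ALLOWED_FRAGMENTS = new HashSet<>(Arrays.asList(
            GeneralPreferenceFragment.class.getName(),        // hypothetical fragment
            NotificationPreferenceFragment.class.getName())); // hypothetical fragment

    static boolean isAllowedFragment(String fragmentName) {
        return fragmentName != null && ALLOWED_FRAGMENTS.contains(fragmentName);
    }

    // API 19+: the framework calls this before Fragment.instantiate() and throws
    // IllegalArgumentException when it returns false, so the class is never loaded.
    @Override
    protected boolean isValidFragment(String fragmentName) {
        return isAllowedFragment(fragmentName);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        // Platforms before KitKat never call isValidFragment(); apply the same
        // gate by stripping the injected extras before PreferenceActivity reads them.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT) {
            String requested = getIntent().getStringExtra(EXTRA_SHOW_FRAGMENT);
            if (requested != null && !isAllowedFragment(requested)) {
                getIntent().removeExtra(EXTRA_SHOW_FRAGMENT);
                getIntent().removeExtra(EXTRA_SHOW_FRAGMENT_ARGUMENTS);
            }
        }
        super.onCreate(savedInstanceState); // only allowlisted fragments can be shown now
    }
}
```

Two points follow from this shape. First, the allowlist compares fully qualified class names, so a renamed or obfuscated fragment must be referenced through `Class.getName()` rather than a hard-coded string, or the check silently breaks after a ProGuard pass. Second, unless another app genuinely needs to open the settings screen, the activity should also carry `android:exported="false"` in the manifest; the allowlist is what protects the app if it has to stay exported, and the manifest flag removes the remote entry point altogether.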
0x02 Fragment injection vulnerability Exploitation
1. DoS
This vulnerability can be used to load any class in the app, including classes that are not exported. If such a class does not handle malformed input properly, the result is a local denial of service. The IRCCloud app is used as the example below.
The com.irccloud.android.activity.PreferencesActivity component is exported:
The com.irccloud.android.activity.PreferencesActivity component inherits from PreferenceActivity:
Because there is no protection against Fragment injection, the vulnerability can be used to load any unexported component in the app. We select com.irccloud.android.fragment.ServerReorderFragment as the target:
ServerReorderFragment does not handle malformed arguments, which results in a DoS (see the figure).
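The crash comes from the fragment trusting its arguments Bundle, which under Fragment injection is built by another app. The following is an added example (constructed for this article, not IRCCloud's code or the original post's) of the fragile pattern and a version that treats the arguments as untrusted input. The package, argument key, upper bound and the "non-negative id" rule are all assumptions made for the example.

```java
// File: ServerReorderFragment.java (constructed example, not IRCCloud's code)
package com.example.settings; // hypothetical package

import android.app.Fragment;
import android.os.Bundle;
import android.util.Log;

public class ServerReorderFragment extends Fragment {
    static final String ARG_SERVER_IDS = "server_ids"; // hypothetical argument key
    static final int MAX_SERVERS = 256;                // hypothetical upper bound
    private static final String TAG = "ServerReorder";

    private int[] serverIds = new int[0];

    /*
     * FRAGILE FORM (what a DoS-prone fragment does): the arguments Bundle is
     * assumed to be present and well-typed. When the host activity is exported,
     * that Bundle arrives in EXTRA_SHOW_FRAGMENT_ARGUMENTS from another app's
     * Intent, so a missing key or a wrong type ends in a NullPointerException
     * and the whole activity dies:
     *
     *   int[] ids = getArguments().getIntArray(ARG_SERVER_IDS);
     *   for (int id : ids) { ... }
     */

    // Hardened form: validate the arguments like any other untrusted input.
    // Returns null when the arguments are unusable so the caller can fail closed.
    static int[] parseServerIds(Bundle args) {
        if (args == null) return null;
        int[] ids = args.getIntArray(ARG_SERVER_IDS); // null if absent or not an int[]
        if (ids == null || ids.length == 0 || ids.length > MAX_SERVERS) return null;
        for (int id : ids) {
            if (id < 0) return null; // hypothetical domain rule: ids are non-negative
        }
        return ids;
    }

    @Override
    public void onActivityCreated(Bundle savedInstanceState) {
        super.onActivityCreated(savedInstanceState);
        int[] ids = parseServerIds(getArguments());
        if (ids == null) {
            // Log and render an empty list instead of throwing: no stack trace,
            // no dead host activity, nothing for the caller to learn from.
            Log.w(TAG, "rejected malformed reorder arguments");
            serverIds = new int[0];
            return;
        }
        serverIds = ids.clone();
    }

    int[] currentServerIds() {
        return serverIds.clone();
    }
}
```

Bundle's typed getters already return null rather than throwing when the stored value has the wrong type, so the remaining work is the null, size and range checks, which are the same ones an unexported fragment usually skips because its author assumed only the app's own code would ever construct the arguments.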
2. Remote Command Execution
Currently, many components are built on WebView, and Fragment is used more and more widely, so more and more WebView components will be hosted in Fragments in the future. Because Fragment injection can load any unexported component in the app, a Fragment-based WebView component that also has the addJavascriptInterface vulnerability turns Fragment injection into remote command execution. Looking at apps on the market, many WebView components are Fragment-based, but in those apps the components inheriting from PreferenceActivity are not exported. We therefore wrote a demo to verify feasibility.
MainActivity is exported and inherits from PreferenceActivity.
WebviewFragment exposes a JavaScript interface and loads a URL.
The attacker uses Fragment injection to target WebviewFragment.
Through Fragment injection, WebviewFragment loads attacker-controlled HTML and the app becomes remotely exploitable, as shown in the figure below.
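The demo chain needs two things from the fragment: a URL it will load from its arguments without checking, and a JavaScript bridge reachable from that page. The following is an added example (constructed for this article, not the demo code from the original post) of a WebView fragment that closes both. Package name, argument key, trusted host and bridge method are assumptions; `@JavascriptInterface`, `setAllowFileAccess` and the API 17 cut-off are real platform behaviour.

```java
// File: WebViewFragment.java (constructed example, not the article's demo)
package com.example.settings; // hypothetical package

import android.app.Fragment;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.view.LayoutInflater;
import android.view.View;
import android.view.ViewGroup;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class WebViewFragment extends Fragment {
    static final String ARG_URL = "url"; // hypothetical argument key
    // Hypothetical allowlist: the only origin whose pages may talk to the bridge.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("help.example.com"));

    /*
     * VULNERABLE FORM (the pattern the article's demo exploits):
     *
     *   webView.getSettings().setJavaScriptEnabled(true);
     *   webView.addJavascriptInterface(new Bridge(), "bridge");
     *   webView.loadUrl(getArguments().getString(ARG_URL)); // attacker-chosen page
     *
     * Under Fragment injection the arguments are the caller's, so the page that
     * gets the bridge object is whatever page the caller names.
     */

    // Only https pages on an allowlisted host may be loaded into this WebView.
    static boolean isTrusted(String url) {
        if (url == null) return false;
        Uri u = Uri.parse(url);
        String host = u.getHost();
        return "https".equalsIgnoreCase(u.getScheme())
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    @Override
    public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle saved) {
        WebView webView = new WebView(getActivity());
        Bundle args = getArguments();
        String url = (args == null) ? null : args.getString(ARG_URL);
        if (!isTrusted(url)) {
            url = "about:blank"; // refuse rather than load an unvetted page
        }

        webView.getSettings().setAllowFileAccess(false); // keep file:// out of reach
        webView.getSettings().setJavaScriptEnabled(true);

        // Before API 17 every public method of the bridge object is callable
        // from the page (reflection over getClass()), so the bridge is not
        // installed at all on those platforms.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new Bridge(), "bridge");
        }

        // Block navigation (including redirects) away from the trusted origin,
        // so the bridge never ends up exposed to a page we did not choose.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String target) {
                return !isTrusted(target); // true = do not load
            }
        });

        webView.loadUrl(url);
        return webView;
    }

    // On API 17+ only methods carrying @JavascriptInterface are visible to JS.
    static class Bridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // hypothetical, harmless read-only method
        }
    }
}
```

The URL check and the `isValidFragment` allowlist on the hosting activity are independent layers: the activity check stops an outside app from reaching the fragment at all, and the fragment's own check means that even when some other path in the app opens it with bad arguments, the bridge only ever meets pages from the origin the developer chose.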
0x03 Summary
The Fragment injection vulnerability offers many attack points because it can load any unexported component in the app. This article has introduced the Fragment injection vulnerability; we hope readers will explore it further.