QR code vulnerability attacks on Android platforms

QR code vulnerability attacks on Android platforms
0x00 Preface

Currently, almost all Android apps have the QR code scanning function. If you do not consider the possible security problems of the QR code, scanning the QR code will be vulnerable to attacks, and serious problems may lead to mobile phone control, information Leakage and other risks.

0x01 DoS

In earlier versions of zxing, the QR code library contains arrays out of bounds when processing malformed QR codes, resulting in DOS. Scanning the following QR code may cause the main program to crash:

The program crash log shows that the array is out of bounds:

11-23 10:39:02.535: E/AndroidRuntime(1888): FATAL EXCEPTION: Thread-14396 11-23 10:39:02.535: E/AndroidRuntime(1888): Process: com.xxx, PID: 1888 11-23 10:39:02.535: E/AndroidRuntime(1888): java.lang.ArrayIndexOutOfBoundsException: length=9; index=9 11-23 10:39:02.535: E/AndroidRuntime(1888):   at com.google.zxing.common.BitSource.readBits(Unknown Source) 11-23 10:39:02.535: E/AndroidRuntime(1888):   at com.google.zxing.qrcode.decoder.DecodedBitStreamParser.decodeAlphanumericSegment(Unknown Source) 11-23 10:39:02.535: E/AndroidRuntime(1888):   at com.google.zxing.qrcode.decoder.DecodedBitStreamParser.decode(Unknown Source) 11-23 10:39:02.535: E/AndroidRuntime(1888):   at com.google.zxing.qrcode.decoder.Decoder.decode(Unknown Source) 11-23 10:39:02.535: E/AndroidRuntime(1888):   at com.google.zxing.qrcode.QRCodeReader.decode(Unknown Source) 11-23 10:39:02.535: E/AndroidRuntime(1888):   at com.google.zxing.MultiFormatReader.decodeInternal(Unknown Source) 11-23 10:39:02.535: E/AndroidRuntime(1888):   at com.google.zxing.MultiFormatReader.decodeWithState(Unknown Source) 

0x02 local file reading

Previously, Wooyun cracked a vulnerability that exploited malicious QR code to attack the snapshot. The identified QR code is displayed in html format by default (Android + Iphone) and can be executed in html and js. Use the following js Code to generate a QR code on the cli. im Website:

<script>x=new XMLHttpRequest(); if(x.overrideMimeType) x.overrideMimeType('text/xml'); x.open("GET", "file://///default.prop", false); x.send(null); alert(x.responseText); </script>

<Script> x = new XMLHttpRequest (); if (x. overrideMimeType) x. overrideMimeType ('text/xml'); x. open ("GET", "file: // default. prop ", false); x. send (null); alert (x. responseText); </script>
 

You can read the content of a local file after scanning it with a snapshot:

0x03 UXSS

Last year, the Webview UXSS vulnerability on the Android platform was stirred up. Due to the use of Webkit as the kernel for Webview components in earlier versions of Android systems, Webkit's historical vulnerabilities existed in Webview, this includes UXSS vulnerabilities that are harmful.

Almost all Android apps use the Webview component to render webpages. If the result of scanning the QR code is a URL, most apps use Webview directly. Due to the UXSS vulnerability in Webview, it is easy to cause theft of funds, account theft, or privacy leakage. For vulnerability introduction, see TSRC blog: Android Webview UXSS vulnerability Attack and Defense

0x04 Remote Command Execution

After most Android apps scan QR codes, Webview is directly called for display if the content of the QR codes is a URL. If Webview exports the js interface and the targetSDK is earlier than 17, it is vulnerable to remote command execution vulnerability attacks.

Suning Tesco Android scans the QR code and uses Webview to open the webpage. as Suning Tesco exports multiple js interfaces, scanning the QR code is vulnerable to Remote Command Execution Vulnerabilities (the latest version has been fixed ).

Com. suning. mobile. ebuy. host. webview. WebViewActivity:

this.b(this.a);            this.s = this.findViewById(2131494713);            this.d = this.findViewById(2131494100);            this.d.a(((BaseFragmentActivity)this));            this.l = new SNNativeClientJsApi(this);            this.d.addJavascriptInterface(this.l, "client");            this.d.addJavascriptInterface(this.l, "SNNativeClient");            this.d.addJavascriptInterface(new YifubaoJSBridge(this), "YifubaoJSBridge");

Because targetSDKversion is 14, all Android versions are affected:

<uses-sdkandroid:minSdkVersion="8"android:targetSdkVersion="14"></uses-sdk>

Suning Tesco Android homepage has a QR code scanning function:

When scanning a QR code, if the QR code is a webpage link, the above Webview component will be called to open a malicious webpage:

The malicious QR code is as follows:

0x05 Summary

The two-dimensional codes may attack more than just the ones listed above. There are also the remote code execution vulnerability caused by zip directory traversal, the SQL injection vulnerability, and the buffer overflow vulnerability. How far is the idea, How wide is the attack surface! Have Fun!