Vulnerability Analysis Report of General Dos for Android apps


While 0xr0ot and Xbalien were discussing the kinds of exceptions that can cause an application Denial-of-Service (DoS), they found a common local Denial-of-Service vulnerability. This generic local DoS affects a very large number of apps.

The serialized-object denial of service arises mainly from the application's use of the getSerializableExtra() API. Because the application developer does not handle exceptions raised by the incoming data, a malicious application can pass in malformed data and cause a local denial of service.
Vulnerable application code snippet:

    Intent i = getIntent();
    if (i.getAction().equals("serializable_action")) {
        i.getSerializableExtra("serializable_key");   // no exception handling
    }

Attack application code snippet:

    Intent i = new Intent();
    i.setAction("serializable_action");
    i.setClassName("com.exp.serializable", "com.exp.serializable.MainActivity");
    i.putExtra("seriadddlizable_dkey", XXX);          // XXX: the malformed data being passed in
    startActivity(i);



For example, if BigInteger.valueOf(1) is passed in at XXX, a cast error (java.lang.ClassCastException) is very likely.

However, when a custom Serializable or Parcelable object is passed in, the target component that receives the Intent throws the undefined-class exception java.lang.NoClassDefFoundError in getSerializableExtra() or getParcelableExtra(). This happens because the serialized class object belongs to a class the receiving application does not have, so the class cannot be found in the application's context.
The custom serializable class is trivial:

    public class DataSchema implements Serializable {
        private static final long serialVersionUID = -3601187837704976264L;

        public DataSchema() {
            super();
        }
    }

Passing new DataSchema() at XXX in the corresponding attack code, we found that the receiving application throws the undefined-class exception regardless of whether the key we pass matches the key the vulnerable application reads.

On further testing, logcat showed that the error does not necessarily originate in getSerializableExtra() or getParcelableExtra(). We therefore extended the test and passed our custom serialized class object to every getXXXExtra() method: all of them throw the undefined-class exception.

Test app code snippet:

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        intent.getStringExtra("ROIS");   // NoClassDefFoundError crash
    }



We then tested a large number of mainstream applications on the market, including those from BAT (Baidu, Alibaba, Tencent), and this single method crashed every one of them. We began to suspect a problem in Android itself and started reading the framework source code.

 

/Frameworks/base/core/java/android/content/Intent. javapublic String getStringExtra (String name) {return mExtras = null? Null: mExtras. getString (name);}/frameworks/base/core/java/android/OS/Bundle. javapublic String getString (String key) {unparcel (); // process data ...} /* package */synchronized void unparcel (){... mParcelledData. readMapInternal (mMap, N, mClassLoader );...} /frameworks/base/core/java/android/OS/Parcel. javareadMapInternal parse the transmitted data/* package */void readMapInternal (Map outVal, int N, ClassLoader loader) {while (N> 0) {Object key = readValue (loader ); object value = readValue (loader); outVal. put (key, value); N --;}}


When a Serializable object is parsed, an exception is thrown because its class cannot be loaded:

    public final Serializable readSerializable() {
        ...
        try {
            ObjectInputStream ois = new ObjectInputStream(bais);
            return (Serializable) ois.readObject();
        } catch (IOException ioe) {
            throw new RuntimeException("Parcelable encountered "
                    + "IOException reading a Serializable object (name = " + name + ")", ioe);
        } catch (ClassNotFoundException cnfe) {
            throw new RuntimeException("Parcelable encountered "
                    + "ClassNotFoundException reading a Serializable object (name = " + name + ")", cnfe);
        }
    }



On reflection, though, Google certainly does not consider this an Android vulnerability: developers only need to add a try/catch to handle the exception.

Vulnerability repair:
Whatever the type of the extra, wrap every getXXXExtra() call in a try/catch that handles the exception.
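One way to apply this repair, as an added example that is not code from the original report: a small helper that wraps the first access to the extras (the point at which the Bundle is unparcelled) in a try/catch, and checks the runtime type before casting so that the BigInteger-style ClassCastException described above is avoided as well. SafeExtras, its method names and the log tag are assumed names.

```java
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import java.io.Serializable;

// Added example (not from the original report). Every getXXXExtra() call unparcels the whole
// Bundle on first access, so one malformed extra breaks the first read of ANY key; the
// try/catch must therefore wrap that first read. hasExtra()/containsKey() unparcel too, so a
// key-exists pre-check cannot be used to dodge the problem.
public final class SafeExtras {
    private static final String TAG = "SafeExtras";   // assumed log tag

    private SafeExtras() {}

    // Returns the extra under key if present and of the expected type, otherwise fallback.
    public static <T> T get(Intent intent, String key, Class<T> type, T fallback) {
        if (intent == null) {
            return fallback;
        }
        try {
            Bundle extras = intent.getExtras();   // copy of mExtras, may still be parcelled
            if (extras == null) {
                return fallback;
            }
            Object value = extras.get(key);       // unparcel() runs here; raw Object, no cast yet
            if (type.isInstance(value)) {         // avoids the BigInteger -> ClassCastException case
                return type.cast(value);
            }
            return fallback;
        } catch (RuntimeException | NoClassDefFoundError e) {
            // RuntimeException("Parcelable encountered ClassNotFoundException ...") from
            // readSerializable(), BadParcelableException for Parcelables, or the
            // NoClassDefFoundError observed in logcat: log it and keep running.
            Log.w(TAG, "Discarding malformed extras while reading key " + key, e);
            return fallback;
        }
    }

    // The report's vulnerable snippet, hardened: returns null instead of crashing.
    public static Serializable readSerializable(Intent intent) {
        if (intent == null || !"serializable_action".equals(intent.getAction())) {
            return null;
        }
        return get(intent, "serializable_key", Serializable.class, null);
    }
}
```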

Vulnerability detection:
To make testing easier, we have written a simple verification program.
Usage:

    adb shell am start -n com.qihoo.checkextracrash/.MainActivity -e package_name <packagename> -e class_name <componentname>
