瘦蛟舞 (Popular science education is a public service) | 2015-03-11 18:12
Vulnerable code:
protected void onCreate(Bundle savedInstanceState) {
    ...
    Intent intent = getIntent();
    ...
    // Host is read from the incoming Intent extra and is not validated
    webHost = intent.getStringExtra(EXTRA_INTERNAL_WEB_HOST);
    if (null == webHost) {
        webHost = DEFAULT_WEB_HOST;
    }
    ...
}

protected void onResume() {
    ...
    String state = createStateNonce();
    ...
    if (hasDropboxApp(officialIntent)) {
        startActivity(officialIntent);
    }
    else {
        startWebAuth(state);
    }
    ...
    authStateNonce = state;
}

private void startWebAuth(String state)
{
    String path = "/connect";
    Locale locale = Locale.getDefault();
    String[] params = {
        "locale", locale.getLanguage()+"_"+locale.getCountry(),
        "k", appKey,
        "s", getConsumerSig(),
        "api", apiType,
        "state", state};
    // The URL, carrying the state nonce, is built on webHost
    String url = RESTUtility.buildURL(webHost, DropboxAPI.VERSION, path, params);
    Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
    startActivity(intent);
}
Attack flow:
For Activity intent injection, see here:
http://drops.wooyun.org/tips/3936
How to carry it out through the browser:
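One way to harden the onCreate() code in the post above, as an added example that is not part of the original post or the SDK's own code: accept the host from the Intent extra only on an exact allow-list match, and fall back to the default otherwise. The value given to DEFAULT_WEB_HOST, the ALLOWED_HOSTS set and the resolveWebHost helper are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Added example: allow-list check for the host read from the Intent extra. */
public class WebHostCheck {
    // Assumed value; the post does not show what DEFAULT_WEB_HOST is set to.
    static final String DEFAULT_WEB_HOST = "www.dropbox.com";
    // Hypothetical allow-list of hosts the auth page may be loaded from.
    static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList(DEFAULT_WEB_HOST));

    /** Returns the caller-supplied host only on an exact allow-list match. */
    static String resolveWebHost(String fromExtra) {
        if (fromExtra == null) {
            return DEFAULT_WEB_HOST;
        }
        String host = fromExtra.trim().toLowerCase(Locale.ROOT);
        // Exact match only, never prefix or suffix matching: a value that
        // carries userinfo ('@'), a path, a port or an extra DNS label is
        // not in the set and is therefore replaced by the default.
        return ALLOWED_HOSTS.contains(host) ? host : DEFAULT_WEB_HOST;
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for intent.getStringExtra(...).
        String[] samples = {
            null,
            "www.dropbox.com",
            "WWW.Dropbox.COM",
            "attacker.example",
            "www.dropbox.com.attacker.example",
            "www.dropbox.com@attacker.example",
            "attacker.example/www.dropbox.com"
        };
        for (String s : samples) {
            // Every line printed ends in the default host.
            System.out.println(s + " -> " + resolveWebHost(s));
        }
    }
}
```

In the activity, the result of resolveWebHost(intent.getStringExtra(EXTRA_INTERNAL_WEB_HOST)) would be assigned to webHost before startWebAuth() builds the URL, so the state nonce is only ever sent to an allow-listed host.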