Android Bug 1 7 3 5 6 8 2 4 BroadcastAnywhere vulnerability analysis-vulnerability warning-the black bar safety net

2014-11-17T00:00:00
ID MYHACK58:62201455933
Type myhack58
Reporter 佚名
Modified 2014-11-17T00:00:00

Description

2 0 1 4 year 8 month, retme analysis of Android to fix a vulnerability, and the name for the launchAnyWhere1

In debugging this vulnerability, I found the Settings Application there is also a similar vulnerability, and 9 reported to the Android Security Team, title, Privilege escalation vulnerability in the settings app of android 4.0 to 4.4 (leads to phishing sms), and soon been confirmed, the Android official also gave Acknowledgements 2: The

! enter image description here

This vulnerability of Android ID is 1 7 3 5 6 8 2 4, impact of 4. 0. 1 to 4. 4. Between the 4 of version, the time span from 2 0 to 1 1 to 2 0 to 1 4 years, it should be said that influence is very wide, according to this year 1 1 on Google's statistics, this range of Android devices in the world accounted for approximately 9 0 per cent.

! a

retme to the vulnerability of a great name broadcastAnywhere with launchAnywhere compared to the two vulnerabilities of the same point is that:

  1. Use the addAccount this mechanism, a malicious app by registering for an account authenticator and deal with a certain account type, and then send the intent to the settings app, let it add the specific type of account.

  2. Is the use of settings this application has SYSTEM privileges, and convincing settings to send a higher authority of the intent to.

A different point is that:

  1. The essence of the principle is different: A is a malicious app return one intent is settings launch, the other one is a settings issue a pendingintent to malicious apps, and malicious apps using the pendingintent of the features to modify the pendingitent the action with the extras, and settings of the identity issue.

  2. Vulnerability code position is different: one is accountmanger, A is settings.

  3. The consequences are different: launchAnywhere is based on the system permissions to start the activity, and broadcastAnywhere is a system permission to send broadcast to. The former often requires the interface, while the latter does not need to interface.

This article is to retme analysis of a Supplement, but also to share with you in digging the vulnerability of some experience, of course, for the sake of completeness, I also try to systematically describe the relevant content. Due to the time rush, it is inevitable that there are omissions and improper, please feel free to correct me.

0x01 PendingIntent risk


On the PendingIntent, simple to understand is an asynchronous sending of the intent, usually be used in the notification Notification of the callback, the short message SmsManager callbacks and alarms the AlarmManager to perform, and so on, is a very widespread mechanism. The PendingIntent in-depth analysis, you can refer to the below【4】:

[1] [2] [3] [4] [5] next