O2 Business for Android Security Vulnerability

Vulnerability ID: 2078843          Vulnerability type: Input validation error
Published: 2020-07-05              Updated: 2020-08-04
CVE: CVE-2020-11882                CNNVD-ID: CNNVD-202007-230
Platform: N/A                      CVSS score: N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2020070023
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202007-230
|Vulnerability details
O2 Business for Android is an Android application from O2 (a Telefónica brand) used to connect to O2 Business solutions. Version 1.2.0 of O2 Business for Android contains a security vulnerability that stems from the program exposing the canvasm.myo2.SplashActivity activity to other applications. An attacker can exploit it to redirect users to arbitrary pages.
|Vulnerability EXP
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        o2 Business for Android
Vendor URL:     https://play.google.com/store/apps/details?id=telefonica.de.o2business
Type:           Open Redirect [CWE-601]
Date found:     2020-04-16
Date published: 2020-07-01
CVSSv3 Score:   3.3 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE:            CVE-2020-11882


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
o2 Business App for Android 1.2.0


4. INTRODUCTION
===============
Communication is your daily springboard into the business world. And with the
new O2 Business App you always have all the important details in view. Trace
back the call time you have invested and see your available communication
capacity in advance. From the current state of your inclusive volume, through
itemized connections and tariff details, to local network quality, the O2
Business App keeps you in the picture anytime and anywhere. Find out more about
your informative companion now!

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The "O2 Business App" for Android exposes an activity to other apps called
"canvasm.myo2.SplashActivity". The purpose of this activity is to handle
deeplinks which can be delivered to the app either via links or by directly
calling the activity.

However, the app does not properly validate deeplinks: instead of parsing the
URL and comparing its host, it only checks with str.contains() whether one of
the allowed origins appears anywhere in the string:

private boolean isVanityLink(String str) {
    return str.contains("https://o2.de")
        || str.contains("https://blau.de")
        || str.contains("https://e2e2.o2.de")
        || str.contains("https://e2e2.blau.de");
}

private boolean isDeepLink(String str) {
    return str.contains("https://www.o2online.de")
        || str.contains("https://www.blau.de")
        || str.contains("https://e2e2.o2online.de")
        || str.contains("https://e2e2.blau.de")
        || str.contains(BuildConfig.PIRANHA_BASE_E2E2_URL)
        || str.contains("https://login.o2online.de")
        || str.contains("https://login-e2e2.blau.de")
        || str.contains("https://login.blau.de");
}

This can be abused by an attacker (a malicious app on the same device) to
redirect the user to any page and deliver arbitrary content. Because the check
is a substring match, it is enough to place an allowed origin anywhere in the
URL, for example in the query string. An exemplary exploit could look like the
following:

import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;

// Runs inside an Activity of the malicious app; the target activity is exported.
Intent i = new Intent();
i.setComponent(new ComponentName("telefonica.de.o2business", "canvasm.myo2.SplashActivity"));
// Passes isVanityLink() only because the query string contains "https://o2.de".
Uri uri = Uri.parse("https://www.rcesecurity.com?dummy=https://o2.de");
i.setData(uri);
startActivity(i);
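
To make the difference concrete, the following is an added example (not code
from the advisory or from the o2 Business app) that places the substring check
next to a hardened version that parses the URL and compares scheme and host
exactly. It uses java.net.URI so that it runs on a plain JVM; on Android the
same comparison would be made on the result of android.net.Uri.parse(). The
allowlisted hosts are taken from the two decompiled methods above,
BuildConfig.PIRANHA_BASE_E2E2_URL is left out because the advisory does not give
its value, and attacker.example and the sample URLs are constructed test inputs.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkValidator {

    // Hosts from the isVanityLink() and isDeepLink() allowlists quoted in the
    // advisory. BuildConfig.PIRANHA_BASE_E2E2_URL is a build-time constant whose
    // value the advisory does not give, so it is not reproduced here.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "o2.de", "blau.de", "e2e2.o2.de", "e2e2.blau.de",
            "www.o2online.de", "www.blau.de", "e2e2.o2online.de",
            "login.o2online.de", "login-e2e2.blau.de", "login.blau.de"));

    /**
     * Vulnerable check with the same semantics as the decompiled code: the
     * string is accepted if an allowed origin appears anywhere inside it.
     */
    static boolean isTrustedLinkVulnerable(String str) {
        for (String host : ALLOWED_HOSTS) {
            if (str.contains("https://" + host)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Hardened check: parse the URL and compare scheme and host exactly.
     * Switching to startsWith() would not be enough, because
     * "https://o2.de.attacker.example" still starts with "https://o2.de".
     */
    static boolean isTrustedLinkHardened(String str) {
        URI uri;
        try {
            uri = new URI(str);
        } catch (URISyntaxException e) {
            return false; // unparsable input is never a trusted link
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        if (uri.getRawUserInfo() != null) {
            return false; // rejects "https://o2.de@attacker.example"
        }
        if (uri.getPort() != -1 && uri.getPort() != 443) {
            return false; // only the default HTTPS port
        }
        String host = uri.getHost();
        if (host == null) {
            return false; // opaque or relative URIs carry no host to check
        }
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed test inputs; attacker.example is a placeholder host.
        String[] samples = {
            "https://www.o2online.de/mein-o2",
            "https://www.rcesecurity.com?dummy=https://o2.de",
            "https://www.o2online.de.attacker.example/",
            "https://www.o2online.de@attacker.example/",
            "https://attacker.example/#https://login.o2online.de",
            "not a url at all",
        };
        System.out.printf("%-56s %-10s %-10s%n", "url", "contains()", "hardened");
        for (String s : samples) {
            System.out.printf("%-56s %-10b %-10b%n", s,
                    isTrustedLinkVulnerable(s), isTrustedLinkHardened(s));
        }
    }
}
```

Run it with `java DeepLinkValidator.java` (JDK 11 or later). Only the first
sample passes both checks; the advisory's PoC URL and the three look-alike URLs
(allowed host as a subdomain label, in the userinfo part, and in the fragment)
pass the contains() check but fail the hardened one. Exact host matching stops
the redirect to arbitrary origins; whether the activity needs to be reachable by
other apps at all is a separate question that this check does not answer.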


6. RISK
=======
A malicious app on the same device can exploit this vulnerability to lead the
user to any webpage or content. The specific problem is the trust boundary the
user assumes: the user has the o2 Business app installed and trusts what it
displays, so when the app visibly launches and then immediately redirects to
another page, the user is likely to treat that page as trusted as well.


7. SOLUTION
===========
Update the app to version 1.3.0


8. REPORT TIMELINE
==================
2020-04-16: Discovery of the vulnerability
2020-04-16: Although Telefonica runs a VDP on Bugcrowd
(https://bugcrowd.com/telefonicavdp), I did not want to accept their non-
disclosure terms, which is why I have tried to contact them directly via their
official CERT contact.
2020-04-16: Telefonica responds and asks for full vulnerability details
2020-04-16: Sent over the full advisory including a full PoC exploit.
2020-04-16: Telefonica acknowledges the issue
2020-04-16: CVE requested from MITRE
2020-04-17: MITRE assigns CVE-2020-11882
2020-06-03: No further communication from Telefonica. Mailed them again about
the status of the fix.
2020-06-03: Telefonica is still working on this issue and the fix is scheduled
to be included in the next release.
2020-06-04: Version 1.3.0 is released
2020-07-01: Public disclosure.


9. REFERENCES
=============
-


|References

Source: packetstormsecurity.com

Link: https://packetstormsecurity.com/files/158302/Android-o2-Business-1.2.0-Open-Redirect.html