
8.6 Weak Certificate Validation Vulnerability Detection

(1) Description

When an app implements X509TrustManager itself and overrides the methods of the platform's default certificate-checking mechanism, checkClientTrusted, checkServerTrusted and getAcceptedIssuers, with bodies that verify nothing, every certificate presented by the server is accepted, and the TLS connection can be hijacked by a man-in-the-middle attacker.

(2) Risk Level

Medium

(3) Affected Scope

All Android versions

(4) Detection Method

Detection type: static analysis

A. Detecting incorrect use of X509TrustManager:

Typical incorrect usage looks like this:

class InnerUnSafeTrustManager implements X509TrustManager {

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // accepts any client certificate without looking at it
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // accepts any server certificate without looking at it
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return null; // no trusted issuers at all (an empty body would not compile)
    }
}

or

class InnerUnSafeTrustManager implements X509TrustManager {

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // accepts any client certificate without looking at it
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // accepts any server certificate without looking at it
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0]; // empty issuer list
    }
}

That is, the class implements the X509TrustManager interface, but the overridden methods validate nothing. The smali corresponding to these three methods is:

.method public checkClientTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 0
    .param p1, "chain"    # [Ljava/security/cert/X509Certificate;
    .param p2, "authType"    # Ljava/lang/String;
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/security/cert/CertificateException;
        }
    .end annotation

    .prologue
    .line 14
    return-void
.end method

.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 0
    .param p1, "chain"    # [Ljava/security/cert/X509Certificate;
    .param p2, "authType"    # Ljava/lang/String;
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/security/cert/CertificateException;
        }
    .end annotation

    .prologue
    .line 20
    return-void
.end method

.method public getAcceptedIssuers()[Ljava/security/cert/X509Certificate;
    .locals 1

    .prologue
    .line 24
    const/4 v0, 0x0
    new-array v0, v0, [Ljava/security/cert/X509Certificate;    # corresponds to return new X509Certificate[0];
    return-object v0
.end method

In other words, in an unsafe custom class (one implementing the X509TrustManager interface), the three methods checkClientTrusted(X509Certificate[] chain, String authType), checkServerTrusted(X509Certificate[] chain, String authType) and getAcceptedIssuers() together contain at most 4 to 5 instructions: two return-void, plus either const/4 and return-object (for return null) or const/4, new-array and return-object (for return new X509Certificate[0]). So when a custom class implementing X509TrustManager is found whose three methods above total 5 instructions or fewer, it can be judged an unsafe class. Note that directives such as .locals, .param, .line and .prologue, as well as the .annotation ... .end annotation block, are metadata rather than instructions and must not be counted.
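The counting rule above, implemented over baksmali output, as an added example that is not code from the original checklist. The class names WeakTrustManagerScanner, InnerUnSafeTrustManager and DelegatingTrustManager, and the smali in UNSAFE_SMALI and SAFE_SMALI, are constructed samples: the first reproduces the three no-op methods shown above (annotation block included), the second delegates two of the methods to a real trust manager held in a field.

```java
import java.util.HashMap;
import java.util.Map;

/** Heuristic scan of baksmali output for "trust-everything" X509TrustManager classes. */
public class WeakTrustManagerScanner {

    // Smali signatures of the three X509TrustManager methods whose bodies are counted.
    static final String[] TARGET_METHODS = {
        "checkClientTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V",
        "checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V",
        "getAcceptedIssuers()[Ljava/security/cert/X509Certificate;"
    };
    // Threshold from the checklist: return-void + return-void + const/4 + new-array + return-object.
    static final int MAX_TOTAL_INSTRUCTIONS = 5;

    /** Instruction count per target method, or null if the class does not implement X509TrustManager. */
    static Map<String, Integer> countTargetMethodInstructions(String smali) {
        if (!smali.contains(".implements Ljavax/net/ssl/X509TrustManager;")) {
            return null;
        }
        Map<String, Integer> counts = new HashMap<>();
        String current = null;        // target method we are inside, else null
        boolean inAnnotation = false; // .annotation ... .end annotation is metadata, not code
        for (String raw : smali.split("\n")) {
            String line = raw.trim();
            if (line.startsWith(".method ")) {
                current = null;
                for (String target : TARGET_METHODS) {
                    if (line.endsWith(" " + target)) {
                        current = target;
                        counts.put(target, 0);
                    }
                }
            } else if (line.equals(".end method")) {
                current = null;
            } else if (line.startsWith(".annotation")) {
                inAnnotation = true;
            } else if (line.equals(".end annotation")) {
                inAnnotation = false;
            } else if (current != null && !inAnnotation && isInstruction(line)) {
                counts.merge(current, 1, Integer::sum);
            }
        }
        return counts;
    }

    // Directives (.locals, .param, .line, .prologue), labels (:cond_0) and comments are not instructions.
    static boolean isInstruction(String line) {
        return !line.isEmpty() && !line.startsWith(".") && !line.startsWith(":") && !line.startsWith("#");
    }

    /** Unsafe = all three methods overridden and their combined body is at most 5 instructions. */
    static boolean isUnsafe(String smali) {
        Map<String, Integer> counts = countTargetMethodInstructions(smali);
        if (counts == null || counts.size() < TARGET_METHODS.length) {
            return false;
        }
        int total = counts.values().stream().mapToInt(Integer::intValue).sum();
        return total <= MAX_TOTAL_INSTRUCTIONS;
    }

    // Constructed sample: the no-op class from the checklist, annotation block included on purpose.
    static final String UNSAFE_SMALI = String.join("\n",
        ".class LInnerUnSafeTrustManager;",
        ".implements Ljavax/net/ssl/X509TrustManager;",
        ".method public checkClientTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V",
        "    .locals 0",
        "    .annotation system Ldalvik/annotation/Throws;",
        "        value = {",
        "            Ljava/security/cert/CertificateException;",
        "        }",
        "    .end annotation",
        "    return-void",
        ".end method",
        ".method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V",
        "    return-void",
        ".end method",
        ".method public getAcceptedIssuers()[Ljava/security/cert/X509Certificate;",
        "    .locals 1",
        "    const/4 v0, 0x0",
        "    new-array v0, v0, [Ljava/security/cert/X509Certificate;",
        "    return-object v0",
        ".end method");

    // Constructed sample: checkServerTrusted and getAcceptedIssuers delegate to a real trust manager.
    static final String SAFE_SMALI = String.join("\n",
        ".class LDelegatingTrustManager;",
        ".implements Ljavax/net/ssl/X509TrustManager;",
        ".method public checkClientTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V",
        "    return-void",
        ".end method",
        ".method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V",
        "    iget-object v0, p0, LDelegatingTrustManager;->delegate:Ljavax/net/ssl/X509TrustManager;",
        "    invoke-interface {v0, p1, p2}, Ljavax/net/ssl/X509TrustManager;->checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V",
        "    return-void",
        ".end method",
        ".method public getAcceptedIssuers()[Ljava/security/cert/X509Certificate;",
        "    iget-object v0, p0, LDelegatingTrustManager;->delegate:Ljavax/net/ssl/X509TrustManager;",
        "    invoke-interface {v0}, Ljavax/net/ssl/X509TrustManager;->getAcceptedIssuers()[Ljava/security/cert/X509Certificate;",
        "    move-result-object v0",
        "    return-object v0",
        ".end method");

    public static void main(String[] args) {
        System.out.println("InnerUnSafeTrustManager unsafe: " + isUnsafe(UNSAFE_SMALI));
        System.out.println("DelegatingTrustManager unsafe: " + isUnsafe(SAFE_SMALI));
    }
}
```

For the first sample the counter sees return-void, return-void, const/4, new-array and return-object, a total of 5, so the class is flagged; the second sample totals 8 (1 + 3 + 4) and is not. The heuristic is deliberately crude: it only recognises classes that declare .implements Ljavax/net/ssl/X509TrustManager; directly, so a subclass of X509ExtendedTrustManager or of another app class is missed, and a tiny method can still be safe in principle. A more reliable follow-up check is whether checkServerTrusted can reach a throw of CertificateException on any path at all.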

(5) Remediation

- If you implement your own X509TrustManager, the overridden checkClientTrusted, checkServerTrusted and getAcceptedIssuers must actually validate the certificate chain, for example by delegating to the platform default TrustManager obtained from TrustManagerFactory and applying any pinning on top; checkServerTrusted must throw CertificateException for any chain that is not trusted.
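A corrected custom trust manager, as an added example that is not part of the original checklist: it delegates chain validation to the platform default trust manager and then enforces a SHA-256 pin on the leaf certificate's SubjectPublicKeyInfo. The class name PinningTrustManager, the sslContext helper and the lowercase-hex pin format are assumptions made for this illustration.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Keeps the platform's full chain validation and adds SPKI pinning on top. */
public final class PinningTrustManager implements X509TrustManager {

    private final X509TrustManager platform;
    private final Set<String> pinnedSpkiSha256Hex; // hex SHA-256 of the leaf's SubjectPublicKeyInfo

    public PinningTrustManager(Set<String> pinnedSpkiSha256Hex) throws GeneralSecurityException {
        this.platform = platformDefault();
        this.pinnedSpkiSha256Hex = pinnedSpkiSha256Hex;
    }

    /** Obtains the system default X509TrustManager (on Android, backed by the system CA store). */
    static X509TrustManager platformDefault() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore selects the platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new NoSuchAlgorithmException("no X509TrustManager available");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        // 1. Full platform validation: signatures, validity period, path to a trusted root.
        platform.checkServerTrusted(chain, authType);
        // 2. Pin check on the leaf's public key: a validly issued chain for a different key is still rejected.
        String spki = sha256Hex(chain[0].getPublicKey().getEncoded());
        if (!pinnedSpkiSha256Hex.contains(spki)) {
            throw new CertificateException("SPKI pin mismatch: " + spki);
        }
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platform.getAcceptedIssuers(); // the real trust anchors, never null or an empty array
    }

    /** Builds an SSLContext wired to this trust manager, e.g. for HttpsURLConnection.setSSLSocketFactory. */
    public static SSLContext sslContext(Set<String> pinnedSpkiSha256Hex) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager(pinnedSpkiSha256Hex) }, null);
        return ctx;
    }

    static String sha256Hex(byte[] data) throws CertificateException {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }
}
```

Two caveats when adopting this. Hostname verification is not the trust manager's job; it is done by the HostnameVerifier (HttpsURLConnection applies one by default), so do not pair this class with an allow-all verifier. On Android 7.0 (API 24) and later, the trusted CA set and certificate pins are better declared in the Network Security Config, which leaves no X509TrustManager code to get wrong.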

(6) Sample Analysis

www.wooyun.org/bugs/wooyun-2014-079358

(7) References

http://drops.wooyun.org/tips/3296

http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/

https://jaq.alibaba.com/blog.htm?id=60