The ANDROID-8219321 vulnerability stems from a logic flaw in Android's ZipFile implementation: when the central directory is read, entries with the same name are not checked for, so a later entry silently replaces an earlier one. For the details of the logic flaw, see the Google+ post and Bluebox Security's report on the principle behind the Android application-signature-verification bypass.
Original code:
    for (int i = 0; i < numEntries; ++i) {
        ZipEntry newEntry = new ZipEntry(hdrBuf, bin);
        // put() silently overwrites any earlier entry that has the same name
        mEntries.put(newEntry.getName(), newEntry);
    }
After the fix:
    for (int i = 0; i < numEntries; ++i) {
        ZipEntry newEntry = new ZipEntry(hdrBuf, bin);
        String entryName = newEntry.getName();
        // put() returns the previous value for the key; non-null means the name already existed
        if (mEntries.put(entryName, newEntry) != null) {
            throw new ZipException("Duplicate entry name: " + entryName);
        }
    }
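As an added example (not code from this page, from AOSP, or from the referenced articles), the following Python reproduces both behaviours on a constructed in-memory archive: a parser that walks the ZIP central directory and reports duplicate entry names (a check that can be run over an APK before it is trusted), and a name-to-entry map built with and without the duplicate check the patch adds. The entry names and file contents are made up for the test fixture.

```python
import io
import struct
import warnings
import zipfile
EOCD_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x01\x02"  # EOCD and central-dir header signatures

def central_directory(data: bytes):
    """Yield (name, local_header_offset) for every central-directory record,
    in file order, keeping duplicate names instead of collapsing them."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise zipfile.BadZipFile("no end-of-central-directory record")
    total, cd_offset = struct.unpack_from("<4s4HIIH", data, eocd)[4:7:2]  # entry count, CD offset
    pos = cd_offset
    for _ in range(total):
        f = struct.unpack_from("<4s6H3I5H2I", data, pos)  # 46-byte fixed header
        if f[0] != CDH_SIG:
            raise zipfile.BadZipFile("bad central-directory header")
        name_len, extra_len, comment_len, local_off = f[10], f[11], f[12], f[16]
        yield data[pos + 46:pos + 46 + name_len].decode("utf-8"), local_off
        pos += 46 + name_len + extra_len + comment_len

def build_entry_table(data: bytes, strict: bool) -> dict:
    """Emulate ZipFile's name->entry map. strict=False is the pre-fix behaviour:
    a later record silently replaces an earlier one, so this map and a reader
    walking the local headers disagree. strict=True is the patched behaviour."""
    table = {}
    for name, local_off in central_directory(data):
        if strict and name in table:
            raise zipfile.BadZipFile(f"Duplicate entry name: {name}")
        table[name] = local_off
    return table

def duplicate_names(data: bytes) -> list:
    """Detection helper: names occurring more than once in the central directory."""
    seen, dups = set(), set()
    for name, _ in central_directory(data):
        (dups if name in seen else seen).add(name)
    return sorted(dups)

def make_fixture() -> bytes:
    """Constructed test archive with two records named classes.dex; Python's
    writer only warns about the collision, so the warning is silenced here."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("classes.dex", b"first copy")
            zf.writestr("classes.dex", b"second copy")
    return buf.getvalue()
```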
Reproduction steps can be found in the article "ANDROID-8219321 vulnerability, PoC and other related information roundup".