Vulnerability Overview: ZipperDown

During iOS application security audits for different customers, Pangu Lab discovered a class of generic security vulnerability. After creating a fingerprint for the vulnerability, we performed provenance analysis and similar-vulnerability retrieval on the Janus platform and found that about 10% of iOS apps may be affected. Through manual analysis, we confirmed that popular apps including Weibo, MOMO, NetEase Cloud Music, QQ Music and Kuaishou (Kwai) are affected.

In the vulnerability demonstration video, a user uses Weibo in an insecure Wi-Fi environment; the attacker exploits the vulnerability to gain arbitrary code execution inside the Weibo app.

Vulnerability Details: ZipperDown

For now, to keep users safe, the vulnerability details are not being disclosed publicly. Because the vulnerability affects such a wide range of apps, we cannot verify every potentially affected app one by one, nor notify every potentially affected app developer individually. We are therefore publishing a list of potentially affected apps and inviting developers to work with us to investigate this vulnerability.

If you are the developer of an app on the potentially affected list, please contact us. We will share the vulnerability details with you and assist you in checking your app for ZipperDown.

Description:

While auditing iOS Apps from various customers, Pangu Lab noticed a common programming error which leads to severe consequences such as data being overwritten and even code execution in the context of affected Apps. We created a signature for the issue and performed a large-scale search on our App analysis platform Janus. Surprisingly, we found that around 10% of iOS Apps might be affected by the same or similar issues. Among the potentially affected Apps, we manually verified that many popular apps, including Weibo, MOMO, NetEase Music, QQ Music and Kwai, are truly affected. These Apps have more than 100 million users.
To avoid leaking the details of the programming error, we named it ZipperDown.

The video demonstrates a user downloading and using the Weibo app in an unsafe Wi-Fi environment, and attackers gaining code execution in the context of the user's Weibo app by exploiting the ZipperDown issue in Weibo.

Details:

Due to the large number of potentially affected apps, we cannot verify all the results precisely. To protect end-users, the details of ZipperDown are not available to the public for now. We are posting the list of potentially affected apps. If you are the developer or vendor of an app on the list, you are welcome to contact us. We will share the details of ZipperDown with you so that we can cooperatively fix the potential issue in your app. We would also appreciate it if you could notify us in case your listed app is not vulnerable. The best way to reach us is the following email: zipperdown@pwnzen.com.

Vulnerability Detector (For Android)
Q&A
1. How many apps does the ZipperDown vulnerability affect?
By querying the 168,951 iOS apps we have collected, we have so far found 15,979 apps that may be affected by this vulnerability, a share of nearly 10%. The potentially affected apps are listed in the appendix.
2. Is ZipperDown a new vulnerability?
No. ZipperDown is a very classic class of security issue. We did not expect it to be so prevalent in iOS apps.
3. I am an Android user. Am I affected by ZipperDown?
We have found similar vulnerabilities on the Android platform as well and have confirmed them in a large number of popular apps. An analysis report on ZipperDown for Android is forthcoming.
4. What harm can the ZipperDown vulnerability cause?
The impact of ZipperDown depends on the functionality and permissions of the affected app. In some apps an attacker can only use ZipperDown to corrupt app data; in others, the attacker may also gain arbitrary code execution (see the demonstration video). In addition, iOS mechanisms such as the sandbox limit the reach of a ZipperDown attack.
5. How can ZipperDown be detected?
Fingerprint matching yields a list of potentially affected apps. However, the vulnerability takes flexible forms with many variants, so fingerprint matching has a high false-negative rate. We therefore recommend confirming the presence of the vulnerability through manual analysis.
6. How is the ZipperDown vulnerability triggered?
The attack scenarios for ZipperDown depend on the business scenarios of the affected app. Common scenarios include using an affected app in an insecure network environment, or using certain app features after being lured to do so by an attacker.
7. How was ZipperDown discovered?
While providing iOS app security audits to customers, Pangu Lab noticed that the ZipperDown issue was widespread across different customers' iOS apps; with the help of the Janus platform, we further found that the vulnerability affects a large number of apps on both iOS and Android. We therefore classified it as a generic vulnerability and published the list of potentially affected apps.
8. About Us
Pangu Lab is a security laboratory established by Shanghai PWNZEN InfoTech Co., Ltd. (上海犇众信息技术有限公司) with the Pangu Team at its core. The lab conducts wide-ranging security research in the mobile internet field, analysing in depth the security architecture of mobile devices at the hardware, system, application and network layers. Alongside uncovering a large number of latent security issues in the mobile internet, it has produced a series of results and products in advanced defensive technologies and solutions.
9. Contact Us
zipperdown#pwnzen.com (replace # with @)
1. How many Apps are affected by this vulnerability?
Our query was carried out on our Janus platform. According to the search, 15,978 out of 168,951 iOS Apps are potentially affected by this vulnerability.
2. Is ZipperDown a new type of vulnerability?
No. ZipperDown is a very typical programming error, and we did not expect that so many iOS apps have the issue.
3. I am an Android user, am I affected?
Possibly. We have confirmed that many popular Android apps have similar issues. We will release more results for Android apps in the future.
4. What can ZipperDown do?
It depends on the affected app and its privileges. In general, attackers could overwrite the affected app's data, or even gain code execution in the context of the affected app. Note that the sandbox on both iOS and Android can effectively limit ZipperDown's consequences.
5. How to detect ZipperDown?
There is no all-in-one detection method for this vulnerability. Although we have built signatures for it, they may suffer from a high false-negative rate. We highly recommend manual inspection to confirm it.
6. How to exploit ZipperDown?
It also depends on the affected app. The most typical scenario is via traffic hijacking and spoofing.
7. About Us:
In 2014, Pangu Team (@panguteam) founded PWNZEN InfoTech Co., Ltd., a startup company in Shanghai, China, and expanded its research team into Pangu Lab, with broader research interests ranging from iOS jailbreaking to IoT security, App security auditing, Android security, etc.
8. Contact us
zipperdown#pwnzen.com ('#' -> '@')
List of potentially affected apps (continuously updated):
App Name    Bundle ID
Copyright © 2014-2017 PWNZEN InfoTech (犇众信息). All rights reserved.   沪ICP备15051915号-1   沪公网安备 31011202002804号