yanus171 / Handy-News-Reader

Handy News Reader is a light and modern Android feed reader, based on Flym News Reader

Found Intent-Based Bug #941

Open Mai-hh opened 3 months ago

Mai-hh commented 3 months ago

Hi! I'm a security researcher currently working on a project in the area of Android app analysis. As a part of the work centered around Intents, I found a bug that resulted in crashes after analyzing logs/execution traces. Below are the relevant activities, traces, and adb commands that triggered the crashes.

This is a bug in an exposed component that another app can trigger. I can help provide more information as needed.

Execution trace:

--------- beginning of crash
07-23 02:10:34.756 22753 22753 E AndroidRuntime: FATAL EXCEPTION: main
07-23 02:10:34.756 22753 22753 E AndroidRuntime: Process: ru.yanus171.feedexfork, PID: 22753
07-23 02:10:34.756 22753 22753 E AndroidRuntime: java.lang.RuntimeException: Unable to start activity ComponentInfo{ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity}: java.lang.NullPointerException: Attempt to invoke virtual method 'void android.widget.ListView.setChoiceMode(int)' on a null object reference
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3645)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3782)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:101)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2307)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.os.Handler.dispatchMessage(Handler.java:106)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.os.Looper.loopOnce(Looper.java:201)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.os.Looper.loop(Looper.java:288)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.app.ActivityThread.main(ActivityThread.java:7872)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at java.lang.reflect.Method.invoke(Native Method)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:548)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:936)
07-23 02:10:34.756 22753 22753 E AndroidRuntime: Caused by: java.lang.NullPointerException: Attempt to invoke virtual method 'void android.widget.ListView.setChoiceMode(int)' on a null object reference
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at ru.yanus171.feedexfork.activity.HomeActivity.onCreate(HomeActivity.java:177)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.app.Activity.performCreate(Activity.java:8305)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.app.Activity.performCreate(Activity.java:8284)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1417)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3626)
07-23 02:10:34.756 22753 22753 E AndroidRuntime:    ... 12 more

adb command that triggers it:

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --ez NEW_TASK_EXTRA false 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --ez NEW_TASK_EXTRA false 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --ez NEW_TASK_EXTRA true 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --ez NEW_TASK_EXTRA true 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --ez NEW_TASK_EXTRA true 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --ez NEW_TASK_EXTRA true 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0
adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --ez NEW_TASK_EXTRA true  -c "LoadLinkLater"
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0
adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity"  -c "LoadLinkLater"
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --ez NEW_TASK_EXTRA false 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --ez NEW_TASK_EXTRA false 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0
adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --ez NEW_TASK_EXTRA false  -c "LoadLinkLater"
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0
adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity"  -d "www.google.com"
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --es LABEL_ID AAA 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --es LABEL_ID AAA 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0
adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --es LABEL_ID AAA  -d "www.google.com"
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --el LABEL_ID 1 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --el LABEL_ID 1 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0
adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --el LABEL_ID 1  -d "www.google.com"
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --el LABEL_ID 2 --es Link AAA 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --el LABEL_ID 2 --es Link AAA 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0
adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --el LABEL_ID 2 --es Link AAA  -d ""
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --es LABEL_ID AAA --es Link AAA 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --es LABEL_ID AAA --es Link AAA 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0
adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --es LABEL_ID AAA --es Link AAA  -d ""
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --el LABEL_ID 2 --es Link L 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --el LABEL_ID 2 --es Link L 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0
adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --el LABEL_ID 2 --es Link L  -d ""
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --es Link L --es LABEL_ID AAA 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --es Link L --es LABEL_ID AAA 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0
adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" --es Link L --es LABEL_ID AAA  -d ""
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0

#!/bin/bash

adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" 
echo adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity" 
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0
adb shell su 0 am start -n "ru.yanus171.feedexfork/ru.yanus171.feedexfork.activity.HomeActivity"  -d ""
sleep 3.0
adb shell am force-stop ru.yanus171.feedexfork
sleep 2.0
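The defensive counterpart to the report above, added here as an illustration and not taken from the Handy News Reader code base or from the reporter: an exported activity's onCreate that treats every value in the launching Intent as untrusted and checks the view it is about to configure. The package name, the extra names (NEW_TASK_EXTRA, LABEL_ID, Link), the LoadLinkLater category and the failing call (setChoiceMode on a ListView) come from the trace and the adb commands; the class name HardenedHomeActivity, the layout and view ids, and the helper method names are assumptions.

```java
package ru.yanus171.feedexfork.activity; // package from the trace; this class is hypothetical

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.widget.ListView;

/**
 * Hypothetical hardened entry point for an exported activity. Everything read
 * from the launching Intent is treated as untrusted: extras may be missing,
 * empty or of the wrong type, the data URI may be absent or schemeless, and
 * the view hierarchy is checked before it is configured.
 */
public class HardenedHomeActivity extends Activity {
    private static final String TAG = "HardenedHomeActivity";

    // Extra and category names exactly as they appear in the report's adb commands.
    static final String EXTRA_NEW_TASK = "NEW_TASK_EXTRA";
    static final String EXTRA_LABEL_ID = "LABEL_ID";
    static final String EXTRA_LINK = "Link";
    static final String CATEGORY_LOAD_LINK_LATER = "LoadLinkLater";

    /** Validated launch parameters: the activity only ever works with these, never raw extras. */
    static final class LaunchParams {
        final boolean newTask;
        final long labelId;      // -1 when absent, negative, or not a long
        final Uri link;          // null unless an http(s) URI with a non-empty host
        final boolean loadLater; // LoadLinkLater category AND a usable link

        LaunchParams(boolean newTask, long labelId, Uri link, boolean loadLater) {
            this.newTask = newTask;
            this.labelId = labelId;
            this.link = link;
            this.loadLater = loadLater;
        }
    }

    static LaunchParams parseLaunchIntent(Intent intent) {
        if (intent == null) {
            return new LaunchParams(false, -1L, null, false);
        }
        // getBooleanExtra/getLongExtra return the default both when the key is absent
        // and when the stored value has another type (the report sends LABEL_ID as a
        // String with --es and as a long with --el), so a wrong-typed extra degrades
        // to "not supplied" instead of throwing.
        boolean newTask = intent.getBooleanExtra(EXTRA_NEW_TASK, false);
        long labelId = intent.getLongExtra(EXTRA_LABEL_ID, -1L);
        if (labelId < 0) {
            labelId = -1L;
        }
        // Prefer the data URI, then the "Link" string extra; both pass the same filter.
        Uri link = safeHttpUri(intent.getData());
        if (link == null) {
            link = safeHttpUri(parseOrNull(intent.getStringExtra(EXTRA_LINK)));
        }
        boolean loadLater = intent.hasCategory(CATEGORY_LOAD_LINK_LATER) && link != null;
        return new LaunchParams(newTask, labelId, link, loadLater);
    }

    /** Accepts only explicit http/https URIs with a host; "www.google.com", "" and "AAA" are rejected. */
    static Uri safeHttpUri(Uri uri) {
        if (uri == null) {
            return null;
        }
        String scheme = uri.getScheme();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            return null;
        }
        String host = uri.getHost();
        return (host == null || host.isEmpty()) ? null : uri;
    }

    private static Uri parseOrNull(String s) {
        return (s == null || s.trim().isEmpty()) ? null : Uri.parse(s.trim());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_home); // layout and view ids are assumptions

        LaunchParams params = parseLaunchIntent(getIntent());

        // The reported crash is setChoiceMode() on a null ListView. Look the view up
        // and treat its absence as a logged, non-fatal condition rather than assuming
        // the inflated layout always provides it.
        ListView list = (ListView) findViewById(R.id.feed_list);
        if (list == null) {
            Log.w(TAG, "feed list view missing from layout; skipping list setup");
        } else {
            list.setChoiceMode(ListView.CHOICE_MODE_SINGLE);
        }

        Log.d(TAG, "launch: newTask=" + params.newTask + " labelId=" + params.labelId
                + " link=" + params.link + " loadLater=" + params.loadLater);
    }
}
```

Two things worth checking in the real app alongside a fix like this: whether HomeActivity needs to be launchable by other apps at all (if not, `android:exported="false"` on its manifest entry removes the exposure entirely, and Android 12 and later require the attribute to be declared explicitly for any component with an intent filter), and whether the layout inflated for the crashing code path actually contains the ListView, since a null view after setContentView usually means the id and the inflated layout disagree.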
Mai-hh commented 3 months ago

I have updated my original comment and issue title to reflect that this is a bug in an exposed component that another app can easily trigger using Intent.