Android debugger (debuggerd) vulnerability exposes device memory data - Vulnerability warning - Heiba Security Net (myhack58)

2015-06-29T00:00:00
ID MYHACK58:62201564134
Type myhack58
Reporter Anonymous
Modified 2015-06-29T00:00:00

Description

A carefully crafted ELF (Executable and Linkable Format) file can crash the Android debugger daemon, debuggerd, and the resulting tombstone file and the corresponding logd log files then expose memory contents. This can be used for a denial-of-service attack and can help bypass ASLR to execute malicious code. The vulnerability by itself cannot be used for code execution, but the information it leaks can be combined with other vulnerabilities to achieve code execution. It can be exploited by a malicious application or by a repackaged application. Affected system versions range from Android 4.0 Ice Cream Sandwich to Lollipop (5.x); the next generation, Android M, has already fixed this vulnerability.

Vulnerability details

The root cause is in the string copy: when copying a symbol name, debuggerd uses sym->st_name as an offset without any error checking. This value is easily controlled by a malicious ELF file, so the offset can point to unreadable memory and debuggerd crashes. If it keeps crashing, the result is a denial of service. With a carefully constructed offset, debuggerd instead exposes the memory content at that location and stores it in the dump and log files. For Android 5.0-5.1, the vulnerability is in external/libunwind/src/elfxx.c:
```c
  for (sym = symtab;
       sym < symtab_end;
       sym = (Elf_W (Sym) *) ((char *) sym + syment_size))
    {
      if (ELF_W (ST_TYPE) (sym->st_info) == STT_FUNC
          && sym->st_shndx != SHN_UNDEF)
        {
          if (tdep_get_func_addr (as, sym->st_value, &val) < 0)
            continue;
          if (sym->st_shndx != SHN_ABS)
            val += load_offset;
          Debug (16, "0x%016lx info=0x%02x %s\n",
                 (long) val, sym->st_info, strtab + sym->st_name);

          /* ANDROID support update */
          if ((Elf_W (Addr)) (ip - val) < min_dist
              && (Elf_W (Addr)) (ip - val) < sym->st_size)
          /* End of ANDROID update */
            {
              min_dist = (Elf_W (Addr)) (ip - val);
              strncpy (buf, strtab + sym->st_name, buf_len); // st_name is easily controlled by a malicious ELF
              buf[buf_len - 1] = '\0';
              ret = (strlen (strtab + sym->st_name) >= buf_len
                     ? -UNW_ENOMEM : 0);
            }
        }
    }
```

To reproduce the vulnerability, an ELF file that causes the crash is needed; this can be done by modifying the symbol offset. The ELF is placed in the APK and executed repeatedly; the vulnerability is then triggered, as shown in the following figure:

[figure: the original post shows a screenshot here]

Similar problems also exist in older Android versions (especially the 4.x versions: Ice Cream Sandwich, Jelly Bean and KitKat). Those versions do not use the third-party libunwind library. In Android 4.0 the vulnerability is in system/core/debuggerd/symbol_table.c:

```c
    int j = 0;
    if (dynsym_idx != -1) {
        // ...and populate them
```
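As an added example that is not from the original post, libunwind or AOSP: a bounds-checked replacement for the strncpy(buf, strtab + sym->st_name, buf_len) pattern shown above, which rejects an st_name offset outside the string table instead of dereferencing it. The sym_t struct, the STRTAB contents and the return codes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Elf_W(Sym) with only the field this check needs;
 * real code uses <elf.h>. */
typedef struct { uint32_t st_name; } sym_t;  /* offset into .strtab */

/* Constructed string table: "\0main\0unwind_helper\0" (20 bytes). */
static const char STRTAB[] = "\0main\0unwind_helper";
#define STRTAB_SIZE sizeof(STRTAB)
/* Bounds-checked replacement for strncpy(buf, strtab + sym->st_name, buf_len).
 * Returns 0 on success, -1 if st_name lies outside the table or the name is
 * not NUL-terminated inside it, -2 if the name was truncated (the page's
 * -UNW_ENOMEM case). buf is always NUL-terminated on return. */
static int sym_name_checked(const char *strtab, size_t strtab_size,
                            const sym_t *sym, char *buf, size_t buf_len)
{
    if (buf_len == 0) return -1;
    buf[0] = '\0';
    if (sym->st_name >= strtab_size)
        return -1;                          /* offset past the end of .strtab */
    const char *name = strtab + sym->st_name;
    size_t avail = strtab_size - sym->st_name, len = 0;
    while (len < avail && name[len] != '\0')
        len++;                              /* never scan beyond the table */
    if (len == avail)
        return -1;                          /* no terminator before table end */
    strncpy(buf, name, buf_len);
    buf[buf_len - 1] = '\0';
    return len >= buf_len ? -2 : 0;
}

/* Helper: does a lookup in STRTAB give the expected code and name? */
static int lookup_gives(uint32_t st_name, size_t buf_len, int want_rc, const char *want)
{
    char buf[32];
    sym_t sym = { st_name };
    int rc = sym_name_checked(STRTAB, STRTAB_SIZE, &sym, buf, buf_len);
    return rc == want_rc && strcmp(buf, want) == 0;
}

int main(void)
{
    int ok = lookup_gives(1, 16, 0, "main") &&          /* in-range name */
             lookup_gives(0x7fffffffu, 16, -1, "");     /* wild offset rejected */
    printf("%s\n", ok ? "checks passed" : "checks FAILED");
    return ok ? 0 : 1;
}
```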
