Android Native Layer File-Parsing Vulnerability Discovery Guide

ID MYHACK58:62201681546
Type myhack58
Reporter Tencent Yu'an Security Team (腾讯御安全团队)
Modified 2016-11-26T00:00:00


This article uses the discovery of file-parsing vulnerabilities in Mobile QQ (手Q) as an example to walk through the process of finding file-parsing vulnerabilities in the Android native layer.

Mobile QQ is a very large application in terms of features. Hunting for file-parsing vulnerabilities in it with a framework like MFFA is inefficient, and two things are hard: locating the file entry points, and driving them from a script so the testing can be automated. Through the process of finding file-parsing vulnerabilities in Mobile QQ, this article proposes one possible solution to that problem. It is offered as a starting point; corrections and better ideas are welcome.


1. Problem analysis

2. Flowchart

3. Screening the .so files

4. Writing the test program

5. Test-case generation

6. Crash results from testing

7. Future work

0x01 Problem analysis

The problem we face is that we do not know where Mobile QQ's file entry points are (at the code level). Judging from how the app is used, QQ most likely exposes no code-level entry point; without a code entry point there is no automation, and relying on the UI to trigger each test would drive anyone mad. So the first task is to provide our own file entry point. It now looks as though everything has to be done by hand: write our own test program, load our own test cases, collect our own crashes. Vulnerability hunting really is a lonely road.

0x02 Flowchart


First analyze the lib files shipped in Mobile QQ and pick the .so to test; then write a test program that can call into that .so; run the test cases through it automatically; finally collect the native crashes and analyze them by hand to arrive at vulnerabilities. The process is simple. Splitting the big problem into the following sub-problems and solving each of them gets us to the overall goal:

- Which .so? What does it do, and when is it called?

- How does the test program call the .so without any source code?

- What do we generate the test cases with?

0x03 Screening the .so files

There are generally two ways to screen: guess what a .so does from its name and then confirm the guess under a dynamic debugger, or start in the debugger, trigger a function in the app, and watch which .so QQ calls. Both rely on the same techniques; the final decision is always made by dynamic debugging.

First get hold of the .so files: unzip the APK as an ordinary zip archive and the lib directory is right there. Then filter these .so files by keyword. For example, I had already decided to test the file formats GIF, WAV, JPG, PNG and so on, so when I found libGIFEngine.so, which looks like a GIF-parsing library, I added it to the candidate list.

Verification: how do we confirm the choice? Debug Mobile QQ dynamically and set breakpoints on the relevant functions in the .so; if sending a GIF hits a breakpoint, the .so was chosen correctly. How to set up a dynamic-debugging environment for QQ is outside the scope of this article.

While debugging I found a function named NativeOpenFile and set a breakpoint on it without hesitation; when I then sent a GIF, the program stopped there. This phase of the work is complete. Selected .so: libGIFEngine.so

0x04 Writing the test program

First a few words on the JNI calling convention: a .so can only be called from Java if it conforms to the JNI convention. The details of the specification do not matter here; only one question needs answering: how do we call the functions in the .so?

Every .so function that can be called directly from Java-layer code has a name in a fixed format. The original article lists the seven callable functions of libGIFEngine.so in a screenshot; all of them follow this format:


At the same time, the Java-layer code must declare these native functions before it can call them. This raises a problem: the test program has to reproduce the naming path encoded in the symbol, as shown below. So the test program's package name must be com.tencent.image and the test class must be named nativegifimage.

Java_com_tencent_image_nativegifimage_<function name>

Before declaring the native methods, load the .so with System.loadLibrary or System.load. The calling process itself is not repeated here; after that you can start writing the test functions.

Having fallen into this pit myself, a side note: Android Studio 1.5 and later let you specify the jniLibs path in build.gradle; remember to keep the test classes separate from the main Activity.

Before starting to test, pause and think about what we are about to do: we are testing seven functions, and calling them on GIF files will produce native crashes. A native crash takes the whole test process down, so how can the test program carry on automatically, indefinitely? This is the issue to settle when writing the test program.

Based on this, I drew up the following model for the test program (shown as a figure in the original), for reference only.


Because the test task fits the characteristics of a Service, I chose to register a Service running in a separate process to do the testing. The main Activity then creates a thread that monitors the Service's running state; as soon as it sees the Service is no longer running, it restarts the Service automatically and records the name of the file that caused the crash, so the crash can be logged, reproduced and archived. To make this work I number the test cases; the Service sends a broadcast for each case it tests, and when the Service is restarted after an interruption, an Intent synchronizes the test progress so it resumes at the right case.
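The crash-survival pattern described above (parser in its own process, a monitor that notices the death, records the numbered case that was in flight and restarts from the next one) is shown below as an added, stand-alone Python example; it is not the article's Android code. The parent plays the monitor thread, a child process plays the Service, and a shared counter plays the progress broadcast/Intent. `parse_under_test` is an assumed stand-in for the JNI call into the real library: it only simulates what a native bug does to a process (a SIGSEGV or a hang), and the file names and bytes are constructed. It also handles the hang case, which the article's design does not mention, via a stall timeout.

```python
"""Added example: supervisor that survives native crashes of the parser process."""
import multiprocessing as mp
import os
import signal
import time

# Constructed markers: in a real harness the bytes go straight to the native parser.
CRASH_MARK = b"CRASH!"
HANG_MARK = b"HANG!"


def parse_under_test(data):
    """Stand-in for the native decode call. A null dereference or overflow in the
    .so kills the entire process with SIGSEGV; we reproduce exactly that outcome."""
    if data.startswith(CRASH_MARK):
        os.kill(os.getpid(), signal.SIGSEGV)   # emulate a segfault inside native code
    if data.startswith(HANG_MARK):
        time.sleep(3600)                        # emulate an infinite loop in the parser
    return len(data)


def worker(cases, start, progress):
    """Child process (the article's Service): walk the numbered cases from `start`,
    publishing the index *before* each call so the supervisor knows which case
    was in flight if this process dies."""
    for idx in range(start, len(cases)):
        progress.value = idx
        parse_under_test(cases[idx][1])
    progress.value = len(cases)


def run_campaign(cases, stall_timeout=1.0):
    """Supervisor (the article's monitor thread). cases: [(file name, bytes)].
    Returns {file name: 'ok' | 'hang' | 'crash:<SIGNAL>' | 'error:exit<N>'}."""
    outcomes = {}
    progress = mp.Value("i", 0)          # shared progress counter, like the progress Intent
    start = 0
    while start < len(cases):
        progress.value = start
        p = mp.Process(target=worker, args=(cases, start, progress))
        p.start()
        stalled = False
        seen, since = progress.value, time.monotonic()
        while p.is_alive():
            p.join(0.05)
            if progress.value != seen:
                seen, since = progress.value, time.monotonic()
            elif time.monotonic() - since > stall_timeout:
                stalled = True             # no progress for too long: treat as a hang
                p.terminate()
                p.join()
        if p.exitcode == 0:
            break                          # worker got through every remaining case
        idx = progress.value               # the case in flight when the worker died
        if idx >= len(cases):
            break
        name = cases[idx][0]
        if stalled:
            outcomes[name] = "hang"
        elif p.exitcode < 0:               # killed by a signal: that is a native crash
            outcomes[name] = "crash:" + signal.Signals(-p.exitcode).name
        else:                              # Python-level exception in the worker
            outcomes[name] = "error:exit%d" % p.exitcode
        start = idx + 1                    # restart the worker at the next case
    for name, _ in cases:
        outcomes.setdefault(name, "ok")
    return outcomes


if __name__ == "__main__":
    demo = [("case_0001.gif", b"GIF89a" + b"\x00" * 16),
            ("case_0002.gif", CRASH_MARK + b"GIF89a"),
            ("case_0003.gif", b"GIF87a"),
            ("case_0004.gif", HANG_MARK),
            ("case_0005.gif", b"GIF89a")]
    for name, outcome in sorted(run_campaign(demo).items()):
        print(name, outcome)
```

The important design choice is publishing the case index before the call rather than after: if it were published afterwards, a crash would leave the counter pointing at the previous, harmless file and the real offender would be lost. On Android the same information is what the Service's per-case broadcast carries, and a restarted Service should start at the case after the one last announced.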

Then write the program following the logic above. There is one snag: Mobile QQ defines its own exception classes, so our test program must define matching exceptions. Since the whole exception mechanism boils down to returning an error code, it is enough to find QQ's error-code definitions. Note that QQ's various constants have to be converted into the corresponding error codes, as shown below.
