7 matches found

ATTACKERKB
added 2020/02/13 12:0 a.m., 18 views

Calling getpidcon for One Way Binder Transactions Returns Wrong Security Context

The servicemanager, keystore and drmserver all use the getpidcon function to get the security context of the caller from a binder. When combined with a one-way binder transaction, this results in getting the security context of the current process, which might allow an SELinux MAC bypass. Recent...

2.7 AI score
Exploits: 0, References: 1
0day.today
added 2019/03/06 12:0 a.m., 83 views

Android - getpidcon() Usage in Hardware binder ServiceManager Permits ACL Bypass Exploit

We already reported four bugs in Android that are caused by the use of getpidcon, which is fundamentally unsafe: https://bugs.chromium.org/p/project-zero/issues/detail?id=727 AndroidID-27111481; unexploitable...

7.8 CVSS, 7.8 AI score, 0.00116 EPSS
Exploits: 1
Exploit DB
added 2019/03/06 12:0 a.m., 244 views

Android - getpidcon() Usage in Hardware binder ServiceManager Permits ACL Bypass

We already reported four bugs in Android that are caused by the use of getpidcon, which is fundamentally unsafe: https://bugs.chromium.org/p/project-zero/issues/detail?id=727 AndroidID-27111481; unexploitable https://bugs.chromium.org/p/project-zero/issues/detail?id=851 AndroidID-29431260;...

7.4 AI score
Exploits: 0
exploitpack
added 2018/02/07 12:0 a.m., 28 views

Android - getpidcon Permission Bypass in KeyStore Service

The keystore binder service "android.security.IKeystoreService" allows users to issue several commands related to key management, including adding, removing, exporting and generating cryptographic keys. The service is accessible to many...

0.6 AI score
Exploits: 0
exploitpack
added 2018/01/11 12:0 a.m., 23 views

Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon

This bug is similar to Jann Horn's issue https://bugs.chromium.org/p/project-zero/issues/detail?id=851 -- credit should go to him. The hardware service manager allows the registration of HAL services. These services...

0.2 AI score
Exploits: 0
0day.today
added 2018/01/11 12:0 a.m., 37 views

Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon Exploit

Exploit for Android platform in category dos / poc. This bug is similar to Jann Horn's issue https://bugs.chromium.org/p/project-zero/issues/detail?id=851 -- credit should go to him. The hardware service manager allows the registration of HAL services. These services are used by the vendor domain...

7.2 CVSS, 0.1 AI score, 0.00265 EPSS
Exploits: 2
Exploit DB
added 2018/01/11 12:0 a.m., 30 views

Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon

This bug is similar to Jann Horn's issue https://bugs.chromium.org/p/project-zero/issues/detail?id=851 -- credit should go to him. The hardware service manager allows the registration of HAL services. These services are used by the vendor domain and other core processes, including systemserver,...

7 AI score
Exploits: 0