Android - Insufficient Binder Message Verification Pointer Leak Vulnerability

2016-10-03T00:00:00
ID 1337DAY-ID-25250
Type zdt
Reporter Google Security Research
Modified 2016-10-03T00:00:00

Description

Exploit for Android platform in category dos / poc

                                        
                                            Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=860
 
When frameworks/native/libs/binder/Parcel.cpp reads e.g. a string from a parcel, it does not verify that the string doesn't overlap with any byte range that was tagged as a binder object by the sender. When an attacker sends a parcel to a victim process that contains an unexpected binder handle referring to an object from the victim process where string data is expected, the kernel replaces the attacker-specified handle with a pointer to the object in the victim process. The victim then treats that pointer as part of the attacker-supplied input data, possibly making it available to the attacker at a later point in time.
 
One example of such an echo service is the "clipboard" service: Strings written using setPrimaryClip() can be read back using getPrimaryClip().
 
A PoC that leaks the addresses of the "permission", "package" and "clipboard" services from system_server is attached (source code and apk).
 
Its logcat output looks like this:
 
===============
[...]
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2a85
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 7362
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 17f
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: fd80
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 367b
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 4c0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2964
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
01-15 05:20:54.530 19158-19158/com.google.jannh.pointerleak E/leaker: == service "permission" ==
                                                                      type:   BINDER_TYPE_BINDER
                                                                      object: 0x000000712967e260
                                                                       
                                                                      == service "package" ==
                                                                      type:   BINDER_TYPE_BINDER
                                                                      object: 0x000000712963cfc0
                                                                       
                                                                      == service "clipboard" ==
                                                                      type:   BINDER_TYPE_BINDER
                                                                      object: 0x00000071367bfd80
===============
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40449.zip

#  0day.today [2018-01-04]  #