Google Android – Insufficient Binder Message Verification Pointer Leak

  • 作者: Google Security Research
    日期: 2016-10-03
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/40449/
  • Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=860

When frameworks/native/libs/binder/Parcel.cpp reads e.g. a string from a parcel, it does not verify that the string doesn't overlap with any byte range that was tagged as a binder object by the sender. When an attacker sends a parcel to a victim process that contains an unexpected binder handle referring to an object from the victim process where string data is expected, the kernel replaces the attacker-specified handle with a pointer to the object in the victim process. The victim then treats that pointer as part of the attacker-supplied input data, possibly making it available to the attacker at a later point in time.

One example of such an echo service is the "clipboard" service: Strings written using setPrimaryClip() can be read back using getPrimaryClip().

A PoC that leaks the addresses of the "permission", "package" and "clipboard" services from system_server is attached (source code and apk).

Its logcat output looks like this:

===============
[...]
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2a85
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 7362
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 17f
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: fd80
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 367b
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 4c0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2964
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
01-15 05:20:54.530 19158-19158/com.google.jannh.pointerleak E/leaker: == service "permission" ==
type: BINDER_TYPE_BINDER
object: 0x000000712967e260

== service "package" ==
type: BINDER_TYPE_BINDER
object: 0x000000712963cfc0

== service "clipboard" ==
type: BINDER_TYPE_BINDER
object: 0x00000071367bfd80
===============


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40449.zip
    Python