The Guardian, 2015/03/20

0x00 Preface


Several vulnerabilities in the Android system can make the system reboot. The reboot itself is only a symptom: some of these vulnerabilities also allow privilege escalation, code execution and so on. This article uses the reboot symptom as its classification basis and collects these vulnerabilities in one place. The causes and nature of each vulnerability are briefly analyzed below, and compiled POCs and exploit demonstration videos are attached where possible.

0x01 Nexus 5 <=4.4.2 Local DOS


Vulnerability description (from https://labs.mwrinfosecurity.com/advisories/2014/11/05/nexus-5-4-4-2-local-dos/):

The Nexus 5 ships with a hidden system application for testing network connectivity. Before version 4.4.3, this app had a large number of exported activities that could be invoked from outside without any permission. One of these exported activities exposes the phone to a DOS attack: invoking it from another application reboots the phone directly.

Vulnerability hazards:

Besides invoking this component once to reboot the system, a malicious application that registers a receiver for the BOOT_COMPLETED broadcast and, on each boot, sends the appropriate intent to the vulnerable activity component puts the phone into a reboot loop.

Vulnerability details:

Vulnerable application package: com.lge.SprintHiddenMenu

Vulnerable component: com.lge.SprintHiddenMenu.sprintspec.SCRTN. This component is exported and has no access restriction at all. The following command reboots the Nexus 5:

    adb shell am start -n com.lge.SprintHiddenMenu/com.lge.SprintHiddenMenu.sprintspec.SCRTN

Bug fix:

From 4.4.3 on, the system protects this component with a permission: only applications that have applied for the com.lge.permission.SPRINTHIDDEN permission can invoke the com.lge.SprintHiddenMenu.sprintspec.SCRTN component.

0x02 DOS caused by a malformed AndroidManifest.xml:


http://blog.trendmicro.com/trendlabs-security-intelligence/malformed-androidmanifest-xml-in-apps-can-crash-mobile-devices/

Two methods:

First method: strings.xml entries referenced by manifest tags (such as a permission name, label or activity name) contain excessively long strings. PackageParser then needs a large amount of memory to parse the XML, which leads to a memory overflow and a PackageParser crash. Every service that depends on PackageParser stops running, and the system reboots.

Below is a compiled POC application that requests no permissions and contains no malicious code; it only uses an extremely long string in the label tag of strings.xml. Once installed and run, it reboots the system.

Cloud disk download address:

http://yunpan.cn/cZK5pQRasVrAr (code: f256)

Second method: if a large number of activities or services in an APK declare the intent-filter shown below, the application produces the same number of launcher icons after installation. When the number of such activities or services exceeds 10,000 the system reboots, and when it exceeds 100,000 the device reboots repeatedly.

    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>

0x03 Nexus 6 Restarts Abnormally


Running the following command reboots the Nexus 6:

    $ adb shell cat /d/pc_debug_counter

The exact cause is unknown, but according to some people on Twitter it is caused by the scnprintf() call in msm_pc_debug_counters_copy() in the kernel driver file arch/arm/mach-msm/msm-pm.c.

See [1] for a description of the scnprintf() API: it returns the number of characters actually written to the buffer.

Two versions of this file can be found online. The old version [2] is as follows:

The vulnerability may be caused by MSM_PC_NUM_COUNTERS being 4 while counter_name has only 3 entries: j reaches 3 in the loop, so the index in counter_name[j] goes out of bounds.

The new version [3] is shown below; the new file handles this case inside the loop.
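As an added illustration of the pattern described above (modelled code, not the msm-pm.c driver source; the name-table bound check is an assumption about the fix): a user-space re-implementation of scnprintf() and a counter read handler that formats four counters with only three names, checking the index before it touches counter_name and using scnprintf's return value to keep every write inside the buffer.

```cpp
#include <cstdarg>
#include <cstdio>
#include <cstring>

// Modelled on the driver pattern described in the text; not the msm-pm.c source.
// Four counters (MSM_PC_NUM_COUNTERS in the text) but only three names, so an
// unchecked counter_name[j] with j == 3 would read past the end of the table.
static const int kNumCounters = 4;
static const char* const kCounterName[] = {"wfi", "retention", "pc"};  // constructed names
static const int kNumNames = sizeof(kCounterName) / sizeof(kCounterName[0]);

// User-space re-implementation of the kernel's scnprintf(): returns the number
// of characters actually written (excluding the NUL), never more than size - 1.
// snprintf() instead returns the length it would have needed, so accumulating
// its return value as an offset can walk past the end of the buffer.
static int scnprintf(char* buf, size_t size, const char* fmt, ...) {
    if (size == 0) return 0;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0) return 0;
    return (size_t)n < size ? n : (int)size - 1;
}

// Read handler with the bound check (assumed fix): the index into the name
// table is compared against the table's real length, and the running offset
// comes from scnprintf's return value, so the write stays inside buf.
// Returns the number of bytes placed in buf.
static int format_counters(char* buf, size_t size, const unsigned* counters) {
    if (size == 0) return 0;
    size_t off = 0;
    for (int j = 0; j < kNumCounters; ++j) {
        const char* name = (j < kNumNames) ? kCounterName[j] : "unknown";
        off += scnprintf(buf + off, size - off, "%s: %u\n", name, counters[j]);
        if (off >= size - 1) break;  // buffer full: stop instead of overrunning
    }
    return (int)off;
}
```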

0x04 CVE-2014-7911


http://seclists.org/fulldisclosure/2014/Nov/51

Vulnerability Overview:

In Android < 5.0, java.io.ObjectInputStream does not check whether the object being deserialized is legitimate.

Vulnerability details:

java.io.ObjectInputStream does not verify the authenticity of the object being deserialized. This means an attacker can construct an arbitrary serialized object whose attribute values the attacker chooses. This malicious object is otherwise useless and is eventually collected by the GC, which calls the object's finalize() method.

In Android, system_server runs as root. Other applications communicate with it through Intents by attaching a Bundle object to the Intent, and the Bundle can carry a serialized object. Any other application can therefore attack system_server in this way.

The BinderProxy class contains a finalize() method that calls android_os_BinderProxy_destroy() [4] in the native layer, passing two of the object's field values to it as pointers.

If an attacker can place data at a known memory address in system_server, arbitrary code can be executed. Android randomizes the address space with ASLR, but every app is forked from the Zygote process and all of them share the same basic memory layout, so system_server's ASLR can be bypassed.

Exploit:

The POC forges an object of the class aadroid.os.BinderProxy and passes it to the system_server JVM; when a GC collection is triggered, system_server treats it as android.os.BinderProxy and invokes android_os_BinderProxy_destroy(), which gets the code executed.

Compiled POC: http://yunpan.cn/cZK5NuMJspXAc (code: 5962)

Vulnerability demo video: http://v.youku.com/v_show/id_XOTE0MDgxODE2.html

0x05 CVE-2015-1474


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1474

Vulnerability Overview:

The GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp of Google Android has an integer overflow error. An attacker can crash an application or execute arbitrary code by passing excessively large file descriptor or integer counts.

Affected systems:

Google Android 5.0

Vulnerability hazards:

A remote attacker can exploit this vulnerability to cause an application denial of service or execute arbitrary code.

Exploit:

Attack system_server using the same method as for CVE-2014-7911.

Bug fix:

Google has released a patch that checks and limits the maximum values of numFds and numInts.

Before the repair:

https://android.googlesource.com/platform/frameworks/native/+/4aaa39358f538d8e06e026385bb8be8088d78c35/libs/ui/GraphicBuffer.cpp

After the repair:

https://android.googlesource.com/platform/frameworks/native/+/38803268570f90e97452cd9a30ac831661829091/libs/ui/GraphicBuffer.cpp

Interested readers can also build the patched AOSP code themselves, following this tutorial: https://gist.github.com/Fuzion24/068fe36bb5b762367921
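As an added illustration of the bug and its fix described above (modelled code, not the AOSP GraphicBuffer.cpp source; the flattened layout and the field positions are assumptions): the unchecked count arithmetic that wraps around beside the version that bounds numFds and numInts before the size computation.

```cpp
#include <cstdint>

// Modelled on the GraphicBuffer::unflatten() bug and fix described in the
// text; not the AOSP source. Assumed flattened layout: a 10-int header with
// header[8] = numFds and header[9] = numInts, followed by numInts ints.
// uint32_t stands in for size_t on the 32-bit devices of the time.
enum Status { OK = 0, NO_MEMORY, BAD_VALUE };
static const uint32_t kHeaderInts = 10;
static const uint32_t kIntSize = 4;

struct Counts { uint32_t numFds; uint32_t numInts; };

// Before the fix: numInts goes straight from the untrusted buffer into a
// multiplication that wraps, so sizeNeeded becomes tiny, the size check
// passes, and the copy that followed would read far beyond the buffer.
static Status unflatten_before(const uint32_t* buf, uint32_t size, Counts& out) {
    if (size < kHeaderInts * kIntSize) return NO_MEMORY;
    out.numFds = buf[8];
    out.numInts = buf[9];
    const uint32_t sizeNeeded = (kHeaderInts + out.numInts) * kIntSize;  // can wrap
    if (size < sizeNeeded) return NO_MEMORY;
    return OK;
}

// After the fix: reject numFds and numInts before any arithmetic on them,
// bounding them by the largest count whose byte size still fits in 32 bits
// (the kind of limit the text says the patch introduced), then check size.
static Status unflatten_after(const uint32_t* buf, uint32_t size, Counts& out) {
    if (size < kHeaderInts * kIntSize) return NO_MEMORY;
    const uint32_t numFds = buf[8];
    const uint32_t numInts = buf[9];
    const uint32_t maxNumber = UINT32_MAX / kIntSize;
    if (numFds >= maxNumber || numInts >= maxNumber - kHeaderInts) return BAD_VALUE;
    const uint32_t sizeNeeded = (kHeaderInts + numInts) * kIntSize;  // cannot wrap now
    if (size < sizeNeeded) return NO_MEMORY;
    out.numFds = numFds;
    out.numInts = numInts;
    return OK;
}
```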

0x06 CVE-2014-0997 Android Wi-Fi Direct DOS Vulnerability


Vulnerability Overview:

Some Android devices can be DOSed while searching for devices to connect to directly over Wi-Fi. The attacker sends a carefully crafted 802.11 probe response frame; after receiving it, the affected device cannot properly handle the malformed data, and the system reboots.

Devices affected by the vulnerability:

Nexus 5 - Android 4.4.4
Nexus 4 - Android 4.4.4
LG D806 - Android 4.2.2
Samsung SM-T310 - Android 4.2.2
Motorola RAZR HD - Android 4.1.2

Other devices may also be affected.

Bug details:

Android uses a modified wpa_supplicant to provide the communication interface between the wireless driver and the Android platform framework. For more information about wpa_supplicant: http://w1.fi/wpa_supplicant/

The following function handles wpa_supplicant events; it finally returns a jstring by calling NewStringUTF(). https://gitorious.org/android-eeepc/base/source/a0332f171e7413f79f156e8685d1147d89bfc5ca:core/jni/android_net_wifi_Wifi.cpp#L127

The Wi-Fi Direct specification defines the P2P discovery process through which P2P devices exchange device information with each other; the device name is part of that information. The WifiP2pDevice class in wifi/java/android/net/wifi/p2p/WifiP2pDevice.java [5] represents a Wi-Fi P2P device. Its code is as follows: the constructor is initialized from the string returned by wpa_supplicant, which is the value returned by android_net_wifi_waitForEvent() mentioned earlier. If that wpa_supplicant event string is malformed, an IllegalArgumentException is thrown.

When some Android devices process a probe response frame whose Wi-Fi Direct (P2P) information element contains a device name attribute with specific bytes, the resulting supplicant event string causes this IllegalArgumentException to be thrown. WifiMonitor in the system process does not handle the exception, and the device reboots.

Part of the logcat output on a Nexus 5 reads as follows:

Poc:

File address: http://downloads.securityfocus.com/vulnerabilities/exploits/72311.py

This POC uses two open-source libraries, Lorcon [6] and PyLorcon2 [7]; PyLorcon2 is a Python wrapper around Lorcon.

These two libraries obtain wireless card information and enable monitor mode. The probe response frame is built by specifying the wireless channel and the source and destination information, and is finally sent as a response to the targeted device. The targeted device receives the malformed response data, does not handle the exception, and the system reboots as a result.

Here is a demo video of the bug we recorded:

http://v.youku.com/v_show/id_XODgwNzk2Nzk2.html

Summary: the causes of the above vulnerabilities can be summarized as follows:

(1) Boundary values of data types are not checked, leading to overflow attacks
(2) A malicious payload is transmitted
(3) An array index goes out of bounds
(4) Permissions are not restricted
(5) system_server is attacked

0x08 References:


[1] http://oss.org.cn/ossdocs/gnu_linux/kernel-api/r1980.html

[2] https://bot.bricked.de/showp1984/zarboz_m8wlv/raw/621cf6bec9f2b2fed94374c8cd949985a740dbbf/arch/arm/mach-msm/msm-pm.c

[3] https://github.com/dtsinc/DTS-Eagle-Integration_CAF-Android-kernel/blob/master/drivers/power/qcom/msm-pm.c

[4] https://code.google.com/p/android-source-browsing/source/browse/core/jni/android_util_Binder.cpp?repo=platform--frameworks--base&name=android-cts-4.2_r2

[5] https://android.googlesource.com/platform/frameworks/base/+/refs/heads/master/wifi/java/android/net/wifi/p2p/WifiP2pDevice.java

[6] https://code.google.com/p/lorcon/

[7] https://code.google.com/p/pylorcon2/