Android - Insufficient Binder Message Verification Pointer Leak

2016.10.04
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

When frameworks/native/libs/binder/Parcel.cpp reads e.g. a string from a parcel, it does not verify that the string doesn't overlap with any byte range that was tagged as a binder object by the sender. When an attacker sends a parcel to a victim process that contains an unexpected binder handle referring to an object from the victim process where string data is expected, the kernel replaces the attacker-specified handle with a pointer to the object in the victim process. The victim then treats that pointer as part of the attacker-supplied input data, possibly making it available to the attacker at a later point in time.

One example of a service that echoes such input back is the "clipboard" service: strings written using setPrimaryClip() can be read back using getPrimaryClip().

A PoC that leaks the addresses of the "permission", "package" and "clipboard" services from system_server is attached (source code and apk). Its logcat output looks like this:

===============
[...]
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2a85
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 7362
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 17f
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: fd80
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 367b
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 4c0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2964
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
01-15 05:20:54.530 19158-19158/com.google.jannh.pointerleak E/leaker: == service "permission" ==
type: BINDER_TYPE_BINDER
object: 0x000000712967e260
== service "package" ==
type: BINDER_TYPE_BINDER
object: 0x000000712963cfc0
== service "clipboard" ==
type: BINDER_TYPE_BINDER
object: 0x00000071367bfd80
===============

PoC: https://bugs.chromium.org/p/project-zero/issues/detail?id=860
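The missing check described above, as an added example that is not the advisory's PoC nor AOSP's Parcel.cpp: a simplified parcel model (data buffer plus the sorted offsets of sender-tagged binder objects) with a reader that refuses to hand back any byte range overlapping a tagged object. The 24-byte flat_binder_object size is an assumption taken from the 64-bit binder ABI.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed size of flat_binder_object (hdr + flags + binder/handle + cookie
// on a 64-bit kernel); the real Parcel gets this from the binder headers.
constexpr size_t kObjectSize = 24;

// Hypothetical simplified parcel: a flat byte buffer plus the offsets at
// which the sender tagged binder objects, kept sorted ascending like the
// real Parcel does with its objects array.
struct ParcelModel {
    std::vector<uint8_t> data;
    std::vector<size_t> objectOffsets;
};

// True if [offset, offset + len) touches any tagged binder object. Objects
// are sorted and non-overlapping, so binary search for the first object
// whose end lies past `offset` and see whether it starts before `offset + len`.
bool rangeOverlapsObject(const ParcelModel& p, size_t offset, size_t len) {
    if (len == 0) return false;
    const size_t end = offset + len;  // caller has already bounds-checked
    auto it = std::lower_bound(
        p.objectOffsets.begin(), p.objectOffsets.end(), offset,
        [](size_t objOff, size_t readOff) { return objOff + kObjectSize <= readOff; });
    return it != p.objectOffsets.end() && *it < end;
}

// Checked raw read: returns the bytes, or an empty vector when the range
// runs off the buffer or overlaps a binder object. A readString built on
// this never returns kernel-rewritten pointer bytes as "string" data.
std::vector<uint8_t> readBytesChecked(const ParcelModel& p, size_t offset, size_t len) {
    if (offset > p.data.size() || len > p.data.size() - offset) return {};
    if (rangeOverlapsObject(p, offset, len)) return {};
    return std::vector<uint8_t>(p.data.begin() + offset, p.data.begin() + offset + len);
}

// Constructed sample: 64 data bytes with objects tagged at offsets 8 and 40.
ParcelModel sampleParcel() {
    return ParcelModel{std::vector<uint8_t>(64, 0x41), {8, 40}};
}

int main() {
    const ParcelModel p = sampleParcel();
    std::printf("read 32..40 ok: %zu bytes\n", readBytesChecked(p, 32, 8).size());
    std::printf("read 0..16 refused: %s\n", readBytesChecked(p, 0, 16).empty() ? "yes" : "no");
    return 0;
}
```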

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=860

