- Exploring SE for Android
- William Confer William Roberts
- 530 words
- 2021-07-23 20:37:34
Glancing at Android vulnerabilities
With our newly found understanding of the DAC permission model and some of its limitations, let's look at some Android exploits against it. We will cover only a few exploits to understand how the DAC model failed.
Skype vulnerability
CVE-2011-1717 was released in 2011. In this exploit, the Skype application left a SQLite3 database world readable (something analogous to 0666 permissions). This database contained usernames and chat logs, and personal data such as name and e-mail. An application called Skypwned was able to demonstrate this capability. This is an example of how being able to change the permissions on your objects could be bad, especially when the case opens READ to OTHERS.
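The Skype flaw is a pure DAC mistake, so the defensive check is equally simple: audit an app's private data directory for regular files whose mode bits grant READ or WRITE to OTHERS. The following program is an added example, not code from the book or from Skype; the directory and file names it creates under /tmp are constructed so that it can run stand-alone.

```c
/* Added example (not from the book): audit a data directory for files whose
 * DAC mode exposes them to OTHERS, the flaw behind the Skype database issue.
 * The sandbox directory and file names used in main() are constructed. */
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Nonzero if the mode bits grant READ or WRITE to OTHERS. */
int mode_exposed_to_others(mode_t mode) {
    return (mode & (S_IROTH | S_IWOTH)) != 0;
}

/* Walk one directory (non-recursive), print every regular file that is
 * readable or writable by OTHERS, and return the number of findings. */
int audit_dir(const char *dir) {
    DIR *d = opendir(dir);
    if (!d) { perror(dir); return -1; }
    int findings = 0;
    struct dirent *ent;
    char path[4096];
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        struct stat st;
        if (lstat(path, &st) != 0) { perror(path); continue; }
        if (!S_ISREG(st.st_mode)) continue;          /* skip dirs, sockets, links */
        if (mode_exposed_to_others(st.st_mode)) {
            printf("EXPOSED %04o %s\n", (unsigned)(st.st_mode & 07777), path);
            findings++;
        }
    }
    closedir(d);
    return findings;
}

/* Create a file and force its mode explicitly, regardless of the umask. */
int create_with_mode(const char *path, mode_t mode) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

int main(void) {
    char dir[] = "/tmp/dac-audit-XXXXXX";          /* constructed sandbox */
    if (!mkdtemp(dir)) { perror("mkdtemp"); return 1; }
    char bad[256], good[256];
    snprintf(bad, sizeof bad, "%s/chat.db", dir);
    snprintf(good, sizeof good, "%s/prefs.xml", dir);
    create_with_mode(bad, 0666);    /* the Skype-style mistake */
    create_with_mode(good, 0600);   /* what a private file should look like */
    int n = audit_dir(dir);
    printf("%d exposed file(s)\n", n);
    unlink(bad); unlink(good); rmdir(dir);
    return n ? 1 : 0;
}
```

The check keys on mode bits rather than on trying to open the file, so it gives the same answer whether it runs as root or as the app's own UID; on a device the same walk over /data/data/<package> is what a reviewer would run to catch a 0666 database before an attacker does.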
GingerBreak
CVE-2011-1823 showcases a root attack on Android. The volume management daemon (vold) on Android is responsible for the mounting and unmounting of the external SD card. The daemon listens for messages over a NETLINK socket. The daemon never checked where the messages were sourced from, and any application could open and create a NETLINK socket to send messages to vold. Once the attacker opened the NETLINK socket, they sent a very carefully crafted message to bypass a sanity check. The check tested a signed integer for a maximum bound, but never checked it for negativity. It was then used to index an array. This negative access would lead to memory corruption and, with a proper message, could result in the execution of arbitrary code. The GingerBreak implementation resulted in an arbitrary user gaining root privileges, a textbook privilege escalation attack. Once rooted, the device's sandboxes were no longer valid.
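Two checks were missing in the vold bug described above: who sent the message, and whether the signed index is non-negative. The program below is an added example (not vold's code) that shows the flawed upper-bound-only check beside the fixed one and adds a sender check; the lookup table, the message fields and the policy that only uid 0 / nl_pid 0 (the kernel) may send uevents are assumptions made for the example.

```c
/* Added example (not vold's code): the two validation gaps in the GingerBreak
 * description, shown as a flawed check beside a fixed one. The table, message
 * fields and sender policy are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

#define MAX_ENTRIES 8
static const char *table[MAX_ENTRIES] = {
    "add", "remove", "change", "online", "offline", "mount", "unmount", "bind"
};

/* Flawed: only the upper bound is tested, so a negative index passes. */
int index_ok_flawed(int idx) {
    return idx < MAX_ENTRIES;
}

/* Fixed: reject negative values and the off-by-one idx == MAX_ENTRIES. */
int index_ok_fixed(int idx) {
    return idx >= 0 && idx < MAX_ENTRIES;
}

/* Assumed policy: a kernel-originated netlink message carries nl_pid 0 and,
 * via SCM_CREDENTIALS, uid 0. Anything else is another process on the
 * system and is ignored rather than parsed. */
int sender_is_kernel(uid_t uid, uint32_t nl_pid) {
    return uid == 0 && nl_pid == 0;
}

/* Handler that applies both checks before the table is touched.
 * Returns the entry name, or NULL when the message is rejected. */
const char *handle_message(uid_t sender_uid, uint32_t sender_pid, int idx) {
    if (!sender_is_kernel(sender_uid, sender_pid)) return NULL;
    if (!index_ok_fixed(idx)) return NULL;
    return table[idx];
}

int main(void) {
    int probes[] = { 0, 7, 8, -1, -100 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int v = probes[i];
        printf("idx=%5d  flawed:%-6s  fixed:%s\n", v,
               index_ok_flawed(v) ? "accept" : "reject",
               index_ok_fixed(v) ? "accept" : "reject");
    }
    const char *r = handle_message(0, 0, 3);
    printf("kernel message, idx 3 -> %s\n", r ? r : "rejected");
    r = handle_message(10001, 4242, 3);     /* constructed app uid/pid */
    printf("app message, idx 3    -> %s\n", r ? r : "rejected");
    return 0;
}
```

The point of keeping `index_ok_flawed` is to make the failure visible in the output: -1 and -100 are accepted by the original shape of the check, which is exactly the input the page describes being turned into an out-of-bounds access.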
Rage against the cage
CVE-2010-EASY is a setuid exhaustion via fork bomb attack. It successfully attacks the adb daemon on Android, which starts life as root and downgrades its permissions if root is not needed. This attack keeps adb as root and returns a root shell to the user. In Linux kernel 2.6, the setuid system call returns an error when the running-process limit RLIMIT_NPROC has been reached. The adb daemon code does not check the return of setuid, which leaves a small race window open for the attacker. The attacker needs to fork enough processes to reach RLIMIT_NPROC and then kill the daemon. The adb daemon downgrades to the shell UID and the attacker runs the program as the shell USER, thus the kill will work. At this point, the adb service is respawned, and if RLIMIT_NPROC is maxed out, setuid will fail and adb will stay running as root. Then, running adb shell from a host returns a nice root shell to the user.
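The defensive lesson is that a privilege drop must fail closed: check every return value and verify the resulting IDs. The program below is an added example, not adbd's code; it takes the uid- and gid-changing calls as function pointers so that a constructed stand-in that fails with EAGAIN can show how the unchecked pattern silently keeps root while the checked one refuses to continue, without having to exhaust RLIMIT_NPROC on the test machine.

```c
/* Added example (not adbd's code): the privilege-drop pattern the text says
 * adbd got wrong, with the setuid/setgid calls injected so both variants can
 * be exercised against a constructed EAGAIN failure. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*setuid_fn)(uid_t);
typedef int (*setgid_fn)(gid_t);

/* Flawed: return values are ignored. When setuid fails with EAGAIN because
 * RLIMIT_NPROC is reached, the process carries on as root believing it
 * dropped privileges. */
int drop_privs_flawed(setuid_fn su, setgid_fn sg, uid_t uid, gid_t gid) {
    sg(gid);
    su(uid);
    return 0;   /* always reports success */
}

/* Checked: drop the group first (it would fail after the uid change), test
 * each return value, then verify the real and effective uid actually moved. */
int drop_privs_checked(setuid_fn su, setgid_fn sg, uid_t uid, gid_t gid) {
    if (sg(gid) != 0) {
        fprintf(stderr, "setgid(%u) failed: %s\n", (unsigned)gid, strerror(errno));
        return -1;
    }
    if (su(uid) != 0) {
        fprintf(stderr, "setuid(%u) failed: %s\n", (unsigned)uid, strerror(errno));
        return -1;
    }
    if (getuid() != uid || geteuid() != uid) {
        fprintf(stderr, "uid did not change; refusing to continue\n");
        return -1;
    }
    return 0;
}

/* Constructed stand-in for setuid() failing under process-limit pressure. */
int setuid_eagain(uid_t uid) {
    (void)uid;
    errno = EAGAIN;
    return -1;
}

int main(void) {
    uid_t me = getuid();
    gid_t mg = getgid();
    printf("real setuid to own uid: checked=%d\n",
           drop_privs_checked(setuid, setgid, me, mg));
    printf("simulated EAGAIN:       flawed=%d checked=%d\n",
           drop_privs_flawed(setuid_eagain, setgid, me, mg),
           drop_privs_checked(setuid_eagain, setgid, me, mg));
    return 0;
}
```

A daemon written in the checked style would exit (or refuse to serve) instead of respawning as root, which closes the race window the fork bomb relies on; the post-call `getuid()`/`geteuid()` comparison is cheap insurance against any future wrapper that swallows the error.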
MotoChopper
CVE-2013-2596 is a vulnerability in the mmap functionality of a Qualcomm video driver. Access to the GPU is provided to apps to do advanced graphics rendering such as in the case of OpenGL calls. The vulnerability in mmap allows the attacker to mmap kernel address space, at which point the attacker is able to directly change their kernel credential structure. This exploit is an example where the DAC model was not at fault. In reality, outside of patching the code or removing direct graphics access, nothing but programming checks of the mmap bounds could have prevented this attack.
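Since the text concludes that only a bounds check on the mmap request could have stopped MotoChopper, the following added example (not the Qualcomm driver's code) shows what such a check looks like when written to be overflow-safe. A real driver would derive the offset and length from the vm_area_struct passed to its mmap handler; here they are plain parameters, and the buffer size and page size are constructed constants.

```c
/* Added example (not the driver's code): overflow-safe validation of a
 * user-controlled mmap request against a fixed device buffer. The page size
 * and buffer size are constructed constants. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE_ASSUMED 4096u
#define DEVICE_BUF_PAGES  16u        /* constructed: 64 KiB mappable */

static uint64_t device_buf_size(void) {
    return (uint64_t)DEVICE_BUF_PAGES * PAGE_SIZE_ASSUMED;
}

/* Flawed form: offset + length can wrap around to a small value, so a huge
 * length slips past the comparison and the mapping reaches outside the buffer. */
bool mmap_range_flawed(uint64_t offset, uint64_t length) {
    return offset + length <= device_buf_size();
}

/* Fixed form: true only if [offset, offset+length) is page-aligned and lies
 * entirely inside the buffer. The subtraction cannot wrap because offset is
 * already known to be below buf_size. */
bool mmap_range_ok(uint64_t offset, uint64_t length) {
    uint64_t buf_size = device_buf_size();
    if (length == 0) return false;
    if (offset % PAGE_SIZE_ASSUMED != 0 || length % PAGE_SIZE_ASSUMED != 0)
        return false;
    if (offset >= buf_size) return false;
    if (length > buf_size - offset) return false;
    return true;
}

int main(void) {
    struct { uint64_t off, len; } probes[] = {
        { 0, device_buf_size() },                 /* whole buffer: fine */
        { device_buf_size() - 4096, 8192 },       /* runs one page past the end */
        { 4096, UINT64_MAX - 4095 },              /* sum wraps to exactly 0 */
        { 100, 4096 },                            /* unaligned offset */
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("off=%-20" PRIu64 " len=%-20" PRIu64 " flawed:%s fixed:%s\n",
               probes[i].off, probes[i].len,
               mmap_range_flawed(probes[i].off, probes[i].len) ? "accept" : "reject",
               mmap_range_ok(probes[i].off, probes[i].len) ? "accept" : "reject");
    }
    return 0;
}
```

The third probe is the instructive one: the flawed check sees `4096 + (2^64 - 4096)` wrap to 0 and accepts it, while the fixed check rejects it because the length exceeds what remains after the offset.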