The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
S
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Google Android Inter-process munmap in android.util.MemoryIntArrayThe MemoryIntArray class allows processes to share an in-memory array of integers by transferring an ashmem file descriptor. As the class implements the Parcelable interface, it can be passed within a Parcel or a Bundle and transferred via binder to remote processes.
The implementation of MemoryIntArray keeps track of the "owner" of each instance by recording the pid of the creating process within the constructor and serializing it to the Parcel whenever the instance is marshalled.
Moreover, each MemoryIntArray instance keeps an additional field, mMemoryAddr, denoting the address at which the array is mapped in memory. This field is also written to a Parcel whenever the instance is marshalled (therefore transferring instances of MemoryIntArray between processes automatically reveals information about the address-space of the sharing process, constituting an information-leak).
When MemoryIntArray instances are deserialized, they perform a check to see whether or not the current process is the "owner" process of the deserialized instance. If so, the transferred memory address in the parcel is used as the memory address of the shared buffer (as the address space in which the array was created is the same as the current address space).
Since all of the fields above are simply written to a Parcel, they can be easily spoofed by an attacker to contain any value. Specifically, this means an attacker may and set the mPid field to the pid of a remote process to which the MemoryIntArray is being sent, and may also set the mMemoryAddr field to point to any wanted memory address. Placing such an instance within a Bundle means that any function the unparcels the Bundle will deserialize the embedded instance, creating a new fully controlled instance in the remote process.
Here is a short snippet of the constructor which creates new instances from a given Parcel:
private MemoryIntArray(Parcel parcel) throws IOException {
mOwnerPid = parcel.readInt();
mClientWritable = (parcel.readInt() == 1);
mFd = parcel.readParcelable(null);
if (mFd == null) {
throw new IOException("No backing file descriptor");
}
final long memoryAddress = parcel.readLong();
if (isOwner()) { //mOwnerPid == Process.myPid()
mMemoryAddr = memoryAddress;
} else {
mMemoryAddr = nativeOpen(mFd.getFd(), false, mClientWritable);
}
}
Lastly, once the MemoryIntArray instance is garbage collected, its finalizer is called in order to unmap the shared buffer:
static void android_util_MemoryIntArray_close(JNIEnv* env, jobject clazz, jint fd,
jlong ashmemAddr, jboolean owner)
{
if (fd < 0) {
jniThrowException(env, "java/io/IOException", "bad file descriptor");
return;
}
int ashmemSize = ashmem_get_size_region(fd);
if (ashmemSize <= 0) {
jniThrowException(env, "java/io/IOException", "bad ashmem size");
return;
}
int unmapResult = munmap(reinterpret_cast<void *>(ashmemAddr), ashmemSize);
if (unmapResult < 0) {
jniThrowException(env, "java/io/IOException", "munmap failed");
return;
}
...
}
Putting this together, an attacker may serialize a MemoryIntArray instance with a controlled memory address and ashmem file descriptor in order to cause any remote process which deserializes it to call munmap with a controlled memory address and size. This can then be leveraged by an attacker to replace key memory regions in the remote process with attack-controlled data, achieving code execution.
I've attached a small PoC which uses this bug in order to unmap libc.so from the address-space of system_server.
################################################################################
Attaching another version of the PoC, adjusted for Android 7.1 (since MemoryIntArray's fields have slightly changed). This version also finds the specific PID of system_server (via /proc/locks) to avoid flooding the process with too many file descriptors.
Note that the PoC needs to be executed several times in order to trigger the vulnerability, since the MemoryIntArray instances are sometimes not finalized immediately (I'm unsure why - this leaks file descriptors in system_server).
Here is a sample crash from a successful execution of the PoC:
11-22 11:51:58.574 28893 28893 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
11-22 11:51:58.575 28893 28893 F DEBUG : Build fingerprint: 'Android/sdk_google_phone_x86_64/generic_x86_64:7.1.1/NPF10D/3354678:userdebug/test-keys'
11-22 11:51:58.575 28893 28893 F DEBUG : Revision: '0'
11-22 11:51:58.575 28893 28893 F DEBUG : ABI: 'x86_64'
11-22 11:51:58.575 28893 28893 F DEBUG : pid: 26559, tid: 26574, name: Binder:26559_2 >>> system_server <<<
11-22 11:51:58.575 28893 28893 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7ffef7482000
11-22 11:51:58.575 28893 28893 F DEBUG : rax 0000000000000000 rbx 0000000013526e20 rcx 000000006f45a0b0 rdx 00000000000001d0
11-22 11:51:58.575 28893 28893 F DEBUG : rsi 00007ffef7482000 rdi 0000000013526e2c
11-22 11:51:58.575 28893 28893 F DEBUG : r8 00007ffef7482000 r9 00000000000001d0 r10 00000000fffffff0 r11 00007ffef42ed8b8
11-22 11:51:58.576 28893 28893 F DEBUG : r12 00000000000001d0 r13 00007ffedf71470c r14 00007ffef7482000 r15 0000000000000000
11-22 11:51:58.576 28893 28893 F DEBUG : cs 0000000000000033 ss 000000000000002b
11-22 11:51:58.576 28893 28893 F DEBUG : rip 00007ffef423ed31 rbp 00007ffeea5b3dc0 rsp 00007ffedf7144d0 eflags 0000000000000283
11-22 11:51:58.577 28893 28893 F DEBUG :
11-22 11:51:58.577 28893 28893 F DEBUG : backtrace:
11-22 11:51:58.577 28893 28893 F DEBUG : #00 pc 000000000001cd31 /system/lib64/libc.so (memcpy+33)
11-22 11:51:58.577 28893 28893 F DEBUG : #01 pc 0000000000925e1f /dev/ashmem/dalvik-main space (deleted) (offset 0x1000)
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum