Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Could you give me your email address? #2

Closed
ele7enxxh opened this issue Nov 10, 2017 · 13 comments
Closed

Could you give me your email address? #2

ele7enxxh opened this issue Nov 10, 2017 · 13 comments

Comments

@ele7enxxh
Copy link

Hi,

I have some other questions that need you help, but I do not have your email so I just submitted this issue. And my email is ele7enxxh@gmail.com.

Thanks!
@michalbednarski
Copy link
Owner

I guess issue is okay for asking questions here (or at least it was already used once that way in this repository)

@ele7enxxh
Copy link
Author

Thank for you reply.

I am interested in CVE-2017-0806, but I have no idea how to reproduce this vulnerability. Could you share POC or more details about it?

@michalbednarski
Copy link
Owner

Below is some context on why above behavior is vulnerability, which will be helpful if you're trying to reproduce this

For reference for everybody else, here's commit fixing that CVE.

Code diff doesn't make issue clear, commit message say a bit more, but to understand what the issue is we must step back to an old bug fixed in 2013 (not found by me)

Android bug 7699048 (LaunchAnyWhere)

Links (none of them by me):

Basically, above bug was that Account Authenticator could provide Intent in AccountManager.KEY_INTENT and that Intent was started.

As you can see in patch above, it was fixed by adding validation of KEY_INTENT in AccountManagerService in system_server and now flow is (more or less):

  1. Application starts system Activity to show account chooser (e.g. ChooseTypeAndAccountActivity)
  2. System Activity requests AccountManagerService to perform operation using Account Authenticator
  3. AccountManagerService in system_server binds to authenticator
  4. AccountManagerService invokes method on Account Authenticator and gets response from it
  5. AccountManagerService checks Bundle returned by Authenticator, if it has KEY_INTENT specified that points to Activity that doesn't belong to Authenticator, result is rejected.
  6. If everything was ok, AccountManagerService sends result Bundle back to system Activity
  7. If result Bundle has KEY_INTENT, system Activity launches Activity described by it

Now, in steps above there's an assumption that this bug can violate: that result Bundle won't spuriously change it's contents while it's being sent in step 6

"Self changing" Bundles

Now, to understand how we could cause Bundle to change it's contents while it's being sent, we need to understand how Bundles are sent between processes using Parcel.

Relevant code fragments:

Relevant characteristics of Parcel are:

  • Parcel doesn't remember types of data written to it (with the exception of "Active Objects", such as Binder and ParcelFileDescriptor, but these are not important here)
  • Above means that you can use writeString and later user readInt to read raw binary data that was put in Parcel
  • Preferred way of putting Objects to Parcel is by implementing Parcelable interface
  • When Parcelable is read from Parcel, Parcel uses ClassLoader to find class by name, any class present in system that implements Parcelable interface can be put in Bundle
  • It is responsibility of Parcelable implementation to always read same amount of data it has written, if it won't do so, next values from Parcel will be loaded from wrong offset

Now, that last point is what can be violated using this bug. This means, that using this bug it is possible to cause data written after GateKeeperResponse into Parcel can be read differently than it was written. By carefully constructing Bundle it's possible to create one that will contain different Intent when it's verified whenever target Activity belongs to Authenticator and different Intent when it's about to be passed to startActivity()

What to do with arbitrary startActivity() with system privileges

@ele7enxxh
Copy link
Author

Thank you so much for your help.

I have reproduced this issue on pixel device and bypass android-bug-7699048.

@Bany1 Bany1 mentioned this issue Apr 4, 2018
Closed
@ScottyBauer
Copy link

Sorry to dig up an old topic. I'm trying to wrap my head around the actual flow of how the combination of the gatekeeper response bug combined with launch anywhere primitive allows us to run any activity. At a high level it looks like we're able to hide intents inside of a malformed gatekeeper response. When the malformed gatekeeper response is un-seralized it ends up making the rest of the bundle look like there is an Intent? Is that high level overview correct?

@michalbednarski
Copy link
Owner

hide intents inside of a malformed gatekeeper response.

Well, GateKeeperResponse doesn't contain Intent at any point here, it just stays aside in same Bundle to throw serialization off, but key under which it sits is not accessed by code verifying nor launching Intent, those read KEY_INTENT which is relevant for them and serialization grabs all values which stay in Bundle.

The point is that Bundle has to be deserialized correctly and present one Intent (or possibly no Intent at all depending on which place in system is used to finally launch activity) and then that Bundle needs to be serialized by system and after second deserialization present different Intent.

I'll clean up and post tomorrow PoC.

@michalbednarski
Copy link
Owner

PoC is now posted at https://github.com/michalbednarski/ReparcelBug

@heeeeen
Copy link

heeeeen commented Jul 3, 2018
edited
Loading

Thank you for the information! I've been studying this topic since a series of this kind of vulnerabilities acknowledged in Android Security Bulletin. Now I find this original source! From other clues, I've already written a detailed writeup on this in http://www.ms509.com/2018/07/03/bundle-mismatch/ (Chinese)

@bagipro
Copy link

bagipro commented Nov 9, 2018

@michalbednarski
Hi, do you have any examples how CVE-2018-9522 could be exploited? I don't really see any danger in the changed code
https://android.googlesource.com/platform/frameworks/base/+/181dc252ddec574464882970d3fab290e8b625b5%5E%21/#F0

@michalbednarski
Copy link
Owner

CVE-2018-9522 is bug in same family of Parcelable mismatch bugs as CVE-2017-0806 this thread was originally about, has same impact and similar exploitation technique. Everything in this thread (except PoC which needs minor changes to actually target this bug) applies to CVE-2018-9522 as well.

@pwnipc
Copy link

pwnipc commented Oct 8, 2023

Hello @michalbednarski , couldn't find a way to reach out so I'll use this Issue. Uhmm, is it possible to spawn an activity that would inherit the system privileges or maybe launch an app with uid 1000 using this vulnerability or even change ADB's shell process uid to 1000?

@michalbednarski
Copy link
Owner

In general by "start Activity as system" I mean having system perform startActivity(attackerControlledIntent), not that launched Activity will be running as anything other than it'd usually run

In general case Parcel mismatch doesn't lead to code execution, although there were some specific cases where it did, for example on Android 12 Beta

For testing impact of issues on development builds of Android you can use su 1000 in adb or attach debugger to application running under that uid

@pwnipc
Copy link

pwnipc commented Oct 15, 2023

Thank you.

@michalbednarski michalbednarski mentioned this issue May 7, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@heeeeen @michalbednarski @ScottyBauer @ele7enxxh @bagipro @pwnipc