Hey Your Parcel Looks Bad - Fuzzing and Exploiting Parcel-ization Vulnerabilities in Android

Presented at Black Hat Asia 2016.

Binder is the heart of Android IPC and the parcel is its blood. Most things in Android can be, and are intended to be, parceled and unparceled from one process to another. Starting an activity? An intent will be parceled at the caller side and eventually unparceled at the receiver side. Calling a service? Same, except the receiver side is usually system_server or another privileged service process. Playing a video? Parcels are silently constructed and sent across /dev/binder to mediaserver.

Wait, what if the parcel is bad? A malicious attacking process can craft a malformed marshalled byte stream, thus triggering a vulnerability in the receiver side's processing function, corrupting some memory and achieving privilege escalation. We call it "BadParcel."

By fuzzing and code auditing, we have managed to find such high-severity vulnerabilities, most of which are also effective for the current Android 6.0, enabling a zero-permission attacking application to execute code in a target high-privilege process like mediaserver or system_server. We will introduce how we write and run our custom fuzzers to effectively generate crashes and identify those bugs, including discussion of and work on integration with ASAN and AFL.

Besides, we will also present how to exploit one of those bugs, turning it from a simple, benign-looking info-leak like an index-out-of-bound into reliable full PC control and shellcode execution in mediaserver. We will elaborate on the heap spray and memory feng shui techniques we use, which we believe could shed some light on exploiting this kind of bug.


Presenters:

  • Qidan He - KeenLab of Tencent
    Qidan He (a.k.a. Edward Flanker) is a security researcher focusing on mobile security at KeenLab of Tencent (formerly known as Keen Team). His major experience includes mobile security and program analysis. He has reported several vulnerabilities in Android system core components, which were confirmed and credited in multiple advisories. He has also reported vulnerabilities in famous apps, SDKs and ROMs used by millions, including those of Twitter, Slack, Shopify, Alibaba, Huawei and many more. Besides, he is a CTF enthusiast with Blue-lotus and participated in the DEF CON 21 Final in Las Vegas.
