Fuzzing Android System Services by Binder Call to Escalate Privilege

Presented at Black Hat USA 2015, Aug. 6, 2015, 5 p.m. (25 minutes).

Binder is the IPC Mechanism in Android. It's used in Communication not only between processes with the same privilege but also between low privileged Apps and high privileged system services. The system services is a juicy attack surface to escalate privileges because parameters passed to it through binder call lack sanitization, but until now there are little disclosed vulnerabilities of this type.

In this presentation, I'll first introduce this attack surface and then demonstrate the first fuzzing tools to find this kind of vulnerabilities. The tool take the binder interfaces exported from system services as attacked targets. This tool is simple but efficient. Through this tool I've found 8 vulnerabilities with CVE-IDs got from Android Security Team and dozens of crashes of system services. At last, I'll detail how to exploit this type of vulnerability to get Android's system_server permission by an unpublicized vulnerability.


Presenters:

  • Guang Gong - Qihoo 360
    Guang Gong is a security researcher at Qihoo 360 and a former employee of VMware.

Links:

Similar Presentations: