Wednesday, 5 August 2015

HB Blog 87: Android Root Equivalent Vulnerabilities Detected And Fixed.

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
Many root-equivalent vulnerabilities have been found in Android that an application could exploit. This means vulnerabilities that allow an application (malicious or compromised) either to gain root directly or to gain privileges that can then be used to obtain root. Below I have listed a few Android vulnerabilities that were detected and fixed, with their basic descriptions:

Name:- dhcpd buffer overrun.
Root Category:- Network.
Description:- The specific flaw exists within the parsing of the DHCP options in a DHCP ACK packet. The vulnerability is triggered when the LENGTH of an option, when added to the current read position, exceeds the actual length of the DHCP options buffer. An attacker can leverage this vulnerability to execute code on the device. This remote code execution vulnerability executes code as the dhcp user, which limits its severity.
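As an added example (not the dhcpd code the post refers to), here is a bounds-checked parser for the DHCP options region that rejects exactly the condition described above: an option length that would carry the read position past the end of the buffer. The option layout (code, length, data) and the two sample buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* One parsed option; data points into the caller's buffer. */
struct dhcp_opt {
    uint8_t code;
    uint8_t len;
    const uint8_t *data;
};

/* Parses DHCP options (code 0 = one-byte pad, code 255 = end of options).
 * Returns the number of options found, or -1 if any length field would
 * move the read position past the end of the buffer. */
int parse_dhcp_options(const uint8_t *buf, size_t buflen,
                       struct dhcp_opt *out, size_t max_out)
{
    size_t pos = 0, n = 0;
    while (pos < buflen) {
        uint8_t code = buf[pos++];
        if (code == 0)   continue;        /* pad */
        if (code == 255) return (int)n;   /* end option */
        if (pos >= buflen) return -1;     /* length byte itself is missing */
        uint8_t len = buf[pos++];
        /* The check a vulnerable parser lacks: compare the claimed length
         * against the space actually remaining instead of trusting it. */
        if (len > buflen - pos) return -1;
        if (n < max_out) {
            out[n].code = code;
            out[n].len  = len;
            out[n].data = buf + pos;
        }
        n++;
        pos += len;
    }
    return (int)n;   /* ran out of buffer without an end option, still in bounds */
}

/* Constructed sample: subnet mask (1) and router (3) options, then end. */
static const uint8_t good_opts[] = { 1, 4, 255, 255, 255, 0,
                                     3, 4, 192, 168, 1, 1, 255 };
/* Constructed sample: option 3 claims 200 bytes but only 4 remain. */
static const uint8_t bad_opts[]  = { 1, 4, 255, 255, 255, 0,
                                     3, 200, 192, 168, 1, 1 };

int parse_good(void) { struct dhcp_opt o[8]; return parse_dhcp_options(good_opts, sizeof good_opts, o, 8); }
int parse_bad(void)  { struct dhcp_opt o[8]; return parse_dhcp_options(bad_opts,  sizeof bad_opts,  o, 8); }
```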

Name:- TowelRoot.
Root Category:- Network.
Description:- The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.

Name:- Defy republic init_runit.
Root Category:- Permissions.
Description:- A certain configuration of Android 2.3.7 on the Motorola Defy XT phone for Republic Wireless uses init to create a /dev/socket/init_runit socket that listens for shell commands, which allows local users to gain privileges by interacting with a LocalSocket object. Stack-based buffer overflow in the sub_E110 function in init in a certain configuration of Android 2.3.7 on the Motorola Defy XT phone for Republic Wireless allows local users to gain privileges or cause a denial of service (memory corruption) by writing a long string to the /dev/socket/init_runit socket that is inconsistent with a certain length value that was previously written to this socket.

Name:- Qualcomm chown init scripts.
Root Category:- Permissions.
Description:- Insecure owner/permission changes in init shell scripts: During the device start-up phase, several init shell scripts are executed with root privileges to configure various aspects of the system. During this process, standard toolchain commands such as chown or chmod are used to, e.g., change the owner of the sensor settings file to the system user. As these commands follow symbolic links (symlinks), an attacker with write access to these resources is able to conduct symlink attacks and thus change for example the owner of an arbitrary file to system. This flaw can be used to, e.g., elevate privileges.

Name:- APK duplicate file.
Root Category:- Signature.
Description:- Android does not properly check cryptographic signatures for applications, which allows attackers to execute arbitrary code via an application package file (APK) that is modified in a way that does not violate the cryptographic signature.

Name:- Fake ID.
Root Category:- Signature.
Description:- The software does not properly validate an application's certificate chain. An application can supply a specially crafted application identity certificate to impersonate a privileged application and gain access to vendor-specific device administration extensions. The vulnerability resides in the createChain() and findCert() functions of the Android JarUtils class.

Name:- RageAgainstTheCage adb.
Root Category:- System.
Description:- adb fails to check the setuid return code, and the call can be made to fail when the shell user already has RLIMIT_NPROC processes.
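The corrective pattern, as an added example rather than adb's own code: treat a failed setuid() as fatal and verify the resulting uid, so a process-limit failure (setuid reporting EAGAIN because the target uid is at RLIMIT_NPROC) can never leave the daemon running with its original privileges. The function name drop_to_uid is an assumption for the example.

```c
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 only when the process really runs as `target` afterwards.
 * setuid() can fail with EAGAIN when `target` already has RLIMIT_NPROC
 * processes; returning -1 here, instead of carrying on as before, is the
 * check the post says adb omitted. */
int drop_to_uid(uid_t target)
{
    if (setuid(target) != 0) {
        /* errno is EAGAIN for a process-limit failure, EPERM otherwise;
         * either way the caller must stop, not proceed as the old uid. */
        return -1;
    }
    /* Verify the change took effect for both real and effective uid. */
    if (getuid() != target || geteuid() != target) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Demonstration helper: dropping to the uid we already have must succeed. */
int drop_to_self(void)
{
    return drop_to_uid(getuid());
}
```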

Name:- keystore buffer.
Root Category:- System.
Description:- Stack-based buffer overflow in the encode_key function in /system/bin/keystore in the KeyStore service in Android 4.3 allows attackers to execute arbitrary code, and consequently obtain sensitive key information or bypass intended restrictions on cryptographic operations, via a long key name.

Name:- Qualcomm Gandalf camera driver.
Root Category:- Kernel.
Description:- The camera driver provides several interfaces to user space clients. The user space clients communicate to the kernel via syscalls such as ioctl or mmap. The camera driver provides an uncontrolled mmap interface that allows an application with access to the device file to map physical memory exceeding the camera driver's memory into user space. A locally installed, unprivileged application can use this flaw to escalate privileges.

Name:- Qualcomm out of bounds camera.
Root Category:- Kernel.
Description:- The camera driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_ioctl_server, msm_server_send_ctrl, and msm_ctrl_cmd_done functions use a user-supplied value as an index to the server_queue array for read and write operations without any boundary checks. A local application with access to the camera device nodes can use this flaw to, e.g., elevate privileges.
