Introduction to Android Vulnerability Research

Introduction to Android Vulnerability Research

Preparing the Android Research Environment

High-Level Attack Surface

• Android Deep Linking: In Android, a deep link is a specific type of URL that allows an application to navigate directly to specific content or pages. At Pwn2Own 2022, a participant exploited a deep link vulnerability in the Samsung Galaxy Store, achieving code execution that allowed for the installation and launch of any app.
• Dynamic Code Loading: Android apps often utilize shared object files. For instance, CVE-2021-40724 was a vulnerability found in the Adobe PDF Reader app, where the app allowed users to provide the expected PDF path via a URL. However, the implementations did not validate the content of this path, resulting in a path traversal vulnerability. Attackers could exploit this flaw to create arbitrary files. A proof of concept (PoC) for this vulnerability demonstrated how to create a shared object file that the app would load by default, with content controlled by the attacker, thereby achieving RCE.
• Protected Components: In the Android system, an intent is a serializable (Parcelable) object. However, developers may inadvertently use incorrect calling methods or fail to conduct rigorous checks, resulting in attackers accessing sensitive information from the target app using third-party applications.

Low-level Attack surface

• Android Kernel: Since the Android kernel is based on the Linux kernel, vulnerabilities present in the Linux kernel can also manifest in the Android system. For example, vulnerabilities such as Dirty COW and Dirty Pipe can be reproduced in Android. However, due to differences in the operating system environment, the reproduction process may need to navigate issues such as SELinux.
• Android Kernel Driver: The Android kernel driver is responsible for communication with hardware devices. If vulnerabilities exist within these drivers, attackers may be able to escalate privileges and gain root access to the target device. For instance, multiple vulnerabilities have been identified in the ARM Mali GPU driver.
• Android TEE: The Android system primarily utilizes the Trusted Execution Environment (TEE) to enhance device security. Different manufacturers determine which TEE architecture to implement based on the CPU chipset. For example, Samsung Exynos employs the TEEGRIS environment, while the Pixel 4 XL uses Qualcomm’s QSEE. The attack surface of the TEE includes TEEOS and Trusted Applications (TAs).

Vulnerability reproduction

Dirty-Pipe Vulnerability Introduction

1. The file must have read and open permissions
2. Each write operation can only write 1 page size
3. The first byte of the page cannot be written.
4. None-regular files cannot be written

Privilege escalation in the Linux system

• Find the program with SUID flag as the target, such as /usr/bin/sudo. Overwrite the entry point of the SUID binary to the address of the shellcode after that it will spawn the shell with root privileges.

Reference

• https://starlabs.sg/blog/2023/06-the-old-the-new-and-the-bypass-one-clickopen-redirect-to-own-samsung-s22-at-pwn2own-2022/
• https://hulkvision.github.io/blog/post1/
• https://dirtypipe.cm4all.com/

TeamT5 specializes in cyber threat research and provides an endpoint detection and response (EDR) solution - ThreatSonar, which effectively detects and prevents enterprise system vulnerabilities from being abused by malicious parties and encountering cybersecurity attacks.

TeamT5 consists of top cyber threat analysts. Leveraging our geographic and cultural advantages, we have the best understanding of cyber attackers in Asia Pacific. TeamT5 is frequently invited to share insights at top cybersecurity conferences.

For vulnerability research and endpoint protection inquiries, please contact us at https://teamt5.org/en/request-information/