Introduction to Android Vulnerability Research
Preparing the Android Research Environment
The environment for conducting Android vulnerability research can be categorized into emulator environments and physical device environments. There are notable differences between research conducted on emulators and physical devices. For instance, emulator environments cannot replicate hardware interactions, and different manufacturers implement their applications and protection mechanisms. Therefore, for research purposes, the primary focus will be on physical devices.
It is advisable to choose a physical phone that is more convenient for rooting, such as devices from Google or Xiaomi. Rooting is intended to provide researchers with more convenient usage and minimize the impact of the SELinux security mechanism.
High-Level Attack Surface
The attack surface at the Android application level is extensive, including misconfigurations in protected components that allow the app to access arbitrary system files. Additionally, if app developers dynamically load libraries from system paths, with path traversal vulnerabilities, attackers can load malicious shared object files, enabling persistence in local devices or remote code execution (RCE).
- Android Deep Linking: In Android, a deep link is a specific type of URL that allows an application to navigate directly to specific content or pages. At Pwn2Own 2022, a participant exploited a deep link vulnerability in the Samsung Galaxy Store, achieving code execution that allowed for the installation and launch of any app.
- Dynamic Code Loading: Android apps often utilize shared object files. For instance, CVE-2021-40724 was a vulnerability found in the Adobe PDF Reader app, where the app allowed users to provide the expected PDF path via a URL. However, the implementations did not validate the content of this path, resulting in a path traversal vulnerability. Attackers could exploit this flaw to create arbitrary files. A proof of concept (PoC) for this vulnerability demonstrated how to create a shared object file that the app would load by default, with content controlled by the attacker, thereby achieving RCE.
- Protected Components: In the Android system, an
intent
is a serializable (Parcelable) object. However, developers may inadvertently use incorrect calling methods or fail to conduct rigorous checks, resulting in attackers accessing sensitive information from the target app using third-party applications.
Low-level Attack surface
- Android Kernel: Since the Android kernel is based on the Linux kernel, vulnerabilities present in the Linux kernel can also manifest in the Android system. For example, vulnerabilities such as Dirty COW and Dirty Pipe can be reproduced in Android. However, due to differences in the operating system environment, the reproduction process may need to navigate issues such as SELinux.
- Android Kernel Driver: The Android kernel driver is responsible for communication with hardware devices. If vulnerabilities exist within these drivers, attackers may be able to escalate privileges and gain root access to the target device. For instance, multiple vulnerabilities have been identified in the ARM Mali GPU driver.
- Android TEE: The Android system primarily utilizes the Trusted Execution Environment (TEE) to enhance device security. Different manufacturers determine which TEE architecture to implement based on the CPU chipset. For example, Samsung Exynos employs the TEEGRIS environment, while the Pixel 4 XL uses Qualcomm’s QSEE. The attack surface of the TEE includes TEEOS and Trusted Applications (TAs).
Vulnerability reproduction
We reproduced vulnerabilities in the Android system environment to help researchers understand the causes and differences in system architecture. At HITCON 2022, we successfully ported the Dirty-Pipe (CVE-2022-0847) vulnerability to Android 12 Pixel6 phones.
The ultimate goal of this research is to use the Dirty-Pipe vulnerability in the Android system and bypass SELinux to gain the reverse root shell.
Dirty-Pipe Vulnerability Introduction
When a pipe is in operation, it employs zero-copy techniques to minimize resource wastage. Page operations are conducted using page references. When the
PIPE_BUF_FLAG_CAN_MERGE
flag is set, data is written to the current page without reallocating a new page.The Dirty-Pipe vulnerability occurs during pipe operations when the
PIPE_BUF_FLAG_CAN_MERGE
is not properly initialized. This oversight prevents the allocation of a new page, allowing data to be written directly to the acquired page. By utilizing the splice system call, an attacker can obtain the page to overwrite. Subsequently, by exploiting the Dirty-Pipe vulnerability, it can perform almost arbitrary writes to files.Dirty-Pipe itself has some limitations on arbitrary writing:
- The file must have read and open permissions
- Each write operation can only write 1 page size
- The first byte of the page cannot be written.
- None-regular files cannot be written
Privilege escalation in the Linux system
Using the vulnerability we can almost achieve arbitrary writing on read-only files, it can write to any file that can be open-read. The privilege escalation method in the Linux system is simpler than in the Android system.
- Find the program with SUID flag as the target, such as
/usr/bin/sudo
. Overwrite the entry point of the SUID binary to the address of the shellcode after that it will spawn the shell with root privileges.
Reference
TeamT5 specializes in cyber threat research and provides an endpoint detection and response (EDR) solution - ThreatSonar, which effectively detects and prevents enterprise system vulnerabilities from being abused by malicious parties and encountering cybersecurity attacks.TeamT5 consists of top cyber threat analysts. Leveraging our geographic and cultural advantages, we have the best understanding of cyber attackers in Asia Pacific. TeamT5 is frequently invited to share insights at top cybersecurity conferences.For vulnerability research and endpoint protection inquiries, please contact us at https://teamt5.org/en/contact-us/
Related Post
Products & Services
2023.10.16
What is Vulnerability Research?
vulnerability research