Tuesday, March 3, 2015

Evaluating CVE-2015-1474 to escalate to system privileges topic

I hope that with this thread we are able to gain system privileges with the help of CVE-2015-1474.

To begin with, I will try to write down what I have found. This is just a compilation of information, so it might look mixed up.

The class GraphicBuffer is utilized by the system service SurfaceFlinger. My current understanding is that the vulnerable method "unflatten" is used to create a GraphicBuffer object from raw data that is sent to the service by IPC using Binder. A forged message might be most easily supplied via adb shell using this command:

Code:

    shell@thor:/ $ service call SurfaceFlinger ...

I am not sure yet how the parcel eventually gets to the GraphicBuffer. It is a lot of code and I do not understand the low-level graphics system of Android yet. The IGraphicBufferConsumer interface has a subclass BufferItem which also has an unflatten method, which will call unflatten on GraphicBuffer. My gut tells me that the Parcel class is also involved in that process, but I'm not sure how yet.

One important piece of information that I'm still missing is how the unflattened data is used in the further processing of SurfaceFlinger. I don't think it is possible to freely write in the memory of SurfaceFlinger with this bug. There are still a lot of sanity checks to get past.

This could also affect how we have to implement the communication with SurfaceFlinger. Maybe it's also possible with some forged objects and a SurfaceView.

Maybe together we are able to shed some light on this. A little bump in the right direction might help.