My First CVE-2021-25461
Posted on September 13th, 2022 by BlasDiscussion
I did research with the Florida Institute for Cybersecurity Research for a couple of years, and within that time I managed to get a second-author paper out titled SAUSAGE. The paper analysed how SELinux policy permissions are modified on a vendor-to-vendor basis: manufacturers like Samsung add their own apps to a device, and those apps need their MAC permissions added to the SELinux policy file. During this time I was on a mission to find my first zero-day. The advisors on the paper also thought it would be a great idea to find some real-world impact for our research, since that would only solidify the paper as sound work in the systems security space.
I focused more on the infrastructure and investigation side of things, while my friend Mounir focused on the vulnerability discovery itself. Mounir is the one who eventually worked out how to get all of this up and running; he has given me permission to write about it and to share the code he used on his end to discover the vulnerability. Being able to reproduce this work for a live audience and show what we found as a team at EuroS&P 2022 was an amazing experience that I will never forget. I am happy I was able to get work like this out into the community and am excited for the research that is still to come.
Below is an abridged version of the bash script that contains only the comments and the expected output. The entire proof of concept can be found here.
Created by Mounir Elgharabawy
Date: 1/7/2021
APAService Stack overflow PoC on socket @dev/socket/jack/set.priority
Tested on Samsung Galaxy S6 device running Android 7.0 (NRD90M)
Build fingerprint: samsung/zerofltexx/zeroflte:7.0/NRD90M/G920FXXU5EQJ1:user/release-keys
What this script does:
1. Create the "socat" binary executable needed to communicate with Unix domain sockets in the abstract namespace
Note: If you prefer, you can download and build socat yourself and place it in /data/local/tmp/. If you choose to do so, you do not need the first command and can comment it out.
2. Make it executable
3. Call IAPAService::startJackd() using service call
4. Send a message to @dev/socket/jack/set.priority starting with *4 (preamble) followed by a random string of length 25. In the message, I indicated where the base pointer is overwritten with <PC>.
5. Buffer overflow is triggered. The logs show that the return value was overwritten with <PC>.
Expected Output:
07-01 22:35:54.757 29097 29100 I JAM : APAService, start jack
07-01 22:35:54.758 29097 29355 I JAM : APAService priority thread running...
07-01 22:35:54.760 29097 29100 I JAM : APAService startJackd : already started
07-01 22:35:59.275 29097 29355 E JAM : Failed to get SCHED_FIFO priority pid[0] tid[0]; error -1
07-01 22:35:59.290 29374 29374 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
07-01 22:35:59.291 29374 29374 F DEBUG : Build fingerprint: 'samsung/zerofltexx/zeroflte:7.0/NRD90M/G920FXXU5EQJ1:user/release-keys'
07-01 22:35:59.291 29374 29374 F DEBUG : Revision: '11'
07-01 22:35:59.291 29374 29374 F DEBUG : ABI: 'arm'
07-01 22:35:59.291 29374 29374 F DEBUG : pid: 29097, tid: 29355, name: priority >>> /system/bin/apaservice <<<
07-01 22:35:59.291 29374 29374 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
07-01 22:35:59.292 29374 29374 F DEBUG : Abort message: 'stack corruption detected'
07-01 22:35:59.292 29374 29374 F DEBUG : r0 00000000 r1 000072ab r2 00000006 r3 00000008
07-01 22:35:59.292 29374 29374 F DEBUG : r4 f3b00978 r5 00000006 r6 f3b00920 r7 0000010c
07-01 22:35:59.292 29374 29374 F DEBUG : r8 f3ea5088 r9 f3ea5070 sl f41e9ac1 fp 00000016
07-01 22:35:59.293 29374 29374 F DEBUG : ip 00000002 sp f3b002d0 lr f42529c7 pc f4255230 cpsr 60070010
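The crash dump above is a standard Android native crash record (tag DEBUG, level F) written by the crash handler, and it is the kind of artifact a defender sees in logcat or a bug report long before anyone names a CVE. The following is an added example, not code from the post or from Mounir's PoC: a small Python triage helper that parses logcat "threadtime" lines, pulls the fields out of the first native crash dump it finds (crashing process, thread, signal, abort message, register snapshot) and flags the indicators visible in this dump. The sample log embedded in the script is the expected output reproduced from the post; the field names and the triage rules are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the logcat excerpt from the post's "Expected Output".
SAMPLE_LOG = """\
07-01 22:35:54.757 29097 29100 I JAM : APAService, start jack
07-01 22:35:54.758 29097 29355 I JAM : APAService priority thread running...
07-01 22:35:54.760 29097 29100 I JAM : APAService startJackd : already started
07-01 22:35:59.275 29097 29355 E JAM : Failed to get SCHED_FIFO priority pid[0] tid[0]; error -1
07-01 22:35:59.290 29374 29374 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
07-01 22:35:59.291 29374 29374 F DEBUG : Build fingerprint: 'samsung/zerofltexx/zeroflte:7.0/NRD90M/G920FXXU5EQJ1:user/release-keys'
07-01 22:35:59.291 29374 29374 F DEBUG : Revision: '11'
07-01 22:35:59.291 29374 29374 F DEBUG : ABI: 'arm'
07-01 22:35:59.291 29374 29374 F DEBUG : pid: 29097, tid: 29355, name: priority >>> /system/bin/apaservice <<<
07-01 22:35:59.291 29374 29374 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
07-01 22:35:59.292 29374 29374 F DEBUG : Abort message: 'stack corruption detected'
07-01 22:35:59.292 29374 29374 F DEBUG : r0 00000000 r1 000072ab r2 00000006 r3 00000008
07-01 22:35:59.292 29374 29374 F DEBUG : r4 f3b00978 r5 00000006 r6 f3b00920 r7 0000010c
07-01 22:35:59.292 29374 29374 F DEBUG : r8 f3ea5088 r9 f3ea5070 sl f41e9ac1 fp 00000016
07-01 22:35:59.293 29374 29374 F DEBUG : ip 00000002 sp f3b002d0 lr f42529c7 pc f4255230 cpsr 60070010
"""

# One logcat "threadtime" line: date time pid tid level tag : message
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+(?P<tag>\S+)\s*:\s?(?P<msg>.*)$"
)
# A register dump line: pairs of "<name> <8 hex digits>"
REG_LINE_RE = re.compile(r"^(?:[a-z]+\d*\s+[0-9a-f]{8}\s*)+$")
PROC_RE = re.compile(r"pid: (\d+), tid: (\d+), name: (\S+)\s+>>> (\S+) <<<")
SIG_RE = re.compile(r"signal (\d+) \((\w+)\), code (-?\d+) \((\w+)\)")


def parse_logcat_line(line: str) -> Optional[Dict[str, str]]:
    """Split one logcat line into its fields; None if the line is not logcat-shaped."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def extract_crash(log_text: str) -> Optional[dict]:
    """Collect the fields of the first native crash dump (tag DEBUG) in the log."""
    crash = None
    for raw in log_text.splitlines():
        rec = parse_logcat_line(raw)
        if rec is None or rec["tag"] != "DEBUG":
            continue
        msg = rec["msg"]
        if msg.startswith("*** ***"):          # banner that opens every crash dump
            if crash is not None:
                break                          # a second dump begins; keep the first
            crash = {"registers": {}}
            continue
        if crash is None:
            continue
        if msg.startswith("Build fingerprint: "):
            crash["fingerprint"] = msg.split("'")[1]
        elif msg.startswith("ABI: "):
            crash["abi"] = msg.split("'")[1]
        elif msg.startswith("Abort message: "):
            crash["abort_message"] = msg.split("'", 1)[1].rstrip("'")
        elif (m := PROC_RE.search(msg)):
            crash.update(pid=int(m.group(1)), tid=int(m.group(2)),
                         thread=m.group(3), process=m.group(4))
        elif (m := SIG_RE.search(msg)):
            crash.update(signal=int(m.group(1)), signal_name=m.group(2),
                         code=int(m.group(3)), code_name=m.group(4))
        elif REG_LINE_RE.match(msg):
            crash["registers"].update(re.findall(r"([a-z]+\d*)\s+([0-9a-f]{8})", msg))
    return crash


def triage(crash: dict) -> List[str]:
    """Turn the parsed dump into human-readable indicators (rules are this example's own)."""
    findings = []
    if crash.get("abort_message") == "stack corruption detected":
        # Bionic's stack-protector failure handler aborts with exactly this message.
        findings.append("stack-protector canary check failed: likely stack buffer overflow")
    if crash.get("signal") == 6 and crash.get("code_name") == "SI_TKILL":
        findings.append("SIGABRT raised by the process itself (tkill), not a stray memory fault")
    if str(crash.get("process", "")).startswith("/system/bin/"):
        findings.append(f"crash in system daemon {crash['process']} (thread '{crash.get('thread')}')")
    return findings


if __name__ == "__main__":
    for finding in triage(extract_crash(SAMPLE_LOG)):
        print("-", finding)
```

Run stand-alone it prints three findings for the dump above. The useful defensive signal is the combination: a stack-protector abort (`stack corruption detected`) in a `/system/bin/` daemon on a thread that was just handling socket input is a strong hint that an untrusted message reached a fixed-size stack buffer, which is exactly what a fleet-wide logcat or bug-report scan should surface for follow-up.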