
CVE-2017-13253 PoC: Android permission and access-control vulnerability

Title: Android permission and access-control vulnerability (CVE-2017-13253)
Description: Android is an open-source, Linux-based operating system developed jointly by Google (US) and the Open Handset Alliance (OHA). In Android 8.0 and 8.1, CryptoPlugin::decrypt in CryptoPlugin.cpp has a privilege-escalation vulnerability caused by a missing bounds check. A remote attacker can exploit it to execute arbitrary code or cause a denial of service (out-of-bounds write).
# CVE-2017-13253

PoC code for CVE-2017-13253.

The full write-up is available [here](https://blog.zimperium.com/cve-2017-13253-buffer-overflow-multiple-android-drm-services). Note that the numbers are a little bit different from the blog post, as I've found that there's a higher chance for a crash with a heap of 0x2000 (of course if you run it enough times it should crash anyway).

For questions/issues/comments you're welcome to contact me on Twitter ([@tamir_zb](https://twitter.com/tamir_zb)).

## Build

In order to build this:

1. [Download the Android source code](https://source.android.com/setup/downloading).
2. Put this repository in `AOSP/external`.
3. Run the following commands:

```sh
cd AOSP
source build/envsetup.sh
make icrypto_overflow
```

## Result

Running this against an unpatched version of Android (8.0-8.1 before March 2018) should result in an overflow. This might result in a crash, depending on whether the overwritten data is writable or not.

The code should print the output of the `decrypt` method, which may vary:

* In case it is being run against a patched version of Android (March 2018 or later), `decrypt` should return `BAD_VALUE` (-22).
* In case no crash happens (the overwritten data is writable), `decrypt` should return the amount of data it copied.
* In case the vendor implements the HAL as a separate process (e.g. Pixel 2), `decrypt` should return `UNKNOWN_ERROR` (-32).
* In case the vendor implements the HAL in the same process (e.g. Nexus 5X), `decrypt` should return 0.

Here's a partial crash dump resulting from running this PoC:

```
Build fingerprint: 'google/walleye/walleye:8.1.0/OPM1.171019.011/4448085:user/release-keys'
Revision: 'MP1'
ABI: 'arm'
pid: 761, tid: 5232, name: HwBinder:761_1  >>> /vendor/bin/hw/android.hardware.drm@1.0-service <<<
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xee20f000
    r0 ee20f000  r1 ee20d021  r2 00001eff  r3 00000001
    r4 00000001  r5 00000000  r6 ed117008  r7 00000000
    r8 00000000  r9 fffff82a  sl ee20d000  fp ee20efff
    ip 08000000  sp ed2893c8  lr ed369e6b  pc edda7f0c  cpsr 20070010

backtrace:
    #00 pc 00018f0c  /system/lib/libc.so (__memcpy_base+244)
    #01 pc 00004e67  /vendor/lib/mediadrm/libdrmclearkeyplugin.so (clearkeydrm::CryptoPlugin::decrypt(bool, unsigned char const*, unsigned char const*, android::CryptoPlugin::Mode, android::CryptoPlugin::Pattern const&, void const*, android::CryptoPlugin::SubSample const*, unsigned int, void*, android::AString*)+82)
    ...

memory map (205 entries):
(fault address prefixed with --->)
    ...
    ee20d000-ee20efff rw-         0      2000  /dev/ashmem/MemoryHeapBase (deleted)
--->ee20f000-ee20ffff ---         0      1000  [anon:thread signal stack guard page]
    ...
```

As you can see, the fault address is the memory just after the shared memory. Since this memory is write-protected, the overflow resulted in a segmentation fault.
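To make the bug class concrete, here is an added example written for this page; it is not code from the PoC repository, from the Zimperium write-up, or from AOSP. It places a simplified subsample copy in the unchecked shape described above beside a checked version that refuses the request with `BAD_VALUE` (-22), the value the patched `decrypt` returns, and otherwise reports the number of bytes copied. The `subsample_t` layout, the function names and the 0x100-byte guard region are constructed assumptions; the 0x2000 heap size is the one in the dump. The unchecked copy is only ever run against an arena that has slack after the logical buffer, so the overrun is counted instead of faulting the way the real service did on its guard page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BAD_VALUE  (-22)      /* status the patched decrypt() returns */
#define HEAP_SIZE  0x2000u    /* size of the ashmem heap in the dump above */
#define GUARD_SIZE 0x100u     /* constructed slack standing in for the guard page */

/* Constructed, simplified subsample descriptor (field names are assumptions):
 * a run of clear bytes followed by a run of encrypted bytes. */
typedef struct {
    uint32_t clear_bytes;
    uint32_t encrypted_bytes;
} subsample_t;

/* Buggy shape: sum the subsample lengths and copy that many bytes into dst
 * without ever asking how large dst is. This is the bug class, not AOSP code. */
static size_t copy_subsamples_unchecked(uint8_t *dst, const uint8_t *src,
                                        const subsample_t *subs, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (size_t)subs[i].clear_bytes + subs[i].encrypted_bytes;
    memcpy(dst, src, total);
    return total;
}

/* Hardened shape: accumulate with wrap-around checks, then refuse the whole
 * request if it would run past the destination or the source. */
long copy_subsamples_checked(uint8_t *dst, size_t dst_size,
                             const uint8_t *src, size_t src_size,
                             const subsample_t *subs, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (subs[i].clear_bytes > SIZE_MAX - subs[i].encrypted_bytes)
            return BAD_VALUE;                       /* 32-bit size_t wrap */
        size_t len = (size_t)subs[i].clear_bytes + subs[i].encrypted_bytes;
        if (total > SIZE_MAX - len)
            return BAD_VALUE;                       /* running total wrap */
        total += len;
    }
    if (total > dst_size || total > src_size)
        return BAD_VALUE;                           /* would overflow */
    memcpy(dst, src, total);
    return (long)total;                             /* bytes copied */
}

/* Run the unchecked copy against a HEAP_SIZE logical buffer that sits inside a
 * larger arena with a poisoned guard region after it, and return how many
 * guard bytes were overwritten. Staying inside the arena keeps the demo free
 * of undefined behaviour; on the real service the same bytes hit a protected
 * page and memcpy faulted. */
size_t demo_unchecked_overrun(void)
{
    static uint8_t arena[HEAP_SIZE + GUARD_SIZE];
    static uint8_t src[HEAP_SIZE + 0x80];
    memset(arena, 0x00, sizeof arena);
    memset(arena + HEAP_SIZE, 0xCC, GUARD_SIZE);    /* poison the guard */
    memset(src, 0xAA, sizeof src);                  /* constructed payload */
    subsample_t subs[1] = { { HEAP_SIZE, 0x80u } }; /* 0x80 bytes too many */
    copy_subsamples_unchecked(arena, src, subs, 1);
    size_t dirty = 0;
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (arena[HEAP_SIZE + i] != 0xCC)
            dirty++;
    return dirty;
}

/* The same oversized request through the checked path must be rejected. */
long demo_checked_rejects(void)
{
    static uint8_t arena[HEAP_SIZE];
    static uint8_t src[HEAP_SIZE + 0x80];
    subsample_t subs[1] = { { HEAP_SIZE, 0x80u } };
    return copy_subsamples_checked(arena, HEAP_SIZE, src, sizeof src, subs, 1);
}

/* Lengths chosen so the per-subsample sum wraps on 32-bit size_t and is
 * simply too large on 64-bit; the checked path rejects it either way. */
long demo_checked_rejects_wrap(void)
{
    static uint8_t arena[HEAP_SIZE];
    static uint8_t src[HEAP_SIZE];
    subsample_t subs[1] = { { 0xFFFFFFF0u, 0x20u } };
    return copy_subsamples_checked(arena, HEAP_SIZE, src, sizeof src, subs, 1);
}

/* A request that fits exactly: the checked path copies and reports the size. */
long demo_checked_accepts(void)
{
    static uint8_t arena[HEAP_SIZE];
    static uint8_t src[HEAP_SIZE];
    subsample_t subs[2] = { { 0x1000u, 0x800u }, { 0x400u, 0x400u } };
    return copy_subsamples_checked(arena, HEAP_SIZE, src, sizeof src, subs, 2);
}

int main(void)
{
    printf("unchecked: %zu guard bytes overwritten\n", demo_unchecked_overrun());
    printf("checked, oversized request: %ld\n", demo_checked_rejects());
    printf("checked, wrapping request:  %ld\n", demo_checked_rejects_wrap());
    printf("checked, exact fit:         %ld\n", demo_checked_accepts());
    return 0;
}
```

The two wrap-around checks matter on the 32-bit ABI shown in the dump: a length comparison done after an overflowed addition would pass a request that the copy then faithfully executes, which is the same outcome as having no check at all.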