
CVE-2017-13286 PoC — Android permission and access control vulnerability

Source
Associated Vulnerability
Title: Android permission and access control vulnerability (CVE-2017-13286)
Description: In writeToParcel and readFromParcel of OutputConfiguration.java, there is a permission bypass due to mismatched serialization. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-69683251.
Description
CVE-2017-13286 PoC (not working)
Readme
# CVE-2017-13286
CVE-2017-13286 PoC (not working)

All resources are sourced from this article
https://bbs.kanxue.com/thread-268506.htm

- The root cause of this vulnerability is that the Parcel object is written and read inconsistently; it can be traced to the following code:
```java
public void writeToParcel(Parcel dest, int flags) {
    if (dest == null) {
        throw new IllegalArgumentException("dest must not be null");
    }
    dest.writeInt(mRotation);
    dest.writeInt(mSurfaceGroupId);
    dest.writeInt(mSurfaceType);
    dest.writeInt(mConfiguredSize.getWidth());
    dest.writeInt(mConfiguredSize.getHeight());
    dest.writeInt(mIsDeferredConfig ? 1 : 0);
    dest.writeInt(mIsShared ? 1 : 0);   // mIsShared is written here...
    dest.writeTypedList(mSurfaces);
}

private OutputConfiguration(@NonNull Parcel source) {
    int rotation = source.readInt();
    int surfaceSetId = source.readInt();
    int surfaceType = source.readInt();
    int width = source.readInt();
    int height = source.readInt();
    boolean isDeferred = source.readInt() == 1;
    // ...but there is no matching readInt() for mIsShared, so from here on the
    // reader is one int behind the writer: the mIsShared value is consumed as
    // the typed-list count and everything after it is misaligned.
    ArrayList<Surface> surfaces = new ArrayList<Surface>();
    source.readTypedList(surfaces, Surface.CREATOR);

    checkArgumentInRange(rotation, ROTATION_0, ROTATION_270, "Rotation constant");
    ...
    ...
    ...
}
```
- As can be seen, in this version of AOSP mIsShared is written but never read.
- Using this, we can craft malicious serialized Parcel data and make the system execute something.

- The vulnerable code lives in AOSP at: frameworks/base/core/java/android/hardware/camera2/params/OutputConfiguration.java
- Not only has this been fixed; the serialized object now also carries more default fields.
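To make the read/write mismatch concrete, here is an added example (not code from the kanxue article or from the PoC repository) using a tiny Python stand-in for android.os.Parcel: the same bytes are parsed once by a reader that skips mIsShared, as in the vulnerable AOSP version, and once by a reader with the matching read, and a fully_consumed check shows the desync that a Parcelable round-trip unit test would catch. The Parcel class, the int-only surface elements and the field names are assumptions for this example.

```python
import struct
class Parcel:
    """Tiny stand-in for android.os.Parcel, constructed for this example: ints are
    4-byte little-endian and a typed list is a count followed by its elements."""
    def __init__(self, data=b""):
        self.buf, self.pos = bytearray(data), 0
    def write_int(self, v):
        self.buf += struct.pack("<i", v)
    def read_int(self):
        (v,) = struct.unpack_from("<i", self.buf, self.pos)
        self.pos += 4
        return v
    def write_typed_list(self, ids):   # each Surface modelled as one int id (assumption)
        self.write_int(len(ids))
        for i in ids:
            self.write_int(i)
    def read_typed_list(self):
        return [self.read_int() for _ in range(self.read_int())]
    def fully_consumed(self):          # what a Parcelable round-trip test should assert
        return self.pos == len(self.buf)

FIELDS = ("rotation", "group_id", "surface_type", "width", "height")
def write_config(p, rotation, group_id, surface_type, width, height, deferred, shared, surfaces):
    for v in (rotation, group_id, surface_type, width, height):
        p.write_int(v)
    p.write_int(1 if deferred else 0)
    p.write_int(1 if shared else 0)    # mIsShared is written...
    p.write_typed_list(surfaces)

def read_config_vulnerable(p):
    cfg = {k: p.read_int() for k in FIELDS}
    cfg["deferred"] = p.read_int() == 1
    # ...but never read, so the mIsShared int is consumed as the surface-list count
    cfg["surfaces"] = p.read_typed_list()
    return cfg

def read_config_fixed(p):
    cfg = {k: p.read_int() for k in FIELDS}
    cfg["deferred"] = p.read_int() == 1
    cfg["shared"] = p.read_int() == 1  # the matching read keeps reader and writer aligned
    cfg["surfaces"] = p.read_typed_list()
    return cfg

def roundtrip(reader, shared, surfaces):
    """Write a sample config, parse it with `reader`; return (surfaces, all bytes consumed?)."""
    w = Parcel()
    write_config(w, 0, 1, 0, 1920, 1080, False, shared, surfaces)
    r = Parcel(bytes(w.buf))
    return reader(r)["surfaces"], r.fully_consumed()
```

With shared=True and two surfaces, the vulnerable reader recovers a one-element list whose only entry is the real list count, and leaves the actual surface ids unread; the fixed reader recovers both ids and consumes the parcel exactly.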
File Snapshot

```text
[4.0K] /data/pocs/dda59b6385f6f43370a4707f9a978d390a556d25
├── [4.0K] app
│   ├── [1.0K] build.gradle
│   ├── [ 750] proguard-rules.pro
│   └── [4.0K] src
│       └── [4.0K] main
│           ├── [1.4K] AndroidManifest.xml
│           ├── [4.0K] java
│           │   └── [4.0K] com
│           │       └── [4.0K] cve
│           │           └── [4.0K] poc201713286
│           │               ├── [1.3K] AuthenticatorService.java
│           │               ├── [ 551] MainActivity.java
│           │               └── [4.6K] MyAuthenticator.java
│           └── [4.0K] res
│               ├── [4.0K] drawable
│               │   └── [5.5K] ic_launcher_background.xml
│               ├── [4.0K] drawable-v24
│               │   └── [1.7K] ic_launcher_foreground.xml
│               ├── [4.0K] layout
│               │   └── [ 778] activity_main.xml
│               ├── [4.0K] mipmap-anydpi-v26
│               │   ├── [ 272] ic_launcher_round.xml
│               │   └── [ 272] ic_launcher.xml
│               ├── [4.0K] mipmap-anydpi-v33
│               │   └── [ 343] ic_launcher.xml
│               ├── [4.0K] mipmap-hdpi
│               │   ├── [2.8K] ic_launcher_round.webp
│               │   └── [1.4K] ic_launcher.webp
│               ├── [4.0K] mipmap-mdpi
│               │   ├── [1.7K] ic_launcher_round.webp
│               │   └── [ 982] ic_launcher.webp
│               ├── [4.0K] mipmap-xhdpi
│               │   ├── [3.8K] ic_launcher_round.webp
│               │   └── [1.9K] ic_launcher.webp
│               ├── [4.0K] mipmap-xxhdpi
│               │   ├── [5.8K] ic_launcher_round.webp
│               │   └── [2.8K] ic_launcher.webp
│               ├── [4.0K] mipmap-xxxhdpi
│               │   ├── [7.6K] ic_launcher_round.webp
│               │   └── [3.8K] ic_launcher.webp
│               ├── [4.0K] values
│               │   ├── [ 378] colors.xml
│               │   ├── [ 74] strings.xml
│               │   └── [ 814] themes.xml
│               ├── [4.0K] values-night
│               │   └── [ 814] themes.xml
│               └── [4.0K] xml
│                   ├── [ 275] authenticator.xml
│                   ├── [ 478] backup_rules.xml
│                   └── [ 551] data_extraction_rules.xml
├── [ 229] build.gradle
├── [4.0K] gradle
│   └── [4.0K] wrapper
│       ├── [ 58K] gradle-wrapper.jar
│       └── [ 230] gradle-wrapper.properties
├── [1.2K] gradle.properties
├── [5.6K] gradlew
├── [2.6K] gradlew.bat
├── [1.7K] README.md
└── [ 329] settings.gradle

23 directories, 37 files
```