michalbednarski / LeakValue

Exploit for CVE-2022-20452, privilege escalation on Android from installed app to system app (or another app) via LazyValue using Parcel after recycle()

No leakedBinders #5

Open MikBely opened 1 month ago

MikBely commented 1 month ago

So, I tried to run this app. I have an issue in which I can't receive any leaked binders from doAllStuff(). I get an empty array list leakedBinders. I think this happens because Parcel parcel = leaker.doLeak(); creates a null parcel. How can I fix this error?

michalbednarski commented 1 month ago

First of all, are you running this on an affected Android version? In theory this exploit should work on Android 13 with a patch level earlier than November 2022. If you're running on a patched version, LazyValue won't be created when reading a Bundle while Parcel.hasReadWriteHelper() is true.

Second, try checking logcat and inspecting the reply from setQueueBinder; there might be an Exception message there.

Third, it might be possible that the RemoteViews or other object layouts differ on the tested device; for that you'd need to grab a debugger and manually inspect the created object(s). The "Manual testing" button allows launching the ValueLeaker primitive against a simulated system process to which you can attach a debugger even on a non-rooted device (the simulated system will appear in the process list as com.example.leakvalue:testservice and will load the same MediaSessionService as the real system_server does, although it will not include Binder objects inside test transactions).