michalbednarski
commented
1 year ago So far Parcelable mismatches that were researched belonged to BOOTCLASSPATH and involved passing them through system_server, so if you're trying to find app-specific vulnerabilities that would be new territory
Things ultimately will be app-specific, but I could imagine following path (at least with Android < 13, where mismatches in Bundle could affect other keys within same Bundle)
- Initial input could be
Intentextra (which is or containsListwhich can contain arbitraryParcelables) - Data from that extra would be stored in
onSaveInstanceState(Bundle) savedInstanceStateis used to restore fragments (This happens automatically when restoringActivitythat supports embeddingFragments, either because it uses support library providedActivitybase or always if we're talking about built-in AndroidFragments- Now we've got arbitrary Fragment injection, impact again is app specific
Alternate path could be forwarding Intent extra to another (not exported this time) Activity within app, similarly to above we get to pass unexpected argument to component which other apps cannot directly start. Whenever that argument is in Intent extra of unexported Activity or [Fragment Arguments](https://developer.android.com/reference/androidx/fragment/app/Fragment.html#getArguments()), apps might trust those and that could open further attacks, such as auth token disclosure to wrong server
Another interesting vulnerability related to Parcelable is write-in-createFromParcel. Depending on specific circumstances, that could lead to:
- Overwriting type/length of neighbour
LazyValueand therefore affecting values under other keys withinBundleon Android 13 - (Possibly misaligned) overwriting data within
flat_binder_objectstructure, leading to premature releasing/closing binder handles or file descriptors (after which we could put different binder handle or file descriptor in their place), or overwriting pointers within that structure leading to memory corruption
Also it is interesting to see other Parcelable analysis tools. Haven't looked closely how does yours work yet
Mine attempted recovering flow of operations on Parcel happening in writeToParcel and createFromParcel and comparing those
It ignored logic between these operations though, so for example CVE-2023-20963 (bulletin, patch) was completely invisible to it, as both writeToParcel, broken createFromParcel and fixed createFromParcel looked to it like:
--- android.os.WorkSource
INT
INT_ARRAY
STRING_ARRAY_OR_LIST
INT
if {
PARCELABLE_LIST
} // else emptyIf your tool doesn't have this flaw (or even if it also does, various analysis tools might find different things), it might be worth running it against system
Nowadays I keep using that my tool, comparing list of fields in Parcelables across versions and looking for possible capability leaks introduced in new Android versions (such as CVE-2021-0749 (patch))
I don't look for Parcelable write/read mismatches anymore, these do exist in Android 13, but without way to exploit them I don't consider them to be vulnerabilities
I haven't looked for Parcelable mismatches in apps. I guess in case of apps it'd be more important to find way to exploit such mismatch than finding mismatch itself (but that is unresearched area, maybe things I described in first section are present somewhere and maybe that is only theoretical path)
cxxsheng
Hello, recently I developed a tool to detect parcel mismatch bugs, and I found that many applications have such vulnerablities. I hope my research can be more convincing. Are there any attack surfaces for some applications ? How can I find these risk points? I look forward to your valuable suggestions.