Open cxxsheng opened 1 year ago
So far Parcelable
mismatches that were researched belonged to BOOTCLASSPATH
and involved passing them through system_server
, so if you're trying to find app-specific vulnerabilities that would be new territory
Things ultimately will be app-specific, but I could imagine following path (at least with Android < 13, where mismatches in Bundle
could affect other keys within same Bundle
)
Intent
extra (which is or contains List
which can contain arbitrary Parcelable
s)onSaveInstanceState(Bundle)
savedInstanceState
is used to restore fragments (This happens automatically when restoring Activity
that supports embedding Fragment
s, either because it uses support library provided Activity
base or always if we're talking about built-in Android Fragment
sAlternate path could be forwarding Intent
extra to another (not exported this time) Activity
within app, similarly to above we get to pass unexpected argument to component which other apps cannot directly start. Whenever that argument is in Intent
extra of unexported Activity
or [Fragment
Arguments
](https://developer.android.com/reference/androidx/fragment/app/Fragment.html#getArguments()), apps might trust those and that could open further attacks, such as auth token disclosure to wrong server
Another interesting vulnerability related to Parcelable
is write-in-createFromParcel
. Depending on specific circumstances, that could lead to:
LazyValue
and therefore affecting values under other keys within Bundle
on Android 13flat_binder_object
structure, leading to premature releasing/closing binder handles or file descriptors (after which we could put different binder handle or file descriptor in their place), or overwriting pointers within that structure leading to memory corruptionAlso it is interesting to see other Parcelable
analysis tools. Haven't looked closely how does yours work yet
Mine attempted recovering flow of operations on Parcel
happening in writeToParcel
and createFromParcel
and comparing those
It ignored logic between these operations though, so for example CVE-2023-20963 (bulletin, patch) was completely invisible to it, as both writeToParcel
, broken createFromParcel
and fixed createFromParcel
looked to it like:
--- android.os.WorkSource
INT
INT_ARRAY
STRING_ARRAY_OR_LIST
INT
if {
PARCELABLE_LIST
} // else empty
If your tool doesn't have this flaw (or even if it also does, various analysis tools might find different things), it might be worth running it against system
Nowadays I keep using that my tool, comparing list of fields in Parcelable
s across versions and looking for possible capability leaks introduced in new Android versions (such as CVE-2021-0749 (patch))
I don't look for Parcelable
write/read mismatches anymore, these do exist in Android 13, but without way to exploit them I don't consider them to be vulnerabilities
I haven't looked for Parcelable
mismatches in apps. I guess in case of apps it'd be more important to find way to exploit such mismatch than finding mismatch itself (but that is unresearched area, maybe things I described in first section are present somewhere and maybe that is only theoretical path)
Actually, I developed a lightweight symbolic execution engine based on Antlr. I detect the inconsistency of the two through simulated execution. I will build a state-machine of the graph through writeToParcel
and then execute createFromParcel
to detect inconsistencies. I delegated the logic part to z3
. I spent a lot of time on basic syntax parsing, which resulted in it not being very complete now, especially in the logical reasoning part. Moreover, I can only do some intuitive logical deduction. For some complex logic, I have not implemented it and instead used some pattern matching methods in it.
I will look for the possibility of exploit the app next, and if there is any progress, I will share it with you. Thank you for your guidance.
Hello, recently I developed a tool to detect parcel mismatch bugs, and I found that many applications have such vulnerablities. I hope my research can be more convincing. Are there any attack surfaces for some applications ? How can I find these risk points? I look forward to your valuable suggestions.