ReparcelBug2 icon indicating copy to clipboard operation
ReparcelBug2 copied to clipboard

Published 20 hours ago verified publisher icon michalbednarski

looking for your suggestions

Open cxxsheng opened this issue 2 years ago • 2 comments

Hello, recently I developed a tool to detect parcel mismatch bugs, and I found that many applications have such vulnerablities. I hope my research can be more convincing. Are there any attack surfaces for some applications ? How can I find these risk points? I look forward to your valuable suggestions.

cxxsheng avatar Apr 19 '23 19:04 cxxsheng

So far Parcelable mismatches that were researched belonged to BOOTCLASSPATH and involved passing them through system_server, so if you're trying to find app-specific vulnerabilities that would be new territory

Things ultimately will be app-specific, but I could imagine following path (at least with Android < 13, where mismatches in Bundle could affect other keys within same Bundle)

  1. Initial input could be Intent extra (which is or contains List which can contain arbitrary Parcelables)
  2. Data from that extra would be stored in onSaveInstanceState(Bundle)
  3. savedInstanceState is used to restore fragments (This happens automatically when restoring Activity that supports embedding Fragments, either because it uses support library provided Activity base or always if we're talking about built-in Android Fragments
  4. Now we've got arbitrary Fragment injection, impact again is app specific

Alternate path could be forwarding Intent extra to another (not exported this time) Activity within app, similarly to above we get to pass unexpected argument to component which other apps cannot directly start. Whenever that argument is in Intent extra of unexported Activity or Fragment Arguments, apps might trust those and that could open further attacks, such as auth token disclosure to wrong server

Another interesting vulnerability related to Parcelable is write-in-createFromParcel. Depending on specific circumstances, that could lead to:

  • Overwriting type/length of neighbour LazyValue and therefore affecting values under other keys within Bundle on Android 13
  • (Possibly misaligned) overwriting data within flat_binder_object structure, leading to premature releasing/closing binder handles or file descriptors (after which we could put different binder handle or file descriptor in their place), or overwriting pointers within that structure leading to memory corruption

Also it is interesting to see other Parcelable analysis tools. Haven't looked closely how does yours work yet

Mine attempted recovering flow of operations on Parcel happening in writeToParcel and createFromParcel and comparing those

It ignored logic between these operations though, so for example CVE-2023-20963 (bulletin, patch) was completely invisible to it, as both writeToParcel, broken createFromParcel and fixed createFromParcel looked to it like:

--- android.os.WorkSource
INT
INT_ARRAY
STRING_ARRAY_OR_LIST
INT
if {
    PARCELABLE_LIST
} // else empty

If your tool doesn't have this flaw (or even if it also does, various analysis tools might find different things), it might be worth running it against system

Nowadays I keep using that my tool, comparing list of fields in Parcelables across versions and looking for possible capability leaks introduced in new Android versions (such as CVE-2021-0749 (patch))

I don't look for Parcelable write/read mismatches anymore, these do exist in Android 13, but without way to exploit them I don't consider them to be vulnerabilities

I haven't looked for Parcelable mismatches in apps. I guess in case of apps it'd be more important to find way to exploit such mismatch than finding mismatch itself (but that is unresearched area, maybe things I described in first section are present somewhere and maybe that is only theoretical path)

michalbednarski avatar Apr 20 '23 15:04 michalbednarski

Actually, I developed a lightweight symbolic execution engine based on Antlr. I detect the inconsistency of the two through simulated execution. I will build a state-machine of the graph through writeToParcel and then execute createFromParcel to detect inconsistencies. I delegated the logic part to z3. I spent a lot of time on basic syntax parsing, which resulted in it not being very complete now, especially in the logical reasoning part. Moreover, I can only do some intuitive logical deduction. For some complex logic, I have not implemented it and instead used some pattern matching methods in it.

I will look for the possibility of exploit the app next, and if there is any progress, I will share it with you. Thank you for your guidance.

cxxsheng avatar Apr 20 '23 19:04 cxxsheng