Android privilege escalation to mediaserver from zero permissions (CVE-2014-7920 + CVE-2014-7921)

Published: 2017-2-26 6:52:20 Editor: www.fx114.net


Original post (link outside the Great Firewall): http://bits-please.blogspot.com/2016/01/android-privilege-escalation-to.html

In this blog post we'll go over two vulnerabilities I discovered which, when combined, enable arbitrary code execution within the "mediaserver" process from any context, requiring no permissions whatsoever.

HOW BAD IS IT?

The first vulnerability (CVE-2014-7921) was present in all Android versions from 4.0.3 onwards. The second vulnerability (CVE-2014-7920) was present in all Android versions from 2.2 (!). Also, these vulnerabilities are not vendor specific and were present in all Android devices. Since the first vulnerability is only needed to bypass ASLR, and ASLR is only present (in a meaningful form) from Android 4.1 onwards, this means that these vulnerabilities allow code execution within "mediaserver" on any Android device starting from version 2.2.

Although I reported both vulnerabilities in mid October 2014, they were unfortunately only fixed much later (see "Timeline" for the full description, below), in Android version 5.1! This means that there are many devices out there which are still vulnerable to these issues, so please take care.
  
You can find the actual patches here. The patches were pushed to AOSP five months after the vulnerabilities were reported. 

That said, the Android security team was very pleasant to work with, and with other vulnerabilities I reported later on, were much more responsive and managed to solve the issues within a shorter time-frame.

WHERE ARE WE AT?

Continuing our journey from zero permissions to TrustZone code execution: having recently completed the task of getting to TrustZone from the Linux kernel, and having found a way to gain code execution within the Linux kernel, we are left with the final step of gaining the privileges needed in order to run our kernel exploit.

As mentioned in the previous blog post in the series, in order to exploit the kernel vulnerability in the "qseecom" driver, an attacker need only satisfy one of the following conditions:

  • Gain execution within one of "mediaserver", "drmserver", "surfaceflinger" or "keystore"
  • Run within a process with the "system", "drm" or "keystore" user-ID
  • Run within a process with the "drmrpc" group-ID
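To make those three conditions concrete, here is a small check, added here as an example and not taken from the original post or from AOSP, that tells you whether a given execution context (process name, effective UID, group list) already satisfies one of them. The numeric IDs for system, drm, keystore and drmrpc are assumed from AOSP's android_filesystem_config.h (1000, 1019, 1017 and 1026); the process paths under /system/bin are assumed as well. The main() gathers the real context of the running process from getuid/getgroups and /proc/self/cmdline, so on a device it answers "can this process reach the qseecom driver's vulnerable path at all?" before you spend effort on the mediaserver step.

```c
/* Added example: does the current context meet one of the qseecom
 * preconditions listed above? Not code from the original post. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed Android IDs, taken from AOSP's android_filesystem_config.h. */
#define AID_SYSTEM   1000
#define AID_KEYSTORE 1017
#define AID_DRM      1019
#define AID_DRMRPC   1026

/* Assumed paths of the four native daemons named in the post. */
static const char *const allowed_procs[] = {
    "/system/bin/mediaserver",
    "/system/bin/drmserver",
    "/system/bin/surfaceflinger",
    "/system/bin/keystore",
};

/* Returns 1 if (procname, uid, groups) satisfies any of the three
 * conditions, 0 otherwise. Pure function: no syscalls, so it can be
 * tested with constructed inputs. procname may be NULL; groups may be
 * NULL when ngroups is 0. */
int qseecom_context_allowed(const char *procname, uid_t uid,
                            const gid_t *groups, size_t ngroups)
{
    /* Condition 1: running inside one of the four daemons. Compare on
     * the basename so "mediaserver" and "/system/bin/mediaserver" both match. */
    if (procname != NULL) {
        const char *base = strrchr(procname, '/');
        base = base ? base + 1 : procname;
        for (size_t i = 0; i < sizeof allowed_procs / sizeof allowed_procs[0]; i++) {
            const char *abase = strrchr(allowed_procs[i], '/') + 1;
            if (strcmp(base, abase) == 0)
                return 1;
        }
    }
    /* Condition 2: system, drm or keystore user-ID. */
    if (uid == AID_SYSTEM || uid == AID_DRM || uid == AID_KEYSTORE)
        return 1;
    /* Condition 3: drmrpc anywhere in the group list (primary or supplementary). */
    for (size_t i = 0; i < ngroups; i++)
        if (groups[i] == AID_DRMRPC)
            return 1;
    return 0;
}

int main(void)
{
    char name[256] = {0};
    gid_t groups[65];
    size_t ngroups = 0;

    /* Primary group first, then the supplementary groups. */
    groups[ngroups++] = getegid();
    int n = getgroups(64, groups + 1);
    if (n > 0)
        ngroups += (size_t)n;

    /* /proc/self/cmdline is NUL-separated; fread stops at argv[0] for us
     * because name is used as a C string afterwards. */
    FILE *f = fopen("/proc/self/cmdline", "r");
    if (f) {
        size_t r = fread(name, 1, sizeof name - 1, f);
        name[r] = '\0';
        fclose(f);
    }

    int ok = qseecom_context_allowed(name, geteuid(), groups, ngroups);
    printf("%s (uid %u, %zu groups): qseecom preconditions %s\n",
           name, (unsigned)geteuid(), ngroups, ok ? "met" : "NOT met");
    return ok ? 0 : 1;
}
```

On a stock device an ordinary app (an AID_APP uid above 10000, with only its package's groups) exits 1, which is exactly why the mediaserver bugs are needed; run inside mediaserver it exits 0 and the kernel exploit from the previous post becomes reachable.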
