Related vulnerability
Description
Exploit for CVE-2019-2215 (bad binder) for Huawei P20 Lite
Introduction
# Port CVE-2019-2215 (bad binder) to Huawei P20lite (Android 8.0.0)
## Description
This project is an exploit for CVE-2019-2215 on the Huawei P20lite running Android 8.0.0. The
kernel is version 4.4.23.
This vulnerability is probably the most documented one on this topic (tutorials, real ports to
physical phones), and I have a vulnerable phone, so it is a good starting point for learning
Android kernel exploitation.
Warning: the exploit makes every SELinux type permissive, so other apps may be able to bypass
SELinux until the device is rebooted.
## Install
Clone the repo first:
```bash
git clone https://github.com/willboka/CVE-2019-2215-HuaweiP20Lite.git
cd CVE-2019-2215-HuaweiP20Lite
```
Clone [setools-android](https://github.com/xmikos/setools-android.git) into the
CVE-2019-2215-HuaweiP20Lite folder and compile **libsepol (libsepol.a)** with the following
command:
```bash
make libsepol
```
libsepol is required for the SELinux bypass.
Build the project with:
```bash
make # or do: NDK_PROJECT_PATH=. ndk-build NDK_APPLICATION_MK=./Application.mk
```
The binary is placed in **libs/arm64-v8a**.
Build and push it to `/data/local/tmp` with:
```bash
make push
```
## Usage
Launch the binary **cve-2019-2215** from the CLI (tested with Termux and ADB):
```bash
/data/local/tmp/cve-2019-2215 # from adb
```
Reboot to reset SELinux policies.
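Since the exploit leaves SELinux permissive until reboot, it helps to know beforehand whether a phone is still exposed to this bug at all. The following shell helper is an added example, not part of this repository: it classifies a device's Android security patch level against the bulletin that shipped the CVE-2019-2215 fix. It assumes that the 2019-10-06 patch level (October 2019 Android Security Bulletin) is the first one carrying the fix, and that `adb` is on PATH for the live check.

```bash
#!/bin/sh
# Added example, not part of the CVE-2019-2215-HuaweiP20Lite repository.
# Classifies an Android security patch level against the bulletin that shipped
# the CVE-2019-2215 fix. Assumption: patch level 2019-10-06 (October 2019
# Android Security Bulletin) is the first one that includes the fix. OEMs that
# backported the patch earlier may report an older level while being fixed, so
# "possibly-vulnerable" means "verify", not "exploitable".
FIX_PATCH_LEVEL="2019-10-06"

# classify_patch_level <YYYY-MM-DD>
# Prints one of: patched, possibly-vulnerable, unknown (malformed input).
classify_patch_level() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # Strip the dashes so the dates compare as plain integers (YYYYMMDD).
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$FIX_PATCH_LEVEL" | tr -d '-')
    if [ "$have" -lt "$need" ]; then
        echo "possibly-vulnerable"
    else
        echo "patched"
    fi
}

# check_device: read the patch level and kernel version from a connected device.
# Requires adb on PATH and a device with USB debugging enabled.
check_device() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    kernel=$(adb shell uname -r | tr -d '\r')
    echo "kernel=$kernel security_patch=$level -> $(classify_patch_level "$level")"
}

if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

Run the script with `--device` while the phone is attached; without the flag it only defines the functions, so it can be sourced from other scripts.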
## Demo

## Links
Links I used to learn about exploiting this vulnerability.
### Test on virtual devices
- [Project Zero bad binder explanation](https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html):
Explanation of the vulnerability, plus how the PoC turns it into an arbitrary read/write
primitive.
- [Android Kernel Exploitation](https://cloudfuzz.github.io/android-kernel-exploitation/):
Explains the vulnerability and the lab setup in more depth, with extra material on debugging
(GDB scripts, use of sanitizers).
- [Tailoring CVE-2019-2215 to Achieve Root](https://hernan.de/blog/tailoring-cve-2019-2215-to-achieve-root/):
Methods for bypassing Linux kernel security features.
### Dev on real device
- [s8_2019_2215_poc](https://github.com/chompie1337/s8_2019_2215_poc/tree/master): A real case of
porting the exploit. I use the AVC cache bypass from this one, but unfortunately I could not use
the same technique to get symbol entries, as I experienced kernel crashes when reading some kernel
pages. Instead I guess the KASLR offset from the first KASLR-affected symbol in the leaked
task_struct (fair_sched_class).
- [cve2019-2215-3.18](https://github.com/enceka/cve-2019-2215-3.18): This exploit is actually the
closest to mine, as the offset of the wait field in binder_struct is 0xa8 in my case (0x98 in his).
File snapshot
```text
[4.0K] /data/pocs/1fe96b1af83aaeed49bbd2935215e2044e866ae9
├── [ 588] Android.mk
├── [ 79] Application.mk
├── [1.3M] demo.mp4
├── [4.0K] exploit
│ ├── [ 17K] cve_2019_2215.c
│ ├── [1.9K] dac.c
│ ├── [4.0K] include
│ │ ├── [2.6K] cve_2019_2215.h
│ │ ├── [ 846] dac.h
│ │ ├── [ 782] kernel_rw.h
│ │ ├── [ 789] kernel_specific.h
│ │ ├── [ 446] seccomp.h
│ │ └── [2.9K] selinux.h
│ ├── [2.6K] kernel_rw.c
│ ├── [ 855] seccomp.c
│ └── [5.0K] selinux.c
├── [1.0K] LICENSE
├── [ 519] Makefile
└── [2.7K] README.md
2 directories, 17 files
```