
CVE-2017-13286 PoC — Android permission and access control vulnerability

Source
Associated Vulnerability
Title: Android permission and access control vulnerability (CVE-2017-13286)
Description: Android is a Linux-based open-source operating system developed by Google and the Open Handset Alliance (OHA). In Android 8.0 and 8.1, writeToParcel and readFromParcel in OutputConfiguration.java contain a privilege-escalation vulnerability. A local attacker can exploit it to perform operations with system privileges.
Description
CVE-2017-13286 PoC (does not work)
Readme
# CVE-2017-13286
CVE-2017-13286 PoC (does not work)

All resources are sourced from this article
https://bbs.kanxue.com/thread-268506.htm

- The root cause of this vulnerability is that the Parcel object is written and read inconsistently; it can be traced back to the following code
```java
// Writer: emits seven int32 words, then the surface list.
public void writeToParcel(Parcel dest, int flags) {
    if (dest == null) {
        throw new IllegalArgumentException("dest must not be null");
    }
    dest.writeInt(mRotation);
    dest.writeInt(mSurfaceGroupId);
    dest.writeInt(mSurfaceType);
    dest.writeInt(mConfiguredSize.getWidth());
    dest.writeInt(mConfiguredSize.getHeight());
    dest.writeInt(mIsDeferredConfig ? 1 : 0);
    dest.writeInt(mIsShared ? 1 : 0);   // written here ...
    dest.writeTypedList(mSurfaces);
}

// Reader: consumes only six int32 words before the list.
private OutputConfiguration(@NonNull Parcel source) {
    int rotation = source.readInt();
    int surfaceSetId = source.readInt();
    int surfaceType = source.readInt();
    int width = source.readInt();
    int height = source.readInt();
    boolean isDeferred = source.readInt() == 1;
    // ... but mIsShared is never read back here, so readTypedList starts one
    // word early and takes the mIsShared value as the list element count.
    ArrayList<Surface> surfaces = new ArrayList<Surface>();
    source.readTypedList(surfaces, Surface.CREATOR);

    checkArgumentInRange(rotation, ROTATION_0, ROTATION_270, "Rotation constant");
    ...
    ...
    ...
}
```
- As you can see, in this version of AOSP mIsShared is written but never read back.
- Using this, we can craft malicious serialized Parcel data: because the reader consumes one word fewer than the writer produced, everything after that point is parsed at the wrong offset, and the system can be made to act on fields the sender controls.

- The vulnerable file in the AOSP tree is: frameworks/base/core/java/android/hardware/camera2/params/OutputConfiguration.java
- Not only has this been fixed; the current serialized form of the object also carries more default fields.
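To make the mismatch concrete, here is an added example that models the writer and both readers and shows what happens to the data that follows the object in the same Parcel. It is not code from the PoC repository or from AOSP: `Parcel` is a constructed stand-in for android.os.Parcel (a flat buffer of little-endian int32 words, with a typed list encoded as a count followed by its elements), each Surface is modelled as a single int handle, and `TRAILER` stands for whatever the writer placed after the object. The field order follows the writeToParcel quoted above.

```python
"""Model of the CVE-2017-13286 Parcel read/write mismatch (added example, not AOSP code)."""
import struct
from dataclasses import dataclass, field
from typing import Callable, List


class Parcel:
    """Constructed minimal model of android.os.Parcel: a flat buffer of int32 words."""

    def __init__(self, data: bytes = b"") -> None:
        self.data = bytearray(data)
        self.pos = 0

    def write_int(self, value: int) -> None:
        self.data += struct.pack("<i", value)

    def read_int(self) -> int:
        if self.pos + 4 > len(self.data):
            raise ValueError("read past end of parcel")
        (value,) = struct.unpack_from("<i", self.data, self.pos)
        self.pos += 4
        return value

    def write_typed_list(self, items: List[int]) -> None:
        # Simplified writeTypedList layout: element count, then each element.
        self.write_int(len(items))
        for item in items:
            self.write_int(item)

    def read_typed_list(self) -> List[int]:
        count = self.read_int()
        if count < 0:
            raise ValueError("negative list length")
        return [self.read_int() for _ in range(count)]


@dataclass
class OutputConfiguration:
    rotation: int
    surface_group_id: int
    surface_type: int
    width: int
    height: int
    is_deferred: bool
    is_shared: bool
    surfaces: List[int] = field(default_factory=list)  # Surfaces modelled as int handles

    def write_to_parcel(self, dest: Parcel) -> None:
        """Same field order as the AOSP writer: seven scalars, then the list."""
        dest.write_int(self.rotation)
        dest.write_int(self.surface_group_id)
        dest.write_int(self.surface_type)
        dest.write_int(self.width)
        dest.write_int(self.height)
        dest.write_int(1 if self.is_deferred else 0)
        dest.write_int(1 if self.is_shared else 0)
        dest.write_typed_list(self.surfaces)

    @classmethod
    def read_vulnerable(cls, src: Parcel) -> "OutputConfiguration":
        """Mirrors the Android 8.0 reader: is_shared is never read, so the word the
        writer emitted for it is consumed as the surface-list element count."""
        rotation = src.read_int()
        surface_group_id = src.read_int()
        surface_type = src.read_int()
        width = src.read_int()
        height = src.read_int()
        is_deferred = src.read_int() == 1
        surfaces = src.read_typed_list()  # starts one word too early
        return cls(rotation, surface_group_id, surface_type, width, height,
                   is_deferred, False, surfaces)

    @classmethod
    def read_fixed(cls, src: Parcel) -> "OutputConfiguration":
        """Reader that consumes exactly what write_to_parcel produced."""
        rotation = src.read_int()
        surface_group_id = src.read_int()
        surface_type = src.read_int()
        width = src.read_int()
        height = src.read_int()
        is_deferred = src.read_int() == 1
        is_shared = src.read_int() == 1
        surfaces = src.read_typed_list()
        return cls(rotation, surface_group_id, surface_type, width, height,
                   is_deferred, is_shared, surfaces)


TRAILER = 0x1337  # constructed: whatever the writer placed after the object


def round_trip(reader: Callable[[Parcel], OutputConfiguration]) -> dict:
    """Serialize a config plus a trailing word, parse it with `reader`, re-serialize,
    and report what the parser saw and how the byte layout changed."""
    original = OutputConfiguration(0, 1, 2, 640, 480, False, True, [0x41, 0x42])
    parcel = Parcel()
    original.write_to_parcel(parcel)
    parcel.write_int(TRAILER)
    parsed = reader(parcel)
    next_word = parcel.read_int()  # what the next consumer of this parcel sees
    reserialized = Parcel()
    parsed.write_to_parcel(reserialized)
    return {
        "surfaces": parsed.surfaces,
        "is_shared": parsed.is_shared,
        "next_word": next_word,
        "bytes_consumed": parcel.pos - 4,  # exclude the trailer we just read
        "bytes_reserialized": len(reserialized.data),
    }


if __name__ == "__main__":
    for name, reader in (("vulnerable", OutputConfiguration.read_vulnerable),
                         ("fixed", OutputConfiguration.read_fixed)):
        print(name, round_trip(reader))
```

With the vulnerable reader the surface list comes back as `[2]` (the real element count, taken as a handle), the next consumer of the parcel sees `0x41` instead of the trailer, and the object consumes 32 bytes on input but produces 36 on re-serialization, so every boundary after it moves. The fixed reader round-trips byte for byte and leaves the trailer where the writer put it. The check a practitioner wants is exactly that equality: serialize, deserialize, serialize again, and compare lengths and bytes for every Parcelable that crosses a trust boundary.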
File Snapshot

```text
[4.0K] /data/pocs/dda59b6385f6f43370a4707f9a978d390a556d25
├── [4.0K] app
│   ├── [1.0K] build.gradle
│   ├── [ 750] proguard-rules.pro
│   └── [4.0K] src
│       └── [4.0K] main
│           ├── [1.4K] AndroidManifest.xml
│           ├── [4.0K] java
│           │   └── [4.0K] com
│           │       └── [4.0K] cve
│           │           └── [4.0K] poc201713286
│           │               ├── [1.3K] AuthenticatorService.java
│           │               ├── [ 551] MainActivity.java
│           │               └── [4.6K] MyAuthenticator.java
│           └── [4.0K] res
│               ├── [4.0K] drawable
│               │   └── [5.5K] ic_launcher_background.xml
│               ├── [4.0K] drawable-v24
│               │   └── [1.7K] ic_launcher_foreground.xml
│               ├── [4.0K] layout
│               │   └── [ 778] activity_main.xml
│               ├── [4.0K] mipmap-anydpi-v26
│               │   ├── [ 272] ic_launcher_round.xml
│               │   └── [ 272] ic_launcher.xml
│               ├── [4.0K] mipmap-anydpi-v33
│               │   └── [ 343] ic_launcher.xml
│               ├── [4.0K] mipmap-hdpi
│               │   ├── [2.8K] ic_launcher_round.webp
│               │   └── [1.4K] ic_launcher.webp
│               ├── [4.0K] mipmap-mdpi
│               │   ├── [1.7K] ic_launcher_round.webp
│               │   └── [ 982] ic_launcher.webp
│               ├── [4.0K] mipmap-xhdpi
│               │   ├── [3.8K] ic_launcher_round.webp
│               │   └── [1.9K] ic_launcher.webp
│               ├── [4.0K] mipmap-xxhdpi
│               │   ├── [5.8K] ic_launcher_round.webp
│               │   └── [2.8K] ic_launcher.webp
│               ├── [4.0K] mipmap-xxxhdpi
│               │   ├── [7.6K] ic_launcher_round.webp
│               │   └── [3.8K] ic_launcher.webp
│               ├── [4.0K] values
│               │   ├── [ 378] colors.xml
│               │   ├── [  74] strings.xml
│               │   └── [ 814] themes.xml
│               ├── [4.0K] values-night
│               │   └── [ 814] themes.xml
│               └── [4.0K] xml
│                   ├── [ 275] authenticator.xml
│                   ├── [ 478] backup_rules.xml
│                   └── [ 551] data_extraction_rules.xml
├── [ 229] build.gradle
├── [4.0K] gradle
│   └── [4.0K] wrapper
│       ├── [ 58K] gradle-wrapper.jar
│       └── [ 230] gradle-wrapper.properties
├── [1.2K] gradle.properties
├── [5.6K] gradlew
├── [2.6K] gradlew.bat
├── [1.7K] README.md
└── [ 329] settings.gradle

23 directories, 37 files
```