Android ASLR Vulnerability Fixed

Monday, November 24, 2014 @ 07:11 PM gHale


A vulnerability in Android versions below 5.0 could allow an attacker to bypass the ASLR defense and execute code of their choice.

The issue lies in the deserialization of input data: java.io.ObjectInputStream failed to check whether the class of an incoming object was actually serializable before reconstructing the object from the byte stream.


Serialization converts an object into a sequence of bytes so that its current state can be saved to persistent storage or handed to another process; the reverse procedure, deserialization, rebuilds an equivalent object from those bytes.

A technical description of the bug came from Jann Horn, the security researcher who discovered the flaw. He said apps can communicate with system_service, which runs as the privileged system user (UID 1000), using Intents with attached Bundles; these “are transferred as arraymap Parcels and arraymap Parcels can contain serialized data. This means that any app can attack the system_service this way,” the advisory said.

Horn thought about serialization in other contexts, such as Android, after hearing a talk about a vulnerability in a PHP web app involving deserialization of attacker-provided input data.

Reasoning that Java is supposed to ensure that only serializable classes get deserialized, and that ObjectInputStream may receive untrusted input, he checked whether the Android developers had actually implemented that check. “Went home, checked, the vuln was there,” he said in a Reddit post.
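As an added illustration (this is not Horn's proof-of-concept and not the Android fix), the Java below shows the kind of check a consumer of untrusted serialized data can enforce itself rather than relying on the platform: a subclass of ObjectInputStream overrides resolveClass so that every class named in the stream is vetted against an allowlist and confirmed to implement Serializable before any instance is created. The Greeting type, the allowlist contents and the sample streams are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SafeDeserialization {

    // Constructed sample type standing in for data the receiver legitimately expects.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Hypothetical policy: the only classes this receiver is willing to instantiate.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            Greeting.class.getName(),
            "java.lang.String"));

    // resolveClass runs when the stream's class descriptor is read, i.e. before the
    // object is allocated, so rejecting here prevents any constructor, readObject or
    // finalizer of an unexpected class from ever running.
    static final class CheckedObjectInputStream extends ObjectInputStream {
        CheckedObjectInputStream(byte[] data) throws IOException {
            super(new ByteArrayInputStream(data));
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "not on the deserialization allowlist");
            }
            Class<?> cls = super.resolveClass(desc);
            // Defensive duplicate of the check the vulnerable Android runtime skipped:
            // a stream must not be able to name a class that is not Serializable.
            if (!Serializable.class.isAssignableFrom(cls)) {
                throw new InvalidClassException(name, "does not implement Serializable");
            }
            return cls;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new CheckedObjectInputStream(data)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // An expected class round-trips normally.
        Greeting g = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + g.text);

        // A serializable but unexpected class (constructed attacker input) is refused
        // before it is instantiated.
        byte[] unexpected = serialize(new ArrayList<String>());
        try {
            deserialize(unexpected);
            System.out.println("ERROR: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

The allowlist is the part that matters: a check that a class is merely Serializable stops the specific Android bug but still lets a stream instantiate any serializable class on the classpath, so a receiver of untrusted Parcels or Bundles should enumerate exactly the types it expects.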

Horn also developed a proof-of-concept that crashes system_service to demonstrate the issue. He has not written a full exploit, and the proof-of-concept was tested only on a Google Nexus 5 running Android 4.4.4, so he is not certain how reliably the weakness can be exploited on vulnerable devices.

Turning this into a full root exploit would require chaining it with another vulnerability, because the system UID is itself restricted from gaining root privileges.

Horn disclosed his finding to the Android development team on June 22; during the following week he produced the proof-of-concept and received a reply acknowledging the problem.

On November 3, a patch shipped in Android 5.0 Lollipop as part of the AOSP (Android Open Source Project) code release.

The researcher said the checks the developers implemented are solid and that similar flaws should no longer be possible.
