Menu

Improved exploit search engine. Try it out

"Android - binder Use-After-Free via fdget() Optimization"

Author

"Google Security Research"

Platform

android

Release date

2019-02-12

Release Date Title Type Platform Author
2019-05-16 "WeChat for Android 7.0.4 - 'vcodec2_hls_filter' Denial of Service" dos android "Hong Nhat Pham"
2019-03-06 "Android - getpidcon() Usage in Hardware binder ServiceManager Permits ACL Bypass" dos android "Google Security Research"
2019-03-06 "Android - binder Use-After-Free via racy Initialization of ->allow_user_free" dos android "Google Security Research"
2019-02-28 "FTP Server 1.32 - Denial of Service" dos android s4vitar
2019-02-21 "AirDrop 2.0 - Denial of Service (DoS)" dos android s4vitar
2019-02-21 "ScreenStream 3.0.15 - Denial of Service" dos android s4vitar
2019-02-20 "Android Kernel < 4.8 - ptrace seccomp Filter Bypass" dos android "Google Security Research"
2019-02-15 "AirMore 1.6.1 - Denial of Service (PoC)" dos android s4vitar
2019-02-14 "ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (PoC)" dos android s4vitar
2019-02-12 "Android - binder Use-After-Free of VMA via race Between reclaim and munmap" dos android "Google Security Research"
2019-02-12 "Android - binder Use-After-Free via fdget() Optimization" dos android "Google Security Research"
2019-02-11 "AirDroid 4.2.1.6 - Denial of Service" dos android s4vitar
2019-01-15 "1Password < 7.0 - Denial of Service" dos android "Valerio Brussani"
2015-07-06 "AirDroid - Arbitrary File Upload" webapps android "Parsa Adib"
2011-11-28 "Google Android - 'content://' URI Multiple Information Disclosure Vulnerabilities" webapps android "Thomas Cannon"
2017-09-20 "Android Bluetooth - 'Blueborne' Information Leak (2)" remote android "Kert Ojasoo"
2017-08-09 "Android Bluetooth - 'Blueborne' Information Leak (1)" remote android "Kert Ojasoo"
2018-04-06 "LineageOS 14.1 Blueborne - Remote Code Execution" remote android "Marcin Kozlowski"
2018-02-25 "Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record" remote android iamrastating
2017-07-20 "Virtual Postage (VPA) - Man In The Middle Remote Code Execution" remote android intern0t
2017-07-20 "SKILLS.com.au Industry App - Man In The Middle Remote Code Execution" remote android intern0t
2017-06-30 "Australian Education App - Remote Code Execution" remote android intern0t
2017-06-30 "BestSafe Browser - Man In The Middle Remote Code Execution" remote android intern0t
2017-06-14 "Google Chrome - V8 Private Property Arbitrary Code Execution" remote android Qihoo360
2017-06-30 "eVestigator Forensic PenTester - Man In The Middle Remote Code Execution" remote android intern0t
2017-12-20 "Samsung Internet Browser - SOP Bypass (Metasploit)" remote android "Dhiraj Mishra"
2017-12-18 "Outlook for Android - Attachment Download Directory Traversal" remote android "Google Security Research"
2016-09-27 "Google Android 5.0 < 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow (Metasploit)" remote android Metasploit
2016-11-28 "Google Android - 'BadKernel' Remote Code Execution" remote android "Guang Gong"
2016-03-30 "Google Android 5.0.1 - Metaphor Stagefright (ASLR Bypass)" remote android NorthBit
Release Date Title Type Platform Author
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-23 "Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free" dos ios "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free" dos multiple "Google Security Research"
2019-05-13 "Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write" dos multiple "Google Security Research"
2019-04-30 "Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification" dos linux "Google Security Research"
2019-04-26 "systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process" dos linux "Google Security Research"
2019-04-24 "Google Chrome 72.0.3626.121 / 74.0.3725.0 - 'NewFixedDoubleArray' Integer Overflow" remote multiple "Google Security Research"
2019-04-24 "VirtualBox 6.0.4 r128413 - COM RPC Interface Code Injection Host Privilege Escalation" local windows "Google Security Research"
2019-04-23 "Linux - 'page->_refcount' Overflow via FUSE" dos linux "Google Security Research"
2019-04-23 "Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition" dos linux "Google Security Research"
2019-04-23 "systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit" dos linux "Google Security Research"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID" dos multiple "Google Security Research"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4" dos multiple "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV NtSetCachedSigningLevel Device Guard Bypass" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 / 1709 - CSRSS SxSSrv Cached Manifest Privilege Escalation" local windows "Google Security Research"
2019-04-03 "Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion" remote multiple "Google Security Research"
2019-04-03 "Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion" dos multiple "Google Security Research"
2019-04-03 "Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion" dos multiple "Google Security Research"
2019-04-03 "WebKitGTK+ - 'ThreadedCompositor' Race Condition" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check" dos multiple "Google Security Research"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46356/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46356/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46356/40800/android-binder-use-after-free-via-fdget-optimization/download/", "exploit_id": "46356", "exploit_description": "\"Android - binder Use-After-Free via fdget() Optimization\"", "exploit_date": "2019-02-12", "exploit_author": "\"Google Security Research\"", "exploit_type": "dos", "exploit_platform": "android", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
This bug report describes *two* different issues in different branches of the
binder kernel code.
The first issue is in the upstream Linux kernel,
commit 7f3dc0088b98 ("binder: fix proc->files use-after-free");
the second issue is in the wahoo kernel (and maybe elsewhere? but at least the
android common kernel for 4.4 doesn't seem to contain this code...),
commit 1b652c7c29b7 ("FROMLIST: binder: fix proc->files use-after-free")
(WARNING: NOT the same as "UPSTREAM: binder: fix proc->files use-after-free" in
the android common kernel!).

Some background: In the Linux kernel, normally, when a `struct file *` is read
from the file descriptor table, the reference counter of the `struct file` is
bumped to account for the extra reference; this happens in fget(). Later, if the
extra reference is not needed anymore, the refcount is dropped via fput().
A negative effect of this is that, if the `struct file` is frequently accessed,
the cacheline containing the reference count is constantly dirty; and if the
`struct file` is used by multiple tasks in parallel, cache line bouncing occurs.

Linux provides the helpers fdget() and fdput() to avoid this overhead.
fdget() checks whether the reference count of the file descriptor table is 1,
implying that the current task has sole ownership of the file descriptor table
and no concurrent modifications of the file descriptor table can occur. If this
check succeeds, fdget() then omits the reference count increment on the
`struct file`. fdget() sets a flag in its return value that signals to fdput()
whether a reference count has been taken. If so, fdput() uses the normal fput()
logic; if not, fdput() does nothing.

This optimization relies on a few rules, including:

A) A reference taken via fdget() must be dropped with fdput() before the end of
   the syscall.
B) A task's reference to its file descriptor table may only be duplicated for
   writing if that task is known to not be between fdget() and fdput().
C) A task that might be between an elided fdget() and fdput() must not
   use ksys_close() on the same file descriptor number as used for fdget().



The current upstream code violates rule C. The following sequence of events can
cause fput() to drop the reference count of an in-use binder file to drop to
zero:

Task A and task B are connected via binder; task A has /dev/binder open at
file descriptor number X. Both tasks are single-threaded.

 - task B sends a binder message with a file descriptor array (BINDER_TYPE_FDA)
   containing one file descriptor to task A
 - task A reads the binder message with the translated file descriptor number Y
 - task A uses dup2(X, Y) to overwrite file descriptor Y with the /dev/binder
   file
 - task A unmaps the userspace binder memory mapping; the reference count on
   task A's /dev/binder is now 2
 - task A closes file descriptor X; the reference count on task A's /dev/binder
   is now 1
 - task A invokes the BC_FREE_BUFFER command on file descriptor X to release the
   incoming binder message
 - fdget() elides the reference count increment, since the file descriptor
   table is not shared
 - the BC_FREE_BUFFER handler removes the file descriptor table entry for X and
   decrements the reference count of task A's /dev/binder file to zero

Because fput() uses the task work mechanism to actually free the file, this
doesn't immediately cause a use-after-free that KASAN can detect; for that, the
following sequence of events works:

[...]
 - task A closes file descriptor X; the reference count on task A's /dev/binder
   is now 1
 - task A forks off a child, task C, duplicating the file descriptor table; the
   reference count on task A's /dev/binder is now 2
 - task A invokes the BC_FREE_BUFFER command on file descriptor X to release the
   incoming binder message
 - fdget() in ksys_ioctl() elides the reference count increment, since the file
   descriptor table is not shared
 - the BC_FREE_BUFFER handler removes the file descriptor table entry for X and
   decrements the reference count of task A's /dev/binder file to 1
 - task C calls close(X), which drops the reference count of task A's
   /dev/binder to 0 and frees it
 - task A continues processing of the ioctl and accesses some property of e.g.
   the binder_proc => KASAN-detectable UAF

To reproduce this on an upstream git master kernel on a normal machine, unpack
the attached binder_fdget.tar, apply the patch
0001-binder-upstream-repro-aid.patch to the kernel (adds some logging and an
msleep() call), make sure that the kernel is configured with Binder and KASAN,
build and boot into the kernel, then build the PoC with ./compile.sh.
Invoke "./exploit_manager" in one terminal and "./exploit_client" in another
terminal. You should see a splat like this in dmesg:

=================
[   90.900693] BUG: KASAN: use-after-free in mutex_lock+0x77/0xd0
[   90.903933] Write of size 8 at addr ffff8881da262720 by task exploit_client/1222

[   90.908991] CPU: 4 PID: 1222 Comm: exploit_client Tainted: G        W         4.20.0-rc3+ #214
[   90.911524] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   90.913989] Call Trace:
[   90.914768]  dump_stack+0x71/0xab
[   90.915782]  print_address_description+0x6a/0x270
[   90.917199]  kasan_report+0x260/0x380
[   90.918307]  ? mutex_lock+0x77/0xd0
[   90.919387]  mutex_lock+0x77/0xd0
[...]
[   90.925971]  binder_alloc_prepare_to_free+0x22/0x130
[   90.927429]  binder_thread_write+0x7c1/0x1b20
[...]
[   90.944008]  binder_ioctl+0x916/0xe80
[...]
[   90.955530]  do_vfs_ioctl+0x134/0x8f0
[...]
[   90.961135]  ksys_ioctl+0x70/0x80
[   90.962070]  __x64_sys_ioctl+0x3d/0x50
[   90.963125]  do_syscall_64+0x73/0x160
[   90.964162]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[...]

[   90.984647] Allocated by task 1222:
[   90.985614]  kasan_kmalloc+0xa0/0xd0
[   90.986602]  kmem_cache_alloc_trace+0x6e/0x1e0
[   90.987818]  binder_open+0x93/0x3d0
[   90.988806]  misc_open+0x18f/0x230
[   90.989744]  chrdev_open+0x14d/0x2d0
[   90.990725]  do_dentry_open+0x455/0x6b0
[   90.991809]  path_openat+0x52e/0x20d0
[   90.992822]  do_filp_open+0x124/0x1d0
[   90.993824]  do_sys_open+0x213/0x2c0
[   90.994802]  do_syscall_64+0x73/0x160
[   90.995804]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[   90.997605] Freed by task 12:
[   90.998420]  __kasan_slab_free+0x130/0x180
[   90.999538]  kfree+0x90/0x1d0
[   91.000361]  binder_deferred_func+0x7b1/0x890
[   91.001564]  process_one_work+0x42b/0x790
[   91.002651]  worker_thread+0x69/0x690
[   91.003647]  kthread+0x1ae/0x1d0
[   91.004530]  ret_from_fork+0x35/0x40

[   91.005919] The buggy address belongs to the object at ffff8881da2625a8
                which belongs to the cache kmalloc-1k of size 1024
[   91.009267] The buggy address is located 376 bytes inside of
                1024-byte region [ffff8881da2625a8, ffff8881da2629a8)
[...]
=================



The code in the msm kernel (at least branches android-msm-wahoo-4.4-pie and
android-msm-wahoo-4.4-pie-qpr1) contains a different bug. In this version of the
code, the binder driver does not hold a long-lived reference to the files_struct
of each task, as it used to, but instead uses
binder_get_files_struct()->get_files_struct() to grab the file descriptor table
of the target task for short-lived operations. Apart from the problems in
interaction with non-bounded privilege transitions, this is also problematic
because it violates rule B: In particular task_close_fd() can close a file
descriptor in another process while that other process is potentially in the
middle of a filesystem operation that uses an elided fdget().

The bug triggers in the following scenario (not quite what my PoC does, but
should give you the basic idea):

 - task B opens some file as file descriptor number Y
 - task A starts sending a transaction to task B
 - the kernel transfers one file descriptor to task B, creating file descriptor
   number X in task B
 - task B uses dup2(Y, X) to override file descriptor number X with file F
 - task B closes file descriptor number Y
 - task B enters a syscall such as read()/write()/... on file descriptor number
   X
 - the kernel continues transferring the transaction from A, but encounters an
   error (e.g. invalid fd number) and has to bail out, triggering cleanup of
   already-transferred file descriptors
 - while task B is in the middle of a syscall, task A closes task B's file
   descriptor number X

To test this on-device, I would have to write code to talk to the service
manager and somehow get the service manager to connect two binder files with
each other for me, which seems complicated. Therefore, instead, I took the
following files from the Android wahoo kernel and copied them into an upstream
git master tree, then fixed up the incompatibilities:

drivers/android/Kconfig
drivers/android/Makefile
drivers/android/binder.c
drivers/android/binder_alloc.c
drivers/android/binder_alloc.h
drivers/android/binder_trace.h
include/uapi/linux/android/binder.h

The attached binder_fdget_wahoo.tar contains three patches:

0001-copy-over-binder-files-from-wahoo-4.4.patch: copy the files from wahoo into
        the upstream git master tree
0002-fix-up-for-git-master.patch: make it build
0003-binder-stuff-for-testing.patch: add some sleeps and prints for reproducing
        the bug

Apply these to the upstream kernel and build it (make sure that it is configured
to build with binder and KASAN). Then compile the wahoo PoC with ./compile.sh,
run ./exploit_manager in one terminal, and run ./exploit_client in another
terminal. You should get a splat like this:

=================
[  204.465949] BUG: KASAN: use-after-free in _raw_spin_lock+0x78/0xe0
[  204.469894] Write of size 4 at addr ffff8881db79e84c by task exploit_client/1255

[  204.473958] CPU: 6 PID: 1255 Comm: exploit_client Not tainted 4.20.0-rc3+ #218
[  204.476098] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[  204.479413] Call Trace:
[  204.480169]  dump_stack+0x71/0xab
[  204.481187]  print_address_description+0x6a/0x270
[  204.482591]  kasan_report+0x260/0x380
[  204.484156]  ? _raw_spin_lock+0x78/0xe0
[  204.485336]  _raw_spin_lock+0x78/0xe0
[...]
[  204.491337]  binder_update_ref_for_handle+0x34/0x280
[  204.492811]  binder_thread_write+0xab4/0x1b70
[...]
[  204.511627]  binder_ioctl_write_read.isra.55+0x155/0x3e0
[...]
[  204.516826]  binder_ioctl+0x5da/0x880
[...]
[  204.522154]  do_vfs_ioctl+0x134/0x8f0
[...]
[  204.530212]  ksys_ioctl+0x70/0x80
[  204.531142]  __x64_sys_ioctl+0x3d/0x50
[  204.532193]  do_syscall_64+0x73/0x160
[  204.533495]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[...]

[  204.553564] Allocated by task 1255:
[  204.554521]  kasan_kmalloc+0xa0/0xd0
[  204.555507]  kmem_cache_alloc_trace+0x6e/0x1e0
[  204.556729]  binder_open+0x90/0x400
[  204.557681]  misc_open+0x18f/0x230
[  204.558603]  chrdev_open+0x14d/0x2d0
[  204.559573]  do_dentry_open+0x455/0x6b0
[  204.560620]  path_openat+0x52e/0x20d0
[  204.561618]  do_filp_open+0x124/0x1d0
[  204.562617]  do_sys_open+0x213/0x2c0
[  204.563588]  do_syscall_64+0x73/0x160
[  204.564580]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  204.566378] Freed by task 7:
[  204.567156]  __kasan_slab_free+0x130/0x180
[  204.568251]  kfree+0x90/0x1d0
[  204.569059]  binder_deferred_func+0x742/0x7d0
[  204.570229]  process_one_work+0x42b/0x790
[  204.571304]  worker_thread+0x69/0x690
[  204.572289]  kthread+0x1ae/0x1d0
[  204.573265]  ret_from_fork+0x35/0x40

[  204.574643] The buggy address belongs to the object at ffff8881db79e628
                which belongs to the cache kmalloc-1k of size 1024
[  204.578833] The buggy address is located 548 bytes inside of
                1024-byte region [ffff8881db79e628, ffff8881db79ea28)
[...]
=================



I think the robust fix for this might be to change ksys_ioctl() and the compat
ioctl syscall to use fget()/fput() instead of fdget()/fdput(). Unless someone
out there has a workload that very frequently calls ioctl() from concurrent
single-threaded processes that share a struct file, I doubt that this would have
significant performance impact, and I think it should be an appropriate fix for
the upstream kernel, too.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46356.zip