HEY YOUR PARCEL LOOKS BAD - FUZZING AND EXPLOITING PARCEL-IZATION VULNERABILITIES IN ANDROID presented at BlackHatAsia 2016

by Qidan He,

Summary : Binder is the heart of Android IPC and parcel is its blood. Most things in Android can and are intended to be parceled/unparceled from one process to another. Starting an activity? An intent will be parceled at caller side and eventually unparceled at receiver side. Calling an service? Same, except the receiver side is usually system_server or other privileged service process. Playing a video? Parcels are silently constructed and sent crossed /dev/binder to mediaserver.
Wait, what if the parcel is bad? Evil attacking process can craft malformed marshalled byte stream, thus triggering vulnerability in the receiver side's processing function, corrupting some memory and achieving privilege escalation. We call it "BadParcel." By fuzzing and code auditing, we have managed to find such high-severity vulnerabilities, most of which are also effective for current Android 6.0, enabling zero-permission attacking application to execute code in target high-privilege process like mediaserver and system_server. We will introduce how we write and run our custom fuzzers to effectively generate crashes and identify those bugs, including discussion and work on integration with ASAN and AFL. Besides, we will also present how to exploit one of those bugs, turning it from a simple benign-looking info-leak like index-out-of-bound, to reliable full PC control and shell code execution in mediaserver. We will elaborate the heap spray and memory fengshui technique we use, which we believe could shed some light on exploiting these kind of bugs.