Google Android - WifiNative::setHotlist Stack Overflow

EDB-ID:

40945

CVE:

2016-6772

EDB Verified:

Author:

Google Security Research

Type:

dos

Exploit:   /  

Platform:

Android

Date:

2016-12-20

Vulnerable App: 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=958

The following code in frameworks/opt/net/wifi/service/jni/com_android_server_wifi_WifiNative.cpp doesn't validate the parameter params.num_bssid, and then copies that number of elements into a stack-allocated wifi_bssid_hotlist_params structure. I don't think this can be reached from an untrusted_app context; but it can be reached from a context with system_api_service access; so a compromised platform app or one of several lower privileged system services (bluetooth, nfc etc.).

static jboolean android_net_wifi_setHotlist(
        JNIEnv *env, jclass cls, jint iface, jint id, jobject ap)  {

    JNIHelper helper(env);
    wifi_interface_handle handle = getIfaceHandle(helper, cls, iface);
    ALOGD("setting hotlist on interface[%d] = %p", iface, handle);

    wifi_bssid_hotlist_params params;
    memset(&params, 0, sizeof(params));

    params.lost_ap_sample_size = helper.getIntField(ap, "apLostThreshold");

    JNIObject<jobjectArray> array = helper.getArrayField(
            ap, "bssidInfos", "[Landroid/net/wifi/WifiScanner$BssidInfo;");
    params.num_bssid = helper.getArrayLength(array);

    if (params.num_bssid == 0) {
        ALOGE("setHotlist array length was 0");
        return false;
    }

    for (int i = 0; i < params.num_bssid; i++) { // <--- no validation on num_bssid
        JNIObject<jobject> objAp = helper.getObjectArrayElement(array, i);

        JNIObject<jstring> macAddrString = helper.getStringField(objAp, "bssid");
        if (macAddrString == NULL) {
            ALOGE("Error getting bssid field");
            return false;
        }

        ScopedUtfChars chars(env, macAddrString);
        const char *bssid = chars.c_str();
        if (bssid == NULL) {
            ALOGE("Error getting bssid");
            return false;
        }
        parseMacAddress(bssid, params.ap[i].bssid); // <--- params.ap has 128 elements.

        mac_addr addr;
        memcpy(addr, params.ap[i].bssid, sizeof(mac_addr));

        char bssidOut[32];
        snprintf(bssidOut, sizeof(bssidOut), "%0x:%0x:%0x:%0x:%0x:%0x", addr[0],
                 addr[1], addr[2], addr[3], addr[4], addr[5]);

        ALOGD("Added bssid %s", bssidOut);

        params.ap[i].low = helper.getIntField(objAp, "low");
        params.ap[i].high = helper.getIntField(objAp, "high");
    }

See attached for a POC which causes a crash before the function with the corrupted stack frame returns and checks the stack cookie.

LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[---------------------------------------------------------------------REGISTERS----------------------------------------------------------------------]
*X0   0x80000000 <-- 0x0
*X1   0x0
*X2   0x707882c3e0 <-- u'c0:1d:b3:3f:01:...'
*X3   0x3
*X4   0x709bf05fc0 <-- stp    x28, x27, [sp, #-0x60]!
*X5   0x709c1f07b0 (art::gJniNativeInterface) <-- 0x0
*X6   0x709bf27034 <-- cbz    x2, #0x709bf27040 /* u'b' */
*X7   0x284801ff284800ff
*X8   0xc01d0142c01d0229
*X9   0x1
*X10  0xc01d0142c01d0141
*X11  0x7082dff4e8 <-- 0x41013fb31dc0
 X12  0x0
*X13  0x0
*X14  0x0
*X15  0x33511e057221be
*X16  0x709f0035a0 (pthread_getspecific@got.plt) --> 0x709efaad5c (pthread_getspecific) <-- movz   w8, #0x8000, lsl #16
*X17  0x709efaad5c (pthread_getspecific) <-- movz   w8, #0x8000, lsl #16
*X18  0x0
*X19  0x707882c3e0 <-- u'c0:1d:b3:3f:01:...'
*X20  0x7082dfe0a0 --> 0x70833c1470 --> 0x7083381c0c (android::JNIObject<_jobject*>::~JNIObject()) <-- adrp   x2, #0x70833c2000
*X21  0x7082dfe0b8 --> 0x70833c1490 --> 0x7083381c70 (android::JNIObject<_jstring*>::~JNIObject()) <-- adrp   x2, #0x70833c2000
*X22  0x7082dfe078 <-- 0x0
*X23  0xb1da807287fa8cf
*X24  0x709f00e86c (je_tsd_tsd) <-- 0xa880000000
*X25  0x7082dfe8d8 <-- u'c0:1d:b3:3f:1:4...'
*X26  0x200011
*X27  0x7082dfe0d0 <-- 0x100000000001
*X28  0x707882c3e0 <-- u'c0:1d:b3:3f:01:...'
*SP   0x70815310f0 <-- 0x0
*PC   0x709efaada8 (pthread_getspecific+76) <-- ldr    x10, [x10, #0xe0]
[------------------------------------------------------------------------CODE------------------------------------------------------------------------]
 => 0x709efaada8L <pthread_getspecific+76>    ldr    x10, [x10, #0xe0]
    0x709efaadacL <pthread_getspecific+80>    cmp    x10, x9
    0x709efaadb0L <pthread_getspecific+84>    b.ne   #pthread_getspecific+56       <0x709efaad94>
...
    0x709efaad94L <pthread_getspecific+56>    mov    x0, xzr
    0x709efaad98L <pthread_getspecific+60>    str    xzr, [x8]
    0x709efaad9cL <pthread_getspecific+64>    ret    

    0x709efaada0L <pthread_getspecific+68>    add    x10, x10, x8, lsl #4
    0x709efaada4L <pthread_getspecific+72>    add    x8, x10, #0xe8
 => 0x709efaada8L <pthread_getspecific+76>    ldr    x10, [x10, #0xe0]
    0x709efaadacL <pthread_getspecific+80>    cmp    x10, x9
    0x709efaadb0L <pthread_getspecific+84>    b.ne   #pthread_getspecific+56       <0x709efaad94>
[------------------------------------------------------------------------CODE------------------------------------------------------------------------]
155	in bionic/libc/bionic/pthread_key.cpp
[-----------------------------------------------------------------------STACK------------------------------------------------------------------------]
00:0000| sp  0x70815310f0 <-- 0x0
...
04:0020|     0x7081531110 --> 0x3f800000 <-- 0x0
05:0028|     0x7081531118 <-- 0x0
...
[---------------------------------------------------------------------BACKTRACE----------------------------------------------------------------------]
>  f 0       709efaada8 pthread_getspecific+76
   f 1       709efd2394 je_free+68
   f 2       709efd2394 je_free+68
   f 3       709efd2394 je_free+68
   f 4       709efd2394 je_free+68
   f 5       7083387d10
   f 6       7083387d10
   f 7       7083387d10
Program received signal SIGSEGV (fault address 0x1d0142c01d0221)
pwndbg> bt
#0  pthread_getspecific (key=<optimized out>) at bionic/libc/bionic/pthread_key.cpp:160
#1  0x000000709efd2394 in je_tsd_wrapper_get () at external/jemalloc/include/jemalloc/internal/tsd.h:609
#2  je_tsd_get () at external/jemalloc/include/jemalloc/internal/tsd.h:609
#3  je_tsd_fetch () at external/jemalloc/include/jemalloc/internal/tsd.h:614
#4  je_free (ptr=0x707882c3e0) at external/jemalloc/src/jemalloc.c:1932
#5  0x0000007083387d10 in _JNIEnv::ReleaseStringUTFChars (utf=0x707882c3e0 "c0:1d:b3:3f:01:"..., string=0x200011, this=0x7091fd2b00) at libnativehelper/include/nativehelper/jni.h:851
#6  ScopedUtfChars::~ScopedUtfChars (this=<synthetic pointer>, __in_chrg=<optimized out>) at libnativehelper/include/nativehelper/ScopedUtfChars.h:45
#7  android::android_net_wifi_setHotlist (env=0x7091fd2b00, cls=<optimized out>, iface=<optimized out>, id=0x690a3633, ap=<optimized out>) at frameworks/opt/net/wifi/service/jni/com_android_server_wifi_WifiNative.cpp:799
#8  0x000000709b1a084c in ?? ()

Fixed in https://source.android.com/security/bulletin/2016-12-01.html


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40945.zip
Tags: Denial of Service (DoS)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services