背景
伴随着HarmonyOS NEXT的发布,华为实现了计算机领域三座大山的跨越:操作系统、处理器、编译器。其中HarmonyOS NEXT的编译器名叫arkcompiler,它的发布引起了编译、安全、程序分析等领域人员的广泛关注,我们阅读了arkcompiler的源码,进行了关键步骤的梳理,并绘制了相关流程图,供大家学习参考,如有错误还望批评指正。
伴随着HarmonyOS NEXT的发布,华为实现了计算机领域三座大山的跨越:操作系统、处理器、编译器。其中HarmonyOS NEXT的编译器名叫arkcompiler,它的发布引起了编译、安全、程序分析等领域人员的广泛关注,我们阅读了arkcompiler的源码,进行了关键步骤的梳理,并绘制了相关流程图,供大家学习参考,如有错误还望批评指正。
This article analyzes the cause of CVE-2024-31317, an Android user-mode universal vulnerability, and shares our exploitation research and methods. Through this vulnerability, we can obtain code-execution for any uid, similar to breaking through the Android sandbox to gain permissions for any app. This vulnerability has effects similar to the Mystique vulnerability discovered by the author years ago (which won the Pwnie Award for Best Privilege Escalation Bug), but each has its own merits.
A few months ago, Meta X Red Team published two very interesting Android Framework vulnerabilities that could be used to escalate privileges to any UID. Among them, CVE-2024-0044, due to its simplicity and directness, has already been widely analyzed in the technical community with public exploits available (it's worth mentioning that people were later surprised to find that the first fix for this vulnerability was actually ineffective). Meanwhile, CVE-2024-31317 still lacks a public detailed analysis and exploit, although the latter has greater power than the former (able to obtain system-uid privileges). This vulnerability is also quite surprising, because it's already 2024, and we can still find command injection in Android's core component (Zygote).
This reminds us of the Mystique vulnerability we discovered years ago, which similarly allowed attackers to obtain privileges for any uid. It's worth noting that both vulnerabilities have certain prerequisites. For example, CVE-2024-31317 requires the WRITE_SECURE_SETTINGS
permission. Although this permission is not particularly difficult to obtain, it theoretically still requires an additional vulnerability, as ordinary untrusted_app
s cannot obtain this permission (however, it seems that on some branded phones, regular apps may have some methods to directly obtain this permission). ADB shell natively has this permission, and similarly, some special pre-installed signed apps also have this permission.
However, the exploitation effect and universality of this logical vulnerability are still sufficient to make us believe that it is the most valuable Android user-mode vulnerability in recent years since Mystique. Meta's original article provides an excellent analysis of the cause of this vulnerability, but it only briefly touches on the exploitation process and methods, and is overall rather concise. This article will provide a detailed analysis and introduction to this vulnerability, and introduce some new exploitation methods, which, to our knowledge, are the first of their kind.
Attached is an image demonstrating the exploit effect, successfully obtaining system privilege on major phone brand’s June patch version:
Although the core of this vulnerability is command injection, exploiting it requires a considerable understanding of the Android system, especially how Android's cornerstone—the Zygote fork mechanism—works, and how it interacts with the system_server.
Every Android developer knows that Zygote forks all processes in Android's Java world, and system_server is no exception, as shown in the figure below.
The Zygote process actually receives instructions from system_server and spawns child processes based on these instructions. This is implemented through the poll mechanism in ZygoteServer.java:
1 | Runnable runSelectLoop(String abiList) { |
Then it enters the processCommand
function, which is the core function for parsing the command buffer and extracting parameters. The specific format is defined in ZygoteArguments
, and much of our subsequent work will need to revolve around this format.
1 | Runnable processCommand(ZygoteServer zygoteServer, boolean multipleOK) { |
This is the top-level entry point for Zygote command processing, but the devil is in the details. After Android 12, Google implemented a fast-path C++ parser in ZygoteCommandBuffer
, namely com_android_internal_os_ZygoteCommandBuffer.cpp. The main idea is that Zygote maintains a new inner loop in nativeForkRepeatly
outside the outer loop in processCommand
, to improve the efficiency of launching apps.
nativeForkRepeatly
also polls on the Command Socket and repeatedly processes what is called a SimpleFork
format parsed from the byte stream. This SimpleFork
actually only processes simple zygote parameters such as runtime-args
, setuid
, setgid
, etc. The discovery of other parameters during the reading process will cause an exit from this loop and return to the outer loop in processCommand
, where a new ZygoteCommandBuffer
will be constructed, the loop will restart, and unrecognized commands will be read and parsed again in the outer loop.
System_server may send various commands to zygote, not only commands to start processes, but also commands to modify some global environment values, such as denylistexemptions
which contains the vulnerable code, which we will explain in more detail later.
As for system_server itself, its startup process is not complicated, as launched by hardcoded parameters in Zygote—obviously because Zygote cannot receive commands from a process that does not yet exist, this is a "chicken or egg" problem, and the solution is to start system_server through hardcoding.
The command parameters accepted by Zygote are in a format similar to Length-Value pairs, separated by line breaks, as shown below
1 | 8 [command #1 arg count] |
Roughly, the protocol parsing process first reads the number of lines, then reads the content of each line one by one according to the number of lines. However, after Android 12, the exploitation method gets much more complicated due to some buffer pre-reading optimizations, which also led to a significant increase in the length of this article and the difficulty of vulnerability exploitation.
From the previous analysis, we can see that Zygote simply parses the buffer it receives from system_server blindly - without performing any additional secondary checks. This leaves room for command injection: if we can somehow manipulate system_server to write attacker-controlled content into the command socket.
denylistexemptions
provides such a method
1 | private void update() { |
"Regardless of the reason why hidden_api_blacklist_exemptions
is modified, the ContentObserver
's callback will be triggered. The newly written value will be read and, after parsing (mainly based on splitting the string by commas), directly written into the zygote command socket. A typical command injection."
The attacker's initial idea was to directly inject new commands that would trigger the process startup, as shown below:
1 | settings put global hidden_api_blacklist_exemptions "LClass1;->method1( |
In Android 11 or earlier versions, this type of payload was simple and effective because in these versions, Zygote reads each line directly through Java's readLine
without any buffer implementation affecting it. However, in Android 12, the situation becomes much more complex. Command parsing is now handled by NativeCommandBuffer
, introducing a key difference: after the content is examined for once, this parser discards all trailing unrecognized content in the buffer and exits, rather than saving it for the next parsing attempt. This means that injected commands will be directly discarded!
1 | NO_STACK_PROTECTOR |
"The nativeForkRepeatedly
function operates roughly as follows: After the socket initialization setup is completed, n_buffer->readLines
will pre-read and buffer all the lines—i.e., all the content that can currently be read from the socket. The subsequent reset
will move the buffer's current read pointer back to the initial position—meaning the subsequent operations on n_buffer
will start parsing this buffer from the beginning, without re-triggering a socket read. After a child process is forked, it will consume this buffer to extract its uid
and gid
and set them by itself. The parent process will continue execution and enter the for
loop below. This for
loop continuously listens to the corresponding socket's file descriptor (fd), receiving and reconstructing incoming connections if they are unexpectedly interrupted.
graph TD A[Socket Initialization and Setup] --> B[n_buffer->readLines Reads and Buffers All Lines] B --> C[reset Moves Buffer Pointer Back to Initial Position] C --> D[n_buffer Re-parses the Buffer] D --> E{Fork Child Process} E --> F[Child Process Consumes Buffer to Extract UID and GID] E --> G[Parent Process Continues Execution] G --> H[Enters for Loop] H --> I[n_buffer->clear Clears Buffer] I --> J[Continuously Listens on Socket FD] J --> K[Receives and Rebuilds Incoming Connections] K --> L[n_buffer->getCount] L --> |Valid Input| O[Check if it is a simpleForkCommand] L --> |Invalid Input| I O --> |Is SimpleFork| B O --> |Not SimpleFork| ZygoteConnection::ProcessCommand
1 | for (;;) { |
But this is where things start to get complex and tricky. The call to n_buffer->clear();
discards all the remaining content in the current buffer (the buffer size is 12,200 on Android 12 and HarmonyOS 4, and 32,768 in later versions). This leads to the previously mentioned issue: the injected content will essentially be discarded and will not enter the next round of parsing.
Thus, the core exploitation method here is figuring out how to split the injected content into different reads so that it gets processed. Theoretically, this relies on the Linux kernel's scheduler. Generally speaking, splitting the content into different write
operations on the other side, with a certain time interval between them, can achieve this goal in most cases. Now, let's take a look back at the vulnerable function in system_server
that triggers the writing to the command socket:
1 | private boolean maybeSetApiDenylistExemptions(ZygoteState state, boolean sendIfEmpty) { |
mZygoteOutputWriter
, which inherits from BufferedWriter
, has a buffer size of 8192.
1 | public void write(int c) throws IOException { |
This means that unless flush
is explicitly called, writes to the socket will only be triggered when the size of accumulated content in the BufferedWriter
reaches the defaultCharBufferSize
.
It’s important to note that separate writes do not necessarily guarantee separate reads on the receiving side, as the kernel might merge socket operations. The author of Meta proposed a method to mitigate this: inserting a large number of commas to extend the time consumption in the for
loop, thereby increasing the time interval between the first socket write and the second socket write (flush). Depending on the device configuration, the number of commas may need to be adjusted, but the overall length must not exceed the maximum size of the CommandBuffer
, or it will cause Zygote to abort. The added commas are parsed as empty lines in an array after the string split
and will first be written by system_server
as a corresponding count, represented by 3001
in the diagram below. However, during Zygote parsing, we must ensure that this count matches the corresponding lines before and after the injection.
Thus, the final payload layout is as shown in the diagram below
We want the first part of the payload, which is the content before 13
(the yellow section in the diagram below), to exactly reach the 8192-character limit of the BufferedWriter
, causing it to trigger a flush and ultimately initiate a socket write.
When Zygote receives this request, it should be in com_android_internal_os_ZygoteCommandBuffer_nativeForkRepeatedly
, having just finished processing the previous simpleFork
, and blocked at n_buffer->getCount
(which is used to read the line count from the buffer). After this request arrives, getline
will read all the contents from the socket into the buffer (note: it doesn't read line by line), and upon reading 3001
(line count), it detects that it is not a isSimpleForkCommand
. This causes the function to exit nativeForkRepeatedly
and return to the processCommand
function in ZygoteConnection
.
1 | ZygoteHooks.preFork(); |
The whole procedure is as follows:
graph TD; A[Zygote Receives Request] --> B[Enter com_android_internal_os_ZygoteCommandBuffer_nativeForkRepeatedly]; B --> C[Finish Processing Previous simpleFork]; C --> D[n_buffer->getCount Reads Line Count]; D --> E[getline Reads Buffer]; E --> F[Reads the 3001 Line Count]; F --> G[Detects it is not isSimpleForkCommand]; G --> H[Exit nativeForkRepeatedly]; H --> I[Return to ZygoteConnection's processCommand Function];
This entire 8192-sized block of content is then passed into ZygoteInit.setApiDenylistExemptions
, after which processing of this block is no longer relevant to this vulnerability. Zygote consumes this, and proceed to receive following parts of commands.
At this point, note that we look from the Zygote side back to the system_server side, where system_server is still within the maybeSetApiDenylistExemptions
function's for loop. The 8192 block just processed by Zygote corresponds to the first write
in this for loop.
1 | try { |
The next writer.write
will write the core command injection payload, and then the for loop will continue iterating 3000 (or another specified linecount - 1) times. This is done to ensure that consecutive socket writes do not get merged by the kernel into a single write, which could result in Zygote exceeding the buffer size limit and causing Zygote to abort during its read operation.
These iterations accumulated do not exceed the 8192-byte limit of the BufferedWriter
, will not trigger an actual socket write within the for loop. Instead, the socket write will only be triggered during the flush
. From Zygote's perspective, it will continue parsing the new buffer in ZygoteArguments.getInstance
, corresponding to the section shown in green in the diagram below.
This green section will be read into the buffer in one go. The first thing to be processed is the line count 13
, followed by the fully controlled Zygote parameters injected by the attacker.
This time, the ZygoteArguments
will only contain the 13 lines from this buffer, while the rest of the buffer (empty lines) will be processed in the next call to ZygoteArguments.getInstance
. When the next new ZygoteArguments
instance is created, ZygoteCommandBuffer
will perform another read, effectively ignoring the remaining empty lines.
"After all the complex work outlined above, we have successfully achieved the goal of reliably controlling the Zygote parameters through this vulnerability. However, we still haven’t addressed a critical question: What can be done with these controlled parameters, or how can they be used to escalate privileges?
At first glance, this question seems obvious, but in reality, it requires deeper exploration.
uid
?This might be our first thought: Can we achieve this by controlling the --package-name
and UID?
Unfortunately, the package name is not of much significance to the attacker or to the entire code loading and execution process. Let's recall the Android App loading process:
And let's continue by examining the relevant code inApplicationThread
1 | public static void main(String[] args) { |
As we can see, the APK code loading process actually depends on startSeq
, a parameter maintained by the ActivityManagerService
, which maps ApplicationRecord
to startSeq
. This mapping tracks the corresponding loadApk
, meaning the specific APK file and its path.
So, let’s take a step back:
The answer is yes. By analyzing the parameters in ZygoteArguments
, we discovered that the invokeWith
parameter can be used to achieve this goal:
1 | public static void execApplication(String invokeWith, String niceName, |
This piece of code concatenates mInvokeWith
with the subsequent arguments and executes them via execShell
. We only need to point this parameter to an ELF binary or shell script that the attacker controls, and it must be readable and executable by Zygote.
However, we also need to consider the restrictions imposed by SELinux and the AppData directory permissions. Even if an attacker sets a file in a private directory to be globally readable and executable, Zygote will not be able to access or execute it. To resolve this, we refer to the technique we used in the Mystique vulnerability: using files from the app-lib
directory.
The related method for obtaining a system shell is shown in the figure, with the device running HarmonyOS 4.2.
However, this exploitation method still has a problem: obtaining a shell with a specific UID is not the same as direct in-process code execution. If we want to perform further hooking or code injection, this method would require an additional code execution trampoline, but not every app possesses this characteristic, and Android 14 has further introduced DCL (Dynamic Code Loading) restrictions.
So, is it possible to further achieve this goal?
jdwp
FlagHere, we propose a new approach: the runtime-flags
field in ZygoteArguments
can actually be used to enable an application's debuggable attribute.
1 | static void applyDebuggerSystemProperty(ZygoteArguments args) { |
Building on our analysis in Attempt #1, we can borrow a startSeq
that matches an existing record in system_server
to complete the full app startup process.The key advantage here is that the app's process flags have been modified to enable the debuggable attribute, allowing the attacker to use tools like jdb
to gain execution control within the process.
startSeq
The issue, however, lies in predicting the startSeq
parameter. ActivityManagerService enforces strict validation for this parameter, ensuring that only legitimate values associated with active application startup processes are used.
1 | private void attachApplicationLocked(@NonNull IApplicationThread thread, |
If an unmatched or incorrect startSeq
is used, the process will be immediately killed. The startSeq
is incremented by 1 with each app startup. So how can an attacker retrieve or guess the current startSeq
?
Our solution to this issue is to first install an attacker-controlled application, and by searching the stack frames, the current startSeq
can be found.
The overall exploitation process is as follows (for versions 11 and earlier):
graph TD; A["Attacker Installs a Debuggable Stub Application"] --> B["Search Stack Frames to Obtain the Current startSeq"]; B --> C["startSeq+1, Perform Command Injection; Zygote Hangs, Waiting for Next App Start"]; C --> D["Launch the Target App via Intent; Corresponding ApplicationRecord Appears in ActivityManagerService"]; D --> E["Zygote Executes Injected Parameters and Forks a Debuggable Process"]; E --> F["The New Forked Process Attaches to AMS with the stolen startSeq; AMS Checks startSeq"]; F --> G["startSeq Check Passes, AMS Controls the Target Process to Load Its Corresponding APK and Complete the Activity Startup Process"]; G --> H["The Target App Has a jdwp Thread, and the Attacker Can Attach to Perform Code Injection"];
The attack effect on Android 11 is shown in the following image:
As you can see, we successfully launched the settings
process and made it debuggable for injection (with a jdwp
thread present). Note that the method shown in the screenshot has not been adapted for versions 12 and above, and readers are encouraged to explore this on their own.
Currently, Method 1 provides a simple and direct way to obtain a shell with arbitrary uid
, but it doesn't allow for direct code injection or loading. Method 2 achieves code injection and loading, but requires using the jdwp
protocol. Is there a better approach?
Perhaps we can explore modifying the class name of the injected parameters—specifically, the previous android.app.ActivityThread
—and redirect it to another gadget class, such as WrapperInit.wrapperInit
.
1 | protected static Runnable applicationInit(int targetSdkVersion, long[] disabledCompatChanges, |
It seems that by leveraging WrapperInit
, we can control the classLoader
to inject our custom classes, potentially achieving the desired effect of code injection and execution.
1 | private static Runnable wrapperInit(int targetSdkVersion, String[] argv) { |
The specific exploitation method is left for interested readers to further explore.
This article analyzed the cause of the CVE-2024-31317 vulnerability and shared our research and exploitation methods. This vulnerability has effects similar to the Mystique vulnerability we discovered years ago, though with its own strengths and weaknesses. Through this vulnerability, we can obtain arbitrary UID privileges, which is akin to bypassing the Android sandbox and gaining access to any app's permissions.
Thanks to Tom Hebb from the Meta X Team for the technical discussions—Tom is the discoverer of this vulnerability, and I had the pleasure of meeting him at the Meta Researcher Conference.
poc如下, 与--feedback-normalization
息息相关
1 | const obj = Object; |
漏洞发生时的调用栈如下
1 | [#4] 0x555557944e63 → prototype_or_initial_map() |
问题出现在feedback_normalization
标志相关的代码中
1 | Handle<Map> Map::TransitionToDataProperty(Isolate* isolate, Handle<Map> map, |
我们发现constructor->initial_map()
会尝试获取job(Object)->map->constructor->initial_map
字段.
考虑下面这个例子
job(f)->initial_map
是lazy分配的, 在有对象new之前都是空new f()
之后, 就会创建map并写入job(f)->initial_map
, 作为obj
的隐式类1 | function f() { |
也就是说下面这段获取对象构造方法的代码假设了: 如果一个对象具有JSFunction类型的构造方法, 那么该构造方法一定具有initial_map
换成代码表示就是, 如果job(obj)->map->constructor
为JSFunction
, 那么job(obj)->map->constructor
一定具有initial_map
字段. 不然job(obj)->map
来自于哪里呢?
1 | if (!maybe_map.ToHandle(&result)) { // maybe_map为空的 |
但是在本例子中job(Object)->map->constructor
打破了这个假设. Object
是一个特殊的对象, Object->map->constructor
虽然是一个JSFunction
, 但是这个constructor
中并没有initial_map
字段, 从而打破了这个假设
initial_map()
定义如下, DCEHCK条件为map()->has_prototype_slot()
, 也就是说要求job(Object)->map->constructor->map->has_prototype_slot()
为true, 也就是说要求Object
的构造方法具有一个原型slot
1 | DEF_GETTER(JSFunction, initial_map, Tagged<Map>) { |
JSFunction
的定义如下, 根据注释可知, JSFunction
的prototype_or_initial_map
字段是可能不分配的, map()->has_prototype_slot()
就表示是否分配了该字段
1 | // This class does not use the generated verifier, so if you change anything |
总结:
JSFunction::prototype_or_initial_map
是有可能不分配的, JSFunction::map::has_prototype_slot
就表示该字段是否分配了Object
对象的构造方法打破了这个假设, job(Object)->map->constructor
是一个JSFunction
类型的对象, 但是该对象并没有prototype_or_initial_map
字段, 尽管他是Object
的构造方法针对这个越界读的漏洞, 需要思考下列问题:
Object
与job(Object)->map->constructor
的来源, 也就是他们是怎么被分配的job(Object)->map->constructor
后面的对象如下, 似乎不是随机的, 研究下这个对象是怎么申请出来的, 能否释放掉
后面的对象的地址为0x328a00141e65
, 发现job(Object)->map->constructor
后面就是job(Object)->map->constructor->properties
内存布局如下
1 | ---------------- ------------- |
所以只要修改job(Object)->map->constructor
中的属性, 使得job(Object)->map->constructor->properties
需要重新申请, 那么后面的PropertyArray
对象自然就没用了, 就会被释放掉
POC如下
1 | let obj = Object; |
这样就会使得后面变成表示空闲空间的FreeSpace
对象
1 | extern class FreeSpace extends HeapObject { |
gc()
之后如下
之后通过堆喷就可以在job(Object)->map->constructor
后面放置任意js对象
1 | let obj = Object; |
下面需要思考控制了之后能达到什么效果?
越界读initial_map
后的相关操作如下
initial_map
进行Normalize()
, 也就是根据initial_map
生成表示dictionary的mapinitial_map
相关的map transition都弃用并进行反优化EquivalentToForNormalization()
, 如果基于initial_map Normalize()的结果与map并不等价, 那么就会基于map进行Normalize, 此时map就相当于失效了1 | Handle<Map> Map::TransitionToDataProperty(Isolate* isolate, Handle<Map> map, |
EquivalentToForNormalization()
的检查下一步就是要绕过EquivalentToForNormalization()
的检查, 否则就不会使用我们堆喷对象的隐式类
判断逻辑如下
1 | bool Map::EquivalentToForNormalization(const Tagged<Map> other, PropertyNormalizationMode mode) const { |
调试发现只需要满足CheckEquivalentModuloProto(*this, other)
即可
1 | CheckEquivalentModuloProto(*this, other): 0 |
CheckEquivalentModuloProto()
的判断逻辑如下
1 | bool CheckEquivalentModuloProto(const Tagged<Map> first, |
调试发现
1 | first->GetConstructorRaw() == second->GetConstructorRaw(): 1 |
对比Normailize(job(o)->map)
的结果和原来的map
, 如下
1 | 0x26ce01e00049: [Map] in OldSpace |
为了让type
都是JS_FUNCTION_TYPE
, 因此需要堆喷JSFunction对象, JSFunction
对象刚好0x20大小, poc如下, 就可以绕过EquivalentToForNormalization()
的判断
1 | let obj = Object; |
对比Normailize(job(o)->map)
的结果和原来的map
, 如下
1 | # Normarlize(job(o)->map)的结果 |
Normalize()
后map中可控的字段现在虽然可以绕过了, 但似乎无事发生, Normalize()
具体是怎么转换的, 怎么利用这个扩大战果?
EquivalentToForNormalization()
中限制的字段都不能改动,Normailze()
看一下哪些可以控制, 从而找到最终的可随意控制的字段EquivalentToForNormalization()
中检查的相关代码如下:
1 | // CLEAR_INOBJECT_PROPERTIES=True, properties为0 |
总结:
result->prototype() == map->prototype() = Function的原型对象
result->bit_field2 == ElementsKindBits::update(map->bit_filed2, result->elements_kind)
. 也就是map->bit_field2
除了elements_kind
字段其余的要和result->bit_field2
一致result->GetInObjectProperties()==0
GetEmbedderFieldCount()
表示内嵌的字段一致result->constructor->map->constructor->...->map->constructor
最终找到的是一致的instance_type
字段完全一致bit_field
字段完全一致bit_field2->is_extensible
一致bit_field2->new_target_is_base
一致Normalize()
的过程如下.
Normailize()
之后就变成了dictionary map, 也就是说对象的proeprties使用字典来表示, 命名属性的key value都保存在这个字段中, map不再使用descriptor array保存属性名1 | // fast_map就是后面伪造的initial_map |
Map
中包含如下字段
1 | bitfield struct MapBitFields2 extends uint8 { |
目标字段筛选
EquivalentToForNormalization
中允许不一致的Normalize()
根据initial_map
设置的字段, 那么就是我们可任意控制的符合这两个条件的只有elements_kind
字段
也就是说TransitionToDataProperty()
在属性过多需要转换为dictionary map时, 会使用map->constructor->initial_map
的elements_kind
设置新隐式类的elements_kind
elements kind的lattice如下, elements kind只能沿着格子向下转换, 也就是逐步变得更加的泛化, 下面这些都是fast elements kind, 也就是基于数组的
elements kind表示对象的可排序属性的保存方式, 对于下面这个默认job(o)->map->elements_kind = HOLEY_ELEMENTS
, 他要变得更加宽泛就只能变成DICTIONARY_ELEMENTS
1 | let o = function (){}; |
这部分EXP如下
1 | let obj = Object; |
由此扩大了战果, 得到了新的crash
1 | # Fatal error in ../../src/objects/object-type.cc, line 82 |
总结一下之前的利用过程
job(Object)->map->constructor
后面一个对象的map
作为当作是job(Object)->map->constructor->initial_map
job(Object)->map->constructor
后面一个对象刚好就是job(Object)->map->constructor->properties
指向的PropertyArray
对象. 添加属性释放该对象并通过堆喷使得越界读到的map
字段可控initial_map
后会调用Normalize(initial_map)
将其转换为dictionary_map, 并且会调用EquivalentToForNormalization()
检查一些字段是否与job(Object)->map
一致, 确认无误后, Normalize(initial_map)
会作为job(Object)->map
Normalize()
与EquivalentToForNormalization()
不会对elements_kind字段进行任何检查, 默认job(Object)->map->elements_kind
与job(Object)->map->constructor->initial->elements_kind
是一致的, 由此导致job(Object)->map->elements_kind
可以被伪造, 从HOLEY_ELEMENTS
被覆盖为DICTIONARY_ELEMENTS
, 但是job(Object)->elements
不会改变现在的问题: 把HOLEY_ELEMENTS
混淆为DICTIONARY_ELEMENTS
后如何利用?
研究读写elements时进行的操作, 看看能否转换为任意读写
NumberDictionary
的内存布局JSObject::eleemtns
字段有两种模式
FixedArray
类型的对象NumberDictionary
类型的对象1 | extern class JSObject extends JSReceiver { |
FixedArrayBase
是FixedArray
和NumberDictionary
的基类, 发现NumberDictionary
是FixedArray
的子类, 内存布局完全一致, 只是对于数组中项使用上的区别, 这是非常好的性质, 可以通过FixedArray
中的SMI或者指针任意伪造NumberDictionary
中的一些元数据字段
1 | extern class FixedArrayBase extends HeapObject { |
那么NumberDictionary
中数组的项有哪些用于元数据呢? 对于下面例子
1 | let o = {}; |
o
的对象表示如下
内存布局如下
NumberDictionary
采用数组来实现一个hash表, 解决hash冲突的方式简单, 如果如果hash(key) = i
, 但是Entry[i]
已经被占用了, 那么就直接延后尝试放在Entry[i+1], Entry[i+2], ...
NumberDictionary
时, 如果hash(key) = i
, 那么就需要从Entry[i]
开始遍历数组, 直到Entry[i].key == key
为止1 | NumberDictionary: |
NumberDictionary
对象现在可以伪造一个NumberDictionary
对象了, 应该尝试给一个很大的capacity, 使其越界读写
想要实现OOB需要解决两个问题
job(obj)->elements
后面的内存回顾搜索过程, initial_entry = hash(index)&(capacity-1)
, hash计算的过程如下, 关键的是计算hash时会与HashSeed
进行异或, 但是HashSeed()
是随机数的不可控, 这就导致hash(index)
的结果不可控
1 | static uint32_t ComputeSeededIntegerHash(Isolate* isolate, int32_t key) { |
思路
capacity
是自己可以完全控制的, 不一定要完全为2的幂, 如果是0x1
, 那么hash
的结果就恒定为0
, 这样就可以消除hash与随机数带来的熵initial_entry
只是大数组中起始搜索的位置, 只要key匹配不上后续就会一致遍历那么怎么布局堆? 溢出覆盖哪一个对象?
现在是一个部分受限制的数组OOB
Entry[i].key
必须已知Entry[i].value
可以被任意读写Entry[i].details
的最后1bit必须是0, 必须是SMIi
必须是2^n - 1
, 这样稳定性最高, 位于数组最后一个, 无论initial_entry
从哪里开始都可以命中. 这个可以通过填充[1, 2, 3, ...]
来控制, 不难解决1 | ------------- |
或者溢出就控制JSArray
中的元素, 因为想在相当于有了两种写入同一个对象中元素的方式, 能否搞出一个类型混淆, 直接实现fakeObj和addrOf原语?
POC如下, obj[0xDD]
和arr[7]
实际引用到的是同一个元素
1 | // job(obj)->elements为FixedArray, job(obj)->map->elements_kind=HOLEY_ELEMENTS |
SMI数组ptr使用最低1bit进行区分, 所以没法直接混淆, 可以让arr
变成double array, 这样就可以完全控制一个Word中的所有bit, 完成double和TaggedPtr之间的混淆
总结: 虽然Entry溢出没法直接溢出到JSArray, Map
等对象的关键字段, 但是可以直接使得job(obj)->elements
的DictionArray
对象与job(arr)->elements
的FixedDoubleArray
对象重叠, 这样就可以实现对于相同内存数据的不同解释方式:
job(obj)->elements
认为Entry的key为TaggedPtr表示方式, 如果末尾1bit为1就会解释为js对象job(arr)->elements
认为内部是64字节的Double数据, 会将其作为纯数据控制进一步的
addrOf()
原语
obj[0xDD] = {}
相当于在job(obj)->elements.entry[7].value
中对象指针arr[3]
相当于把job(arr)->elements[3]
中的数据当做浮点数读出来job(arr)->elements[3]
与job(obj)->elements.entry[7].value
实际上是同一个内存地址, 这就可以泄露对象指针fakeObj()
原语: 思路是一样的, 先arr[3]=...
以浮点数的方式写入数据, 然后obj[0xDD]
将其作为对象指针读出来
实测发现无法通过伪造capacity字段进行越界
伪造NumberDictionary::capacity
字段的方式无法实现数组越界, 因为每次从job(obj)->elements
中加载元素时总会与job(obj)->elements->length
字段进行检查
1 | template <typename TIndex> |
后续发现: 也就是说DictionaryNumber的读走的是CSA编写的方法, 这会进行字段的检查, 但是DictionaryNumber的写入走的是Runtime方法, Runtime方法并没有进行Elements数组边界检查, 这启发我们: 能否让DictionaryNumber的读操作也走Runtime方法, 以绕过CAS的CHECK检查
检查一下CSA实现的DictionaryNumber
的Load的逻辑, 看一下怎么使其进入Runtime的处理方法
KeyedLoadIC_Megamorphic()
会调用到KeyedLoadICGeneric()
, KeyedLoadICGeneric()
:
TryToName()
转换var_name
, "0"
可以转换为索引, 所以会进入if_index
分支if_index
分支中会调用GenericElementLoad()
在NumbericDictionary
中根据index
搜索对应的值, 如果搜索失败则进入if_runtime
分支if_runtime
分支会调用runtime方法GetProperty()
进行处理1 | void AccessorAssembler::KeyedLoadICGeneric(const LoadICParameters* p) { |
注意:
js中一个对象可以访问的属性除了自身内部定义的属性外, 还有其整个原型链上定义的属性, 都是可读写的
比如obj[0xDD]
KeyedLoadICGeneric()
的if_index
分支, 就专门用于在job(obj)->elements
中搜索0xDD
对应的属性, 如果job(obj)->elements
中不存在那么就会进入if_runtime
分支if_runtime
分支会调用Runtime方法GetProperty
, GetProperty
则是严格按照js中属性访问的定义来实现的, 如果job(obj)->elements
中不存在, 还会搜索job(obj)->properties
, 并沿着原型链job(obj)->map->prototype
指向的对象进行搜索因此, 直接访问obj[0xDD]
会命中CSA中的检查, 但是使用原型对象中转一下就可以实现通过Runtime路径完成读写obj[0xDD]
这个属性
POC如下
obj2
只是一个普通的JS_OBJECT
对象, 自身没有任何属性, 因此KeyedLoadICGeneric()
在处理obj2[0xDD]
时是无法在job(obj2)->elements
中找到这个属性, 因此会进入if_runtime
分支if_runtime
分支的GetProperty()
方法沿着原型链寻找, 最终在job(obj)->elements
中找到0xDD
对应的属性值, 在读入时runtime方法的get()
并不会检查是否超过了job(obj)->elements->length
由此完成越界读写1 | let obj2 = {}; |
这也addrOf与fakeObj原语就齐全了
1 | /*===============工具方法===============*/ |
有了addrOf与fakeObj原语后, 还需要通过shellcode偷渡技术来绕过CFI保护(使用PKEY禁止写入rwx页), 本exp并未绕过v8 heap sandbox, 最终利用效果如下
The Android Application Sandbox is the cornerstone of the Android Security Model, which protects and isolates each application’s process and data from the others. Attackers usually need kernel vulnerabilities to escape the sandbox, which by themselves proved to be quite rare and difficult due to emerging mitigation and attack surfaces tightened.
However, we found a vulnerability in the Android 11 stable that breaks the dam purely from userspace. Combined with other 0days we discovered in major Android vendors forming a chain, a malicious zero permission attacker app can totally bypass the Android Application Sandbox, owning any other applications such as Facebook and WhatsApp, reading application data, injecting code or even trojanize the application ( including unprivileged and privileged ones ) without user awareness. We named the chain "Mystique" after the famous Marvel Comics character due to the similar ability it possesses.
In this talk we will give a detailed walk through on the whole vulnerability chain and bugs included. On the attack side, we will discuss the bugs in detail and share our exploitation method and framework that enables privilege escalation, transparently process injection/hooking/debugging and data extraction for various target applications based on Mystique, which has never been talked about before. On the defense side, we will release a detection SDK/tool for app developers and end users since this new type of attack differs from previous ones, which largely evade traditional analysis.
Android 应用程序沙箱是 Android 安全模型的基石,它保护并隔离每个应用程序的进程和数据。攻击者通常需要内核漏洞来逃离沙箱,由于新兴的缓解措施和攻击面收紧,这本身被证明是非常罕见和困难的。
但是,我们在 Android 11 稳定版中发现了一个漏洞,该漏洞完全来自用户空间。结合我们在主要Android供应商中发现的其他0day形成链,恶意零权限攻击者应用程序可以完全绕过Android应用程序沙箱,拥有Facebook和WhatsApp等任何其他应用程序,在用户无意识的情况下,读取应用程序数据,注入代码甚至木马化应用程序(包括非特权和特权的)。我们以著名的漫威漫画角色命名该连锁店“Mystique”,因为它拥有类似的能力。
在本次演讲中,我们将详细介绍整个漏洞链和包含的错误。在攻击方面,我们将详细讨论漏洞并分享我们的利用方法和框架,该方法和框架可以实现基于 Mystique 的各种目标应用程序的权限提升、透明进程注入/挂钩/调试和数据提取,这是以前从未讨论过的。在防御方面,我们将为应用程序开发人员和最终用户发布检测 SDK/工具,因为这种新型攻击与以前的攻击不同,很大程度上规避了传统分析。
Binary Ninja is an easy-to-use binary analysis platform that provides rich API interfaces to help security researchers perform automated analysis.
Binary Ninja是一款简单易用的二进制分析平台,它提供了丰富的API接口,可以帮助安全研究人员进行自动化的分析。
Parallels Desktop is a virtual machine software under the macOS system that helps users run Windows, Linux and other operating systems. In September 2021, I started security research on Parallels Desktop, during which I discovered several high-severity vulnerabilities. Unfortunately, in the latest update, my vulnerabilities were patched. I wrote this article to describe my Parallels Desktop research process, as well as the technical details of finding and exploiting vulnerabilities.
Parallels Desktop是在macOS系统下的一款虚拟机软件,帮助用户在macOS上运行Windows、Linux等操作系统。在2021年9月份我开始了Parallels Desktop的安全研究,期间发现了若干高危漏洞,非常不幸地是在最近一次更新中,我的漏洞被修补掉了。我写这篇文章用于介绍我的Parallels Desktop研究过程,以及发现漏洞、利用漏洞的技术细节。