From Stagefright to Stagescream: The Android Multimedia Library That Keeps "Bleeding"
吴家志 (Chiachih Wu), 吴磊 (Lei Wu) of C0RE Team

ABOUT US
- C0RE Team Founding Members (c0reteam.org)
- Working on Android/Linux Security
  - Linux Kernel/3rd-party Drivers: CVE-2015-0568, CVE-2015-4419, …
  - Android Framework/Apps: CVE-2015-3862, CVE-2015-3868, …
- North Carolina State University PhDs
  - Virtualization Security: HyperLock (EuroSys '12), DeHype (NDSS '13)
  - Mobile Security: Android Malware Genome Project (Oakland '12), SEFA (CCS '13), AirBag (NDSS '14)

libstagefright
- Linked by privileged processes (e.g., mediaserver)
- Processes complicated input (e.g., MPEG4, Ogg, OMX files)
- Activated by processing media files → attacks are easy to trigger
Picture from https://source.android.com/devices/media.html

JDUCK'S FINDINGS
- Vulnerabilities
  - Seven 0-day stagefright vulnerabilities identified
  - Six of them are rated critical
- Ways to Exploit AOSP Bugs
  - State-of-the-art results of exploiting the 0-day vulnerabilities

BUG ESSENCE #1
- Memory Allocation with an "Overflowed" Size
Cartoon: "Allocating (Size+1)" / "I think I have (Size+1) :P" / "What you really allocated is (0xffffffff+1) = nothing!" / "What happens when you try to access it?"
Picture from http://imgs.xkcd.com/comics/goto.png

BUG ESSENCE #1
- Related AOSP Patch

BUG ESSENCE #2
- Out of Bound Access to Stack/Heap Buffer
  - Due to unsafe size checking logic
Picture from http://truefactscomics.tumblr.com/

BUG ESSENCE #2
- Related AOSP Patch

STAGEFRIGHT → STAGESCREAM
- We found more 0-day vulnerabilities in the Android Multimedia Framework
  - CVE-2015-3873 (Critical Severity, $2,000 awarded)
  - CVE-2015-3869 (Critical Severity, $3,000 awarded)
  - CVE-2015-3868 (Critical Severity, $4,000 awarded)
  - CVE-2015-3862 (Low Severity, $666 awarded)
- Patches will be released by Google soon!
Ø In many cases, the bugs can’t be fixed in one shot Picture  from  http://oaks.nvg.org BUG ESSENCE #1 Ø Memory Allocation with an “Overflowed” Size Ø Leading to CVE-2015-3868 Ø Critical  Severity Ø $3,000   Rewarded Ø P = malloc(A*size); for ( i=0 ; i<A ; i++ ) { P[i] = B;} Ø What if A*size < A? Ø e.g.,  0x80000000   *  2  =  0  on  32-­bit  machines Picture  from  http://imgs.xkcd.com/comics/goto.png BUG ESSENCE #2 Ø Out of Bound Access to Stack/Heap Buffer Ø Due  to  unsafe  size  checking  logic Ø Leading to CVE-2015-3869 Ø Critical  severity,  $3,000   awarded Ø Leading to CVE-2015-3873 Ø Critical  severity,  $2,000   awarded Ø if (size+4 < sizeof(P)) {memcpy(P, Q, size);} Ø What if “size” > sizeof(P)? Ø e.g.,  size  =  0xfffffffc  =>  size+4  =  0  (on  32-­bit  machines) Picture  from  http://truefactscomics.tumblr.com/ BUG ESSENCE #3 Ø Memory Allocation without Error Handling Ø Leading to CVE-2015-3862 Ø Low  Severity,  $666   rewarded Ø P = malloc(size); P[0]=A; Ø What if P is NULL (e.g., size is too large)? http://imgs.xkcd.com/comics/compiler_complaint.png STAGESCREAM Ø Part of related patches in the coming October CVE Severity CVE Severity CVE-2015-3873 Critical CVE-2015-6599 Critical CVE-2015-3872 Critical CVE-2015-6600 Critical CVE-2015-3871 Critical CVE-2015-3870 Critical CVE-2015-3868 Critical CVE-2015-6601 Critical CVE-2015-3867 Critical CVE-2015-3876 Critical CVE-2015-3869 Critical CVE-2015-6604 Critical CVE-2015-3870 Critical CVE-2015-6605 Low CVE-2015-3823 Critical CVE-2015-3862 Low CVE-2015-6598 Critical EXPLOITATION Ø Null Pointer Deference (NPD) Ø Just crash Ø Stack Overflow Ø Heap Overflow Ø Which What one can do we have be exploited ? ? POC by jduck 18 EXPLOITATION: CVE-2015-1538 if mNumSampleToChunkOffsets == 0xC0000003 then mNumSampleToChunkOffsets * 12 = 0x00000024 mSampleToChunkEntries = 3 BASIC STEPS Overwriting Array mDataSource ... 
[Diagram: heap-sprayed buffer filled with spray_addr; the overflowed entries E[0] and E[1] (startChunk, samplesPerChunk, chunkDesc) each hold spray_addr, which points at a fake strong pointer object followed by rop_gadgets; destruction path: RefBase::decStrong (CVE-2014-7911)]
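Added example (not from the slides or the C0RE Team): the three BUG ESSENCE patterns above with the slides' own 32-bit values, each beside a checked form that refuses the wrapping input. kEntrySize (12 bytes per sample-to-chunk entry, as in the CVE-2015-1538 arithmetic) and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed: 12 bytes per entry, matching mNumSampleToChunkOffsets * 12. */
enum { kEntrySize = 12 };

/* Bug essence #1: count * size wraps in 32-bit arithmetic.
 * 0xC0000003 * 12 == 0x24, so a 36-byte buffer backs ~3 billion entries. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t size) {
    return count * size;
}

/* Hardened form: reject any count whose product would not fit in 32 bits. */
int checked_alloc_size(uint32_t count, uint32_t size, uint32_t *out) {
    if (size != 0 && count > UINT32_MAX / size)
        return 0;                     /* would wrap: refuse to allocate */
    *out = count * size;
    return 1;
}

/* Bug essence #2: size + 4 < cap wraps to 0 < cap when size == 0xfffffffc. */
int unchecked_fits(uint32_t size, uint32_t cap) {
    return size + 4 < cap;
}

/* Hardened form: same bound, but never add to the untrusted value. */
int checked_fits(uint32_t size, uint32_t cap) {
    return cap >= 4 && size < cap - 4;
}

/* Bug essence #3: malloc() result used without a NULL check.
 * Here the allocation is size-checked and a NULL result is an error (-1),
 * so a failed or overflowed allocation is never written to. */
int fill_entries(uint32_t count, uint8_t fill, uint8_t **out) {
    uint32_t bytes;
    if (!checked_alloc_size(count, kEntrySize, &bytes))
        return -1;
    uint8_t *p = malloc(bytes ? bytes : 1);
    if (p == NULL)
        return -1;                    /* e.g. size too large for the heap */
    memset(p, fill, bytes);
    *out = p;
    return 0;
}
```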

PDF document: 2015 - "From Stagefright to Stagescream: The Android Multimedia Library That Keeps 'Bleeding'" by 吴家志, 吴磊