- 标题:SVE-2021-23076 (CVE-2021-25510, CVE-2021-25511): Camera privilege escalation and arbitrary file write in FilterProvider (system_app) in Samsung Device
- 描述:An improper validation vulnerability in FilterProvider prior to SMR Dec-2021 Release 1 allows local privilege escalation. The patch adds proper validation logic to prevent privilege escalation.
- 二进制的位置在
/system/app/FilterProvider/FilterProvider.apk - 所有组件中唯一能直接进来的就是这个PackageIntentReceiver
<receiver android:exported="true" android:name="com.samsung.android.provider.filterprovider.PackageIntentReceiver"> <intent-filter> <action android:name="com.samsung.android.provider.filterprovider.INTENT_PACKAGE_ADDED"/> <action android:name="com.samsung.android.provider.filterprovider.INTENT_PACKAGE_REMOVED"/> </intent-filter> <intent-filter> <action android:name="com.samsung.filterinstaller.INSTALL_FILTER"/> <data android:scheme="package" android:sspPrefix="com.candycamera.android.filter"/> <data android:scheme="package" android:sspPrefix="com.ucam.filters.forsamsung"/> <data android:scheme="package" android:sspPrefix="com.pinguo.camera360filter"/> <data android:scheme="package" android:sspPrefix="com.linecorp.aillis.filter"/> <data android:scheme="package" android:sspPrefix="com.linecorp.b612.filter"/> <data android:scheme="package" android:sspPrefix="com.seerslab.filter"/> <data android:scheme="package" android:sspPrefix="com.samsung.android.filter.effect"/> </intent-filter> </receiver> - 而FilterProvider我们只能申请读权限
<provider android:authorities="com.samsung.android.provider.filterprovider" android:exported="true" android:name="com.samsung.android.provider.filterprovider.FilterProvider" android:readPermission="com.samsung.android.provider.filterprovider.permission.READ_FILTER" android:writePermission="com.samsung.android.provider.filterprovider.permission.WRITE_FILTER"/> - 权限定义
<permission android:description="@string/permission_read_filter_desc" android:label="@string/permission_read_filter" android:name="com.samsung.android.provider.filterprovider.permission.READ_FILTER" android:protectionLevel="normal"/> <permission android:description="@string/permission_write_filter_desc" android:label="@string/permission_write_filter" android:name="com.samsung.android.provider.filterprovider.permission.WRITE_FILTER" android:protectionLevel="signature"/> -
onReceiver之后,先进行一番权限的检查,权限检查通过就启动FilterPackageService服务
@Override // android.content.BroadcastReceiver public void onReceive(Context arg16, Intent arg17) { String v13; if(arg17.getDataString() == null) { Log.i(PackageIntentReceiver.TAG, "DataString is null : " + arg17.getAction()); return; } String v3 = arg17.getAction(); String v0 = arg17.getDataString().substring(8); if("com.samsung.filterinstaller.INSTALL_FILTER_LIST".equals(v3)) { //... } Log.i(PackageIntentReceiver.TAG, "action : " + v3); Log.i(PackageIntentReceiver.TAG, "pkgName : " + v0); if(("com.samsung.android.provider.filterprovider.INTENT_PACKAGE_ADDED".equals(v3)) || ("com.samsung.filterinstaller.INSTALL_FILTER".equals(v3))) { try { PackageManager v11_1 = arg16.getPackageManager(); if(v11_1 == null) { return; } PackageInfo v0_5 = v11_1.getPackageInfo(v0, 0x1000); // package name validation bypass if(v0_5 == null || v0_5.requestedPermissions == null) { Log.e(PackageIntentReceiver.TAG, "This package does not have permission"); return; } if(!Arrays.asList(v0_5.requestedPermissions).contains("com.sec.android.camera.permission.USE_EFFECT_FILTER")) { // request permissions validation bypass Log.e(PackageIntentReceiver.TAG, "This package is not a effect filter"); return; Log.e(PackageIntentReceiver.TAG, "This package does not have permission"); return; } } catch(PackageManager.NameNotFoundException v0_4) { Log.e(PackageIntentReceiver.TAG, "onReceive NameNotFoundException : " + v0_4.toString()); } } try { Intent v0_7 = new Intent(arg16, FilterPackageService.class); if(("com.samsung.android.provider.filterprovider.INTENT_PACKAGE_ADDED".equals(v3)) || ("com.samsung.android.provider.filterprovider.INTENT_PACKAGE_REMOVED".equals(v3)) || ("com.samsung.filterinstaller.INSTALL_FILTER".equals(v3)) || ("com.samsung.filterinstaller.INSTALL_FILTER_LIST".equals(v3))) { v0_7.fillIn(arg17, 2); arg16.startService(v0_7); return; } } catch(Exception v0_6) { Log.e(PackageIntentReceiver.TAG, "onReceive exception : " + v0_6.toString()); return; } } - 这个校验写的是让我开幕雷击,这里面至少能想到两个绕过的思路
- 首先是包名字段直接受控于dataString这个外部传入的数据,可以直接伪造sspPrefix里面指定的几个包名就可以了
- 其次requestedPermissions只代表AndroidManifest.xml中定义的权限,和实际应用是否被授予了这个权限无关
- 所以这里面的绕过思路就是,首先配置成白名单的URI和包名,然后再在AndroidManifest.xml定义一下权限
com.sec.android.camera.permission.USE_EFFECT_FILTER即可。 - 测试代码以及输出
try { PackageManager pm = getPackageManager(); PackageInfo pi = pm.getPackageInfo(getPackageName(), PackageManager.GET_PERMISSIONS); Log.d(TAG, "pi.requestedPermissions.length = " + pi.requestedPermissions.length); for (String requestPermission : pi.requestedPermissions) { Log.d(TAG, "requestedPermission: " + requestPermission); } } catch (PackageManager.NameNotFoundException e) { e.printStackTrace(); }D/STest: pi.requestedPermissions.length = 1 D/STest: requestedPermission: com.sec.android.camera.permission.USE_EFFECT_FILTER - 扩展思考:其实这个地方想做权限控制非常简单,直接用checkCallingPermission就完了,不知道三星这是在搞什么。
- 启动FilterPackageService服务之后,是发了一个Handler消息
@Override // android.app.Service public int onStartCommand(Intent arg5, int arg6, int arg7) { if(arg5 == null) { Log.i(FilterPackageService.TAG, "onStartCommand(null)"); return 2; } String v0 = arg5.getAction(); this.mStartId = arg7; Message v7 = this.mServiceHandler.obtainMessage(); Log.v(FilterPackageService.TAG, "onStartCommand(" + v0 + ")"); if("com.samsung.android.provider.filterprovider.INTENT_PACKAGE_ADDED".equals(v0)) { v7.arg1 = 1; v7.obj = arg5.getData().toString(); this.mServiceHandler.sendMessage(v7); return 1; } if("com.samsung.android.provider.filterprovider.INTENT_PACKAGE_REMOVED".equals(v0)) { v7.arg1 = 2; v7.obj = arg5.getData().toString(); this.mServiceHandler.sendMessage(v7); return 1; } if("com.samsung.filterinstaller.INSTALL_FILTER".equals(v0)) { v7.arg1 = 1; v7.setData(arg5.getExtras()); v7.obj = arg5.getData().toString(); this.mServiceHandler.sendMessage(v7); return 1; } if("com.samsung.filterinstaller.INSTALL_FILTER_LIST".equals(v0)) { v7.arg1 = 3; v7.obj = arg5.getParcelableArrayListExtra("filter_package_list"); this.mServiceHandler.sendMessage(v7); return 1; } this.stopSelfResult(this.mStartId); return 1; } - Handler处理消息的代码
@Override // android.os.Handler public void handleMessage(Message arg8) { String v0_1; if(FilterPackageService.VERBOSE_LOGGING) { Log.v(FilterPackageService.TAG, "handleMessage " + arg8.arg1); } PackageManager v0 = FilterPackageService.this.getPackageManager(); if(v0 == null) { Log.e(FilterPackageService.TAG, "There is no packageManager returned"); return; } if(v0.getApplicationEnabledSetting("com.samsung.android.provider.filterprovider") == 2) { Log.e(FilterPackageService.TAG, "FilterProvider application is not enabled"); return; } if(arg8.arg1 == 3) { v0_1 = null; } else { //... } int v4 = arg8.arg1; if(v4 == 1) { new FilterInstaller(FilterPackageService.this.getApplicationContext(), v0_1).installFilters(); } else if(v4 == 2) { new FilterInstaller(FilterPackageService.this, v0_1).uninstallFilters(); } else if(v4 == 3) { Log.d(FilterPackageService.TAG, "ACTION_LIST_ADDED"); if(arg8.obj != null) { ArrayList v8 = (ArrayList)arg8.obj; int v0_2; for(v0_2 = 0; v0_2 < v8.size(); ++v0_2) { Log.d(FilterPackageService.TAG, ((String)v8.get(v0_2))); new FilterInstaller(FilterPackageService.this.getApplicationContext(), ((String)v8.get(v0_2))).installFilters(true); } } FilterNotifyUtil.NotifyChange(FilterPackageService.this.getApplicationContext(), 2, null); } int v0_3 = FilterPackageService.this.mStartId; FilterPackageService.this.stopSelfResult(v0_3); } - 可以看到1号消息是安装一个Filters,2号消息是卸载Filters,而3号消息是安装一个Filters列表,这里我们就关注1号消息
void installFilters(boolean arg4) { Log.i(FilterInstaller.TAG, "installFilters"); this.createDownloadFilterDirectory(); try { Bundle v0 = this.mServiceContext.getPackageManager().getApplicationInfo(this.mPackageName, 0x80).metaData; if(v0 != null && v0.getInt("version") == 3) { this.installSelFilter(this.mServiceContext, v0, this.mPackageName, ((boolean)(((int)arg4)))); return; } this.installLibFilter(this.mServiceContext, this.mPackageName, ((boolean)(((int)arg4)))); } catch(Exception v4) { Log.e(FilterInstaller.TAG, "installFilters error : " + v4.toString()); } } - 这里面的this.mPackageName也是我们可以控制的,因为在FilterInstaller的构造函数里面发现他就是根据构造时传入的第二参数进行设置的,而第二参数是来源于消息对象
FilterInstaller(Context arg1, String arg2) { this.mPackageName = arg2; this.mServiceContext = arg1; } - 此外还取了目标包名应用Manifest文件里面的metaData字段,这些我们也是可以控制的
- 在installSelFilter中存在写入文件的操作,而文件的来源居然是我们应用的assets
private void installSelFilter(Context arg20, Bundle arg21, String arg22, boolean arg23) { Resources v0_5; Cursor v10; Log.i(FilterInstaller.TAG, "installSelFilter"); String v3 = arg21.getString("title"); String v5 = arg21.getString("vendor"); int v7 = arg21.getInt("version"); int v9 = arg21.getInt("title_id"); ContentResolver v15 = arg20.getContentResolver(); int v16 = 0; try { v10 = v15.query(Constants.URI_FILTERS, null, "package_name", new String[]{arg22}, null); } catch(Exception v0) { goto label_63; } //... label_74: String v10_1 = null; try { v0_5 = arg20.getPackageManager().getResourcesForApplication(arg22); // Read our application resources } catch(PackageManager.NameNotFoundException v0_4) { Log.e(FilterInstaller.TAG, "installSelFilter, getResourcesForApplication : " + v0_4.toString()); v0_5 = null; } AssetManager v0_6 = v0_5.getAssets(); // Read our application assets String v11 = v3 + ".sel"; String v12 = this.renameFilterName(v11, arg22); String v13 = FilterInstaller.FILTER_STORAGE_SEL + "/" + v12; Bitmap v0_7 = this.decryptSelFilter(v0_6, "sel/" + v11); if(v0_7 != null) { v10_1 = this.saveBitmapFile(v0_7, v13, true); Log.i(FilterInstaller.TAG, "copied file path : " + v10_1); } if(v10_1 != null) { ContentValues v0_8 = new ContentValues(); v0_8.put("package_name", arg22); v0_8.put("name", v3); v0_8.put("filename", v12); v0_8.put("vendor", v5); v0_8.put("version", String.valueOf(v7)); v0_8.put("title_id", Integer.valueOf(v9)); v0_8.put("filter_type", "SINGLE"); v0_8.put("category", Integer.valueOf(2)); v0_8.put("preload_filter", Integer.valueOf(0)); v0_8.put("vendor_package_name", arg22); Log.i(FilterInstaller.TAG, "installSelFilter - insert DB"); v15.insert(Constants.URI_FILTERS, v0_8); if(arg23) { v16 = 3; } FilterNotifyUtil.NotifyChange(arg20, v16, v0_8); } } - 改名函数是把文件名改为
[package_name].[title].sel,由于title可使用任意字符所以存在路径穿越问题 - 解密过程的密钥和IV值全部为硬编码,可以直接拿来进行加密
private Bitmap decodeAES(String arg6) { try { byte[] v6_1 = Base64.decode(arg6, 0); IvParameterSpec v1 = new IvParameterSpec(FilterInstaller.IV_BYTES); SecretKeySpec v2 = new SecretKeySpec(FilterInstaller.SECRET_KEY.getBytes("UTF-8"), "AES"); Cipher v3 = Cipher.getInstance("AES/CBC/PKCS5Padding"); v3.init(2, v2, v1); return BitmapFactory.decodeByteArray(v3.doFinal(v6_1), 0, v3.doFinal(v6_1).length); } catch(Exception v6) { Log.e(FilterInstaller.TAG, "decodeAES error : " + v6.toString()); return null; } } private Bitmap decryptSelFilter(AssetManager arg4, String arg5) { Log.i(FilterInstaller.TAG, "decryptSelFilter source : " + arg5); try { Scanner v4_1 = new Scanner(arg4.open(arg5)).useDelimiter("\\A"); String v4_2 = v4_1.hasNext() ? v4_1.next() : ""; return this.decodeAES(v4_2); } catch(Exception v4) { Log.e(FilterInstaller.TAG, "decryptSelFilter error : " + v4.toString()); return null; } } - 密钥和IV的值
FilterInstaller.IV_BYTES = new byte[]{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; FilterInstaller.SECRET_KEY = "[3%250947@#73985$903*&)7"; - 这样一来我们可以构造一个合法的Sel文件并且写入到下面的目录中
FilterInstaller.FILTER_STORAGE_ROOT_DIR = Environment.getDataDirectory().getPath(); FilterInstaller.FILTER_STORAGE_SEL = FilterInstaller.FILTER_STORAGE_ROOT_DIR + "/DownFilters"; - 而在installLibFilter函数中,也存在类似的逻辑
private void installLibFilter(Context arg11, String arg12, boolean arg13) { Cursor v1_2; Resources v0; Log.i(FilterInstaller.TAG, "install filter for Lib"); try { v0 = arg11.getPackageManager().getResourcesForApplication(arg12); } catch(PackageManager.NameNotFoundException v11) { Log.e(FilterInstaller.TAG, "installLibFilter, resource error, package name : " + arg12 + ", exception : " + v11.toString()); return; } ContentResolver v1 = arg11.getContentResolver(); int v11_1 = 0; try { v1_2 = v1.query(Constants.URI_FILTERS, null, "package_name", new String[]{arg12}, null); } catch(Exception v1_1) { goto label_67; } //... label_70: AssetManager v1_4 = v0.getAssets(); String[] v2_1 = new String[0]; try { v2_1 = v1_4.list("so"); } catch(IOException v3_1) { Log.e(FilterInstaller.TAG, "installLibFilter, asset lib list exception : " + v3_1.toString()); } if(v2_1.length <= 0) { Log.e(FilterInstaller.TAG, "asset lib list length is small than 0"); return; } int v3_2 = v2_1.length; int v4; for(v4 = 0; v4 < v3_2; ++v4) { String v5 = v2_1[v4]; Log.i(FilterInstaller.TAG, "filterFile : " + v5); if(this.storeLibFilters(v1_4, v0, v5, v5.split("\\.")[0]) == -1L && (v5.endsWith(".so"))) { Log.e(FilterInstaller.TAG, "storeLibFilters fail"); } } ContentValues v0_1 = new ContentValues(); v0_1.put("package_name", arg12); Context v12 = this.mServiceContext; if(arg13) { v11_1 = 3; } FilterNotifyUtil.NotifyChange(v12, v11_1, v0_1); } - 也是从我们应用的assets中取文件,storeLibFilters的逻辑如下
private long storeLibFilters(AssetManager arg17, Resources arg18, String arg19, String arg20) { String v8; String v15 = null; String v13 = null; Log.i(FilterInstaller.TAG, "storeLibFilters - title : " + arg20 + ", file name : " + arg19); String v6 = this.renameFilterName(arg19, this.mPackageName); Log.i(FilterInstaller.TAG, "newFileName : " + v6); String v7 = this.copyFileFromAssets(arg17, "so/" + arg19, FilterInstaller.FILTER_STORAGE_LIB + "/" + v6, true); if(v7 == null) { Log.e(FilterInstaller.TAG, "lib copy failed : " + v6); return -1L; } try { if(arg17.list("so_arm64").length > 0) { v8 = this.copyFileFromAssets(arg17, "so_arm64/" + arg19, FilterInstaller.FILTER_STORAGE_LIB64 + "/" + v6, true); if(v8 == null) { Log.e(FilterInstaller.TAG, "lib64 copy failed : " + v6); return -1L; } } else { goto label_98; } goto label_99; } catch(IOException v0) { Log.e(FilterInstaller.TAG, "Exception from check 64bit library so file : " + v0.toString()); return -1L; } label_98: v8 = null; try { label_99: String[] v15_1 = arg17.list("tex"); if(v15_1.length > 0) { v15 = this.renameFilterName(v15_1[0], this.mPackageName); v13 = this.copyFileFromAssets(arg17, "tex/" + v15_1[0], FilterInstaller.FILTER_STORAGE_TEXTURE + "/" + v15, true); if(v13 == null) { Log.e(FilterInstaller.TAG, "texture copy failed : " + v15); return -1L; } } else { goto label_148; } } catch(IOException v0_1) { Log.e(FilterInstaller.TAG, "installLibFilter, asset texture list exception : " + v0_1.toString()); } goto label_154; label_148: v13 = null; v15 = null; label_154: Log.i(FilterInstaller.TAG, "success copy lib32 : " + v7); Log.i(FilterInstaller.TAG, "success copy lib64 : " + v8); Log.i(FilterInstaller.TAG, "success copy texture : " + v13); if((arg19.endsWith(".so")) && !this.checkSoSignature(v6)) { Log.e(FilterInstaller.TAG, "Signature check failed."); return -1L; } if(!arg19.endsWith(".sig")) { ContentResolver v8_1 = this.mServiceContext.getContentResolver(); ContentValues v9 = new ContentValues(); try { int v0_3 = arg18.getIdentifier(arg20 + "_title", "string", this.mPackageName); int v7_1 = arg18.getIdentifier(arg20 + "_vendor", "string", this.mPackageName); int v4 = arg18.getIdentifier(arg20 + "_version", "string", this.mPackageName); Log.e(FilterInstaller.TAG, "title = " + arg18.getString(v0_3) + ", vendor = " + arg18.getString(v7_1) + ", version = " + arg18.getString(v4)); v9.put("name", arg18.getString(v0_3)); v9.put("filename", v6); v9.put("version", arg18.getString(v4)); v9.put("vendor", arg18.getString(v7_1)); v9.put("package_name", this.mPackageName); v9.put("title_id", Integer.valueOf(v0_3)); v9.put("preload_filter", Integer.valueOf(0)); v9.put("filter_type", "SINGLE"); v9.put("category", Integer.valueOf(2)); v9.put("vendor_package_name", this.mPackageName); if(v13 != null) { v9.put("texture", v15); } } catch(Resources.NotFoundException v0_2) { Log.e(FilterInstaller.TAG, "Resource is not defined properly! " + v0_2.toString()); return -1L; } Uri v0_4 = v8_1.insert(Constants.URI_FILTERS, v9); if(v0_4 == null) { if(FilterPackageService.VERBOSE_LOGGING) { Log.v(FilterInstaller.TAG, "Installation failure: " + arg19); } return -1L; } return (long)Long.valueOf(v0_4.getLastPathSegment()); } return -1L; } - 里面大概的逻辑就是,取so文件夹下的32位ELF和so_arm64下的64位ELF,以及tex下的texture文件,并且对于so结尾的文件存在签名校验
- 这个签名校验是使用的一个硬编码的公钥进行校验的,如果无法获得私钥是没办法绕过的。不过由于这个东西看起来像一个业务特性,可以尝试逆向那些本来就在白名单里的应用看能否找到私钥,也就是下面这些URI所对应的应用
com.candycamera.android.filter com.ucam.filters.forsamsung com.pinguo.camera360filter com.linecorp.aillis.filter com.linecorp.b612.filter com.seerslab.filter com.samsung.android.filter.effect - 然而即使是无法转化为代码执行,这里也同样存在路径穿越可以写入任意文件。而且从漏洞描述来看,很可能上报者是成功找到了这个私钥的。