Android Security Bulletin Analysis (August 2021)

2021-08-01 security patch level vulnerability details

Framework

CVE-2021-0640

  • In statsd's noteAtomLogged function, the atomId parameter can be passed a negative value, which leads to integer overflow and an out-of-bounds write. The fix:
 void StatsdStats::noteAtomLogged(int atomId, int32_t timeSec) {
     lock_guard<std::mutex> lock(mLock);
 
-    if (atomId <= kMaxPushedAtomId) {
+    if (atomId >= 0 && atomId <= kMaxPushedAtomId) {
         mPushedAtomStats[atomId]++;
     } else {
+        if (atomId < 0) {
+            android_errorWriteLog(0x534e4554, "187957589");
+        }
         if (mNonPlatformPushedAtomStats.size() < kMaxNonPlatformPushedAtoms) {
             mNonPlatformPushedAtomStats[atomId]++;
         }
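Review bot: after the new `if (atomId < 0)` log in the else branch, a negative atomId still falls through to `mNonPlatformPushedAtomStats[atomId]++`, so the value that was just flagged as invalid is counted as a non-platform atom (bounded by the `kMaxNonPlatformPushedAtoms` size check, so not a memory-safety issue, but it pollutes the stats and consumes one of the limited slots); consider returning right after `android_errorWriteLog(0x534e4554, "187957589");` so negative ids are dropped entirely. The hunk also carries no `@@` header and is cut off inside the else block, so the remainder of the function is not reviewable here.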

CVE-2021-0645

  • In ExternalStorageProvider, access to files under /sdcard/Android is no longer permitted.

CVE-2021-0646

  • In sqlite, a floating-point precision greater than 2147483647 causes a buffer overflow; the fix limits the maximum floating-point precision to 100000000 at compile time. Test code:
select (printf('%.2147483647G',0.01));

Media Framework

CVE-2021-0519

System

CVE-2021-0591

  • In system Settings, BluetoothPermissionActivity is an exported component that accepts a caller-supplied Intent and sends a broadcast. The Intent can name the receiver of that broadcast, so a broadcast is sent with the system uid to any unexported or permission-protected broadcast receiver; the attacker cannot, however, control the other parameters.
// packages/apps/Settings/src/com/android/settings/bluetooth/BluetoothPermissionActivity.java
mReturnPackage = i.getStringExtra(BluetoothDevice.EXTRA_PACKAGE_NAME);
mReturnClass = i.getStringExtra(BluetoothDevice.EXTRA_CLASS_NAME);
//...
if (mReturnPackage != null && mReturnClass != null) {
    intent.setClassName(mReturnPackage, mReturnClass);
}
//...
sendBroadcast(intent, android.Manifest.permission.BLUETOOTH_ADMIN);
  • Exploiting this vulnerability allows an unauthorized factory reset; it only requires specifying the component as:
android/com.android.server.MasterClearReceiver

CVE-2021-0593

  • In system Settings, DevicePickerFragment is part of the exported component DevicePickerActivity. It accepts the Intent the caller passed to DevicePickerActivity and sends a broadcast; as before, the Intent can name the receiver of that broadcast, so a broadcast is sent with the system uid to any unexported or permission-protected broadcast receiver, while the attacker cannot control the other parameters.
// packages/apps/Settings/src/com/android/settings/bluetooth/DevicePickerFragment.java
mLaunchPackage = intent.getStringExtra(BluetoothDevicePicker.EXTRA_LAUNCH_PACKAGE);
mLaunchClass = intent.getStringExtra(BluetoothDevicePicker.EXTRA_LAUNCH_CLASS);
//...
if (mLaunchPackage != null && mLaunchClass != null) {
    intent.setClassName(mLaunchPackage, mLaunchClass);
}
getActivity().sendBroadcast(intent, Manifest.permission.BLUETOOTH_ADMIN);
  • Exploiting this vulnerability allows an unauthorized factory reset; it only requires specifying the component as:
android/com.android.server.MasterClearReceiver
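Both CVE-2021-0591 and CVE-2021-0593 are the same confused-deputy pattern: a system-uid component copies a caller-supplied package/class pair straight into the target of a broadcast. The following is an added example, not AOSP code and not the fix Google shipped; it shows one defensive shape for such an activity, in which the requested component is honoured only when it belongs to the package that started the activity. The class name, the extras and the action are hypothetical; the permission constant is the real android.Manifest.permission.BLUETOOTH_ADMIN used in the snippets above.

```java
// Added example (hypothetical activity, not from AOSP): a caller may only
// redirect the result broadcast to a receiver inside its own package.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.text.TextUtils;
import android.util.Log;

public class GuardedReturnActivity extends Activity {
    private static final String TAG = "GuardedReturnActivity";

    // Hypothetical extras, standing in for EXTRA_PACKAGE_NAME / EXTRA_CLASS_NAME
    // (and EXTRA_LAUNCH_PACKAGE / EXTRA_LAUNCH_CLASS) from the vulnerable code.
    static final String EXTRA_RETURN_PACKAGE = "example.extra.RETURN_PACKAGE";
    static final String EXTRA_RETURN_CLASS = "example.extra.RETURN_CLASS";
    static final String ACTION_RESULT = "example.action.RESULT";
    static final String PERMISSION = android.Manifest.permission.BLUETOOTH_ADMIN;

    /**
     * Pure validation step, kept separate so it can be unit-tested.
     * Returns the component to target, or null when the request must be refused.
     * callingPackage is what the platform reports for the activity's caller; it is
     * null when the activity was not started with startActivityForResult, and an
     * unknown caller is treated as untrusted.
     */
    static ComponentName validateReturnComponent(String callingPackage,
                                                 String requestedPackage,
                                                 String requestedClass) {
        if (TextUtils.isEmpty(callingPackage)) {
            return null; // caller unknown: never honour an explicit target
        }
        if (TextUtils.isEmpty(requestedPackage) || TextUtils.isEmpty(requestedClass)) {
            return null; // nothing requested
        }
        // The only package a caller may direct a system-uid broadcast to is its own.
        // This is what blocks android/com.android.server.MasterClearReceiver and
        // every other receiver outside the caller's package.
        if (!callingPackage.equals(requestedPackage)) {
            return null;
        }
        return new ComponentName(requestedPackage, requestedClass);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent in = getIntent();
        String caller = getCallingPackage();

        ComponentName target = validateReturnComponent(caller,
                in.getStringExtra(EXTRA_RETURN_PACKAGE),
                in.getStringExtra(EXTRA_RETURN_CLASS));

        Intent result = new Intent(ACTION_RESULT);
        if (target != null) {
            result.setComponent(target);
        } else {
            // Refuse the redirect. Keep the broadcast permission-protected and,
            // when the caller is known, scope it to the caller's own package so
            // it cannot reach unrelated receivers even implicitly.
            Log.w(TAG, "ignoring return component requested by " + caller);
            if (caller != null) {
                result.setPackage(caller);
            }
        }
        sendBroadcast(result, PERMISSION);
        finish();
    }
}
```

The check relies on getCallingPackage(), which only identifies the caller when the activity was started via startActivityForResult; any other launch path yields null and the example then refuses to set an explicit component at all. Where the expected caller is a single fixed package (as with the Bluetooth stack here), comparing against that constant instead of the runtime caller is the stricter option.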

CVE-2021-0584

  • An issue in Parcel's memory layout; it is fairly involved and needs some time to study. Original text:
verify embedded buffer matches address in parent

Below is a diagram showing what scatter gather would look like where we
have one reference to a buffer, and then we have a single embedded
buffer. For instance, 'a1' might be the hidl_vec object and 'a2' might
be the data pointer in this object. In practice, there might be
arbitrarily many levels (this happens when structures contain vectors
which contain structures etc...).

   legend:
      "...." - random data we don't care about
      "|" - some position in the data
      "<a#>" - some constant address

   offsets into Parcel's mData:
    .....|....<a1>....|.....|....<a2>....|.....
         ^    ^             ^    ^
         |    |             |    \- 'buffer' field of structure
         |    |             |
         |    |             |  (binder object structure)
         |    |             \- mObjects[child]
         |    |
         |    \- binder object structure 'buffer' field
         |
         \- mObjects[parent] (binder object structure)

    kernel-owned ro buffer @ address a1 ('parent' buffer)
      .......<a3>....................
             ^
             \- parent buffer as address + parent offset
                (in the example, this would be the data field
                 of hidl_vec. This should be a2).

    kernel-owned ro buffer @ address a2 ('child' buffer)
      ............................
             (any random data)

What was happening here was that by maliciously constructing
mObjects[child] to be null, there would be no child object, so the
kernel wouldn't know to fixup the embedded buffer (<a3>) and it
would be unchanged.

CVE-2021-0641

  • The getAvailableSubscriptionInfoList interface was still protected by the READ_PHONE_STATE permission, which is a problem; it should instead be protected by the privileged permission READ_PRIVILEGED_PHONE_STATE.

CVE-2021-0642

  • Raise the priority of the CONFIGURE_VOICEMAIL intent-filter, setting it to 1000.

2021-08-05 security patch level vulnerability