I hereby claim:
- I am fuzion24 on github.
- I am fuzion24 (https://keybase.io/fuzion24) on keybase.
- I have a public key whose fingerprint is DCA7 93D3 BA47 EE72 0733 7426 464A 7A0A A335 84D8
To claim this, I am signing this object:
# Lists the .java files under the current tree that both declare a native method and implement
# Serializable or Parcelable: a combination worth auditing, since such classes may carry native
# pointers in fields that are (de)serialized -- confirm per class, this grep is only a first filter.
# Both greps print file names only (--files-with-matches); -print0 / --null keep the NUL-separated
# names safe for xargs even with odd characters in paths.
# NOTE: the first grep matches only the literal "public native" / "private native". Declarations with
# another modifier in between ("private static native", "public final native") or with "protected"
# are not listed, so the output below is a lower bound, not the full set.
bitbox ➜ aosp find . -type f -name "*.java" -print0 | xargs -0 -r grep -E --files-with-matches --null -- "(public|private) native" | xargs -0 -r grep -E --files-with-matches -- "implements (Serializable|Parcelable)"
./frameworks/ml/bordeaux/learning/stochastic_linear_ranker/java/android/bordeaux/learning/StochasticLinearRanker.java | |
./frameworks/base/media/java/android/media/MediaPlayer.java | |
./frameworks/base/graphics/java/android/graphics/Region.java | |
./frameworks/base/core/java/android/view/InputChannel.java | |
./frameworks/base/core/java/android/hardware/camera2/impl/CameraMetadataNative.java | |
./external/chromium_org/chrome/android/java/src/org/chromium/chrome/browser/ChromeBrowserProvider.java | |
./libcore/libart/src/main/java/java/lang/String.java | |
./libcore/libart/src/main/java/java/lang/Class.java |
#!/bin/bash
# Basic set-up for an Application AndroidManifest fuzzer.
# This requires a pre-existing, ant-buildable application project to be set up! So get the SDK and ant 1.8.
# This file reproduces the bug described here: http://ibrahimbalic.com/2014/android-os-memory-corruption-bug/
# NOTE: values from 260000 and up cause SIGSEGVs to be sent to the system_server (tested on KitKat 4.4.2).
# NOTE: you should probably monitor $(adb logcat) || (/system/bin/gdbserver) for responsiveness to the issue.
# The three values below are placeholders that must be filled in before running; presumably the rest of
# the script (not shown in this excerpt) reads them. Nothing here checks that they were changed from
# "...", so a leftover placeholder only shows up as a confusing failure further down.
APP_PROJ_DIR="..." # <-- PATH TO PROJ DIR
APP_PACKAGE_NAME="..." # <-- PACKAGE NAME
APP_LAUNCH_COMP="..." # <--- MAIN ACTIVITY NAME
package com.nexus5.dos; | |
import android.content.Intent; | |
import android.support.v7.app.ActionBarActivity; | |
import android.os.Bundle; | |
import android.view.Menu; | |
import android.view.MenuItem; | |
import android.view.View; | |
import android.widget.Button; | |
public class MainActivity extends ActionBarActivity { |
I hereby claim:
To claim this, I am signing this object:
#include <stdio.h> | |
#include <signal.h> | |
#include <string.h> | |
/*
CVE-2013-2141
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
The linked commit is the upstream fix: it stops an uninitialized siginfo being leaked to
userspace through the tkill/tgkill syscalls (hence <signal.h> above). Kernels without it are
affected; the version this file was tested against is not recorded here.
*/
/* Global written by code outside this excerpt; starts out NULL. Only the declaration is
   visible here, so what it ends up holding is not established by this listing. */
void * kernel_stack_address = NULL;
I/chromium( 6890): [INFO:CONSOLE(37)] "AddJavascriptInterface: top[Android]: com.WebAppInterface@3847a08c -
error: Access to java.lang.Object.getClass is blocked", source: http://[REDACTED].com/ (37)
For applications targeting Android >= 5.0, you can enumerate the methods available from inside javascript. "Enumeration of methods will be enabled for applications targeting API levels newer than KitKat (to preserve compatibility with older apps)."
This is a brief guide on how I patched CVE-2015-1474 for my Nexus 5 - 5.0.1. This involves downloading and building AOSP with the patch for the vuln applied. I have attached a pre-built patched version of libui.so for the Nexus 5 5.0.1 in case you are too lazy to build it yourself (and you trust me).
# Fetch the AOSP tree at the release this patch targets (Nexus 5, 5.0.1) and apply the fix for CVE-2015-1474.
repo init -u https://android.googlesource.com/platform/manifest -b android-5.0.1_r1
repo sync -j16
cd frameworks/native
# https://android.googlesource.com/platform/frameworks/native/+/38803268570f90e97452cd9a30ac831661829091%5E%21/#F0
# NOTE(review): the commit linked above (38803268...) and the one cherry-picked below (2bc5e811...) are
# different hashes; confirm they are the same change (e.g. the same patch on two branches) before relying
# on this, and check that the cherry-pick applies cleanly on android-5.0.1_r1 rather than leaving conflicts.
git cherry-pick 2bc5e811a817a8c667bca4318ae98582b0ee6dc6
; Two table entries as shown by the disassembler. The first runs from FE82CDA8 to FE82CDC0 (7 words,
; 0x1C bytes); the second starts at FE82CDC4 and is cut off at the end of this excerpt. Per entry:
; a pointer to a name string, a word (0x3D in both), a code address with bit 0 set (conventionally a
; Thumb-mode entry point on ARM -- confirm against the target), then four more words whose meaning
; is not established by this listing.
LOAD:FE82CDA8 DCD aTzbsp_pil_init ; "tzbsp_pil_init_image_ns"
LOAD:FE82CDAC DCD 0x3D
LOAD:FE82CDB0 DCD tzbsp_pil_init_image_ns+1
LOAD:FE82CDB4 DCD 2
LOAD:FE82CDB8 DCD 4
LOAD:FE82CDBC DCD 4
LOAD:FE82CDC0 DCD 0x805
LOAD:FE82CDC4 DCD aTzbsp_pil_auth ; "tzbsp_pil_auth_reset_ns"
LOAD:FE82CDC8 DCD 0x3D