Ryan Welton Fuzion24
@Fuzion24
Fuzion24 / gist:7606541
Created November 22, 2013 20:43
AIDL client/server example
Fuzion24 / hello_world_128
Last active December 28, 2015 11:39
Tiny 128 byte ARM ELF Hello World
Fuzion24 / Patching-CVE-2015-1474.md
Last active September 25, 2015 01:21
Patching CVE-2015-1474 -- Remotely exploitable graphics buffer overflow on my Nexus device (N5 5.0.1)

This is a brief guide on how I patched CVE-2015-1474 on my Nexus 5 (5.0.1). This involves downloading and building AOSP with the patch for the vulnerability applied. I have attached a pre-built patched libui.so for the Nexus 5 5.0.1 in case you are too lazy to build it yourself (and you trust me).

Building a patched libui for your Nexus device

repo init -u https://android.googlesource.com/platform/manifest -b android-5.0.1_r1
repo sync -j16

cd frameworks/native
# https://android.googlesource.com/platform/frameworks/native/+/38803268570f90e97452cd9a30ac831661829091%5E%21/#F0
git cherry-pick 2bc5e811a817a8c667bca4318ae98582b0ee6dc6

Android 5.0

I/chromium( 6890): [INFO:CONSOLE(37)] "AddJavascriptInterface: top[Android]: com.WebAppInterface@3847a08c - 
error: Access to java.lang.Object.getClass is blocked", source: http://[REDACTED].com/ (37)

For applications targeting Android >= 5.0, you can enumerate the methods that a JavaScript interface exposes from inside JavaScript. "Enumeration of methods will be enabled for applications targeting API levels newer than KitKat (to preserve compatibility with older apps)."

Fuzion24 / CVE-2013-2141.c
Created September 4, 2014 03:25
Kernel Stack Leak: CVE-2013-2141
#include <stdio.h>
#include <signal.h>
#include <string.h>
/*
CVE-2013-2141
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
*/
void * kernel_stack_address = NULL;
Fuzion24 / keybase.md
Created July 18, 2014 20:09
I don't think I like keybase =)

Keybase proof

I hereby claim:

  • I am fuzion24 on github.
  • I am fuzion24 (https://keybase.io/fuzion24) on keybase.
  • I have a public key whose fingerprint is DCA7 93D3 BA47 EE72 0733 7426 464A 7A0A A335 84D8

To claim this, I am signing this object:

Fuzion24 / MainActivity.java
Last active August 29, 2015 14:01
Nexus 5 Local DOS - Reboots Phone with zero permissions
package com.nexus5.dos;
import android.content.Intent;
import android.support.v7.app.ActionBarActivity;
import android.os.Bundle;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View;
import android.widget.Button;
public class MainActivity extends ActionBarActivity {
#!/bin/bash
# Basic setup for an Android application AndroidManifest fuzzer
# This requires a preexisting ant-buildable application project to be set up, so get the SDK and ant 1.8
# This file reproduces the bug mentioned here: http://ibrahimbalic.com/2014/android-os-memory-corruption-bug/
# NOTE: values from 260000 and up cause SIGSEGVs to be sent to the system_server (tested on KitKat 4.4.2)
# NOTE: you should probably monitor $(adb logcat) || (/system/bin/gdbserver) for responsiveness to the issue
APP_PROJ_DIR="..." #<-- PATH TO PROJ DIR
APP_PACKAGE_NAME="..." #<-- PACKAGE NAME
APP_LAUNCH_COMP="..." # <--- MAIN ACTIVITY NAME
bitbox ➜ aosp find . -type f -name "*.java" -print0 | xargs -0 -r grep -E --files-with-matches --null -- "(public|private) native" | xargs -0 -r grep -E --files-with-matches -- "implements (Serializable|Parcelable)"
./frameworks/ml/bordeaux/learning/stochastic_linear_ranker/java/android/bordeaux/learning/StochasticLinearRanker.java
./frameworks/base/media/java/android/media/MediaPlayer.java
./frameworks/base/graphics/java/android/graphics/Region.java
./frameworks/base/core/java/android/view/InputChannel.java
./frameworks/base/core/java/android/hardware/camera2/impl/CameraMetadataNative.java
./external/chromium_org/chrome/android/java/src/org/chromium/chrome/browser/ChromeBrowserProvider.java
./libcore/libart/src/main/java/java/lang/String.java
./libcore/libart/src/main/java/java/lang/Class.java