Created March 25, 2015 02:04
Gist thejh/8adbc8e9633dd5ec5813
Android Security issue [#1055942661] Race Condition, reported 20.06.12
When unpacking packages, there's a race that allows putting lib*.so files with standard permissions
into all kinds of places where they shouldn't be. How to exploit:
- let your app move its "lib" directory away (or delete it if it's empty)
- let your app create a new "lib" directory (owned by the app)
- run something like this in the background while the user is installing an update containing evil shared objects:
    while ls -ld lib|grep app_68 > /dev/null; do true; done; mv lib lib-exa; ln -s ../radonsoft.net.spectralview/lib lib

Now, your .so files will overwrite the ones that belong to the targeted app.
I successfully planted a .so file into another app's directory this way, with the small difference
that I used an ssh connection and "su app_68" to run the line shown above - but that shouldn't
make a difference, right? I then tried to start the attacked app whose .so file was replaced with a small text
file, and voila, it crashed. :)
Heh, at least I can't just overwrite the libs in /system/lib because they're root-owned and /system is read-only. :D
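The defensive counterpart to the race described in the report, added here as an illustration and not code from the original report or from Android: the installer opens the target lib directory without following symlinks, checks the owner on that open descriptor, and creates the file relative to the same descriptor, so a directory swapped for a symlink between check and write cannot redirect the copy. The function name, the expected-uid parameter and the scenario in demo() are assumptions constructed for this example.

```c
// Race-safe placement of a library file: illustrative mitigation for the
// report above, not the original Android installer code.
// Assumptions (constructed): the lib directory must be a real directory
// owned by expected_uid and not world-writable; name is a plain basename.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

// Returns 0 on success, -1 (with errno set) on failure. Never follows a
// symlink for the directory or the file, and binds the ownership check to
// the same fd that is later written through, so there is no check/use gap.
int place_lib_safely(const char *libdir, const char *name, uid_t expected_uid,
                     const void *data, size_t len) {
    int dfd = open(libdir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;             // a symlink in place of "lib" fails here
    struct stat st;
    if (fstat(dfd, &st) < 0 || st.st_uid != expected_uid ||
        (st.st_mode & S_IWOTH)) {       // wrong owner or world-writable dir
        close(dfd); errno = EPERM; return -1;
    }
    // Create the file relative to the verified directory descriptor.
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0644);
    close(dfd);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, len);
    close(fd);
    return (w == (ssize_t)len) ? 0 : -1;
}

// Constructed scenario: a legitimate lib dir beside a symlink pointing at
// another directory. Returns 1 if the real dir is accepted and the symlink rejected.
int demo(void) {
    char tmpl[] = "/tmp/libraceXXXXXX";
    char *base = mkdtemp(tmpl);
    if (!base) return 0;
    char real[128], lnk[128], target[128];
    snprintf(real, sizeof real, "%s/lib", base);
    snprintf(target, sizeof target, "%s/victim", base);
    snprintf(lnk, sizeof lnk, "%s/lib-link", base);
    mkdir(real, 0755); mkdir(target, 0755);
    symlink(target, lnk);   // stands in for the "ln -s ../other/lib lib" swap
    int ok_real = place_lib_safely(real, "libfoo.so", getuid(), "x", 1) == 0;
    int ok_link = place_lib_safely(lnk, "libfoo.so", getuid(), "x", 1) == 0;
    return ok_real && !ok_link;
}
```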