Jann thejh
thejh
/ gist:effb87638bddae9c7541
Created
February 27, 2015 18:36
scenes from android boot (5.0.555 AOSP build)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 13328 18:23:41.051041 clock_gettime(CLOCK_MONOTONIC, {1794, 795397756}) = 0 <0.000092> | |
| 13328 18:23:41.051377 clock_gettime(CLOCK_MONOTONIC, {1794, 795733449}) = 0 <0.000092> | |
| 13328 18:23:41.138657 clock_gettime(CLOCK_MONOTONIC, {1794, 883013723}) = 0 <0.000092> | |
| 13328 18:23:41.138932 clock_gettime(CLOCK_MONOTONIC, {1794, 883288381}) = 0 <0.000061> | |
| 13328 18:23:41.139176 clock_gettime(CLOCK_MONOTONIC, {1794, 883532522}) = 0 <0.000061> | |
| 13328 18:23:41.139451 clock_gettime(CLOCK_MONOTONIC, {1794, 883776662}) = 0 <0.000061> | |
| 13328 18:23:41.139756 clock_gettime(CLOCK_MONOTONIC, {1794, 884112356}) = 0 <0.000061> | |
| 13328 18:23:41.140122 clock_gettime(CLOCK_MONOTONIC, {1794, 884448049}) = 0 <0.000061> | |
| 13328 18:23:41.140366 clock_gettime(CLOCK_MONOTONIC, {1794, 884692190}) = 0 <0.000061> | |
| 13328 18:23:41.140641 clock_gettime(CLOCK_MONOTONIC, {1794, 884966848}) = 0 <0.000061> |
thejh
/ canttermme.c
Created
March 11, 2015 19:55
PoC for blocking signals under SECCOMP_MODE_STRICT
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _GNU_SOURCE | |
| #include <sys/prctl.h> | |
| #include <linux/seccomp.h> | |
| #include <stdint.h> | |
| #include <stddef.h> | |
| #define __u16 uint16_t | |
| #define __u32 uint32_t | |
| #define __u64 uint64_t |
thejh
/ gist:0cf5af6151518d0fc6d8
Created
March 12, 2015 14:55
couchdb localhost latency issue (tested with 1.6.0)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ab -k -n 1000 -A XXX:XXX http://127.0.0.1:5984/jann_mail/8de31498bb790a5e6979f4b16f322481 | |
| This is ApacheBench, Version 2.3 <$Revision: 1604373 $> | |
| Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/ | |
| Licensed to The Apache Software Foundation, http://www.apache.org/ | |
| Benchmarking 127.0.0.1 (be patient) | |
| Completed 100 requests | |
| Completed 200 requests | |
| Completed 300 requests | |
| Completed 400 requests |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Mar 11 17:51:00 pc systemd-modules-load[307]: Failed to find module 'lp' | |
| Mar 11 17:51:00 pc systemd-modules-load[307]: Module 'ppdev' is builtin | |
| Mar 11 17:51:00 pc systemd-modules-load[307]: Module 'parport_pc' is builtin | |
| Mar 11 17:51:00 pc systemd-modules-load[307]: Module 'fuse' is builtin | |
| Mar 11 17:51:00 pc systemd[1]: systemd-modules-load.service: main process exited, code=exited, status=1/FAILURE | |
| Mar 11 17:51:00 pc systemd[1]: Failed to start Load Kernel Modules. | |
| Mar 11 17:51:00 pc systemd[1]: Dependency failed for netfilter persistent configuration. | |
| Mar 11 17:51:00 pc systemd[1]: Unit systemd-modules-load.service entered failed state. |
thejh
/ gist:0cc96201155470714279
Created
March 25, 2015 01:48
Android Security issues #1069937150, reported 10.07.12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Content-Type: multipart/mixed; boundary="LpQ9ahxlCli8rRTG" | |
| Content-Disposition: inline | |
| --LpQ9ahxlCli8rRTG | |
| Content-Type: text/plain; charset=us-ascii | |
| Content-Disposition: inline | |
| Hello, | |
| two more pretty interesting issues (verified both on my phone): |
thejh
/ gist:11b5fc8a7db44ed66716
Created
March 25, 2015 01:50
Android Security issue [#1086869776] Browser doesn't properly delimit protocol and domain in the "password" table, reported 02.08.12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| EDIT: changed the domain names for public disclosure | |
| Have a look at /data/data/com.android.browser/databases/webview.db, table "password". | |
| columns: _id, host, username, password | |
| "host" contains protocol and hostname concatenated without any delimiter. What this means: | |
| - login to https://example.org/ with valid username and password | |
| - go to http://sexample.org/ |
thejh
/ BrowserXSS.tar.gz
Last active
August 29, 2015 14:17
Android Security issue [#1086986860] Stealing login data from the browser, reported 02.08.12
thejh
/ gist:36e559b036a3a4c679ee
Created
March 25, 2015 02:02
Android Security issue [#1093611178] UID reuse, reported 14.08.12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Android reuses UIDs, and IMO, it shouldn't do that, at least not without having rebooted once. | |
| Reasons: | |
| - the deinstallation process doesn't kill all processes with the UID of the app, and neither does | |
| the installation process - therefore, an app can gain higher privileges by tricking the user | |
| into uninstalling it and then installing another app with higher privileges | |
| - there are app-writable filesystems which aren't protected against suid executables, so an app | |
| could drop a suid-shell in one of those filesystems and thereby allow other malicious apps to | |
| obtain full access to whatever app will be the next one to get assigned the uid (all filesystems | |
| without nosuid, except for rootfs, seem to be temporary, so a reboot should wipe all suid executables) |
thejh
/ gist:8adbc8e9633dd5ec5813
Created
March 25, 2015 02:04
Android Security issue [#1055942661] Race Condition, reported 20.06.12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| When unpacking packages, there's a race that allows putting lib*.so files w= | |
| ith standard permissions | |
| into all kinds of places where they shouldn't be. How to exploit: | |
| - let your app move its "lib" directory away (or delete it if it's empty) | |
| - let your app create a new "lib" directory (owned by the app) | |
| - run something like this in the background while the user is installing a= | |
| n update containing evil shared objects: | |
| while ls -ld lib|grep app_68 > /dev/null; do true; done; mv lib lib-= |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _GNU_SOURCE | |
| #include <jh.h> | |
| #include <string.h> | |
| #include <arpa/inet.h> | |
| #include <assert.h> | |
| #include <fcntl.h> | |
| /* Table of CRCs of all 8-bit messages. */ | |
| unsigned long crc_table[256]; | |