I was going through checkCallingOrSelfPermission() in the Context class and wondering how it can be exploited; i.e. if some application triggers a method of the callee/your application which in turn calls checkCallingOrSelfPermission(), finally giving access to that permission to the other application, or releasing sensitive information that would otherwise require that permission.
This is what i understood after going through the Java Doc:
This method can be only exploited by any calling application which is in the same process of callee application. To get into the same process both the apps need to have the same shareuserid and process in the manifest file, in addition to also being signed by the same certificate.
So the calling application needs to do following.
Has to know under which process and shareuser id the callee application is running. (I'm not sure how feasible this is?)
Has to be signed with the same certificate that the callee application was signed with (unlikely assuming the certificate is kept safe).
Is this the method of exploitation that the checkCallingOrSelfPermission() documentation is warning against, or are there other (more realistic) ways that it could be exploited.
I also checked this post, but the answer was not satisfactory.
Attackers can perform privilege escalation by exploiting vulnerabilities in the design, implementation, or configuration of multiple systems – including communication protocols, communication transports, operating systems, browsers, web applications, cloud systems, and network infrastructure.
Cloud Infrastructure Entitlements Management (CIEM) is the answer to your privilege escalation troubles. A strong CIEM solution can detect every single pathway between every single identity and data, permissions, roles and more, across different accounts and environments.
A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system. Attackers exploit human behaviors, design flaws or oversights in operating systems or web applications.
Under normal circumstances Binder.callingPid() == Process.myPid()
holds. This changes when handling an IPC request, the system modifies the calling PID value stored by Binder
, it assigns it to the PID of the caller app. However, this change only affects the thread where the remotelly called method is executed, in other threads the equality still holds. Therefore, if checkCallingOrSelfPermission()
is called in a such an unaffected thread, it will return PERMISSION_GRANTED
(provided the service app holds that permission) and a leak (or other biblical consequences) may occur.
Alternatively, if clearCallingIdentity()
is called before checkCallingOrSelfPermission()
the same issue can arise, although I believe it is less likely to happen.
Tested on Nexus 6P, Android 6.0.1 (MHC19I).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With