Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Exploiting checkCallingOrSelfPermission() for privilege escalation attack

I was going through checkCallingOrSelfPermission() in the Context class and wondering how it can be exploited; i.e. if some application triggers a method of the callee/your application which in turn calls checkCallingOrSelfPermission(), finally giving access to that permission to the other application, or releasing sensitive information that would otherwise require that permission.

This is what i understood after going through the Java Doc:

This method can be only exploited by any calling application which is in the same process of callee application. To get into the same process both the apps need to have the same shareuserid and process in the manifest file, in addition to also being signed by the same certificate.

So the calling application needs to do following.

  1. Has to know under which process and shareuser id the callee application is running. (I'm not sure how feasible this is?)

  2. Has to be signed with the same certificate that the callee application was signed with (unlikely assuming the certificate is kept safe).

Is this the method of exploitation that the checkCallingOrSelfPermission() documentation is warning against, or are there other (more realistic) ways that it could be exploited.

I also checked this post, but the answer was not satisfactory.

like image 352
saurav Avatar asked Oct 01 '14 11:10

saurav


People also ask

What techniques can be used to escalate privileges on a system?

Attackers can perform privilege escalation by exploiting vulnerabilities in the design, implementation, or configuration of multiple systems – including communication protocols, communication transports, operating systems, browsers, web applications, cloud systems, and network infrastructure.

Which alerts detect privilege escalation?

Cloud Infrastructure Entitlements Management (CIEM) is the answer to your privilege escalation troubles. A strong CIEM solution can detect every single pathway between every single identity and data, permissions, roles and more, across different accounts and environments.

What is local privilege escalation?

A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system. Attackers exploit human behaviors, design flaws or oversights in operating systems or web applications.


1 Answers

Under normal circumstances Binder.callingPid() == Process.myPid() holds. This changes when handling an IPC request, the system modifies the calling PID value stored by Binder, it assigns it to the PID of the caller app. However, this change only affects the thread where the remotelly called method is executed, in other threads the equality still holds. Therefore, if checkCallingOrSelfPermission() is called in a such an unaffected thread, it will return PERMISSION_GRANTED (provided the service app holds that permission) and a leak (or other biblical consequences) may occur.

Alternatively, if clearCallingIdentity() is called before checkCallingOrSelfPermission() the same issue can arise, although I believe it is less likely to happen.

Tested on Nexus 6P, Android 6.0.1 (MHC19I).

like image 114
cuihtlauac Avatar answered Nov 07 '22 18:11

cuihtlauac