CVE-2021-25461

This repository contains the proof of concept for the CVE discovered during the work on the SAUSAGE (Security Analysis of Unix domain Socket usAGE in Android) paper, which was accepted to EuroS&P 2022.

All details can be found in the .sh file hosted in this repo.

The apaservice daemon receives messages over a DGRAM socket with the address @dev/socket/jack/set.priority in the abstract namespace. A malicious app can misuse this socket in two ways:

  1. Stack overflow. There is a stack overflow vulnerability in the handling of messages sent over the abstract Unix domain socket @dev/socket/jack/set.priority. The vulnerability is in android::APAService::handlePriorityMessage and is triggered by a DGRAM message starting with "*4" followed by 25 bytes, which crashes apaservice through stack corruption. The impact therefore ranges from a DoS of apaservice to local code execution. The PoC script attached to this report automates the process using socat and contains the expected crash logs, including the stack trace, at the very end. To use the PoC, push it to /data/local/tmp with adb, make it executable, and run it:

     adb push samsung_apaservice_poc.sh /data/local/tmp
     adb shell chmod +x /data/local/tmp/samsung_apaservice_poc.sh
     adb shell /data/local/tmp/samsung_apaservice_poc.sh

The PoC performs the following steps:

  1. Create the "socat" binary needed to communicate with Unix domain sockets in the abstract namespace. Note: if you prefer, you can download and build socat yourself and place it in /data/local/tmp/. Note: I added the binary to the zip file too for convenience. If you choose to do so, you do not need the first "echo" command and can comment it out.

  2. Make socat executable.

  3. Call IAPAService::startJackd() via the service call command to create the socket.

  4. Send a message to @dev/socket/jack/set.priority starting with *4 (the preamble) followed by a random string of length 25. In the message, I indicated where the base pointer is overwritten with "".

  5. The buffer overflow is triggered. The logs show that the return value was overwritten with "".

Mitigation: Proper checking of the message size being parsed before copying into the buffer.
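As an added illustration of that mitigation (hypothetical code written for this page, not apaservice's own), the handler below checks the datagram length against its buffer before copying and then parses the fields strictly. The "*4,<pid>,<tid>,<prio>" layout, the 32-byte limit and the function names are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened handler for a "*4,<pid>,<tid>,<prio>" datagram.
 * Added illustration of the mitigation above; not Samsung's apaservice code. */
#define PRIO_MSG_MAX 32 /* assumed upper bound for a well-formed request */

struct prio_req { long pid, tid, prio; };

/* Parse one decimal field ending in `term` (',' or '\0') and advance *p.
 * Returns 0 on success, -1 on a missing, non-numeric or out-of-range value. */
static int parse_field(const char **p, char term, long *out)
{
    char *end; long v;
    errno = 0;
    v = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE || *end != term)
        return -1;
    *out = v;
    *p = (*end == '\0') ? end : end + 1;
    return 0;
}

/* Returns 0 and fills *out for a well-formed request, -1 for any rejected
 * datagram. The length check runs before the copy, so an oversized message
 * is dropped instead of overrunning the fixed-size stack buffer. */
int parse_priority_message(const char *msg, size_t len, struct prio_req *out)
{
    char buf[PRIO_MSG_MAX + 1];
    const char *p = buf;
    if (msg == NULL || out == NULL || len > PRIO_MSG_MAX)
        return -1;
    memcpy(buf, msg, len);
    buf[len] = '\0';
    if (strlen(buf) != len)             /* embedded NUL: malformed */
        return -1;
    if (strncmp(buf, "*4,", 3) != 0)    /* preamble check */
        return -1;
    p += 3;
    if (parse_field(&p, ',', &out->pid) || parse_field(&p, ',', &out->tid) ||
        parse_field(&p, '\0', &out->prio))
        return -1;
    return 0;
}
```

A real daemon would additionally check the sender's credentials (SO_PEERCRED) against an allowed set of UIDs before acting on a parsed request, which is the restriction the second finding below shows being bypassed.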

  2. SELinux policy. In Samsung's SELinux policy, an untrusted_app is allowed to communicate with the apaservice process via Unix domain sockets. Among other things, a malicious app can use the @dev/socket/jack/set.priority Unix domain socket to set its own priority or the priority of other processes by sending it a message of the format "4*,<pid>,<tid>,<prio>", where pid is the PID of the process, tid is the thread ID for which the priority is requested, and prio is the requested priority. In vanilla Android, this functionality is restricted to a certain set of UIDs; apaservice therefore lets malicious apps bypass this restriction. This can lead to resource starvation of apaservice or of other performance-intensive or security-sensitive processes, and it can also be used to raise the priority of a malicious app such as a cryptominer.

Mitigation: Remove SELinux rule allowing an untrusted app to communicate with apaservice if this communication is not needed.
