139
Building Your Own Sandbox
compiled le, named OAT (as we have said until now, they are ODEX
les). Of course, Google has facilitated the code to compile and pass
along the code if desired.
e main dierence between the old Dalvik and the new ART is
in the old virtual machine execution, which interprets the code at the
same time it starts the application. In return, ART is AOT (ahead-
of-time), that is it begins a precompilation to install the application,
therefore, this execution does not require as much data load as before,
and entails starting an application, which will be produced in less
time. Moreover, the rst tests realized by developers with the new
ART have been very encouraging, inasmuch as in some cases the ini-
tiation and implementation time of an application is halved.
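As an added example (not code from the book), a minimal parser for the dex layout that Figure 8.6 shows: it reads the header, checks the Adler-32 checksum and SHA-1 signature (a quick way to spot a dex that was patched after it was built), and follows the string_ids table into the data section. The builder constructs a sample dex that holds only a string table; a real file also carries the type, proto, field, method and class tables.

```python
import hashlib, struct, zlib

HEADER_SIZE = 0x70                # fixed dex header size
HEADER_FMT = "<8sI20s20I"         # magic, adler32 checksum, SHA-1 signature, 20 uint32 fields
FIELDS = ("file_size header_size endian_tag link_size link_off map_off string_ids_size "
          "string_ids_off type_ids_size type_ids_off proto_ids_size proto_ids_off field_ids_size "
          "field_ids_off method_ids_size method_ids_off class_defs_size class_defs_off "
          "data_size data_off").split()

def read_uleb128(buf, off):
    """Decode the ULEB128 length prefix of a string_data_item; return (value, next offset)."""
    value, shift = 0, 0
    while True:
        b, off = buf[off], off + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7

def parse_dex(buf):
    """Return (header dict, checksum ok, signature ok, strings) for a dex byte buffer."""
    magic, checksum, signature, *vals = struct.unpack_from(HEADER_FMT, buf, 0)
    hdr = dict(zip(FIELDS, vals))
    if magic[:4] != b"dex\n" or hdr["header_size"] != HEADER_SIZE or hdr["endian_tag"] != 0x12345678:
        raise ValueError("not a little-endian dex file with a standard header")
    # adler32 covers everything after magic+checksum; SHA-1 covers everything after the signature
    checksum_ok = (zlib.adler32(buf[12:]) & 0xFFFFFFFF) == checksum
    signature_ok = hashlib.sha1(buf[32:]).digest() == signature
    strings = []
    for i in range(hdr["string_ids_size"]):      # string_ids entries are offsets into the data section
        (data_off,) = struct.unpack_from("<I", buf, hdr["string_ids_off"] + 4 * i)
        _utf16_len, p = read_uleb128(buf, data_off)
        strings.append(buf[p:buf.index(b"\x00", p)].decode("utf-8"))  # MUTF-8; plain ASCII here
    return hdr, checksum_ok, signature_ok, strings

def build_minimal_dex(strings):
    """Construct a tiny dex holding only a string table (constructed sample, not a real app)."""
    ids_off = HEADER_SIZE                        # string_ids table directly follows the header
    data_off = ids_off + 4 * len(strings)        # string_data_items make up the data section
    data, offsets = b"", []
    for s in strings:                            # one-byte ULEB128 length: keep strings under 128 chars
        offsets.append(data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"
    ids = b"".join(struct.pack("<I", o) for o in offsets)
    vals = [data_off + len(data), HEADER_SIZE, 0x12345678, 0, 0, 0, len(strings), ids_off,
            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, len(data), data_off]
    body = struct.pack("<20I", *vals) + ids + data   # everything the signature covers
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + body
```

Flipping a single byte of string data makes both integrity checks fail while the string table still parses, which is the behaviour a sandbox should flag before trusting anything else in the file.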
[Figure 8.6 dex connections. The figure shows the sections of a dex file (Header, String_ids, Type_ids, Proto_ids, Field_ids, Method_ids, Class Definitions, Data); each id table acts as a constant pool that later tables reference, with example entries such as the strings "HelloWorld", "Lcom/google/Blort;" and "println", the prototypes void fn(int), double fn(object,int) and String fn(), the methods PrintStream.println(...) and Collection.size(), the fields String.offset and Integer.MAX_VALUE, and the types int, String[] and com.google.Blort.]
The Android Kernel
The Android kernel is based on the Linux operating system, version
2.6/3.0. This layer provides services such as security, memory handling
and management, multithreading, the protocol stack, and driver support
for devices. This layer acts as the abstraction layer between the hardware
and the rest of the stack; therefore it is unique and depends on the
hardware.
Nowadays, there are numerous threats that make the Android kernel
vulnerable. Table 8.1 is a chronology of the vulnerabilities detected
from mid 2013 to early 2014. If you are interested in knowing the latest
vulnerabilities affecting the Android core, you may visit cve.mitre.org.

Table 8.1 Android Kernel Vulnerabilities
NAME  DESCRIPTION
CVE-2014-1484  Mozilla Firefox before 27.0 on Android 4.2 and earlier creates system-log entries containing profile paths, which allows attackers to obtain sensitive information via a crafted application.
CVE-2014-0815  The intent: URL implementation in Opera before 18 on Android allows attackers to read local files by leveraging an interaction error, as demonstrated by reading stored cookies.
CVE-2014-0809  Directory traversal vulnerability in the Gapless Player SimZip (aka Simple Zip Viewer) application before 1.2.1 for Android allows remote attackers to overwrite or create arbitrary files via a crafted filename.
CVE-2014-0806  The Sleipnir Mobile application 2.12.1 and earlier and Sleipnir Mobile Black Edition application 2.12.1 and earlier for Android provide Geolocation API data without verifying user consent, which allows remote attackers to obtain sensitive location information via a Web site that makes API calls.
CVE-2014-0805  Directory traversal vulnerability in the NeoFiler application 5.4.3 and earlier, NeoFiler Free application 5.4.3 and earlier, and NeoFiler Lite application 2.4.2 and earlier for Android allows attackers to overwrite or create arbitrary files via unspecified vectors.
CVE-2014-0804  Directory traversal vulnerability in the CGENE Security File Manager Pro application 1.0.6 and earlier, and Security File Manager Trial application 1.0.6 and earlier for Android allows attackers to overwrite or create arbitrary files via unspecified vectors.
CVE-2014-0803  Directory traversal vulnerability in the tetra filer application 2.3.1 and earlier for Android 4.0.3, tetra filer free application 2.3.1 and earlier for Android 4.0.3, tetra filer application 1.5.1 and earlier for Android before 4.0.3, and tetra filer free application 1.5.1 and earlier for Android before 4.0.3 allows attackers to overwrite or create arbitrary files via unspecified vectors.
CVE-2014-0802  Directory traversal vulnerability in the aokitaka ZIP with Pass application 4.5.7 and earlier, and ZIP with Pass Pro application 6.3.8 and earlier for Android allows attackers to overwrite or create arbitrary files via unspecified vectors.
CVE-2013-6642  Google Chrome through 32.0.1700.23 on Android allows remote attackers to spoof the address bar via unspecified vectors.
CVE-2013-6392  The genlock_dev_ioctl function in genlock.c in the Genlock driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted GENLOCK_IOC_EXPORT ioctl call.
CVE-2013-6282  The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.
CVE-2013-6271  Android 4.0 through 4.3 allows attackers to bypass intended access restrictions and remove device locks via a crafted application that invokes the updateUnlockMethodAndFinish method in the com.android.settings.ChooseLockGeneric class with the PASSWORD_QUALITY_UNSPECIFIED option.
CVE-2013-6123  Multiple array index errors in drivers/media/video/msm/server/msm_cam_server.c in the MSM camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to gain privileges by leveraging camera device-node access, related to the (1) msm_ctrl_cmd_done, (2) msm_ioctl_server, and (3) msm_server_send_ctrl functions.
CVE-2013-6122  goodix_tool.c in the Goodix gt915 touchscreen driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly synchronize updates to a global variable, which allows local users to bypass intended access restrictions or cause a denial of service (memory corruption) via crafted arguments to the procfs write handler.
CVE-2013-5933  Stack-based buffer overflow in the sub_E110 function in init in a certain configuration of Android 2.3.7 on the Motorola Defy XT phone for Republic Wireless allows local users to gain privileges or cause a denial of service (memory corruption) by writing a long string to the /dev/socket/init_runit socket that is inconsistent with a certain length value that was previously written to this socket.
CVE-2013-5324  Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 on Windows and Mac OS X, before 11.2.202.310 on Linux, before 11.1.111.73 on Android 2.x and 3.x, and before 11.1.115.81 on Android 4.x; Adobe AIR before 3.8.0.1430; and Adobe AIR SDK & Compiler before 3.8.0.1430 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-3361, CVE-2013-3362, and CVE-2013-3363.
CVE-2013-4787  Android 1.6 Donut through 4.2 Jelly Bean does not properly check cryptographic signatures for applications, which allows attackers to execute arbitrary code via an application package file (APK) that is modified in a way that does not violate the cryptographic signature, probably involving multiple entries in a Zip file with the same name in which one entry is validated but the other entry is installed, aka Android security bug 8219321 and the "Master Key" vulnerability.
CVE-2013-4777  A certain configuration of Android 2.3.7 on the Motorola Defy XT phone for Republic Wireless uses init to create a /dev/socket/init_runit socket that listens for shell commands, which allows local users to gain privileges by interacting with a LocalSocket object.
CVE-2013-4740  goodix_tool.c in the Goodix gt915 touchscreen driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, relies on user-space length values for kernel-memory copies of procfs file content, which allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that provides crafted values.
CVE-2013-4739  The MSM camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to obtain sensitive information from kernel stack memory via (1) a crafted MSM_MCR_IOCTL_EVT_GET ioctl call, related to drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c, or (2) a crafted MSM_JPEG_IOCTL_EVT_GET ioctl call, related to drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c.
CVE-2013-4738  Multiple stack-based buffer overflows in the MSM camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to gain privileges via (1) a crafted VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO ioctl call, related to drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c, or (2) a crafted VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO ioctl call, related to drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c.
CVE-2013-4737  The CONFIG_STRICT_MEMORY_RWX implementation for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly consider certain memory sections, which makes it easier for attackers to bypass intended access restrictions by leveraging the presence of RWX memory at a fixed location.
CVE-2013-4736  Multiple integer overflows in the JPEG engine drivers in the MSM camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service (system crash) via a large number of commands in an ioctl call, related to (1) camera_v1/gemini/msm_gemini_sync.c, (2) camera_v2/gemini/msm_gemini_sync.c, (3) camera_v2/jpeg_10/msm_jpeg_sync.c, (4) gemini/msm_gemini_sync.c, (5) jpeg_10/msm_jpeg_sync.c, and (6) mercury/msm_mercury_sync.c.
CVE-2013-4700  The Yahoo! Japan Shopping application 1.4 and earlier for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVE-2013-4699  The Yahoo! Japan Yafuoku! application 4.3.0 and earlier for iOS and Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVE-2013-4669  FortiClient before 4.3.5.472 on Windows, before 4.0.3.134 on Mac OS X, and before 4.0 on Android; FortiClient Lite before 4.3.4.461 on Windows; FortiClient Lite 2.0 through 2.0.0223 on Android; and FortiClient SSL VPN before 4.0.2258 on Linux proceed with an SSL session after determining that the server's X.509 certificate is invalid, which allows man-in-the-middle attackers to obtain sensitive information by leveraging a password transmission that occurs before the user warning about the certificate problem.
CVE-2013-3666  The LG Hidden Menu component for Android on the LG Optimus G E973 allows physically proximate attackers to execute arbitrary commands by entering USB Debugging mode, using Android Debug Bridge (adb) to establish a USB connection, dialing 3845#*973#, modifying the WLAN Test Wi-Fi Ping Test/User Command tcpdump command string, and pressing the CANCEL button.
CVE-2013-3659  The NTT DOCOMO overseas usage application 2.0.0 through 2.0.4 for Android does not properly connect to Wi-Fi access points, which allows remote attackers to obtain sensitive information by leveraging presence in an 802.11 network's coverage area.
CVE-2013-3647  The WebView class in the Cybozu Live application before 2.0.1 for Android allows attackers to execute arbitrary JavaScript code, and obtain sensitive information, via a crafted application that places this code into a local file associated with a file: URL. Note: This vulnerability exists because of a CVE-2012-4009 regression.
CVE-2013-3646  The Cybozu Live application before 2.0.1 for Android allows remote attackers to execute arbitrary Java methods, and obtain sensitive information or execute arbitrary commands, via a crafted Web site. Note: This vulnerability exists because of a CVE-2012-4008 regression.

Bad actors quickly take advantage of newly public vulnerabilities for
nefarious purposes. Recently a new vulnerability was discovered,
CVE-2013-2094, that allowed local elevation of Linux kernel privileges
through the performance counters for Linux (PCL). Privilege escalation
exploits are especially dangerous because they may give cybercriminals
complete control over the compromised device. In the past, we have seen
privilege escalation vulnerabilities used to access the data of other
applications and to bypass the Android permission model.
These kinds of vulnerabilities make a strong case for monitoring them,
because several threats that employ these mechanisms to