So, this: http://blog.azimuthsecurity.com/2015/01/blackpwn-blackphone-silenttext-type.... ------------------------ While exploring my recently purchased BlackPhone, I discovered that the messaging application contains a serious memory corruption vulnerability that can be triggered remotely by an attacker. If exploited successfully, this flaw could be used to gain remote arbitrary code execution on the target's handset. The code run by the attacker will have the privileges of the messaging application, which is a standard Android application with some additional privileges. Specifically, it is possible to: decrypt messages / commandeer SilentCircle account gather location information read contacts write to external storage run additional code of the attacker's choosing (such as a privilege escalation exploit aimed at gaining root or kernel-mode access, thus taking complete control of the phone) The only knowledge required by the attacker is the target's Silent Circle ID or phone number - the target does not need to be lured in to contacting the attacker (although the flaw is exploitable in this scenario as well). (...) By resetting the jctx->msg->msgType field with the "dh2" attribute at the end of the message, a type confusion vulnerability will occur where the seq fields supplied in the "data" message will be incorrectly interpreted as the pk field - a raw memory pointer. (In this case, the low two bytes have been set to 0x8080.) Note that by utilizing messages other than "data", we could arbitrarily modify the entire pointer (and the pkLen field, indicating how much data pk points to). Assuming that we are at the correct phase of protocol negotiation, sending this message results in the following crash: ]Fatal signal 11 (SIGSEGV) at 0xdeadbaad (code=1), thread 17201 (com.silentcircl) I/DEBUG ( 9735): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** I/DEBUG ( 9735): Revision: '0' I/DEBUG ( 9735): pid: 15611, tid: 17201, name: com.silentcircl >>> com.silentcircle.silenttext <<< I/DEBUG ( 9735): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad I/DEBUG ( 9735): Abort message: 'invalid address or address of corrupt block 0x601b8078 passed to dlfree' (...) ....a raw memory pointer.... ....a raw memory pointer.... ....a raw memory pointer.... ....a raw memory pointer.... -- Pozdrawiam, Michał "rysiek" Woźniak Zmieniam klucz GPG :: http://rys.io/pl/147 GPG Key Transition :: http://rys.io/en/147
participants (1)
-
rysiek