SilentCircle fail

rysiek rysiek at hackerspace.pl
Wed Jan 28 04:03:10 PST 2015


So,

this:
http://blog.azimuthsecurity.com/2015/01/blackpwn-blackphone-silenttext-type.html

------------------------

While exploring my recently purchased BlackPhone, I discovered that the
messaging application contains a serious memory corruption vulnerability
that can be triggered remotely by an attacker.  If exploited
successfully, this flaw could be used to gain remote arbitrary code
execution on the target's handset. The code run by the attacker will
have the privileges of the messaging application, which is a standard
Android application with some additional privileges. Specifically, it is
possible to:

    decrypt messages / commandeer SilentCircle account
    gather location information
    read contacts
    write to external storage
    run additional code of the attacker's choosing (such as a privilege
escalation exploit aimed at gaining root or kernel-mode access, thus
taking complete control of the phone)


The only knowledge required by the attacker is the target's Silent
Circle ID or phone number - the target does not need to be lured in to
contacting the attacker (although the flaw is exploitable in this
scenario as well).

(...)

By resetting the jctx->msg->msgType field with the "dh2" attribute at
the end of the message, a type confusion vulnerability will occur where
the seq fields supplied in the "data" message will be incorrectly
interpreted as the pk field - a raw memory pointer. (In this case, the
low two bytes have been set to 0x8080.) Note that by utilizing messages
other than "data", we could arbitrarily modify the entire pointer (and
the pkLen field, indicating how much data pk points to). Assuming that
we are at the correct phase of protocol negotiation, sending this
message results in the following crash:

Fatal signal 11 (SIGSEGV) at 0xdeadbaad (code=1), thread 17201 (com.silentcircl)
I/DEBUG   ( 9735): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 9735): Revision: '0'
I/DEBUG   ( 9735): pid: 15611, tid: 17201, name: com.silentcircl  >>> com.silentcircle.silenttext <<<
I/DEBUG   ( 9735): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad
I/DEBUG   ( 9735): Abort message: 'invalid address or address of corrupt block 0x601b8078 passed to dlfree'

(...)

....a raw memory pointer....
....a raw memory pointer....
....a raw memory pointer....
....a raw memory pointer....

-- 
Regards,
Michał "rysiek" Woźniak

Changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
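The type confusion the quoted post describes, modelled as an added example (not code from the post, from the Azimuth blog, or from SilentText): a hypothetical tagged message whose tag can be rewritten by a trailing "type" attribute, next to a parser that fixes the tag first and rejects payload fields that do not belong to it. The struct layout, attribute names and the constructed attribute streams are assumptions for illustration; only the idea that seq bytes end up read as the pk pointer comes from the post.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a tagged message. The layout, names and
 * values are assumptions for illustration, not SilentText's real structures. */
typedef enum { MSG_NONE = 0, MSG_DATA = 1, MSG_DH2 = 2 } msg_type_t;

typedef struct {
    msg_type_t msgType;             /* the tag that selects which union member is live */
    union {
        struct { uint32_t seq; uint32_t seqLen; } data;   /* "data" message: sequence fields */
        struct { const uint8_t *pk; size_t pkLen; } dh2;  /* "dh2" message: raw pointer + length */
    } u;
} msg_t;

/* One attribute of the wire message; the parser applies them in order. */
typedef struct { const char *key; uint32_t val; } attr_t;

/* Vulnerable pattern: the tag is honoured wherever it appears, so a trailing
 * "type" attribute re-labels bytes that were stored as seq fields as a pointer. */
static int parse_trusting(msg_t *m, const attr_t *attrs, size_t n) {
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < n; i++) {
        if (strcmp(attrs[i].key, "type") == 0)        m->msgType = (msg_type_t)attrs[i].val;
        else if (strcmp(attrs[i].key, "seq") == 0)    m->u.data.seq = attrs[i].val;
        else if (strcmp(attrs[i].key, "seqLen") == 0) m->u.data.seqLen = attrs[i].val;
        else return -1;                               /* unknown attribute */
    }
    return 0;
}

/* Hardened pattern: the tag must come first and is immutable afterwards, and a
 * payload attribute is only accepted if it belongs to the tagged type. The pk
 * pointer is never settable from the wire (it belongs to the key-exchange code
 * path), so a "dh2" message carrying seq fields is malformed and rejected. */
static int parse_hardened(msg_t *m, const attr_t *attrs, size_t n) {
    memset(m, 0, sizeof *m);
    if (n == 0 || strcmp(attrs[0].key, "type") != 0) return -1;
    if (attrs[0].val != MSG_DATA && attrs[0].val != MSG_DH2) return -1;
    m->msgType = (msg_type_t)attrs[0].val;
    for (size_t i = 1; i < n; i++) {
        if (strcmp(attrs[i].key, "type") == 0) return -1;        /* re-tagging is an error */
        bool is_data_field = strcmp(attrs[i].key, "seq") == 0 || strcmp(attrs[i].key, "seqLen") == 0;
        if (!is_data_field || m->msgType != MSG_DATA) return -1; /* field/type mismatch */
        if (strcmp(attrs[i].key, "seq") == 0) m->u.data.seq = attrs[i].val;
        else                                  m->u.data.seqLen = attrs[i].val;
    }
    return 0;
}

/* Consumer side: reports whether handling this message would dereference
 * u.dh2.pk. It deliberately never touches the pointer, since in the confused
 * case it is just the seq bytes reinterpreted as an address. */
static bool would_deref_pk(const msg_t *m) {
    return m->msgType == MSG_DH2 && m->u.dh2.pk != NULL;
}

/* Constructed attribute streams. 0x8080 mirrors the low two bytes mentioned in
 * the quoted crash description; the streams themselves are made up. */
static const attr_t BENIGN[]   = { {"type", MSG_DATA}, {"seq", 0x8080} };
static const attr_t RETAGGED[] = { {"type", MSG_DATA}, {"seq", 0x8080}, {"type", MSG_DH2} };

/* Trusting parser accepts the re-tagged message and would read seq bytes as pk. */
bool trusting_confused(void) {
    msg_t m;
    return parse_trusting(&m, RETAGGED, 3) == 0 && would_deref_pk(&m);
}

/* Hardened parser: 0 (accepted) for the benign stream, -1 for the re-tagged one. */
int hardened_result(bool retagged) {
    msg_t m;
    return retagged ? parse_hardened(&m, RETAGGED, 3) : parse_hardened(&m, BENIGN, 2);
}

int main(void) {
    printf("trusting parser would deref seq bytes as pk: %s\n", trusting_confused() ? "yes" : "no");
    printf("hardened parser, benign stream: %d\n", hardened_result(false));
    printf("hardened parser, re-tagged stream: %d\n", hardened_result(true));
    return 0;
}
```

The defensive point is that a tag which selects the live member of a union must be decided before any payload is stored and must not be rewritable by later input; the hardened parser also rejects fields that do not belong to the tagged type, so the pointer member can only ever be populated by the code path that owns it.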