One Article Review

Source Google Project Zero
Identifier 8385365
Publication date 2023-09-19 09:01:22 (seen: 2023-09-19 16:06:23)
Title Analyzing a Modern In-the-wild Android Exploit
Text By Seth Jenkins, Project Zero

Introduction

In December 2022, Google's Threat Analysis Group (TAG) discovered an in-the-wild exploit chain targeting Samsung Android devices. TAG's blog post covers the targeting and the actor behind the campaign. This is a technical analysis of the final stage of one of the exploit chains, specifically CVE-2023-0266 (a 0-day in the ALSA compatibility layer) and CVE-2023-26083 (a 0-day in the Mali GPU driver), as well as the techniques used by the attacker to gain kernel arbitrary read/write access.

Notably, all of the previous stages of the exploit chain used n-day vulnerabilities:

CVE-2022-4262, a vulnerability patched in Chrome that was unpatched in the Samsung browser (i.e. a "Chrome n-day"), was used to achieve RCE.

CVE-2022-3038, another Chrome n-day, was used to escape the Samsung browser sandbox.

CVE-2022-22706, a Mali n-day, was used to achieve higher-level userland privileges. While that bug had been patched by Arm in January of 2022, the patch had not been downstreamed into Samsung devices at the point that the exploit chain was discovered.

We now pick up the thread after the attacker has achieved execution as system_server.

Bug #1: Compatibility Layers Have Bugs Too (CVE-2023-0266)

The exploit continues with a race condition in the kern
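The excerpt above cuts off before the bug is described. As an added illustration written for this page (not code from the Project Zero post, the kernel, or the exploit), the C model below reproduces the shape of the lock gap that the upstream fix for CVE-2023-0266 closed: the ALSA control read routine relied on its caller holding card->controls_rwsem, the native ioctl path took that lock, and the 32-bit compat ioctl path reached the same routine without it, so a control removed concurrently could be freed under the reader. Everything here is a userland stand-in: the rw_semaphore, card and kcontrol structs, the function names (they echo but are not the kernel's), the POISON value and the race hook that plays the other thread are all simplifications chosen for the example.

```c
/* Userland model of the lock gap closed by the upstream fix for
 * CVE-2023-0266. Illustrative code written for this page, not kernel
 * code and not the exploit. Single-threaded: the race hook stands for
 * another thread scheduled in the lookup-to-use window. */
#include <errno.h>
#include <stdio.h>

#define N_CTL 4
#define POISON 0x5a5a5a5a          /* stand-in for allocator free-poison */

/* Minimal reader/writer semaphore with the kernel's calling convention:
 * down_write_trylock() returns 1 on success, 0 while readers are inside. */
struct rw_semaphore { int readers; int writer; };
static void down_read(struct rw_semaphore *s)  { s->readers++; }
static void up_read(struct rw_semaphore *s)    { s->readers--; }
static int  down_write_trylock(struct rw_semaphore *s) {
    if (s->readers || s->writer) return 0;
    s->writer = 1;
    return 1;
}
static void up_write(struct rw_semaphore *s)   { s->writer = 0; }

struct kcontrol { int id; int value; };

struct card {
    struct rw_semaphore controls_rwsem;   /* guards the controls array */
    struct kcontrol *controls[N_CTL];
};

/* Runs between "find the control" and "read it": the race window. */
static void (*race_hook)(struct card *card);

static struct kcontrol *find_control(struct card *card, int id) {
    for (int i = 0; i < N_CTL; i++)
        if (card->controls[i] && card->controls[i]->id == id)
            return card->controls[i];
    return NULL;
}

/* Shared read routine, pre-fix shape: assumes the CALLER holds the rwsem. */
static int ctl_elem_read(struct card *card, int id, int *out) {
    struct kcontrol *kctl = find_control(card, id);
    if (!kctl)
        return -ENOENT;
    if (race_hook)
        race_hook(card);            /* another thread may run here */
    *out = kctl->value;             /* use: stale if kctl was freed meanwhile */
    return 0;
}

/* Lock taken around the shared routine. This is what the native ioctl path
 * did before the fix, and what the shared routine itself does after it. */
static int ctl_elem_read_locked(struct card *card, int id, int *out) {
    down_read(&card->controls_rwsem);
    int err = ctl_elem_read(card, id, out);
    up_read(&card->controls_rwsem);
    return err;
}

/* 32-bit compat ioctl path, pre-fix: reaches the shared routine unlocked. */
static int ctl_elem_read_user_compat_buggy(struct card *card, int id, int *out) {
    return ctl_elem_read(card, id, out);
}

/* Post-fix: the locked routine is the only entry, so no caller can forget it. */
static int ctl_elem_read_user_compat_fixed(struct card *card, int id, int *out) {
    return ctl_elem_read_locked(card, id, out);
}

/* Control removal (the other side of the race): needs the write side.
 * A failed trylock models the remover having to wait for the reader. */
static int ctl_remove(struct card *card, int id) {
    if (!down_write_trylock(&card->controls_rwsem))
        return -EBUSY;
    for (int i = 0; i < N_CTL; i++) {
        if (card->controls[i] && card->controls[i]->id == id) {
            card->controls[i]->value = POISON;   /* what freed memory looks like */
            card->controls[i] = NULL;
            break;
        }
    }
    up_write(&card->controls_rwsem);
    return 0;
}

static int removal_count;
static void remove_control_1(struct card *card) {
    if (ctl_remove(card, 1) == 0)
        removal_count++;
}

/* Drives one read path against a racing removal of control 1 (value 101).
 * Returns the value the reader observed (POISON = it read a freed control)
 * or a negative errno; *removed says whether the removal got through. */
static int run_scenario(int (*read_fn)(struct card *, int, int *), int *removed) {
    struct kcontrol pool[N_CTL];                 /* constructed sample controls */
    struct card card = { { 0, 0 }, { NULL } };
    for (int i = 0; i < N_CTL; i++) {
        pool[i].id = i; pool[i].value = 100 + i;
        card.controls[i] = &pool[i];
    }
    race_hook = remove_control_1;
    removal_count = 0;
    int value = 0;
    int err = read_fn(&card, 1, &value);
    race_hook = NULL;
    *removed = removal_count;
    return err ? err : value;
}

static int observed_value(int (*read_fn)(struct card *, int, int *)) {
    int removed; return run_scenario(read_fn, &removed);
}
static int removal_ran(int (*read_fn)(struct card *, int, int *)) {
    int removed; run_scenario(read_fn, &removed); return removed;
}

int main(void) {
    printf("native path (lock in caller):       value %d, removal ran %d\n",
           observed_value(ctl_elem_read_locked), removal_ran(ctl_elem_read_locked));
    printf("compat path, pre-fix (no lock):     value 0x%x, removal ran %d\n",
           (unsigned)observed_value(ctl_elem_read_user_compat_buggy),
           removal_ran(ctl_elem_read_user_compat_buggy));
    printf("compat path, post-fix (lock moved): value %d, removal ran %d\n",
           observed_value(ctl_elem_read_user_compat_fixed),
           removal_ran(ctl_elem_read_user_compat_fixed));
    return 0;
}
```

The locked paths return the live value 101 and the removal is refused with EBUSY; the unlocked compat path lets the removal through and then reads the poisoned (freed) control. The design point matches the heading: moving the lock into the shared routine protects every caller, including an alternate entry point such as a compat layer that a reviewer of the native path never looked at.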
Sent Yes
Tags Vulnerability Threat Technical
Rating ★★


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.