pentest Android Services
An App intended for fuzzing the Binder interface and System Services of Android. You can use this Project in order to find bugs and exploits inside the Binder interface or System Services.
Description
BinderFuzzy is a fuzzer that can generate binder events in order to pentest system services running on the Android operating system (https://developer.android.com/reference/android/os/Binder, https://source.android.com/devices/architecture/hidl/binder-ipc). You can validate if system services have correct error handling or transfer binder objects / tokens of other services in order to validate if the target system service validates binder arguments.
This Project covers following features:
- Browse managers and binder interfaces.
- Execute Fuzzy tasks
- Configure argument lists for each parameter of the method to fuzz
- Read logs of recent tasks
- Use python3 cli (optional) to execute fuzzer from desktop.
- Define fuzzer script and execute via cli
Use Android app
Download
Create Fuzzy task
After a click on the “NEW” button you’ll see a list of available system services. This items point to client representations of the system services.
Now you can see a list of available members of this object. You can select a field to open it and see also it’s members and methods or you can select a method to penetrate.
In our scenario we search for the field “IActivityTaskManagerSingleton” and open it by just click on it. You can also use the searchbar to find the field more easy. (see also the android source code: https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/app/ActivityTaskManager.java)
Now we search for the function “startActivity”.
Aftera click on it you will see the Paramter configuration screen. Each parameter of the taret function has to be configured and can have multiple values or ranges specified. The Fuzzer will iterate through all combinations and call the function for each.
For most parameters you can decide between auto-search or NULL. Auto-Search will search the memory for occurrences of the parameter type while NULL will just put a null as value.
However other types like strings, Intents or integers have more options. You can ask package manager for package names for example.
Or for a list of start Intents.
Integers can be searched in memory, defined via a range or a constant.
In our case a range from 1 till 100 is completely enough.
A very interesting parameter is the IBinder type. If you select Auto-search here the Fuzzer will search for values implementing the IBinder interface. The will pentest for vulnerabilities explained here (https://stackoverflow.com/questions/6686686/android-binder-security). In short words: If you handover a binder object representing another system service it’s possible that the target service will call this binder object and thus can be used trigger functions that need system uid. Read more in the provided link. In our scenario we select Auto-Search for the parameter of type IBinder.
In our scenario if you select Auto-search for the ProfilerInfo you will see that there is no value of this type in memory. This only exists if you connect the Profiler (https://developer.android.com/studio/profile/android-profiler) to you’re app. So we have to select NULL here.
Once all values are configured you can press the “Start” button.
You’ll see a screen like this telling that BinderFuzzy is going to search for occurrences of values of type “IApplicationThread”. Once he found this value it will search for the other auto configured values. Then it will start the fuzzy task automatically and will print statistics about it.
Running row will tell you how many iterations are already performed and how much must be done in total. The success number will tell how many calls without exceptions were made while failed will tell you how many exceptions were thrown. Also a list of different exception types is written down. In our case the first exception is of type SecurityException.
Later you can revisit this pentest by checking the Recents and look into the logs. There you’ll see every invokation and parameter that was used. Also you’ll be able to analyze the return values of the system service. In case of a system crash you’ll observe the last parameters causing the system or service to crash.
Also you can fetch the logs via:
adb pull /sdcard/Android/org.chickenhook.binderfuzzy/files/logs/and analyze it with you’re favorite log file analyzer.
Use Python
Prerequisites
- Linux (tested on Ubuntu 20.04)
- Python 3
- ADB available via PATH (see here: https://stackoverflow.com/questions/2517493/adb-command-not-found-in-linux-environment)
Installation
1. Download https://github.com/ChickenHook/BinderFuzzy/releases/download/c2/release.zip 2. unzip release.zip 3. cd bin/
Usage
The CLI will offer the following options:
$ python3 binderfuzzy.py --help
Launching BinderFuzzy version: 1.0
usage: binderfuzzy.py [-h] [--fuzzy-apk [APK_PATH]] [--script [SCRIPT_PATH]]
[--pull-logs]
Process paths.
optional arguments:
-h, --help show this help message and exit
--fuzzy-apk [APK_PATH]
path to binderfuzzy-release.apk
--script [SCRIPT_PATH]
path to action script
--pull-logs just pull the test resultsPlease consider that this script requires ADB to be installed and to occur in the PATH environment variable (see more here: https://stackoverflow.com/questions/2517493/adb-command-not-found-in-linux-environment).
And here is a typical start routine:
python3 binderfuzzy.py --fuzzy-apk ./binderfuzzy-debug.apk --script ./startActivity.bfAfter the task is done you can fetch the logs via:
python3 binderfuzzy.py --pull-logsPlease add comments if you need more information here.
Writing Fuzzy scripts for python CLI
This chapter will explain how to write fuzzy scripts to be executed via CLI. The next code will show you an example configuration:
{
"fields_ordered" : [
{
"clazz": "android.app.ActivityTaskManager",
"field": "IActivityTaskManagerSingleton"
},
{
"clazz": "android.util.Singleton",
"field": "mInstance"
}
],
"call" : {
"clazz": "android.app.IActivityTaskManager",
"method": "startActivity(",
"params":[
"auto",
"packageNames",
"launchIntents",
"packageNames",
"auto",
"packageNames",
"auto",
"auto",
"null",
"auto"
]
}
}The fields_ordered list
Please consider that for some fuzzy tasks it is required to fetch objects with a list of reflection calls to gather static or non static fields and their values. Those fields are specified in the in the fields_ordered list.
In this scenario the fuzzer will first search for the IActivityTaskManagerSingleton field in the ActivityTaskManager class. Once this object was gathered the mInstance field inside the IActivityTaskManagerSingleton will be gathered. The fuzzer will automatically take the last object gathered. The first field must always be static because the host parameter will be set to null.
The call key
Now we came to the invokation specification. If the fields_ordered list is empty the fuzzer will automatically specify null as host object which requires the target method to be static. Other wise the last gathere object will be used for the call. In our scenario an object of type IActivityTaskManager (this is the type of mInstance in our case) was gathered and will be used for invoke the specified “startActivity” call. Currently functions are searched by checking if a Method.toGenericString() (read more here: https://developer.android.com/reference/java/lang/reflect/Method#toGenericString()) contains a value defined in our config via the “method” key.
The next step is to configure the parameters currently per parameter you can specify one parameter configuration. Currently the following configuration types are supported:
- auto
- packageNames
- launchIntents
- null
In future this list will be appended by more possible configuration options.
Findings
This chapter will sho some of the findings we already found using the BinderFuzzy tool.
Enter a negative user id
For some functions you can specify a negative user id without causing a permission exception. In our test we were logged in as user 0 but still we were able to do calls via the user -3.
Help and contribute
This is a very new project and you can help us to improve. Feel free to submit feature requests or issues via Github: https://github.com/ChickenHook/BinderFuzzy/issues
Thanks for reading!
Greetigns
Greetings! Very useful advice in this particular article! Its the little changes that will make the biggest changes. Thanks for sharing!