BinderFuzzy

pentest Android Services

An app intended for fuzzing the Binder interface and system services of Android. You can use this project to find bugs and exploitable flaws in the Binder interface or in system services.

Description

BinderFuzzy is a fuzzer that generates Binder events in order to pentest system services running on the Android operating system (https://developer.android.com/reference/android/os/Binder, https://source.android.com/devices/architecture/hidl/binder-ipc). You can check whether system services have correct error handling, or hand over Binder objects / tokens of other services in order to check whether the target system service validates its Binder arguments.

This project covers the following features:

  • Browse managers and Binder interfaces
  • Execute fuzzy tasks
  • Configure argument lists for each parameter of the method to fuzz
  • Read logs of recent tasks
  • Use the python3 CLI (optional) to execute the fuzzer from the desktop
  • Define a fuzzer script and execute it via the CLI

Use Android app

Download

Create Fuzzy task

After a click on the “NEW” button you’ll see a list of available system services. These items point to client representations of the system services.

Now you can see a list of the available members of this object. You can select a field to open it and see its members and methods as well, or you can select a method to pentest.

In our scenario we search for the field “IActivityTaskManagerSingleton” and open it by clicking on it. You can also use the search bar to find the field more easily. (See also the Android source code: https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/app/ActivityTaskManager.java)

Now we search for the function “startActivity”.

After a click on it you will see the parameter configuration screen. Each parameter of the target function has to be configured and can have multiple values or ranges specified. The fuzzer will iterate through all combinations and call the function for each one.

For most parameters you can choose between Auto-search and NULL. Auto-search will search the memory for occurrences of the parameter type, while NULL will just pass null as the value.

Other types like strings, Intents or integers have more options, however. You can ask the package manager for package names, for example.

Or for a list of start Intents.

Integers can be searched in memory, defined via a range or a constant.

In our case a range from 1 to 100 is completely sufficient.

A very interesting parameter is the IBinder type. If you select Auto-search here, the fuzzer will search for values implementing the IBinder interface. This will pentest for the vulnerabilities explained here (https://stackoverflow.com/questions/6686686/android-binder-security). In short: if you hand over a Binder object representing another system service, it is possible that the target service will call this Binder object, which can thus be used to trigger functions that require the system uid. Read more in the provided link. In our scenario we select Auto-search for the parameter of type IBinder.

In our scenario, if you select Auto-search for the ProfilerInfo parameter you will see that there is no value of this type in memory. Such a value only exists if you connect the Profiler (https://developer.android.com/studio/profile/android-profiler) to your app, so we have to select NULL here.

Once all values are configured you can press the “Start” button.

You’ll see a screen like this telling you that BinderFuzzy is going to search for occurrences of values of type “IApplicationThread”. Once it has found this value it will search for the other auto-configured values. Then it will start the fuzzy task automatically and print statistics about it.

The Running row tells you how many iterations have already been performed and how many must be done in total. The Success number tells you how many calls completed without exceptions, while Failed tells you how many exceptions were thrown. A list of the different exception types is also written down. In our case the first exception is of type SecurityException.

Later you can revisit this pentest by checking the Recents and looking into the logs. There you’ll see every invocation and the parameters that were used. You will also be able to analyze the return values of the system service. In case of a system crash you’ll see the last parameters, i.e. the ones that caused the system or service to crash.

Also you can fetch the logs via:

adb pull /sdcard/Android/org.chickenhook.binderfuzzy/files/logs/

and analyze it with your favorite log file analyzer.

Use Python

Prerequisites

Installation

1. Download https://github.com/ChickenHook/BinderFuzzy/releases/download/c2/release.zip
2. unzip release.zip
3. cd bin/

Usage

The CLI will offer the following options:

$ python3 binderfuzzy.py --help
Launching BinderFuzzy version: 1.0
usage: binderfuzzy.py [-h] [--fuzzy-apk [APK_PATH]] [--script [SCRIPT_PATH]]
                      [--pull-logs]

Process paths.

optional arguments:
  -h, --help            show this help message and exit
  --fuzzy-apk [APK_PATH]
                        path to binderfuzzy-release.apk
  --script [SCRIPT_PATH]
                        path to action script
  --pull-logs           just pull the test results

Please note that this script requires ADB to be installed and present in the PATH environment variable (see more here: https://stackoverflow.com/questions/2517493/adb-command-not-found-in-linux-environment).

And here is a typical start routine:

python3 binderfuzzy.py --fuzzy-apk ./binderfuzzy-debug.apk --script ./startActivity.bf

After the task is done you can fetch the logs via:

python3 binderfuzzy.py --pull-logs

Please add comments if you need more information here.

Writing Fuzzy scripts for python CLI

This chapter explains how to write fuzzy scripts to be executed via the CLI. The following code shows an example configuration:

{
    "fields_ordered": [
        {
            "clazz": "android.app.ActivityTaskManager",
            "field": "IActivityTaskManagerSingleton"
        },
        {
            "clazz": "android.util.Singleton",
            "field": "mInstance"
        }
    ],
    "call": {
        "clazz": "android.app.IActivityTaskManager",
        "method": "startActivity(",
        "params": [
            "auto",
            "packageNames",
            "launchIntents",
            "packageNames",
            "auto",
            "packageNames",
            "auto",
            "auto",
            "null",
            "auto"
        ]
    }
}

The fields_ordered list

Note that for some fuzzy tasks it is required to fetch objects with a list of reflection calls that gather static or non-static fields and their values. Those fields are specified in the fields_ordered list.

In this scenario the fuzzer will first search for the IActivityTaskManagerSingleton field in the ActivityTaskManager class. Once this object has been gathered, the mInstance field inside the IActivityTaskManagerSingleton will be gathered. The fuzzer will automatically take the last object gathered. The first field must always be static because the host parameter will be set to null.

The call key

Now we come to the invocation specification. If the fields_ordered list is empty the fuzzer will automatically use null as the host object, which requires the target method to be static. Otherwise the last gathered object will be used for the call. In our scenario an object of type IActivityTaskManager (the type of mInstance in our case) was gathered and will be used to invoke the specified “startActivity” call. Currently functions are searched for by checking whether Method.toGenericString() (read more here: https://developer.android.com/reference/java/lang/reflect/Method#toGenericString()) contains the value defined in our config via the “method” key.

The next step is to configure the parameters. Currently you can specify exactly one parameter configuration per parameter. The following configuration types are supported:

  • auto
  • packageNames
  • launchIntents
  • null

In the future this list will be extended with more configuration options.
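As an added example (not part of BinderFuzzy itself): a small Python loader for this script format that enforces the constraints stated above, shows why the “method” key carries a trailing “(” given the substring match on Method.toGenericString(), and enumerates the parameter combinations the parameter screen will iterate. The script text and the toGenericString() stand-ins are constructed for this example.

```python
import itertools
import json

SUPPORTED_PARAMS = {"auto", "packageNames", "launchIntents", "null"}

# Constructed fuzzy script in the format described above (parameter list shortened).
SAMPLE_SCRIPT = """{
  "fields_ordered": [
    {"clazz": "android.app.ActivityTaskManager", "field": "IActivityTaskManagerSingleton"},
    {"clazz": "android.util.Singleton", "field": "mInstance"}
  ],
  "call": {
    "clazz": "android.app.IActivityTaskManager",
    "method": "startActivity(",
    "params": ["auto", "packageNames", "launchIntents", "null"]
  }
}"""

# Constructed stand-ins for Method.toGenericString() output; parameter types are illustrative.
SAMPLE_METHODS = [
    "public abstract int android.app.IActivityTaskManager.startActivity(android.app.IApplicationThread,java.lang.String,android.content.Intent)",
    "public abstract int android.app.IActivityTaskManager.startActivityAsUser(android.app.IApplicationThread,java.lang.String,android.content.Intent,int)",
    "public abstract int android.app.IActivityTaskManager.startActivities(android.app.IApplicationThread,java.lang.String)",
]

def load_script(text):
    """Parse a fuzzy script and enforce the constraints described above."""
    cfg = json.loads(text)
    for entry in cfg.get("fields_ordered", []):
        if not {"clazz", "field"} <= set(entry):
            raise ValueError(f"fields_ordered entry needs clazz and field: {entry}")
    call = cfg["call"]
    missing = [k for k in ("clazz", "method", "params") if k not in call]
    if missing:
        raise ValueError(f"call is missing {missing}")
    unsupported = [p for p in call["params"] if p not in SUPPORTED_PARAMS]
    if unsupported:
        raise ValueError(f"unsupported parameter configuration(s): {unsupported}")
    return cfg

def select_methods(cfg, generic_strings):
    """Pick the target the way the fuzzer does: plain substring match on the 'method' key.
    The trailing '(' in "startActivity(" is what keeps startActivityAsUser out."""
    needle = cfg["call"]["method"]
    return [s for s in generic_strings if needle in s]

def plan_calls(values_per_param):
    """Every argument combination the fuzzer will invoke, one tuple per call."""
    return list(itertools.product(*values_per_param))
```

Dropping the parenthesis from the “method” value makes the match ambiguous, so a script author should always include it.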

Findings

This chapter shows some of the findings we have already made using the BinderFuzzy tool.

Enter a negative user id

For some functions you can specify a negative user id without causing a permission exception. In our test we were logged in as user 0, but we were still able to make calls as user -3.

Help and contribute

This is a very new project and you can help us improve it. Feel free to submit feature requests or issues via GitHub: https://github.com/ChickenHook/BinderFuzzy/issues

Thanks for reading!

Greetings
