Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1001 The MemoryIntArray class allows processes to share an in-memory array of integers by transferring an ashmem file descriptor. As the class implements the Parcelable interface, it can be passed within a Parcel or a Bundle and transferred via binder to remote processes. The implementation of MemoryIntArray keeps track of the "owner" of each instance by recording the pid of the creating process within the constructor and serializing it to the Parcel whenever the instance is marshalled. Moreover, each MemoryIntArray instance keeps an additional field, mMemoryAddr, denoting the address at which the array is mapped in memory. This field is also written to a Parcel whenever the instance is marshalled (therefore transferring instances of MemoryIntArray between processes automatically reveals information about the address-space of the sharing process, constituting an information-leak). When MemoryIntArray instances are deserialized, they perform a check to see whether or not the current process is the "owner" process of the deserialized instance. If so, the transferred memory address in the parcel is used as the memory address of the shared buffer (as the address space in which the array was created is the same as the current address space). Since all of the fields above are simply written to a Parcel, they can be easily spoofed by an attacker to contain any value. Specifically, this means an attacker may and set the mPid field to the pid of a remote process to which the MemoryIntArray is being sent, and may also set the mMemoryAddr field to point to any wanted memory address. Placing such an instance within a Bundle means that any function the unparcels the Bundle will deserialize the embedded instance, creating a new fully controlled instance in the remote process. Here is a short snippet of the constructor which creates new instances from a given Parcel: private MemoryIntArray(Parcel parcel) throws IOException { mOwnerPid = parcel.readInt(); mClientWritable = (parcel.readInt() == 1); mFd = parcel.readParcelable(null); if (mFd == null) { throw new IOException("No backing file descriptor"); } final long memoryAddress = parcel.readLong(); if (isOwner()) { //mOwnerPid == Process.myPid() mMemoryAddr = memoryAddress; } else { mMemoryAddr = nativeOpen(mFd.getFd(), false, mClientWritable); } } Lastly, once the MemoryIntArray instance is garbage collected, its finalizer is called in order to unmap the shared buffer: static void android_util_MemoryIntArray_close(JNIEnv* env, jobject clazz, jint fd, jlong ashmemAddr, jboolean owner) { if (fd < 0) { jniThrowException(env, "java/io/IOException", "bad file descriptor"); return; } int ashmemSize = ashmem_get_size_region(fd); if (ashmemSize <= 0) { jniThrowException(env, "java/io/IOException", "bad ashmem size"); return; } int unmapResult = munmap(reinterpret_cast(ashmemAddr), ashmemSize); if (unmapResult < 0) { jniThrowException(env, "java/io/IOException", "munmap failed"); return; } ... } Putting this together, an attacker may serialize a MemoryIntArray instance with a controlled memory address and ashmem file descriptor in order to cause any remote process which deserializes it to call munmap with a controlled memory address and size. This can then be leveraged by an attacker to replace key memory regions in the remote process with attack-controlled data, achieving code execution. I've attached a small PoC which uses this bug in order to unmap libc.so from the address-space of system_server. ################################################################################ Attaching another version of the PoC, adjusted for Android 7.1 (since MemoryIntArray's fields have slightly changed). This version also finds the specific PID of system_server (via /proc/locks) to avoid flooding the process with too many file descriptors. Note that the PoC needs to be executed several times in order to trigger the vulnerability, since the MemoryIntArray instances are sometimes not finalized immediately (I'm unsure why - this leaks file descriptors in system_server). Here is a sample crash from a successful execution of the PoC: 11-22 11:51:58.574 28893 28893 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 11-22 11:51:58.575 28893 28893 F DEBUG : Build fingerprint: 'Android/sdk_google_phone_x86_64/generic_x86_64:7.1.1/NPF10D/3354678:userdebug/test-keys' 11-22 11:51:58.575 28893 28893 F DEBUG : Revision: '0' 11-22 11:51:58.575 28893 28893 F DEBUG : ABI: 'x86_64' 11-22 11:51:58.575 28893 28893 F DEBUG : pid: 26559, tid: 26574, name: Binder:26559_2 >>> system_server <<< 11-22 11:51:58.575 28893 28893 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7ffef7482000 11-22 11:51:58.575 28893 28893 F DEBUG : rax 0000000000000000 rbx 0000000013526e20 rcx 000000006f45a0b0 rdx 00000000000001d0 11-22 11:51:58.575 28893 28893 F DEBUG : rsi 00007ffef7482000 rdi 0000000013526e2c 11-22 11:51:58.575 28893 28893 F DEBUG : r8 00007ffef7482000 r9 00000000000001d0 r10 00000000fffffff0 r11 00007ffef42ed8b8 11-22 11:51:58.576 28893 28893 F DEBUG : r12 00000000000001d0 r13 00007ffedf71470c r14 00007ffef7482000 r15 0000000000000000 11-22 11:51:58.576 28893 28893 F DEBUG : cs 0000000000000033 ss 000000000000002b 11-22 11:51:58.576 28893 28893 F DEBUG : rip 00007ffef423ed31 rbp 00007ffeea5b3dc0 rsp 00007ffedf7144d0 eflags 0000000000000283 11-22 11:51:58.577 28893 28893 F DEBUG : 11-22 11:51:58.577 28893 28893 F DEBUG : backtrace: 11-22 11:51:58.577 28893 28893 F DEBUG : #00 pc 000000000001cd31 /system/lib64/libc.so (memcpy+33) 11-22 11:51:58.577 28893 28893 F DEBUG : #01 pc 0000000000925e1f /dev/ashmem/dalvik-main space (deleted) (offset 0x1000) Proofs of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41354.zip # Iranian Exploit DataBase = http://IeDb.Ir [2017-02-17]