Exploit the possiblities

Android tlc_server Heap Overflow

Android tlc_server Heap Overflow
Posted Dec 29, 2016
Authored by Google Security Research, laginimaineb

Android suffers from a heap overflow vulnerability in the tlc_server via the LOAD_TUI_RESOURCE command.

tags | advisory, overflow
MD5 | eaa1fa22c33faa9c41779a49bc7c8169

Android tlc_server Heap Overflow

Change Mirror Download
Android: Heap-overflow in "tlc_server" via LOAD_TUI_RESOURCE command 




As a part of the TrustZone framework available on Samsung devices, Samsung provides an Android daemon which enables communication with a selected set of trustlets running in the Secure World.

The daemon is spawned multiple time, once for each supported trustlet. It then registers an Android binder service with a name corresponding to the trustlet with which it may communicate.

Apart from the regular commands which enable communication with the trustlet itself, the daemon also provides a special command called LOAD_TUI_RESOURCE (command code 5) which enables loading a KNOX TUI (Trusted User Interface) resource.

The function handling this command has the following logic:

Parcel data = ...;
...
if (data.readInt32(&numDwords))
goto error;
uint32_t* buffer = (uint32_t*)malloc(numDwords * 4);
if (!buffer)
goto error;
for (uint32_t i=0; i<numDwords; i++) {
if (data.readInt32(&dword))
goto error;
buffer[i] = dword;
}

Since the length field (numDwords) is not validated, it may be arbitrarily large. This means that the calculation a4*numDwordsa may overflow on 32-bit builds of "tlc_server" (i.e., on 32-bit Android devices), resulting in a small value.

The loop would then attempt to copy whatever amount of values written to the parcel (controlled by the attacker) into the allocated buffer, resulting in a heap-overflow.

The tlc_server runs with the asystema UID and GID and has an SELinux context of au:r:tlc_server:s0a.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.



Found by: laginimaineb

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    42 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close