From 926b88d6b39de445f623c528a0fe8934c5fbabaf Mon Sep 17 00:00:00 2001
From: J Van Dyke
Date: Fri, 12 Aug 2016 10:47:58 -0400
Subject: [PATCH 1/3] add test for CVE_2016_0808 on arm32
---
 app/src/main/assets/vuln_map.json | 14 ++
 .../VulnerabilityOrganizer.java | 4 +
 .../framework/graphics/CVE_2016_0808.java | 122 ++++++++++++++++++
 3 files changed, 140 insertions(+)
 create mode 100644 app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/graphics/CVE_2016_0808.java
diff --git a/app/src/main/assets/vuln_map.json b/app/src/main/assets/vuln_map.json
index 9a966b7..9cf7e0a 100644
--- a/app/src/main/assets/vuln_map.json
+++ b/app/src/main/assets/vuln_map.json
@@ -1,4 +1,18 @@
 {
+ "CVE-2016-0808": {
+ "cve": "CVE-2016-0808",
+ "altnames": [],
+ "description": "This vulnerability is what is known as a denial-of-service which gives a malicious application or individual the ability to cause continuous rebooting",
+ "impact": "Continuous reboot",
+ "external_links": [
+ "https://android.googlesource.com/platform/frameworks/minikin/+/ed4c8d79153baab7f26562afb8930652dfbf853b"
+ ],
+ "patch": [
+ "https://android.googlesource.com/platform/frameworks/minikin/+/ed4c8d79153baab7f26562afb8930652dfbf853b%5E%21/#F0"
+ ],
+ "cvssv2": 4.9,
+ "cvedate": "02/01/2016"
+ },
 "CVE-2015-3636": {
 "cve": "CVE-2015-3636",
 "altnames": [
diff --git a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java
index f921405..1e71571 100644
--- a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java
+++ b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java
@@ -8,6 +8,7 @@ import java.util.List;
 import fuzion24.device.vulnerability.util.CPUArch;
+import fuzion24.device.vulnerability.vulnerabilities.framework.graphics.CVE_2016_0808;
 import fuzion24.device.vulnerability.vulnerabilities.framework.graphics.GraphicBufferTest;
 import fuzion24.device.vulnerability.vulnerabilities.framework.media.CVE_2015_6602;
 import fuzion24.device.vulnerability.vulnerabilities.framework.media.CVE_2015_6608;
@@ -38,7 +39,10 @@ private VulnerabilityOrganizer() {
 //TODO: Maybe add dates to each of these and sort chronologically
 public static List getTests(Context ctx){
+ List allTests = new ArrayList<>();
+
+ allTests.add(new CVE_2016_0808());
 allTests.add(new ZipBug9950697());
 allTests.add(new ZipBug8219321());
 allTests.add(new ZipBug9695860());
diff --git a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/graphics/CVE_2016_0808.java b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/graphics/CVE_2016_0808.java
new file mode 100644
index 0000000..ec97932
--- /dev/null
+++ b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/graphics/CVE_2016_0808.java
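Review bot: In the getTests hunk of VulnerabilityOrganizer.java the added declaration `List allTests = new ArrayList<>();` uses a raw `List`, so every `allTests.add(...)` below it is an unchecked call and the element type is lost to callers; declare it `List<VulnerabilityTest> allTests = new ArrayList<>();` and, on the context line, have getTests return `List<VulnerabilityTest>`, which is the interface CVE_2016_0808 and the other entries implement. The body of getTests continues outside the hunk.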
@@ -0,0 +1,122 @@
+package fuzion24.device.vulnerability.vulnerabilities.framework.graphics;
+
+import android.content.Context;
+import android.util.Log;
+
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+import fuzion24.device.vulnerability.util.CPUArch;
+import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityTest;
+import fuzion24.device.vulnerability.util.DeviceInfo;
+import fuzion24.device.vulnerability.vulnerabilities.helper.BinaryAssets;
+import fuzion24.device.vulnerability.vulnerabilities.helper.KMPMatch;
+import fuzion24.device.vulnerability.vulnerabilities.helper.SystemUtils;
+
+/**
+ * Created by kg on 09/03/16.
+ */
+public class CVE_2016_0808 implements VulnerabilityTest{
+
+ @Override
+ public String getCVEorID() {
+ return "CVE-2016-0808";
+ }
+
+ @Override
+ public boolean isVulnerable(Context context) throws Exception {
+
+ String cpuArch1 = SystemUtils.propertyGet( context, "ro.product.cpu.abi" );
+ String cpuArch2 = SystemUtils.propertyGet( context, "ro.product.cpu.abi2" );
+ if( cpuArch1 == cpuArch2 )
+ {
+ cpuArch2 = "";
+ }
+
+ Log.e( getCVEorID(), "cpu stuffs: " + DeviceInfo.getDeviceInfo().getBuildCpuABI() );
+
+ return IsVuln( cpuArch1 ) || IsVuln( cpuArch2 );
+
+
+ /*int checkVal = 0;//checkCVE20160808();
+ if(checkVal == 0) {
+ return false;
+ }else if(checkVal == 1) {
+ return true;
+ }else {
+ throw new Exception("Error running test");
+ }*/
+ }
+
+ private boolean IsVuln( String arch )
+ {
+ // this method doesn't work for arm64. 
the 0x15555553 is not stored in a literal pool
+ // MOV W26, #0x5553
+ // MOVK W26, #0x1555,LSL#16
+ // CMP W0, W26
+
+
+ // 32bit arm
+ String thePath;
+ byte[] theBytes;
+ if( CPUArch.ARM7.getArch().equals( arch )
+ || CPUArch.ARM.getArch().equals( arch ) )
+ {
+ thePath = "/system/lib/libminikin.so";
+ theBytes = new byte[] {0x53, 0x55, 0x55, 0x15};
+ }
+ else
+ {
+ if( !arch.isEmpty() )
+ {
+ Log.e( getCVEorID(), "unsupported arch: " + arch );
+ }
+ return false;
+ }
+ File theFile = new File(thePath);
+
+ if(!theFile.exists() || !theFile.isFile()){
+ Log.e( getCVEorID(), "vulnerable for arch: " + arch );
+ return false;
+ }
+
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream((int)theFile.length());
+ try
+ {
+ BinaryAssets.copy(new FileInputStream(theFile), baos);
+ }
+ catch(Exception e)
+ {
+ Log.e( getCVEorID(), "error reading file: " + thePath );
+ e.printStackTrace();
+ return false;
+ }
+ byte[] so = baos.toByteArray();
+
+
+ KMPMatch binMatcher = new KMPMatch();
+
+
+ int indexOf = binMatcher.indexOf(so, theBytes);
+ if( indexOf == -1 )
+ {
+ Log.e( getCVEorID(), "vulnerable for arch: " + arch );
+ return true;
+ }
+ Log.e( getCVEorID(), "pattern not found in the file: " + thePath );
+ return false;
+ }
+
+ @Override
+ public List getSupportedArchitectures() {
+ ArrayList archs = new ArrayList();
+ archs.add(CPUArch.ARM7);
+ archs.add(CPUArch.ARM);
+ return archs;
+ }
+}
\ No newline at end of file
From 8ab1414b87b4484547a2cad022366dc088f6ae08 Mon Sep 17 00:00:00 2001
From: J Van Dyke
Date: Fri, 12 Aug 2016 10:52:14 -0400
Subject: [PATCH 2/3] remove old code
---
 .../framework/graphics/CVE_2016_0808.java | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/graphics/CVE_2016_0808.java b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/graphics/CVE_2016_0808.java
index ec97932..5cc44b3 100644
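Review bot: `if( cpuArch1 == cpuArch2 )` in isVulnerable compares the two property strings by reference, so the intended skip of a duplicate abi2 only happens by chance and IsVuln normally scans the same library twice; write `if( cpuArch1 != null && cpuArch1.equals( cpuArch2 ) )` (the line survives as context in the PATCH 3/3 hunk). Relatedly, if SystemUtils.propertyGet can return null for an absent `ro.product.cpu.abi2`, IsVuln reaches `!arch.isEmpty()` with null and throws, so guard that branch with `if( arch != null && !arch.isEmpty() )` before its `return false`. In IsVuln the `new FileInputStream(theFile)` handed to BinaryAssets.copy is never closed; use `try( FileInputStream in = new FileInputStream( theFile ) ) { BinaryAssets.copy( in, baos ); }` (or close it in a finally block if the project's minSdk predates try-with-resources) and report the failure through `Log.e( getCVEorID(), "error reading file: " + thePath, e )` instead of `e.printStackTrace()`. The missing-file branch logs `"vulnerable for arch: " + arch` yet returns false, while the same message at the pattern-not-found branch accompanies `return true`; change the first to `"library not found, skipping: " + thePath` so the log matches the result. Minor: `IsVuln` should be `isVuln`, and `getSupportedArchitectures` builds a raw `ArrayList` where `List<CPUArch>` is the type its entries imply.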
--- a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/graphics/CVE_2016_0808.java
+++ b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/graphics/CVE_2016_0808.java
@@ -40,16 +40,6 @@ public boolean isVulnerable(Context context) throws Exception {
 Log.e( getCVEorID(), "cpu stuffs: " + DeviceInfo.getDeviceInfo().getBuildCpuABI() );
 return IsVuln( cpuArch1 ) || IsVuln( cpuArch2 );
-
-
- /*int checkVal = 0;//checkCVE20160808();
- if(checkVal == 0) {
- return false;
- }else if(checkVal == 1) {
- return true;
- }else {
- throw new Exception("Error running test");
- }*/
 }
 private boolean IsVuln( String arch )
From 3dfdcba1c9d5a1b5e41e9da9881733074aa4bacf Mon Sep 17 00:00:00 2001
From: J Van Dyke
Date: Fri, 12 Aug 2016 10:58:12 -0400
Subject: [PATCH 3/3] remove old code
---
 .../vulnerabilities/framework/graphics/CVE_2016_0808.java | 2 --
 1 file changed, 2 deletions(-)
diff --git a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/graphics/CVE_2016_0808.java b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/graphics/CVE_2016_0808.java
index 5cc44b3..3133729 100644
--- a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/graphics/CVE_2016_0808.java
+++ b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/graphics/CVE_2016_0808.java
@@ -37,8 +37,6 @@ public boolean isVulnerable(Context context) throws Exception {
 cpuArch2 = "";
 }
- Log.e( getCVEorID(), "cpu stuffs: " + DeviceInfo.getDeviceInfo().getBuildCpuABI() );
-
 return IsVuln( cpuArch1 ) || IsVuln( cpuArch2 );
 }