Wednesday, 5 February 2014

Buffer Overflow Exploit Discovered In Android SDK

Android SDK also suffers lack of compile-time hardening.
Buffer Overflow Exploit, Android SDK , compile-time hardening, droidsec security group, Android Debug Bridge, buntu Linux 12.04, google

The droidsec security group has discovered and patched a buffer overflow issue and a lack of compile-time hardening in the Android Debug Bridge, with the team deciding to publicly disclose the issues and patches after a lack of communication from Google. The buffer overflow exploit discovered in the Android software development kit effects all versions of the Android Debug Bridge on Linux x86_64.
According to droidsec the exploit has been confirmed on version 18.0.1 of the Android SDK platform tools on x86_64 Ubuntu Linux 12.04. Meanwhile, attempts of exploitation on a 32-bit Linux system and the adb binary found on the Nexus 4 were unsuccesful. Windows systems were kept out of the test.

The exploit starts with an attacker starting a malicious Android Debug Bridge (ADB) server. This ADB server then interfaces with Android devices on a multi-user system and waits for ADB clients to connect. Any command that communicates with the ADB Server will lead to 'successful' exploitation. Further, it has been found that the ADB binary failed to have a non-executable stack. Also the executable was not position independent.

"It should also be noted that host compilation also seems to intentionally opt out of the FORTIFY_SOURCE protections. It's not clear why this is the case since the comment near this line of code references an internal only bug number." " droidsec was quoted as saying.

Shivam Kotwalia, CodeKill
Posted by
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Blog Archive

Labels

Tutorial (129) Tech News (83) E-Books (55) Pdf (47) Hacking (46) Linux (32) Android (23) Programming (22) Tools (22) Video (21) Ethical Hacking (16) Electronics (12) Google (10) Hacked (9) Python (9) Facebook (8) Java (8) Software (8) PHP (7) Android App (6) C (6) Free Online Coureses (6) OpenSource (6) Ubuntu (6) Unix (6) Windows (6) C++ (5) Game Programming (5) Java Programming (5) Kali Linux (5) CodeKill (4) Cryptography (4) Firefox (4) JavaScript (4) Linux System Administrator (4) Mac (4) Penetration testing (4) Python Programming (4) Security (4) Top Distros (4) WhatsApp (4) CSS (3) Circuit (3) Cloud Computing (3) Game Devlopment (3) Hacking Tools (3) Malware (3) MicroController (3) Microsoft (3) Networking Tool (3) Perl (3) Source Code (3) WebSite (3) Windows 8.1 (3) C Programming (2) C Series (2) C# (2) CheetSheet (2) Computer (2) Computer Networking (2) Data Storage (2) Dual Boot (2) Eclipse (2) Edward Snowden (2) Exploit (2) Facts (2) Games On Linux (2) Google Chrome (2) HTML5 (2) Hacking Challenges (2) IDE's (2) Information Security (2) Lenovo (2) Linux Kernel (2) Malicious (2) Mobile (2) Motorola (2) Mozilla (2) MySQL (2) NoSQL (2) Raspberry Pi (2) Ruby (2) Security Tools (2) Syrian Electronic Army (2) Tricks and Tips (2) Valentine Day (2) Web Design (2) iOS (2) iPhone (2) jQwery (2) *nix (1) 2014 (1) 3D Modeling (1) Algorithm (1) Android Hacking (1) Android Pattern Lock Screen.. (1) Anonymous Mail (1) Anti-Spam (1) Apps (1) Arduino (1) Artificial Intelligance (1) Audio Software (1) BSD (1) BeAWARE (1) Bitcoin (1) Black Hat Hackers (1) BlackBerry (1) Buffer Overflow (1) C++ vs Java (1) CISO (1) Circuit Analysis (1) Circuit Design (1) Circuit Programming (1) Circuit Simulators (1) Codes (1) Crptology (1) Cryptanalysis (1) DDOS (1) Devlopers (1) Drupal (1) DuckDuckGo Search Engine (1) E-Card (1) E-Mails (1) Embedded System (1) Encryption Tools (1) Error (1) FTP (1) Famous Passwords (1) FileZilla (1) Flipkart (1) Forbes (1) Forgot Password (1) GCHQ (1) Genders (1) Gmail (1) Google Tricks and Trips (1) HTML (1) Hacking Distro (1) Hard Disk (1) Hash Encryption (1) Illegal (1) Internet (1) LAMP (1) Language Theory (1) LibreOffice (1) Linus Trovalds (1) Logic Gates (1) MATLAB (1) MOSFET (1) Mail (1) Mark Zuckerberg (1) Mathematical (1) MicroProcessor (1) Mind Mapping Tools (1) Myntra (1) NoSQL Database (1) Nobal Prize (1) Nokia (1) Object Oriented Programming (1) Office (1) Oldboot (1) Online (1) Paranoid Android (1) Passwords (1) Passwords Cracking Tools (1) PayPal (1) Perl Programming (1) Plugins (1) Prolog Programming (1) Python Basics (1) Remote (1) SEA (1) SQL Injection (1) Sans (1) Screencasts (1) Screenloggers (1) Server Load (1) Servers (1) Shell (1) Software Design (1) Software Developer (1) Software Testing (1) Sony (1) Spider.io (1) Statistical (1) Steve Jobs (1) TCP/IP (1) Timeline (1) Tor (1) Trojan (1) Ubuntu Phones (1) VAIO (1) Virus (1) Web Designers (1) Wi-Fi Hacking (1) Windows Tools (1) Windows XP (1) WordPress (1) XML (1) Yahoo (1) YouTube (1) cpp (1) eBay (1) iBanking (1)