tag: Android

Leveraging Android Permissions: A Solver Approach

The Android permission management system has suffered from several vulnerabilities in the past. Such weaknesses can grant dangerous permissions to a malicious application; one example is CALL_LOG, which gives access to all incoming and outgoing calls.

This post dives into the Android permission system and how a solver was leveraged to find new vulnerabilities. With this approach, a privilege escalation was identified, which was fixed and assigned CVE-2023-20947 by Google.

The Fuzzing Guide to the Galaxy: An Attempt with Android System Services

Although the Android base is open source, many manufacturers customize it with their own UIs and APIs. All these additions represent an extra attack surface that can change from one phone model to another. We tried to automatically fuzz the closed-source system services powering these modifications, discovering CVE-2022-39907 and CVE-2022-39908 along the way.

ARM TrustZone: pivoting to the secure world

  1. Discovery of two vulnerabilities in secure world components
  2. Exploitation to get code execution in a trusted driver, without a debugger for this obscure environment
  3. Leveraging the AArch32 T32 instruction set to find useful stack pivots
  4. Turning an arbitrary write into arbitrary code execution