Overview
Explore the intricacies of Android's inter-process communication (IPC) system and the vulnerabilities associated with parcel handling in this 35-minute Black Hat conference talk. Dive deep into the concept of "BadParcel" attacks, where malformed marshalled byte streams can be exploited to achieve privilege escalation. Learn about the fuzzing and code auditing techniques used to uncover high-severity vulnerabilities in Android 6.0 and earlier versions. Discover how zero-permission attacker applications can execute code in high-privilege processes like mediaserver and system_server. Gain insights into custom fuzzer development, integration with ASAN and AFL, and exploitation techniques for turning seemingly benign info-leaks into full PC control and shellcode execution. Explore heap spray and heap fengshui techniques that can be applied to similar vulnerabilities. Understand the intricacies of Binder, Java data boxing and unboxing, and the importance of heap fengshui in exploiting these vulnerabilities.
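The core of a BadParcel bug is a reader that trusts a length or offset taken from the marshalled byte stream. The example below is added here and is not code from the talk or from Android's libbinder: it is a toy Parcel-style reader (little-endian int32 fields, 4-byte padded byte arrays, a made-up message layout of tag, payload, trailer) that validates every untrusted length before use, plus a small deterministic mutation loop of the kind a custom fuzzer starts from. Build it with `-fsanitize=address` to get the same out-of-bounds signal the talk gets from ASAN.

```c
/* Added example (not from the talk or libbinder): a bounds-checked
 * Parcel-style reader and a mutation loop that feeds it malformed parcels.
 * The wire layout below is an assumption made for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PARCEL_OK = 0, PARCEL_EOVERRUN = -1, PARCEL_EBADLEN = -2 };

typedef struct {
    const uint8_t *data;   /* untrusted marshalled bytes from the peer */
    size_t size;
    size_t pos;
} parcel_t;

static size_t pad4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Read one little-endian int32; refuse to read past the end of the buffer. */
int parcel_read_int32(parcel_t *p, int32_t *out) {
    if (p->size - p->pos < 4) return PARCEL_EOVERRUN;
    const uint8_t *b = p->data + p->pos;
    uint32_t v = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
                 ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    p->pos += 4;
    *out = (int32_t)v;
    return PARCEL_OK;
}

/* Read a length-prefixed byte array. The length is attacker-controlled, so it
 * is checked against the bytes left in the parcel and the caller's buffer
 * before memcpy. A reader that trusts this length is the kind of defect a
 * malformed parcel turns into an info-leak or memory corruption. */
int parcel_read_bytes(parcel_t *p, uint8_t *out, size_t cap, size_t *outlen) {
    int32_t len;
    int rc = parcel_read_int32(p, &len);
    if (rc != PARCEL_OK) return rc;
    if (len < 0) return PARCEL_EBADLEN;                /* negative length */
    size_t n = (size_t)len, left = p->size - p->pos;
    if (n > left) return PARCEL_EOVERRUN;              /* claims more than present */
    if (n > cap) return PARCEL_EBADLEN;                /* would overflow destination */
    memcpy(out, p->data + p->pos, n);
    size_t adv = pad4(n);
    p->pos += (adv > left) ? left : adv;               /* skip padding, never past end */
    *outlen = n;
    return PARCEL_OK;
}

/* Parse one assumed message: int32 tag, byte-array payload, int32 trailer. */
int parse_message(const uint8_t *buf, size_t len, int32_t *tag, int32_t *trailer) {
    parcel_t p = { buf, len, 0 };
    uint8_t payload[64];
    size_t n;
    int rc;
    if ((rc = parcel_read_int32(&p, tag)) != PARCEL_OK) return rc;
    if ((rc = parcel_read_bytes(&p, payload, sizeof payload, &n)) != PARCEL_OK) return rc;
    return parcel_read_int32(&p, trailer);
}

/* Constructed well-formed parcel: tag=1, "hello" (len 5, padded to 8), trailer=42. */
const uint8_t good_parcel[] = {
    1,0,0,0,  5,0,0,0,  'h','e','l','l','o',0,0,0,  42,0,0,0 };
const size_t good_parcel_len = sizeof good_parcel;

int check_good_parcel(void) {
    int32_t tag, tr;
    return parse_message(good_parcel, good_parcel_len, &tag, &tr) == PARCEL_OK
           && tag == 1 && tr == 42;
}

/* The good parcel with its payload length field overwritten by 'len'. */
int parse_with_length(int32_t len) {
    uint8_t buf[sizeof good_parcel];
    uint32_t u = (uint32_t)len;
    int32_t tag, tr;
    memcpy(buf, good_parcel, sizeof buf);
    buf[4] = (uint8_t)u; buf[5] = (uint8_t)(u >> 8);
    buf[6] = (uint8_t)(u >> 16); buf[7] = (uint8_t)(u >> 24);
    return parse_message(buf, sizeof buf, &tag, &tr);
}

/* Tiny deterministic mutator: flip a byte or plant a boundary int32 value.
 * Returns how many mutants the parser rejected; the property worth checking
 * (under ASan) is that none of them makes it touch memory outside 'buf'. */
unsigned fuzz_parcel(const uint8_t *seed, size_t seed_len, unsigned iters, uint32_t rng) {
    static const int32_t magic[] = { -1, 0, INT32_MAX, INT32_MIN, 0x10000 };
    uint8_t buf[64];
    unsigned rejected = 0;
    if (seed_len == 0 || seed_len > sizeof buf) return 0;
    for (unsigned i = 0; i < iters; i++) {
        memcpy(buf, seed, seed_len);
        rng = rng * 1103515245u + 12345u;              /* LCG, reproducible runs */
        size_t at = (rng >> 8) % seed_len;
        if (rng & 1) {
            buf[at] ^= (uint8_t)(rng >> 16);           /* bit flip */
        } else {
            int32_t m = magic[(rng >> 4) % 5];         /* planted in host byte order */
            at &= ~(size_t)3;                          /* align to an int32 field */
            if (at + 4 <= seed_len) memcpy(buf + at, &m, 4);
        }
        int32_t tag, trailer;
        if (parse_message(buf, seed_len, &tag, &trailer) != PARCEL_OK) rejected++;
    }
    return rejected;
}

int main(void) {
    printf("good parcel ok: %d\n", check_good_parcel());
    printf("len INT32_MAX -> %d, len -1 -> %d\n",
           parse_with_length(INT32_MAX), parse_with_length(-1));
    printf("rejected %u of 2000 mutants\n", fuzz_parcel(good_parcel, good_parcel_len, 2000, 7));
    return 0;
}
```

The three checks in `parcel_read_bytes` (sign, bytes remaining, destination capacity) are the ones to look for when auditing a `createFromParcel`/`readFromParcel` implementation; the mutator deliberately targets length fields with boundary values because that is where trusting the stream does the most damage.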
Syllabus
Intro
Tencent KEEN Security Lab
Binder in Android - Advantages (cont.)
Key of the heart: Binder (cont.)
Conclusion
Data boxing and unboxing in Java
Fuzzing strategies of Java land (cont.)
Integration with ASAN
Example 1 (cont.)
Exploitability Analysis
Vector item
Strong Pointer (cont.)
We still need heap fengshui
Taught by
Black Hat