Message-ID: <4D90423C.7000701@gmx.org>
Date: Mon, 28 Mar 2011 10:09:32 +0200
From: Marc Schoenefeld <marc.schoenefeld@....org>
To: full-disclosure@...ts.grok.org.uk, "Bugtraq" <bugtraq@...urityfocus.com>
Subject: Android SDK: Segmentation fault with dexdump / dexDecodeDebugInfo

Hi,

the dexdump tool, bundled with the Android SDK, was identified to perform suspicious write accesses in the dexDecodeDebugInfo function, as defined in dalvik/libdex/DexFile.c. The structural parser in dexdump failed to properly parse debug info such as code position info, with indications of code execution. This could potentially be misused by remote attackers, tricking users into opening apk/dex-files from untrusted sources (such as for disassembling or decompiling via undx).

The crash dump looks as follows:

exception=EXC_BAD_ACCESS:signal=Segmentation fault:is_exploitable=yes:instruction_disassembly=movl %edx,(%eax,%esi):instruction_address=0x00000000000087e0:access_type=write:access_address=0x00000000c00feeb0:
Crash accessing invalid address.
Consider running it again with libgmalloc(3) to see if the log changes.

Process:         dexdump [75749]
Path:            /Users/marc/android-sdk-mac_86/platforms/android-8/tools/dexdump
Identifier:      dexdump
Version:         ??? (???)
Code Type:       X86 (Native)
Parent Process:  exc_handler_snowleopard [75748]

Date/Time:       2010-05-26 08:30:16.960 +0200
OS Version:      Mac OS X 10.6.3 (10D573)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000c00feeb0
Crashed Thread:  0

Thread 0 Crashed:
0   dexdump   0x000087e0 dexDecodeDebugInfo + 672
1   dexdump   0x00003bd7 dumpPositions + 135
2   dexdump   0x00005183 dumpCode + 179
3   dexdump   0x00005335 dumpMethod + 405
4   dexdump   0x00005a6f dumpClass + 1087
5   dexdump   0x00005d04 processDexFile + 148
6   dexdump   0x00005edf process + 239
7   dexdump   0x00006212 main + 754
8   dexdump   0x00002a36 start + 54

The issue was reported to Google in May 2010 and fixed in trunk with this patch adding new constraints that prevent the bug from being triggered:

http://android.git.kernel.org/?p=platform/dalvik.git;a=commit;h=4b0750e8df91220690bb417f45d7ae8b7851b220

Late February 2011 the Android security team confirmed the bug to be a vulnerability, pre-assigning CVE-2011-1001.

The current version dumps a correct error message for the given testcase:

W/dalvikvm(63949): Bad index: (item->typeIdx)(1050) > (state->pHeader->typeIdsSize)(233)
E/dalvikvm(63949): Trouble with item 7 @ offset 0x4a48
E/dalvikvm(63949): Swap of section type 0004 failed
E/dalvikvm(63949): ERROR: Byte swap + verify failed
ERROR: Failed structural verification of 'blabla.dex'

Anyone interested in the reproducer for research purposes, feel free to contact me.

Cheers
Marc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
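As an added illustration, not code from the advisory above or from the Dalvik project, the following C program contrasts the defect class the message describes (a table index read from the file and used without comparison against the header's table size) with the kind of bounds constraint that produces the "Bad index ... typeIdsSize" message quoted in the post. The struct names DexHeaderLite, DebugItemLite and SwapStateLite, their fields and all functions are simplified stand-ins constructed for this example; they do not reproduce libdex's real layouts, and the project's actual checks live in the linked commit. The sample table size 233 and the rejected index 1050 are taken from the advisory's log lines.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for a DEX header and a debug-info item. These are
 * constructed for this example and are NOT the layouts from libdex's
 * DexFile.h; only the field names follow the advisory's error message. */
typedef struct {
    uint32_t typeIdsSize;       /* number of entries in the type_ids table */
} DexHeaderLite;

typedef struct {
    uint32_t typeIdx;           /* index into the type_ids table, read from the file */
} DebugItemLite;

typedef struct {
    const DexHeaderLite *pHeader;
    uint32_t *typeIds;          /* table with pHeader->typeIdsSize entries */
} SwapStateLite;

/* Defective pattern (never call this with untrusted input): the index comes
 * straight from the file and addresses the table without being compared to
 * the header's size, so an out-of-range index becomes a write past the end
 * of the table, the class of fault the advisory's crash dump shows
 * (access_type=write). Kept here only as the "before" for contrast. */
void store_type_unchecked(SwapStateLite *state, const DebugItemLite *item, uint32_t value) {
    state->typeIds[item->typeIdx] = value;
}

/* Hardened form: validate the index against the header before it is used.
 * An index equal to typeIdsSize is also out of range, hence >= rather than >.
 * The message format loosely follows the one quoted in the advisory. */
bool check_type_index(const SwapStateLite *state, const DebugItemLite *item) {
    if (item->typeIdx >= state->pHeader->typeIdsSize) {
        fprintf(stderr, "Bad index: (item->typeIdx)(%u) >= (state->pHeader->typeIdsSize)(%u)\n",
                item->typeIdx, state->pHeader->typeIdsSize);
        return false;
    }
    return true;
}

/* Same store, refused when the index is out of range. Returns 0 on success
 * and -1 when the item was rejected; the table is left untouched then. */
int store_type_checked(SwapStateLite *state, const DebugItemLite *item, uint32_t value) {
    if (!check_type_index(state, item))
        return -1;
    state->typeIds[item->typeIdx] = value;
    return 0;
}

/* Walk a list of items the way a structural verifier does and return the
 * position of the first item with an out-of-range index, or -1 if every
 * item passes. Verification stops at the first failure, so nothing after
 * the bad item is dereferenced. */
int verify_debug_items(const SwapStateLite *state, const DebugItemLite *items, size_t count) {
    for (size_t i = 0; i < count; i++) {
        if (!check_type_index(state, &items[i])) {
            fprintf(stderr, "Trouble with item %zu\n", i);
            return (int)i;
        }
    }
    return -1;
}

/* Constructed sample: a table of 233 type ids (the size from the advisory's
 * error message) and three items, the last of which indexes entry 1050. */
static uint32_t sample_type_ids[233];
static const DexHeaderLite sample_header = { 233 };
static SwapStateLite sample_state = { &sample_header, sample_type_ids };

/* Runs the verifier over the constructed items; returns 2 for this sample. */
int run_sample(void) {
    const DebugItemLite items[] = { {0}, {232}, {1050} };
    return verify_debug_items(&sample_state, items, sizeof items / sizeof items[0]);
}

int main(void) {
    int bad = run_sample();
    if (bad >= 0) {
        fprintf(stderr, "ERROR: Failed structural verification of sample input\n");
        return 1;
    }
    puts("sample input passed structural verification");
    return 0;
}
```

The design point is that the check sits in front of every use of the file-supplied index and that verification fails closed at the first bad item, which is the same shape as the "Trouble with item 7 ... Failed structural verification" sequence the fixed dexdump prints for the author's testcase.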