Saturday, May 7, 2016

Turning Android on a Cyber War Camp

Once again we come back to the same problems in Android and Java: serialization and unvalidated methods.

This time, the new security flaw allows us to crash applications, creating a permanent denial of service (DoS): when it runs, the target can be crashed repeatedly, stopping the application completely and indefinitely. This security issue affects all Android applications from SDK version 2.0 to 6+.

The reason this happens is very simple: each application has its own ClassLoader, which holds the core Android classes and the classes of the currently compiled APK, referenced by a DexClassLoader, and only those, not the classes compiled in other APKs.

It is really simple to send a Parcelable or Serializable to an application, service, method, etc. If the application does not contain these classes, it simply crashes (explodes). With this simple theory, all that remains is to find entry points through which to send these Parcelable and/or Serializable objects.
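On the receiving side, the crash described above can be contained by treating every read of an incoming Intent's extras as untrusted input. The following is an added example, not code from the original post or from the MissileGuidedForAndroid project; the class name `SafeEntryActivity`, the extra key `message` and the helper `readMessageExtra` are hypothetical.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

// Hypothetical exported activity that accepts one String extra from other apps.
public class SafeEntryActivity extends Activity {
    private static final String TAG = "SafeEntryActivity";
    private static final String EXTRA_MESSAGE = "message"; // hypothetical key

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String message = readMessageExtra(getIntent());
        if (message == null) {
            // Malformed or hostile Intent: exit cleanly instead of crashing.
            finish();
            return;
        }
        Log.i(TAG, "accepted message of length " + message.length());
    }

    // Returns the extra, or null if it is absent or the extras cannot be read.
    static String readMessageExtra(Intent intent) {
        if (intent == null) {
            return null;
        }
        try {
            Bundle extras = intent.getExtras();
            if (extras == null) {
                return null;
            }
            // On the Android versions the post covers, reading one key unpacks
            // the whole Bundle, so an unknown Parcelable or Serializable stored
            // under any other key fails at this call.
            return extras.getString(EXTRA_MESSAGE);
        } catch (RuntimeException e) {
            // Covers android.os.BadParcelableException (class missing from this
            // app's ClassLoader) and the RuntimeException that wraps a
            // ClassNotFoundException for a Serializable extra.
            Log.w(TAG, "dropping Intent with unreadable extras", e);
            return null;
        }
    }
}
```

Components that do not need callers from other applications can also be declared with `android:exported="false"` in the manifest, which removes them as entry points for other apps.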

PoC preview

Github: MissileGuidedForAndroid