Friday, March 29, 2024

Critical Vulnerability in Android Phone Let Hackers Execute an Arbitrary Code Remotely

Researchers discovered a new Critical Android vulnerability that may allow attackers to perform remote code execution on a vulnerable Android device and to take control of it.

The vulnerability resides in the way Android handing the proxy auto-config (PAC), a file that defines how web browsers and other user agents can automatically choose the appropriate proxy server.

In this case, Android uses a library called libpac. In order to parse the Javascript, libpac using the V8 JS engine which is the main attack surface and the version of V8 is vulnerable to recent exploit and leads to crash the PacProcessor service.

Researchers explain that “the crash wasn’t caused by an issue within V8 but instead was due to a problem with allocations of ArrayBuffers within the context of the JS function FindProxyForUrl.”

 PAC settings can be accessed in Android by going to the current wifi network -> editing the advanced settings -> selecting “Proxy Auto-Config” in the proxy dropdown.

 Austin Emmitt, a security researcher from NowSecure found this vulnerability in July 2019 and reported to Google and it was confirmed as “Critical” severity.

Vulnerability Details

Austin manually found the vulnerability in Android with the help of a few tools & tricks. The vulnerability occurs due to improper initialization of an object that provides methods for ArrayBuffer objects in V8.

“He refers that the vulnerability is due to the use of automatic storage of the instance of ArrayBufferAllocator on the stack on line 770 of proxy_resolver_v8.cc in the chromium-libpac library.”

Android vulnerability
Vulnerability in the use of automatic storage

The attacker who control the PAC script has the ability to manipulate what urls are passed to “FindProxyForURL” function and also attacker can trigger the call to the ArrayBuffer functions based on whether the PAC URL matches an appropriate exploit string” said via blog post.

The vulnerability can be exploited remotely by the attacker in two different ways.

  1. Leak an address to executable memory
  2. Spray the heap sufficiently to ensure that attacker-controlled bytes are executed.

The researcher believes that the ret gadget (a sequence of instructions ending in RET is called a gadget) would give the attacker a powerful read and write primitive since this could return to the attacker an ArrayBuffer of unlimited size that can read and write any values using the normal DataView methods.”

Another advantage for attackers is the PacProcessor will restart after a crash that helps the attacker to execute an exploit as many as he can.

PoC Exploit

The researcher published a PoC exploit that uses a malicious app along with a malicious PAC script to execute arbitrary code and perform the elevation of privilege and gains the INTERNET permissions associated with PacProcessor. 

The exploit can be launched by run poc.py which hosts the malicious PAC file and app. You can find the PoC code under the PoC exploit category. 

“This vulnerability potentially affects any user that uses PAC scripts and could result in remote code execution. Also, Android versions below 8.0 may enable apps to set the system proxy settings, which would allow a malicious app to exploit the vulnerability without the user needing to manually set a PAC URL.” Austin Concluded.

You can also read the complete technical details here.

Also Read

NFC Beaming Vulnerability in Android Let Hackers to Infect Vulnerable Devices With Malware

Vulnerability in Qualcomm Chip Let Hackers Steal Sensitive Data From Android Devices

Website

Latest articles

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles