Monday, May 4, 2015

Analysis of Gingerbreak


For this paper I will be discussing CVE-2011-1823 [NVD2011], which allowed a malicious user to execute arbitrary code and gain root privileges on the Android operating system. This vulnerability was commonly used to gain root privileges on the Gingerbread version of Android until it was patched. The National Vulnerability Database classifies CVE-2011-1823 as a Numeric Error (CWE-189). However, the more critical problem is that, due to a lack of Input Validation (CWE-20), the code can be subject to Buffer Errors (CWE-119) and Code Injection (CWE-19). As I will show, the lack of validation of input from a seemingly trustworthy source allows an attacker to compromise the Android operating system.


The vulnerability begins in DirectVolume.h, where the number of partitions on the system is stored as a signed integer ([GOOGLE2015-1], line 36). Later, in DirectVolume.cpp, an array called mPartMinors is initialized with -1s ([GOOGLE2015-2], line 42).


[Screenshot omitted] Excerpt from DirectVolume.h


Later, when the program receives an event that a partition has been added, it stores a value from the event at an index in this array that is also specified by the event. The code in the second excerpt, from DirectDrive.cpp, only checks that the part_num variable is not greater than mDiskNumParts, which does not prevent part_num from being negative. Thus, if the PARTN parameter of the message is negative, the value of the minor variable will be written to an arbitrary place in memory. The mistake was trusting the input from the socket, which, even though it is local, can still be accessed by unprivileged programs.


The events come from a local socket connection, a PF_NETLINK socket, that is supposed to be used only by the operating system for special events. However, access to this socket has no authorization protection or authentication. Therefore, a malicious user can inject specifically crafted packets that use a negative offset into this array to write arbitrary values to memory. The code trusts that the operating system is the only one writing messages; however, even if this is true, since the data is coming from an outside source it should still be validated.
[Screenshot omitted] Excerpt from DirectDrive.cpp


The vulnerability was addressed in two ways. First, the check on line 189 of DirectDrive.cpp was updated to ensure part_num is greater than 0 [GOOGLE2015-3]. This ensures that line 200 will not write data to memory outside of the array. The second update was to the PF_NETLINK socket used to communicate with the kernel: the socket was updated to require authentication and authorization to write to it, thus preventing malicious users from writing to the socket.
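The vulnerable check beside the corrected one, as an added example modelled on the description above rather than taken from the vold source: a constructed handler parses PARTN from a constructed, space-separated uevent-style string, and the array write is guarded so the demo itself can never index out of bounds. The struct and function names, the 1-based partition numbering and MAX_PARTITIONS are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of vold's partition-add path; not the original code. */
#define MAX_PARTITIONS 4

struct DirectVolume {
    int mDiskNumParts;                 /* signed, as in DirectVolume.h */
    int mPartMinors[MAX_PARTITIONS];   /* initialised to -1 by the caller */
};

/* Original check: bounded only from above, so a negative part_num passes. */
int check_vulnerable(const struct DirectVolume *v, int part_num) {
    return part_num > v->mDiskNumParts ? 0 : 1;
}

/* Corrected check: part_num must lie in [1, mDiskNumParts] and fit the array. */
int check_fixed(const struct DirectVolume *v, int part_num) {
    if (part_num < 1 || part_num > v->mDiskNumParts || part_num > MAX_PARTITIONS)
        return 0;
    return 1;
}

/* Pull PARTN=<n> out of a constructed, space-separated uevent-style message. */
int parse_partn(const char *msg, int *part_num) {
    const char *p = strstr(msg, "PARTN=");
    if (!p) return 0;
    *part_num = atoi(p + strlen("PARTN="));
    return 1;
}

/* Returns 1 if `check` accepts the event's part number (copied to *accepted),
 * 0 if the event is rejected. The write below is guarded so this demo never
 * goes out of bounds; the original code had no such guard, which is the bug. */
int handle_partition_added(struct DirectVolume *v, const char *msg, int minor,
                           int (*check)(const struct DirectVolume *, int),
                           int *accepted) {
    int part_num;
    if (!parse_partn(msg, &part_num) || !check(v, part_num))
        return 0;
    *accepted = part_num;
    if (part_num >= 1 && part_num <= MAX_PARTITIONS)
        v->mPartMinors[part_num - 1] = minor;   /* partitions assumed 1-based */
    return 1;
}
```

With check_vulnerable a message carrying PARTN=-3 is accepted, which is exactly the negative index the post describes; with check_fixed it is rejected along with PARTN=0 and any value above mDiskNumParts.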

References

[NVD2011]

[GOOGLE2015-3] https://android.googlesource.com/platform/system/vold/+/f3d3ce5e53ab7928f4c292c183c417a1bd051151%5E%21/#F0
