Fuzzing Android System Services by Binder Call to Escalate Privilege

Black Hat USA 2015

Presented by: Guang Gong
Date: Thursday August 06, 2015
Time: 17:00 - 17:25
Location: Lagoon K

Binder is the IPC mechanism in Android. It is used for communication not only between processes with the same privilege but also between low-privileged apps and high-privileged system services. The system services are a juicy attack surface for privilege escalation because the parameters passed to them through Binder calls lack sanitization, but until now few vulnerabilities of this type have been disclosed.

In this presentation, I'll first introduce this attack surface and then demonstrate the first fuzzing tool for finding this kind of vulnerability. The tool takes the Binder interfaces exported by system services as its attack targets. It is simple but efficient. With this tool I've found 8 vulnerabilities that received CVE IDs from the Android Security Team, as well as dozens of crashes of system services. Finally, I'll detail how to exploit this type of vulnerability to obtain Android's system_server permissions using an unpublicized vulnerability.
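The attack surface above (apps reaching privileged system services through Binder) and the fuzzing approach (enumerating the exported interfaces and sending them malformed transactions) can be sketched with the stock Android `service` shell tool, which lists registered services (`service list`) and issues a transaction by code with `i32`/`s16` arguments (`service call NAME CODE ...`). The following is an added example, not the presenter's tool: it parses `service list` output, builds transaction cases with boundary-value integers and odd strings, and optionally pushes them to a device over adb. The `SAMPLE_SERVICE_LIST` text is constructed for offline use, and the function names are this example's own.

```python
"""Minimal Binder transaction fuzz-case generator (added example).

It enumerates services from `service list` output, builds `service call`
command lines whose transaction code and arguments are mutated, and can run
them through adb.  Only the i32 and s16 argument types are used because the
`service` tool has accepted those since early Android releases.
"""
import random
import re
import shlex
import shutil
import subprocess

# Constructed sample of `service list` output.  Real output has the same shape:
# index, tab, service name, colon, and the interface descriptor in brackets.
SAMPLE_SERVICE_LIST = """Found 3 services:
0\tactivity: [android.app.IActivityManager]
1\tmedia.player: [android.media.IMediaPlayerService]
2\tvibrator: []
"""

_LINE_RE = re.compile(r"^\d+\t([^:]+): \[([^\]]*)\]$")

# Integer values that commonly trip unchecked length, index and offset handling.
INT_BOUNDARIES = [0, 1, -1, 0x7FFFFFFF, -0x80000000, 0xFFFF, 4096]


def parse_service_list(text):
    """Return (service_name, interface_descriptor) pairs, skipping the header."""
    services = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.rstrip("\r"))
        if m:
            services.append((m.group(1), m.group(2)))
    return services


def mutate_int(rng):
    """Mostly boundary values, sometimes a random 32-bit signed integer."""
    if rng.random() < 0.7:
        return rng.choice(INT_BOUNDARIES)
    return rng.randint(-0x80000000, 0x7FFFFFFF)


def mutate_string(rng):
    """Empty, oversized, path-like or random printable strings."""
    kinds = ["", "A" * 4096, "../../../../data/local/tmp", "%s%x%s%x"]
    if rng.random() < 0.3:
        return "".join(chr(rng.randint(0x20, 0x7E)) for _ in range(rng.randint(1, 64)))
    return rng.choice(kinds)


def build_case(service, code, nargs, seed):
    """Build one `service call` argv.  Transaction codes of an AIDL interface
    start at 1 (IBinder.FIRST_CALL_TRANSACTION); `seed` makes the case
    reproducible so a crash can be replayed."""
    rng = random.Random(seed)
    argv = ["service", "call", service, str(code)]
    for _ in range(nargs):
        if rng.random() < 0.5:
            argv += ["i32", str(mutate_int(rng))]
        else:
            argv += ["s16", mutate_string(rng)]
    return argv


def generate_cases(services, count=10, max_code=30, max_args=4, seed=0):
    """Pick random (service, code, argument layout) combinations."""
    rng = random.Random(seed)
    cases = []
    for _ in range(count):
        name, _iface = rng.choice(services)
        cases.append(build_case(name, rng.randint(1, max_code),
                                rng.randint(0, max_args), rng.randrange(1 << 30)))
    return cases


def run_case(argv, serial=None, timeout=5):
    """Send one case to a device via adb.  Returns the tool's stdout, "TIMEOUT"
    if the service stopped answering, or None when adb is not installed.  A
    service that crashed and restarted typically answers later calls with
    `service: Service ... does not exist` until it re-registers."""
    if shutil.which("adb") is None:
        return None
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell"]
    cmd += [shlex.quote(a) for a in argv]  # the device shell re-parses the line
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        return out.stdout
    except subprocess.TimeoutExpired:
        return "TIMEOUT"


if __name__ == "__main__":
    # Dry run on the constructed sample: print the cases that would be sent.
    for case in generate_cases(parse_service_list(SAMPLE_SERVICE_LIST)):
        print(" ".join(shlex.quote(a) for a in case))
```

This works at the granularity the `service` tool allows (well-formed Parcels with the right interface token). A fuzzer written against libbinder's `Parcel` and `IBinder::transact()` in C++ or Java can go further, sending argument layouts that do not match what the service's `onTransact` reads, which is where missing parameter sanitization in the service shows up. In either case crashes are spotted by watching logcat and `/data/tombstones` for the service's process, and each case's seed lets the crashing input be replayed.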

Guang Gong

Guang Gong is a security researcher at Qihoo 360 and a former employee of VMware.

