Yesterday, Maddie Stone, a Security Researcher in the Google Project Zero team shared a detailed analysis of the use-after-free Android Binder vulnerability. The vulnerability, tracked under CVE-2019-2215 was being exploited in-the-wild affecting most Android devices manufactured before fall last year.
Stone’s post goes into detail about how they discovered this Android Binder vulnerability, its technical details, how it can be exploited, and its fix. Along with these details, she also shared that the Project Zero team is working on improving their approach of handling “in-the-wild” zero-day exploits under the mission “make zero-day hard.” Their current approach is to hunt for bugs based on rumors or leads and patch the bug, perform variant analysis to find similar vulnerabilities and patch them. Finally, sharing the complete detailed analysis of the exploit with the community.
The use-after-free Android Binder vulnerability
The use-after-free Android Binder vulnerability is a local privilege escalation vulnerability that gives the attacker full read and write access to a vulnerable device. It is not new though. Back in 2017, Szybot, a syzkaller system reported it to both the Linux kernel and syzkaller-bugs mailing lists. In February 2018, it was patched in the Linux 4.14, Android 3.18, Android 4.4, and Android 4.9 kernels. The patch, however, never made it to the Android monthly security bulletin leaving many already released devices such as Pixel and Pixel 2 vulnerable to an exploit.
Then in late summer 2019, the NSO Group, an Israel-based technology firm known for its Pegasus spyware, informed Project Zero about an Android zero-day exploit that was part of an attack chain that installed Pegasus spyware on target devices. Based on the details shared by the NSO Group Stone was able to track down the bug in Android Binder.
Project Zero reported the Android Binder vulnerability to Android on September 27. In the report Stone has shared a list of devices that appear to be vulnerable:
“Other devices which appear to be vulnerable based on source code review are (referring to 8.x releases unless otherwise stated):
1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) Oppo A3
7) Moto Z3
8) Oreo LG phones (run the same kernel according to the website)
9) Samsung S7, S8, S9 “
After reporting the Android Binder vulnerability to Android, the team publicly disclosed it on October 3 and three days later Android added updates to the October Android Security Bulletin. In a statement to the Project Zero team, Android shared, “Android partners were notified of the bug and provided updates to address it within 24 hours. Android also assigned CVE-2019-2215 to explicitly indicate that it represents a security vulnerability as the original report from syzkaller and the corresponding Linux 4.14 patch did not highlight any security implications.”
The statement further reads, “Pixel 3 and 3a were already protected against these issues. Updates for affected Pixel devices were available to users as early as October 7th, 2019.”
To read more about the exploit, check out Stone’s blog post: Bad Binder: Android In-The-Wild Exploit. Also, check out the proof-of-concept exploit that Stone wrote together with Jann Horn, a fellow team member. The PoC demonstrates how this vulnerability can be used to gain arbitrary read and write permissions when run locally.