Kingdom: Input Validation and Representation
Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.
Android Class Loading Hijacking
Abstract
Loading classes from an untrusted source or in an untrusted environment can cause an application to execute malicious commands on behalf of an attacker.
Explanation
Android Class Loading Hijacking vulnerabilities take two forms:
- An attacker can change the name of the directories that the program searches to load classes, thereby pointing the path to one that they have control over: the attacker explicitly controls the paths which should be searched for classes.
- An attacker can change the environment in which the class loads: the attacker implicitly controls what the path name means.
In this case, we are primarily concerned with the first scenario, the possibility that an attacker may be able to control the directories searched for classes to load. Android Class Loading Hijacking vulnerabilities of this type occur when:
1. Data enters the application from an untrusted source.
2. The data is used as or as part of a string representing a library directory to search for classes to load.
3. By executing code from the library path, the application gives the attacker a privilege or capability that the attacker would not otherwise have.
Example 1: The following code uses the user changeable
This code allows an attacker to load a library and potentially execute arbitrary code with the elevated privilege of the app by being able to modify the result of
Example 2: The following code uses the user changeable
This code allows an attacker to specify the output directory for Optimized DEX files (ODEX). This then allows a malicious user to change the value of
- An attacker can change the name of the directories that the program searches to load classes, thereby pointing the path to one that they have control over: the attacker explicitly controls the paths which should be searched for classes.
- An attacker can change the environment in which the class loads: the attacker implicitly controls what the path name means.
In this case, we are primarily concerned with the first scenario, the possibility that an attacker may be able to control the directories searched for classes to load. Android Class Loading Hijacking vulnerabilities of this type occur when:
1. Data enters the application from an untrusted source.
2. The data is used as or as part of a string representing a library directory to search for classes to load.
3. By executing code from the library path, the application gives the attacker a privilege or capability that the attacker would not otherwise have.
Example 1: The following code uses the user changeable
userClassPath to determine the directory in which to search for classes to load.
...
productCategory = this.getIntent().getExtras().getString("userClassPath");
DexClassLoader dexClassLoader = new DexClassLoader(productCategory, optimizedDexOutputPath.getAbsolutePath(), null, getClassLoader());
...
This code allows an attacker to load a library and potentially execute arbitrary code with the elevated privilege of the app by being able to modify the result of
userClassPath to point to a different path, which they control. Because the program does not validate the value read from the environment, if an attacker can control the value of userClassPath, then they can fool the application into pointing to a directory that they control and therefore load the classes that they have defined, using the same privileges as the original app.Example 2: The following code uses the user changeable
userOutput to determine the directory the optimized DEX files should be written.
...
productCategory = this.getIntent().getExtras().getString("userOutput");
DexClassLoader dexClassLoader = new DexClassLoader(sanitizedPath, productCategory, null, getClassLoader());
...
This code allows an attacker to specify the output directory for Optimized DEX files (ODEX). This then allows a malicious user to change the value of
userOutput to a directory that they control, such as external storage. Once this is achieved, it is simply a matter of replacing the outputted ODEX file with a malicious ODEX file to have this executed with the same privileges as the original application.References
[1] Android Class Loading Hijacking Symantec
desc.dataflow.java.android_class_loading_hijacking