/bindump4j

A portable utility to locate android binder service

Primary LanguageJavaGNU General Public License v3.0GPL-3.0

What's Bindump4j for

Vendor binder services proved to be an interesting part of android devices nature. They usually remains close-source, but sometimes open attack surface for privilege escalation. Namely examples like SVE-2016-7114 (By @laginimaineb), CVE-2018-9143 and CVE-2018-9139 (By @flanker_hqd) and so on, which are all memory corruption vulnerabilities.

Locating interesting binder service processes

Before Android N, all binder services were registered to servicemanager, and communicated with each other under /dev/binder. After Android N, binder domains are splitted to normal domain under /dev/binder, vendor domain under /dev/vndbinder, and hardware domain under /dev/hwbinder. Normal untrusted_app access is restricted to /dev/binder.

There're possibly more than 200 binder services on some vendor devices, how do we deduce which services may have interesting native code for possible memory corruption? Most importantly, where are these services running in?

J previously released a tool named bindump, by reading binder node data in debugfs, the tool can iterate which process owns a service and which processes are using this service. However days have passed and android has involved pretty much, major problems including

  • debugfs is no longer readable by normal process so you will need root to run
  • Binder node now have context so you have to distinguish between different domain context
  • libbinder.so linking symbols change over each version so one may not be able to reuse the binary and need to recompile the source on top of corresponding AOSP source branch for every major version

To solve problem 2 and 3, I rewrite the tool in Java and encapsulated it into a standalone jar, which is portable across all android platforms and friendly with Android N or later.

Usage

The usage is fairly simple. I assume you've obtained the precompiled binary or make your own, specifically Main.jar and run.sh. Push them to /data/local/tmp/ :

a70q:/data/local/tmp # ./run.sh dump com.samsung.android.bio.face.IFaceDaemon                                   
User: 28986    app_process    /data/local/tmp/Bindump com.samsung.android.bio.face.IFaceDaemon
Owner: 1074    /system/bin/faced    /system/bin/faced
User: 554    /system/bin/servicemanager    /system/bin/servicemanager

Or simply use dumpall to dump all services and find your target.

Compilation

If you would like to craft your own binary, just refer to compile.sh. Note to replace the dx path.

Limitations

On Windows CMD sometimes the console display messed up. Maybe because windows console cannot property handle \t

Usage In Action

In a following post I'll describe how we analyze and fuzz vendor binder services to find various vulnerabilities, e.g. CVEs mentioned above.