Android applications commonly use sockets of different domains, such as PF_UNIX, PF_INET and PF_NETLINK, for local IPC or remote network communication, and each of these is a potential local or remote attack surface. Historically there have been many cases of sockets being abused for denial of service, escalation to root privileges, or remote command execution. PF_INET network sockets in particular can be reached by other Android applications over the network. They were originally meant for open network services in a Linux environment and lack fine-grained security checks such as the identity of a network caller or the PID and permissions of a local caller, so when a socket service is implemented carelessly it can be possible to break out of the Android sandbox and execute commands with the privileges of the attacked application, which often leads to more serious vulnerabilities.
As a novice in Android security research, the author applied the traditional server-penetration idea of looking for open socket ports and, unexpectedly, found quite a few vulnerabilities this way; the following summarizes how such vulnerabilities are discovered, with cases and their impact. Thanks to the ijiami website for providing the idea for this blog post. Android application security risks remain grim: game cheats, third-party payment vulnerability mining, prepaid-card payment vulnerability mining, memory modification, save-file modification, script recording, theft and tampering of game resource files, accelerators and emulator operation are all deadly blows to game makers. http://www.ijiami.cn/appprotect_mobile_games
0x01 Locating the app behind an Android open port
Simply running the netstat command shows that Android has many open socket ports, but which application owns each of those ports is not clear.
This can be resolved with a three-step method that also works on non-rooted phones.
Step 1: use netstat to find the open socket port of interest, 15555 in this example.
Step 2: convert the port number to hexadecimal and look it up in the corresponding socket status file under /proc/net/, where the UID of the app that owns the socket is recorded. The hexadecimal representation of 15555 is 3CC3 and the protocol is tcp6, so look in the /proc/net/tcp6 file.
In the matching entry, the uid column (10115 here) is the UID of the app that owns the socket; from this UID we know that the app's user name is u0_a115.
Step 3: with that user name, the application can be looked up (for example in the output of ps).
At this point we know that the application listening on port 15555 is com.qiyi.video. We still cannot tell which exact process opened the port, but this already lays the foundation for further vulnerability hunting.
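The three steps above can be exercised offline against captured text, which is useful both for checking the /proc/net field layout and for building an inventory of which apps expose listening sockets on a device. The following is an added example, not code from the original post: it parses constructed netstat, /proc/net/tcp6, /proc/net/udp and ps text (modelled on the 15555 / uid 10115 / u0_a115 case above; no real device data) and maps each listening socket to its UID, u0_aN user name and package. The function names are this example's own.

```python
# Added example: offline version of the three-step port -> app lookup.
# All sample text below is CONSTRUCTED, modelled on the example in the text.

SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::15555                :::*                    LISTEN
tcp        0      0 127.0.0.1:40001         127.0.0.1:50000         ESTABLISHED
udp        0      0 0.0.0.0:5353            0.0.0.0:*
"""

# /proc/net/tcp6: uid is the 8th column (index 7); 15555 == 0x3CC3
SAMPLE_PROC_NET_TCP6 = """  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:3CC3 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10115        0 123456 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7890 1 0000000000000000 100 0 0 10 0
"""

# /proc/net/udp has fewer trailing columns, but uid is still column index 7; 5353 == 0x14E9
SAMPLE_PROC_NET_UDP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  42: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000 10042        0 55555 2 0000000000000000 0
"""

# Classic Android `ps` layout: USER PID PPID VSIZE RSS WCHAN PC S NAME
SAMPLE_PS = """USER      PID   PPID  VSIZE  RSS   WCHAN    PC         NAME
u0_a115   4321  321   987654 54321 ffffffff 00000000 S com.qiyi.video
u0_a1150  4322  321   123456 12345 ffffffff 00000000 S com.example.other
u0_a42    4323  321   222222 22222 ffffffff 00000000 S com.example.mdns
"""

FIRST_APP_UID = 10000  # Android app UIDs start at 10000, which is user u0_a0


def port_to_hex(port):
    """Decimal port -> zero-padded 4-digit upper-case hex, as written in /proc/net/*."""
    return format(int(port), '04X')


def parse_netstat_listeners(text):
    """Return (protocol, local_port) for listening TCP sockets and every UDP socket."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == 'Proto':
            continue  # skip blank lines and the header
        proto = fields[0].lower()
        port = int(fields[3].rsplit(':', 1)[-1])
        if proto.startswith('udp') or (len(fields) > 5 and fields[5] == 'LISTEN'):
            found.append((proto, port))
    return found


def find_socket_uid(proc_net_text, port):
    """UID owning the socket bound locally to `port` in a /proc/net/{tcp,tcp6,udp,udp6} dump.
    The local address is column 1 and the uid column 7 in all four files, so we
    index from the front instead of counting backwards from a variable tail."""
    wanted = ':' + port_to_hex(port)
    for line in proc_net_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == 'sl':
            continue
        if fields[1].endswith(wanted):
            return int(fields[7])
    return None


def uid_to_username(uid):
    """Map an app UID to its u0_aN user name; system UIDs (and no match) give None."""
    if uid is None or uid < FIRST_APP_UID:
        return None
    return 'u0_a%d' % (uid - FIRST_APP_UID)


def packages_for_user(ps_text, username):
    """Exact-match the USER column (a plain grep for u0_a115 would also hit u0_a1150)."""
    return [line.split()[-1] for line in ps_text.splitlines()
            if line.split() and line.split()[0] == username]


def map_listeners(netstat_text, proc_net_by_proto, ps_text):
    """Tie the three steps together: (proto, port) -> (uid, username, [packages])."""
    result = {}
    for proto, port in parse_netstat_listeners(netstat_text):
        uid = find_socket_uid(proc_net_by_proto.get(proto, ''), port)
        user = uid_to_username(uid)
        pkgs = packages_for_user(ps_text, user) if user else []
        result[(proto, port)] = (uid, user, pkgs)
    return result


if __name__ == '__main__':
    table = map_listeners(SAMPLE_NETSTAT,
                          {'tcp6': SAMPLE_PROC_NET_TCP6, 'udp': SAMPLE_PROC_NET_UDP},
                          SAMPLE_PS)
    for (proto, port), (uid, user, pkgs) in sorted(table.items()):
        print('%-5s %-6d uid=%s user=%s packages=%s' % (proto, port, uid, user, pkgs))
```

On a real device the three text inputs would come from `adb shell netstat`, `adb shell cat /proc/net/<proto>` and `adb shell ps`; the parsing is the same. Note that the ESTABLISHED tcp line is ignored on purpose, since only listening sockets are of interest here, and that a UID below 10000 is reported as a system user rather than mapped to a u0_aN name.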
A simple script can automate this task:
```python
import subprocess
import re


def tohexport(port):
    # /proc/net/* lists ports as 4-digit upper-case hex (15555 -> 3CC3)
    return format(int(port), '04X')


def finduid(protocol, entry):
    # In /proc/net/tcp, tcp6, udp and udp6 the uid is the 8th column (index 7)
    # of every entry line; grep may return several lines, so use the first one
    fields = entry.splitlines()[0].split()
    uid = int(fields[7])
    if uid >= 10000:  # app UIDs start at 10000 (u0_a0); lower values are system UIDs
        return 'u0_a' + str(uid - 10000)
    return -1


def main():
    netstat_cmd = "adb shell netstat | grep -Ei 'listen|udp*'"
    # netstat_cmd = "adb shell netstat"
    grep_cmd = "adb shell grep "
    proc_net = "/proc/net/"
    # step 1: find interesting ports
    orig_output = subprocess.check_output(netstat_cmd, shell=True, universal_newlines=True)
    list_line = orig_output.splitlines()
    apps = []
    strip_listline = []
    pattern = re.compile("^Proto")  # omit the header line
    for line in list_line:
        if line.strip() != '' and pattern.match(line) is None:
            # step 2: find the UID in /proc/net/[protocol] based on the port
            socket_entry = line.split()
            protocol = socket_entry[0].lower()
            port = socket_entry[3].split(':')[-1]
            # match ":PORT" so the hex value is not confused with other columns
            grep_appid = grep_cmd + ':' + tohexport(port) + ' ' + proc_net + protocol
            net_entry = subprocess.check_output(grep_appid, shell=True, universal_newlines=True)
            uid = finduid(protocol, net_entry)
            # step 3: find the app's user name based on the UID
            if uid == -1:
                continue
            applist = subprocess.check_output('adb shell ps | grep -w ' + uid, shell=True,
                                              universal_newlines=True).split()
            app = applist[8]  # NAME column of the classic Android ps output
            apps.append(app)
            strip_listline.append(line)
    # last, prefix each netstat line with the app that owns the socket
    print("Package Proto Recv-Q Send-Q Local Address Foreign Address State")
    for app, line in zip(apps, strip_listline):
        print(app + " " + line)


if __name__ == '__main__':
    main()
```
The result of running the script is as follows:
Besides PF_INET sockets, the status files for PF_UNIX and PF_NETLINK sockets are /proc/net/unix and /proc/net/netlink respectively.
Of course, on a rooted phone you can simply run the netstat binary from the BusyBox installation directory with the -p option, which displays the PID and the (truncated) program name directly.
Analyzing the security risks of Android open network ports