Android: bypassing permission checks and elevating privileges at the zygote fork

Source: Internet
Author: User

When writing patches for unpacking (shelling) native code, the process does not have sufficiently high permissions: basic C functions such as file I/O and network I/O cannot be used and fail with "insufficient permissions". The following are some attempts based on material found online:

1. When an APK is installed, the permissions the app requests are recorded in /data/system/packages.xml, as follows:

    <package name="com.example.unpacker" codePath="/data/app/com.example.unpacker-1.apk" nativeLibraryPath="/data/app-lib/com.example.unpacker-1" flags="572998" ft="1504bc58f90" it="1504bad7c65" ut="1504bc5913e" version="1" userId="10078">
        <sigs count="1">
            <cert index="9" key="XXX" />
        </sigs>
        <perms>
            <item name="android.permission.ACCESS_WIFI_STATE" />
            <item name="android.permission.CHANGE_NETWORK_STATE" />
            <item name="android.permission.ACCESS_NETWORK_STATE" />
            <item name="android.permission.INTERNET" />
            <item name="android.permission.CHANGE_WIFI_STATE" />
        </perms>
        <signing-keyset identifier="1" />
    </package>

Adding all permissions to this packages.xml had no effect; the test failed. The specific reason remains to be examined later.

2. Bypass permission verification directly by modifying the framework code. Related reference: http://www.cnblogs.com/GnagWang/archive/2011/03/21/1990507.html

In ActivityManagerService.java (frameworks/base/services/java/com/android/server/am), change the return values of the checkPermission, checkCallingPermission and enforceCallingPermission functions to PERMISSION_GRANTED. After compiling framework.jar, framework2.jar and services.jar and flashing them onto the device, testing showed that this modification easily causes the system to fail to boot and to be unstable; the specific reason remains to be examined later.

3. Modify the capabilities of the process after the zygote fork. A zygote fork eventually calls the forkAndSpecializeCommon function, which determines whether it is starting the system_server process or another app process. For the other processes, permittedCapabilities and effectiveCapabilities are set to 0:

    // Excerpt from forkAndSpecializeCommon in Dalvik (dalvik_system_Zygote.cpp);
    // the two comment lines marked "change" are the author's modification.
    if (isSystemServer) {
        /*
         * Don't use GET_ARG_LONG here for now.  gcc is generating code
         * that uses register d8 as a temporary, and that's coming out
         * scrambled in the child process.  b/3138621
         */
        //permittedCapabilities = GET_ARG_LONG(args, 5);
        //effectiveCapabilities = GET_ARG_LONG(args, 7);
        permittedCapabilities = args[5] | (int64_t) args[6] << 32;
        effectiveCapabilities = args[7] | (int64_t) args[8] << 32;
    } else {
        mountMode = args[5];
        permittedCapabilities = effectiveCapabilities = 0;
        // Ordinary app processes have their permitted and effective capabilities cleared to 0.
        // Change the line above to: permittedCapabilities = effectiveCapabilities = 125910048;
        StringObject* seInfoObj = (StringObject*) args[6];
        if (seInfoObj) {
            seInfo = dvmCreateCstrFromString(seInfoObj);
            if (!seInfo) {
                ALOGE("seInfo dvmCreateCstrFromString failed");
                dvmAbort();
            }
        }
        StringObject* niceNameObj = (StringObject*) args[7];
        if (niceNameObj) {
            niceName = dvmCreateCstrFromString(niceNameObj);
            if (!niceName) {
                ALOGE("niceName dvmCreateCstrFromString failed");
                dvmAbort();
            }
        }
    }

As a result, the permission bypass can be implemented by forcing the permitted and effective capabilities of the app to a fixed value when the process is started.

After compiling libdvm.so and copying it to the phone, the process's capabilities were found to be the same as those of system_server.
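To see what the fixed value above actually grants, and how a defender would notice a zygote patched this way, here is an added C example (not code from the page or from Dalvik). It decodes a Linux capability mask such as 125910048 (0x7813c20) into CAP_* names using the bit numbers from <linux/capability.h>, and applies the resulting detection rule: on an unmodified system every app-UID process (UID 10000 and above) has an empty effective capability set, so a non-zero CapEff in /proc/<pid>/status for such a process is the signature of this patch. The /proc status excerpts are constructed, not captured from a device.

```c
/* Capability audit for zygote-spawned app processes (added example, not from the page). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers 0..37 as defined in <linux/capability.h>. */
static const char *const CAP_NAMES[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
};
#define CAP_COUNT (sizeof(CAP_NAMES) / sizeof(CAP_NAMES[0]))

#define FIRST_APPLICATION_UID 10000   /* Android's first app UID (AID_APP) */
#define PATCHED_APP_CAPS 125910048ULL /* the fixed value patched in above */

/* Number of capability bits set in mask. */
int cap_count(uint64_t mask) {
    int n = 0;
    for (; mask; mask &= mask - 1) n++;
    return n;
}

/* 1 if the named capability is in mask, 0 otherwise (also for unknown names). */
int cap_in_mask(uint64_t mask, const char *name) {
    for (size_t bit = 0; bit < CAP_COUNT; bit++)
        if (strcmp(CAP_NAMES[bit], name) == 0) return (int)((mask >> bit) & 1);
    return 0;
}

/* Write the CAP_* names in mask to out as a comma-separated list; returns the count. */
int cap_decode(uint64_t mask, char *out, size_t outlen) {
    int n = 0;
    out[0] = '\0';
    for (size_t bit = 0; bit < 64; bit++) {
        if (!((mask >> bit) & 1)) continue;
        char name[32];
        if (bit < CAP_COUNT) snprintf(name, sizeof name, "%s", CAP_NAMES[bit]);
        else snprintf(name, sizeof name, "CAP_%zu", bit); /* bit beyond the table */
        size_t used = strlen(out);
        snprintf(out + used, outlen - used, "%s%s", n ? "," : "", name);
        n++;
    }
    return n;
}

/* Pointer just past "key" where key starts a line of the status text, or NULL. */
static const char *status_field(const char *status, const char *key) {
    size_t klen = strlen(key);
    for (const char *p = status; (p = strstr(p, key)) != NULL; p += klen)
        if (p == status || p[-1] == '\n') return p + klen;
    return NULL;
}

/* Real UID (first column of the "Uid:" line), or -1 if absent. */
long status_uid(const char *status) {
    const char *f = status_field(status, "Uid:");
    return f ? strtol(f, NULL, 10) : -1;
}

/* Effective capability mask from the "CapEff:" line, or UINT64_MAX if absent. */
uint64_t status_capeff(const char *status) {
    const char *f = status_field(status, "CapEff:");
    return f ? strtoull(f, NULL, 16) : UINT64_MAX;
}

/* Detection rule: an app-UID process must have an empty effective set. */
int app_has_unexpected_caps(const char *status) {
    long uid = status_uid(status);
    uint64_t caps = status_capeff(status);
    return uid >= FIRST_APPLICATION_UID && caps != UINT64_MAX && caps != 0;
}

/* Constructed /proc/<pid>/status excerpts (not captured from a real device). */
static const char SAMPLE_NORMAL[] =
    "Name:\tcom.example.app\nUid:\t10078\t10078\t10078\t10078\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";
static const char SAMPLE_PATCHED[] =
    "Name:\tcom.example.app\nUid:\t10078\t10078\t10078\t10078\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000007813c20\nCapEff:\t0000000007813c20\n";

int main(void) {
    char names[512];
    int n = cap_decode(PATCHED_APP_CAPS, names, sizeof names);
    printf("%llu = 0x%llx grants %d capabilities: %s\n", (unsigned long long)PATCHED_APP_CAPS,
           (unsigned long long)PATCHED_APP_CAPS, n, names);
    printf("normal app flagged: %d\n", app_has_unexpected_caps(SAMPLE_NORMAL));
    printf("patched app flagged: %d\n", app_has_unexpected_caps(SAMPLE_PATCHED));
    return 0;
}
```

Decoding shows that 125910048 is exactly the ten-capability set Android's zygote hands to system_server (CAP_KILL, the four CAP_NET_* capabilities, CAP_SYS_MODULE, CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_SYS_TIME and CAP_SYS_TTY_CONFIG), which is why the patched app ends up with the same capabilities as system_server. On a device, running the check over every /proc/<pid>/status with a UID of 10000 or higher turns the same rule into a quick integrity test for libdvm.so.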

