Monday, 24 August 2015

Interesting security flaw.



While working on an init hack for attaining root on the S5 past OE1, I decided to look around for information while I was taking a break.
I've been looking into old exploits, to learn as much as possible. That, and it is very interesting reading material.
I figured I should look into Android security news as well.

That is when I found a post about a vulnerability that SEARCH-LAB Ltd. discovered in ADB.

"...discovered a vulnerability in the design of the Android backup mechanism: the backup manager, which invokes the custom BackupAgent does not filter the data stream returned by the applications. A malicious BackupAgent (without any Android permissions) is able to inject additional applications (APKs) through reflection into the backup archive without the user's consent. Upon restoration of the backup archive, the system installs the injected, additional application (since it is already part of the backup archive). The installed malware could gain any (non-system) permissions it wanted without any confirmation dialogs."

While this means that applications can be pushed onto the phone, they won't be able to obtain system permissions.
What do you guys think would happen if we took a backup of an application with root permissions from a different S5 and used this injection method to place it onto our devices? I'm sure the signature wouldn't allow root to carry over from a non-identical device. It is fun to play around with, though. Experimentation always leads to fun knowledge.
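Because the restore side installs whatever APK entries the archive carries, the practical defence is to audit a backup before restoring it. The following is an added example, not code from this post or from SEARCH-LAB; it assumes the unencrypted `.ab` layout that `adb backup` writes (a four-line header followed by a zlib-compressed tar, with each app's APK stored under `apps/<package>/a/`) and builds a constructed sample archive inline, flagging any package whose APK is present but was never requested.

```python
import io
import tarfile
import zlib

# Header written by "adb backup" (assumption: unencrypted archive): four
# newline-terminated lines, then a zlib-compressed tar stream.
MAGIC = b"ANDROID BACKUP\n"

# Constructed sample: a legitimate app's data plus an APK for a package that was
# never requested, the kind of entry a malicious BackupAgent could emit.
SAMPLE_ENTRIES = [
    ("apps/com.example.notes/_manifest", b"manifest"),
    ("apps/com.example.notes/a/base.apk", b"PK..legit"),
    ("apps/com.example.notes/f/notes.db", b"data"),
    ("apps/com.evil.injected/a/base.apk", b"PK..injected"),
]

def build_backup(entries):
    """Assemble an unencrypted, compressed .ab archive from (name, payload) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return MAGIC + b"1\n1\nnone\n" + zlib.compress(buf.getvalue())

def list_members(data):
    """Validate the header and return the tar entry names inside the archive."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup archive")
    _version, compressed, encryption, body = data[len(MAGIC):].split(b"\n", 3)
    if encryption != b"none":
        raise ValueError("encrypted archive; decrypt it before inspecting")
    tar_bytes = zlib.decompress(body) if compressed == b"1" else body
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]

def audit_apks(member_names, expected_packages):
    """Map each package to the APK entries a restore would install (domain "a"
    under apps/<pkg>/) and list the packages that were not requested for backup."""
    apks = {}
    for name in member_names:
        parts = name.split("/")
        if len(parts) == 4 and parts[0] == "apps" and parts[2] == "a" and parts[3].endswith(".apk"):
            apks.setdefault(parts[1], []).append(name)
    unexpected = sorted(pkg for pkg in apks if pkg not in expected_packages)
    return apks, unexpected
```

Running `audit_apks(list_members(build_backup(SAMPLE_ENTRIES)), {"com.example.notes"})` on the sample reports `com.evil.injected` as a package to refuse before restoring.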

Anyway, I figured you guys might be interested in this. Have fun playing around!


