hostsidetests/securitybulletin/src/android/security/cts/LaunchSomeWhere.java - platform/cts - Git at Google

 /**
  * Copyright (C) 2018 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package android.security.cts;

 import com.android.tradefed.device.ITestDevice;

 /*
  * Adding Tests:
  * We are testing a series of exploits that all take advantage of binder in the
  * same way, using a malformed parcel to get system permission, with the only
  * difference being the details of how we create the malformed parcel. In order
  * to take advantage of these similarities (among other reasons) we share code
  * between these exploits with an app that only requires two things to run a new
  * version of this exploit: a class implementing IGenerateMalformedParcel and an
  * intent telling the app which version of the exploit to run.
  *
  * When you recieve a new LaunchAnyWhere exploit it will likely be in the form
  * of an app that can perform a number of actions such as creating a new pin
  * or installing an app without recieving the appropriate permissions. However,
  * the only file we care about form the app will be GenMalformedParcel.java.
  * Find that file and follow these steps to add a new LaunchAnyWhere test:
  *
  * 1. Copy GenMalformedParcel.java into the LaunchAnyWhere app at
  *    cts/hostsidetests/security/test-apps/launchanywhere/src... Rename the file
  *    and class after the CVE that you are addressing. Modify the class
  *    signature and method signature so that it implements
  *    IGenerateMalformedParcel (namely, add the `implements` clause and change
  *    the function to public Parcel generate(Intent intent)).
  *
  * 2. Next, add a hostside test to the appropriate file in this directory.
  *    In the test all you have to do is call
  *    LaunchSomeWhere.launchSomeWhere("CVE_20XX_XXXXX", getDevice());
  *
  * 3. Verify your test and submit, assuming all went well. If not then check
  *    for differences between the files in the submitted apk and the code in
  *    tests/tests/security/src/android/security/cts/launchanywhere.
  *
  * Exploit Overview:
  * All LaunchAnyWhere exploits take advantage of classes that write more data
  * than they read. They follow the same process to send an intent with system
  * permissions. The process is described below (you do not need to understand
  * this in order to create tests, but we learned this while debugging some
  * things and don't want the information to be lost):
  *
  * 1. Add an account with the account type 'com.launchanywhere' When an account
  *    is added the AccountManager delegates the task of authenticating the
  *    account to an instance of AbstractAccountAuthenticator. Our malicious
  *    authenticator finds
  *    android.accounts.IAccountAuthenticatorResponse.Stub.Proxy and replaces
  *    it's mRemote field with our anonymous IBinder before returning a
  *    default-constructed bundle. We save the old value and delegate to it
  *    after altering the arguments when appropriate (MitM).
  *
  * 2. When we finish, our IBinder's transact is called. At this point we create
  *    a reboot intent and send it to the appropriate class to generate the
  *    malformed parcel. This grants the intent system permissions.
  *
  * 3. The phone reboots, proving a successful exploit.
  */
 class LaunchSomeWhere {
     public static void launchSomeWhere(String cve, ITestDevice device)
         throws Exception {

         String command = "am start";

         String[] args = {
             "--es", "cve", cve,
             "-n", "com.android.security.cts.launchanywhere/.StartExploit"
         };

         for (String s : args) {
           command += " " + s;
         }

         AdbUtils.runCommandLine(command, device);
         if (device.waitForDeviceNotAvailable(9_000))
             device.waitForDeviceAvailable();
     }
 }
	/**
	* Copyright (C) 2018 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package android.security.cts;

	import com.android.tradefed.device.ITestDevice;

	/*
	* Adding Tests:
	* We are testing a series of exploits that all take advantage of binder in the
	* same way, using a malformed parcel to get system permission, with the only
	* difference being the details of how we create the malformed parcel. In order
	* to take advantage of these similarities (among other reasons) we share code
	* between these exploits with an app that only requires two things to run a new
	* version of this exploit: a class implementing IGenerateMalformedParcel and an
	* intent telling the app which version of the exploit to run.
	*
	* When you recieve a new LaunchAnyWhere exploit it will likely be in the form
	* of an app that can perform a number of actions such as creating a new pin
	* or installing an app without recieving the appropriate permissions. However,
	* the only file we care about form the app will be GenMalformedParcel.java.
	* Find that file and follow these steps to add a new LaunchAnyWhere test:
	*
	* 1. Copy GenMalformedParcel.java into the LaunchAnyWhere app at
	* cts/hostsidetests/security/test-apps/launchanywhere/src... Rename the file
	* and class after the CVE that you are addressing. Modify the class
	* signature and method signature so that it implements
	* IGenerateMalformedParcel (namely, add the `implements` clause and change
	* the function to public Parcel generate(Intent intent)).
	*
	* 2. Next, add a hostside test to the appropriate file in this directory.
	* In the test all you have to do is call
	* LaunchSomeWhere.launchSomeWhere("CVE_20XX_XXXXX", getDevice());
	*
	* 3. Verify your test and submit, assuming all went well. If not then check
	* for differences between the files in the submitted apk and the code in
	* tests/tests/security/src/android/security/cts/launchanywhere.
	*
	* Exploit Overview:
	* All LaunchAnyWhere exploits take advantage of classes that write more data
	* than they read. They follow the same process to send an intent with system
	* permissions. The process is described below (you do not need to understand
	* this in order to create tests, but we learned this while debugging some
	* things and don't want the information to be lost):
	*
	* 1. Add an account with the account type 'com.launchanywhere' When an account
	* is added the AccountManager delegates the task of authenticating the
	* account to an instance of AbstractAccountAuthenticator. Our malicious
	* authenticator finds
	* android.accounts.IAccountAuthenticatorResponse.Stub.Proxy and replaces
	* it's mRemote field with our anonymous IBinder before returning a
	* default-constructed bundle. We save the old value and delegate to it
	* after altering the arguments when appropriate (MitM).
	*
	* 2. When we finish, our IBinder's transact is called. At this point we create
	* a reboot intent and send it to the appropriate class to generate the
	* malformed parcel. This grants the intent system permissions.
	*
	* 3. The phone reboots, proving a successful exploit.
	*/
	class LaunchSomeWhere {
	public static void launchSomeWhere(String cve, ITestDevice device)
	throws Exception {

	String command = "am start";

	String[] args = {
	"--es", "cve", cve,
	"-n", "com.android.security.cts.launchanywhere/.StartExploit"
	};

	for (String s : args) {
	command += " " + s;
	}

	AdbUtils.runCommandLine(command, device);
	if (device.waitForDeviceNotAvailable(9_000))
	device.waitForDeviceAvailable();
	}
	}