Demonstrating printf or __android_log_print Vulnerabilities With Android NDK


Problem description

I am interested in demoing printf vulnerabilities via an NDK app. To be clear, I am aware that to log in the console we can use __android_log_print(ANDROID_LOG_DEBUG, "LOG_TAG", "Print : %d %s",someVal, someStr);. I have tried it and I know it works. But I explicitly want to demo the vulnerabilities of printf(), specifically to use the %n specifier to write to a pointed location.

Is there a way to make printf() work to this effect or is it possible to achieve this via __android_log_print()? I attempted it with the android/log.h header but it didn't work.

I can get the app to crash by running something along the lines of printf(%s%s%s%s%s%s%s%s%s%s). But again, I can't manipulate pointers.

For general knowledge purposes, why is it that printf() doesn't work in the first place and how does __android_log_print() prevent these exploits?

Recommended answer

You do realize that Android is open source.

Starting with looking for __android_log_print() and finding it: https://android.googlesource.com/platform/system/core/+/refs/heads/master/liblog/logger_write.cpp

int __android_log_print(int prio, const char* tag, const char* fmt, ...) {
  va_list ap;
  char buf[LOG_BUF_SIZE];
  va_start(ap, fmt);
  vsnprintf(buf, LOG_BUF_SIZE, fmt, ap);
  va_end(ap);
  return __android_log_write(prio, tag, buf);
}

I eventually ended up at: https://android.googlesource.com/platform/bionic/+/refs/heads/master/libc/stdio/vfprintf.cpp

Lines 453-454:

  case 'n':
    __fortify_fatal("%%n not allowed on Android");

Also referenced in the code is additional safety through FORTIFY which is described in the following blog post:

https://android-developers.googleblog.com/2017/04/fortify-in-android.html
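
The following is an added example, not code from the original answer or from AOSP. It shows the same idea as the quoted bionic check in portable C: scan a format string for a %n conversion before handing it to vsnprintf, and log untrusted text as data behind a constant "%s". The names fmt_has_percent_n, checked_format and log_untrusted are hypothetical, and the input string is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if fmt contains a %n conversion, else 0.
 * Each directive is parsed as: % [flags/width/precision/position] [length] conv */
int fmt_has_percent_n(const char *fmt) {
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                  /* "%%" is a literal percent sign */
        p += strspn(p, "-+ #0'123456789*$.");     /* flags, width, precision, N$ */
        p += strspn(p, "hlLqjzt");                /* length modifiers */
        if (*p == 'n') return 1;
        if (*p == '\0') break;                    /* directive cut off at end of string */
    }
    return 0;
}

/* Hypothetical wrapper: bounded formatting in the style of the quoted
 * __android_log_print, but rejecting any format that carries %n.
 * Returns the vsnprintf result, or -1 when the format is rejected. */
int checked_format(char *buf, size_t size, const char *fmt, ...) {
    if (fmt_has_percent_n(fmt)) return -1;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Untrusted text is passed as data behind a constant "%s", never as the format. */
int log_untrusted(char *buf, size_t size, const char *text) {
    return checked_format(buf, size, "%s", text);
}

int main(void) {
    char buf[128];
    const char *input = "%n%s%s";   /* constructed sample of untrusted input */
    printf("as format: %d\n", checked_format(buf, sizeof buf, input));
    printf("as data:   %d -> %s\n", log_untrusted(buf, sizeof buf, input), buf);
    return 0;
}
```

On Android the libc lines quoted above already abort on %n, so a check like this matters mainly for code that also builds against other C libraries.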
