使用Android NDK演示printf或__android_log_print漏洞 [英] Demonstrating printf or __android_log_print Vulnerabilities With Android NDK
问题描述
我有兴趣通过NDK应用程序演示printf
漏洞.需要明确的是,我知道要登录控制台,我们可以使用__android_log_print(ANDROID_LOG_DEBUG, "LOG_TAG", "Print : %d %s",someVal, someStr);
.我已经尝试过了,而且我知道它有效.但是我明确地想演示printf()
的漏洞,特别是要使用%n
说明符来写入指向的位置.
I am interested in demoing printf
vulnerabilities via an NDK app. To be clear, I am aware that to log in the console we can use __android_log_print(ANDROID_LOG_DEBUG, "LOG_TAG", "Print : %d %s",someVal, someStr);
. I have tried it and I know it works. But I explicitly want to demo the vulnerabilities of printf()
, specifically to use the %n
specifier to write to a pointed location.
是否有办法使printf()
达到此效果,或者是否可以通过__android_log_print()
达到此目的?我尝试使用android/log.h
标头,但没有成功.
Is there a way to make printf()
work to this effect or is it possible to achieve this via __android_log_print()
? I attempted it with the android/log.h
header but it didn't work.
我可以通过按printf(%s%s%s%s%s%s%s%s%s%s)
的方式运行某些程序来使应用程序崩溃.但是同样,我不能操纵指针.
I can get the app to crash by running something along the lines of printf(%s%s%s%s%s%s%s%s%s%s)
. But again, I can't manipulate pointers.
出于一般知识的目的,为什么printf()
首先不起作用,为什么__android_log_print()
如何阻止这些攻击?
For general knowledge purposes, why is it that printf()
doesn't work in the first place and how does __android_log_print()
prevent these exploits?
推荐答案
您确实意识到Android是开源的.
You do realize that Android is open source.
从寻找__android_log_print()
开始
并找到它: https://android .googlesource.com/platform/system/core/+/refs/heads/master/liblog/logger_write.cpp
Starting with looking for __android_log_print()
and finding it: https://android.googlesource.com/platform/system/core/+/refs/heads/master/liblog/logger_write.cpp
int __android_log_print(int prio, const char* tag, const char* fmt, ...) {
va_list ap;
char buf[LOG_BUF_SIZE];
va_start(ap, fmt);
vsnprintf(buf, LOG_BUF_SIZE, fmt, ap);
va_end(ap);
return __android_log_write(prio, tag, buf);
}
我最终看到了: https://android.googlesource.com/platform/bionic/+/refs/heads/master/libc/stdio/vfprintf.cpp
第453-454行:
case 'n':
__fortify_fatal("%%n not allowed on Android");
代码中还引用了FORTIFY带来的额外安全性,如以下博客文章所述:
Also referenced in the code is additional safety through FORTIFY which is described in the following blog post:
https://android-developers.googleblog.com/2017/04/fortify-in-android.html
这篇关于使用Android NDK演示printf或__android_log_print漏洞的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!