Android SDK suffers from buffer overflow and lack of hardening

A classic buffer overflow exploit has been discovered in the Android software development kit (SDK) that impacts all versions of the Android Debug Bridge on Linux x86_64.

The exploit scenario involved an attacker starting a malicious Android Debug Bridge (ADB) server that interfaces with Android devices on a multi-user system and waiting for ADB clients, started by developers wanting to debug apps or send commands to devices, to connect. Due to the buffer exploit occurring early in protocol negotiations, droidsec said any command that communicates with the ADB Server will lead to successful exploitation.

Writing in a blog post to publicly disclose its findings, the droidsec group said that the exploit was confirmed on version 18.0.1 of the Android SDK platform tools on x86_64 Ubuntu Linux 12.04. Attempts to exploit the vulnerability on a 32-bit Linux system and the adb binary found on the Nexus 4 were unsuccessful. The droidsec team said it did not test the vulnerability on any Windows system.

Droidsec also discovered that the ADB binary failed to have a non-executable stack, and the executable was not position independent. The droidsec team said that taking advantage of this situation would be trivial.

"It should also be noted that host compilation also seems to intentionally opt out of the FORTIFY_SOURCE protections," droidsec said. "It's not clear why this is the case since the comment near this line of code references an internal only bug number."

The issues were discovered in early December, with patches submitted by droidsec soon after and accepted by Google into Android's source code tree. Following a lack of communication from Google, the droidsec team decided to publicly disclose the issues and patches.

Facebook today announced the open sourcing of Conceal, a set of Java APIs designed by the social network for encrypting user data on Android devices.