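package fuzion24.device.vulnerability.vulnerabilities.system;

import android.content.Context;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import fuzion24.device.vulnerability.util.CPUArch;
import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityTest;
import fuzion24.device.vulnerability.vulnerabilities.helper.BinaryAssets;
import fuzion24.device.vulnerability.vulnerabilities.helper.KMPMatch;

/**
 * Created by fuzion24 on 2/2/16.
 */
public class CVE_2016_0807 implements VulnerabilityTest {
    /*
     Elevation of Privilege Vulnerability in the Debuggerd

     An elevation of privilege vulnerability in the Debuggerd component could enable a local
     malicious application to execute arbitrary code within the device root context. This issue
     is rated as a Critical severity due to the possibility of a local permanent device compromise
     and the device would possibly need to be repaired by re-flashing the operating system.

     CVE             Bug(s)            Severity   Updated versions   Date reported
     CVE-2016-0807   ANDROID-25187394  Critical   6.0 and 6.0.1      Google Internal

     Patched here:
     https://android.googlesource.com/platform/system/core.git/+/d167d5eabc794ba4ddef1a2900eb729720da84a2%5E%21/#F0
    */

    /** Location of the debuggerd binary that is inspected for the fix. */
    private static final String DEBUGGERD_PATH = "/system/bin/debuggerd";

    /**
     * Log message that only appears in a debuggerd built with the fix (the "desc size" check
     * introduced by the commit linked above).
     */
    private static final String PATCHED_STRING =
            "Possible corrupted note, desc size value is too large: %u";

    /** Log message that appears in the pre-fix debuggerd ("name size" check only). */
    private static final String UNPATCHED_STRING =
            "Possible corrupted note, name size value is too large: %u";

    @Override
    public String getCVEorID() {
        return "CVE-2016-0807";
    }

    /**
     * Decides whether the installed debuggerd is the vulnerable build.
     *
     * <p>The test is a binary-signature check: the device is reported vulnerable only when the
     * debuggerd image contains the pre-fix message and does not contain the post-fix message.
     * A debuggerd that carries neither string (e.g. a differently built vendor binary) is
     * reported as not vulnerable, so a negative result does not prove the fix is present.
     *
     * @param context unused; kept for the {@link VulnerabilityTest} contract
     * @return {@code true} when the unpatched message is found and the patched message is not
     * @throws Exception if {@code /system/bin/debuggerd} is missing, is not a regular file, or
     *                   cannot be read
     */
    @Override
    public boolean isVulnerable(Context context) throws Exception {
        File debuggerd = new File(DEBUGGERD_PATH);
        if (!debuggerd.exists() || !debuggerd.isFile()) {
            throw new Exception("debuggerd doesn't exist or is not a file");
        }

        byte[] debuggerdBin = readFully(debuggerd);
        KMPMatch binMatcher = new KMPMatch();

        boolean hasPatchedString = contains(binMatcher, debuggerdBin, PATCHED_STRING);
        boolean hasUnpatchedString = contains(binMatcher, debuggerdBin, UNPATCHED_STRING);

        // Same decision as before, expressed with names that match their meaning:
        // vulnerable only if the old message is present and the fixed message is absent.
        return hasUnpatchedString && !hasPatchedString;
    }

    /**
     * Reads the whole file into memory, closing the stream on every path.
     *
     * @param file regular file to read
     * @return the file contents
     * @throws Exception propagated from {@code BinaryAssets.copy} or the stream
     */
    private static byte[] readFully(File file) throws Exception {
        // Sizing hint only; debuggerd is far below the int range so the cast is safe here.
        ByteArrayOutputStream out = new ByteArrayOutputStream((int) file.length());
        // BinaryAssets.copy is assumed to drain the input stream into the output stream.
        try (InputStream in = new FileInputStream(file)) {
            BinaryAssets.copy(in, out);
        }
        return out.toByteArray();
    }

    /**
     * Reports whether {@code needle}, encoded as US-ASCII, occurs in {@code haystack}.
     *
     * @param matcher  matcher whose {@code indexOf} is assumed to return -1 when not found
     * @param haystack binary to search
     * @param needle   ASCII marker string to look for
     * @return {@code true} if the marker occurs at least once
     */
    private static boolean contains(KMPMatch matcher, byte[] haystack, String needle) {
        // Explicit charset: the markers are plain ASCII, so the result must not depend on the
        // platform default encoding.
        return matcher.indexOf(haystack, needle.getBytes(StandardCharsets.US_ASCII)) != -1;
    }

    @Override
    public List<CPUArch> getSupportedArchitectures() {
        List<CPUArch> archs = new ArrayList<>();
        archs.add(CPUArch.ALL);
        return archs;
    }
}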