Related vulnerabilities
Description
Exploit app for CVE-2021-39670 and CVE-2021-39690, two permanent denial-of-service vulnerabilities in Android's wallpaper system
Introduction
# Wallbreak
[Download as APK](https://github.com/Supersonic/Wallbreak/releases/download/release/Wallbreak.apk)
This app demonstrates two high severity permanent denial-of-service vulnerabilities in Android's `WallpaperManagerService` that I discovered: [CVE-2021-39670](https://www.cve.org/CVERecord?id=CVE-2021-39670) and [CVE-2021-39690](https://www.cve.org/CVERecord?id=CVE-2021-39690).
After running either exploit, the device will keep repeatedly crashing and rebooting.
Write-up coming soon! :)
## CVE-2021-39670 "Stream Exploit"
- Exploits the `setStream` API in `WallpaperManager` to exhaust device memory by setting a malicious bitmap file as the wallpaper.
- Appears to be very portable across manufacturers and device versions.
- Patch released in [May 2022 Android Security Bulletin](https://source.android.com/docs/security/bulletin/2022-05-01).
- [Fixed](https://android.googlesource.com/platform/frameworks/base/+/b1b01433f5b8dc0702c0e1abde5f7b86b708a849) by switching `WallpaperManagerService` to a more memory-efficient wallpaper decoder and adding a file-based recovery path for the case where the wallpaper still fails to decode.
## CVE-2021-39690 "Padding Exploit"
- Exploits the display padding functionality in some Android phones to either crash `SurfaceFlinger` or exhaust device memory.
- I could only reproduce this vulnerability in Pixel devices with animated live wallpapers.
- Requires Android P or higher.
- Initial patch released in [March 2022 Android Security Bulletin](https://source.android.com/docs/security/bulletin/2022-03-01).
- [Initially fixed](https://android.googlesource.com/platform/frameworks/native/+/2914a57d755051a3e5f05154d784a08019500946) by adding stricter input validation in `SurfaceFlinger`, then [fully mitigated](https://android.googlesource.com/platform/frameworks/base/+/f6b503a8c18a6b9179ff8d416544a6651facd805) by adding a padding limit in `WallpaperManager`.
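The two fixes above boil down to the same lesson: a privileged service must bound caller-supplied input before it allocates on its behalf. The class below is an added example written for this page, not the AOSP patch and not part of the Wallbreak project. It shows a bounded decode for a wallpaper image (the `setStream` case) and a padding validator (the `setDisplayPadding` case). The helper names `decodeBounded` and `checkPadding`, the 64 MiB byte budget, the downsampling cap and the per-edge padding limit are all assumed values, not the limits AOSP actually chose.

```java
import android.graphics.Bitmap;
import android.graphics.BitmapFactory;
import android.graphics.Rect;
import java.io.File;

/**
 * Added example, not AOSP or Wallbreak code: the two service-side checks that
 * the fixes described above amount to. A wallpaper service would call
 * decodeBounded() on the file it received through setStream() and
 * checkPadding() on the Rect it received through setDisplayPadding() before
 * touching either. Helper names and all numeric limits are assumptions.
 */
public final class WallpaperInputChecks {

    /** Assumed budget for one decoded ARGB_8888 wallpaper (hypothetical value). */
    static final long MAX_DECODED_BYTES = 64L * 1024 * 1024;

    /** Assumed cap on how far an image may be downsampled before it is refused. */
    static final int MAX_SAMPLE = 256;

    public static final class BadWallpaperException extends Exception {
        BadWallpaperException(String msg) { super(msg); }
    }

    private WallpaperInputChecks() {}

    /**
     * Decode a caller-supplied image without ever allocating it at full size.
     * Step 1 reads only the header (inJustDecodeBounds), so a file that claims
     * gigantic dimensions costs no pixel memory yet. Step 2 raises a power-of-two
     * inSampleSize until the result is at most twice the display and inside the
     * byte budget; a file that still does not fit is refused, never decoded.
     */
    public static Bitmap decodeBounded(File file, int displayW, int displayH)
            throws BadWallpaperException {
        BitmapFactory.Options header = new BitmapFactory.Options();
        header.inJustDecodeBounds = true;            // header only, no pixel allocation
        BitmapFactory.decodeFile(file.getAbsolutePath(), header);
        if (header.outWidth <= 0 || header.outHeight <= 0) {
            throw new BadWallpaperException("not a decodable image");
        }

        int sample = 1;
        while (true) {
            long w = header.outWidth / sample;
            long h = header.outHeight / sample;
            // Dimension checks run first, so w * h * 4 is only computed once both
            // sides are already bounded by the display and cannot overflow.
            boolean fits = w <= 2L * displayW && h <= 2L * displayH
                    && w * h * 4L <= MAX_DECODED_BYTES;
            if (fits) break;
            if (sample >= MAX_SAMPLE) {
                throw new BadWallpaperException("image too large even when downsampled: "
                        + header.outWidth + "x" + header.outHeight);
            }
            sample <<= 1;
        }

        BitmapFactory.Options decode = new BitmapFactory.Options();
        decode.inSampleSize = sample;                // decoder subsamples while reading
        decode.inPreferredConfig = Bitmap.Config.ARGB_8888;
        Bitmap bmp = BitmapFactory.decodeFile(file.getAbsolutePath(), decode);
        if (bmp == null) {
            throw new BadWallpaperException("decode failed");
        }
        return bmp;
    }

    /**
     * Validate a caller-supplied display padding before it is applied.
     * Padding is additive: the wallpaper surface grows by left+right and
     * top+bottom, so an unbounded Rect is a request for an unbounded surface.
     * Assumed policy: no negative edges, and no edge larger than the display.
     */
    public static Rect checkPadding(Rect padding, int displayW, int displayH)
            throws BadWallpaperException {
        if (padding == null) {
            return new Rect(0, 0, 0, 0);             // no padding requested
        }
        if (padding.left < 0 || padding.top < 0 || padding.right < 0 || padding.bottom < 0) {
            throw new BadWallpaperException("negative padding: " + padding);
        }
        if (padding.left > displayW || padding.right > displayW
                || padding.top > displayH || padding.bottom > displayH) {
            throw new BadWallpaperException("padding exceeds display bounds: " + padding);
        }
        return padding;
    }
}
```

The important property of `decodeBounded` is that the rejection decision is made from the header alone: the first `decodeFile` call with `inJustDecodeBounds` never allocates pixels, so a file that declares absurd dimensions is refused at zero cost, and the second call only happens once the sampled size is known to fit. `checkPadding` is deliberately strict about negative values as well as large ones, since both end up in arithmetic on the surface size.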
As far as I'm aware devices bricked due to these vulnerabilities *can't be fixed except through factory reset*. Please run this app at your own risk.
Note that this project is provided for educational purposes only; please don't use it for malicious activities.
File snapshot
[4.0K] /data/pocs/0a63afffde6fcba91acdf6b739a59aded95fe12d
├── [4.0K] app
│ ├── [ 837] build.gradle
│ ├── [ 750] proguard-rules.pro
│ └── [4.0K] src
│ └── [4.0K] main
│ ├── [ 917] AndroidManifest.xml
│ ├── [4.0K] assets
│ │ └── [9.5M] exploit.zip
│ ├── [4.0K] java
│ │ └── [4.0K] me
│ │ └── [4.0K] sithi
│ │ └── [4.0K] wallbreak
│ │ └── [6.6K] MainActivity.java
│ └── [4.0K] res
│ ├── [4.0K] drawable
│ │ ├── [ 570] baseline_wallpaper_24.xml
│ │ └── [ 330] ic_launcher_background.xml
│ ├── [4.0K] drawable-v24
│ │ └── [ 647] ic_launcher_foreground.xml
│ ├── [4.0K] layout
│ │ └── [3.2K] activity_main.xml
│ ├── [4.0K] mipmap-anydpi-v26
│ │ ├── [ 272] ic_launcher_round.xml
│ │ └── [ 272] ic_launcher.xml
│ ├── [4.0K] mipmap-hdpi
│ │ ├── [2.8K] ic_launcher_round.webp
│ │ └── [1.4K] ic_launcher.webp
│ ├── [4.0K] mipmap-mdpi
│ │ ├── [1.7K] ic_launcher_round.webp
│ │ └── [ 982] ic_launcher.webp
│ ├── [4.0K] mipmap-xhdpi
│ │ ├── [3.8K] ic_launcher_round.webp
│ │ └── [1.9K] ic_launcher.webp
│ ├── [4.0K] mipmap-xxhdpi
│ │ ├── [5.8K] ic_launcher_round.webp
│ │ └── [2.8K] ic_launcher.webp
│ ├── [4.0K] mipmap-xxxhdpi
│ │ ├── [7.6K] ic_launcher_round.webp
│ │ └── [3.8K] ic_launcher.webp
│ ├── [4.0K] values
│ │ ├── [3.7K] colors.xml
│ │ ├── [ 71] strings.xml
│ │ └── [2.2K] themes.xml
│ └── [4.0K] values-night
│ └── [2.2K] themes.xml
├── [ 458] build.gradle
├── [4.0K] gradle
│ └── [4.0K] wrapper
│ ├── [ 58K] gradle-wrapper.jar
│ └── [ 205] gradle-wrapper.properties
├── [1.1K] gradle.properties
├── [7.9K] gradlew
├── [2.7K] gradlew.bat
├── [ 34K] LICENSE
├── [2.1K] README.md
└── [ 284] settings.gradle
22 directories, 34 files
Notes
1. Accessing the original source is recommended.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to keep it maintained in the long term, please consider paying for the local PoC. Thank you for your support.