In this post, we will take a deep dive into the details of CVE-2018-9405, a possible out-of-bounds write caused by a missing bounds check in BnDmAgent::onTransact of dm_agent.cpp. This vulnerability could lead to local escalation of privilege, and it does not require any user interaction for exploitation.

The issue was initially reported in the Android 9 vulnerabilities list, and it affects devices running Android 9. and below. Links to the relevant Android Security Bulletin and the original Android source file are given below for reference.

The following code snippet shows the vulnerable function, BnDmAgent::onTransact:

status_t BnDmAgent::onTransact(uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
    switch(code) {
        case TRANSACTION_DmAgentSaveMyLog: {
            CHECK_INTERFACE(IDmAgent, data, reply);
            // The string is read from the parcel and passed on without any
            // check on its length: this is the missing bounds check.
            String8 material = data.readString8();
            String8 result;
            status_t err = DmAgentSaveMyLog(material, &result);
            reply->writeString8(result);
            return err;
        } break;
        ...
    }
}

Source: dm_agent.cpp

Original References

- Android Security Bulletin: https://source.android.com/security/bulletin/2018-12-01
- Android Source Code: https://android.googlesource.com/device/lge/hammerhead/+/android-cts-master-dev/libsreditsm/dm_agent.cpp

Exploit Details

The vulnerability lies in the BnDmAgent::onTransact function of the dm_agent.cpp file. The code does not validate the size of the string received as input (here, the variable 'material') before passing it on. An over-long input can therefore overflow the destination buffer and overwrite adjacent memory regions, which might contain sensitive information or control structures.

An attacker could exploit this vulnerability by sending an input string larger than the allocated buffer's capacity, causing the program to crash or to execute arbitrary code with system privileges. Since no user interaction is needed for exploitation, this is a high-risk issue.

How to Prevent Exploitation

To prevent exploitation of this vulnerability, always validate the size of the user-provided data before performing any write operations on memory buffers. This can be done in multiple ways, including:

- Implementing proper bounds checking, either through the use of safer functions that perform an automatic check or by manually verifying that the input does not exceed the allowed size;

- Sanitizing user input and eliminating any dangerous data;

- Updating to a patched version of the Android operating system that includes the necessary security fixes for this issue.
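The first item above is the one the CVE is about, so here is a worked illustration of it. This is an added example and not the project's own code: Android's Parcel and String8 types are replaced by std::string and a plain char buffer, the 64-byte buffer size is an assumption (the page does not state the real size), and the function names are hypothetical. The unchecked handler mirrors the flaw the text describes; the checked handler rejects any input that would not fit before a single byte is written.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Assumed size of the fixed log buffer (constructed for this example).
constexpr size_t kLogBufferSize = 64;

// Minimal status codes standing in for Android's status_t values.
enum Status { OK = 0, BAD_VALUE = -22 };

// Vulnerable pattern (shown for contrast, never called with oversized input
// here): the length of `material` is not compared with the buffer before the
// copy, so a long string runs past the end of `out`.
Status saveLogUnchecked(const std::string& material, char* out) {
    std::strcpy(out, material.c_str());  // no bounds check
    return OK;
}

// Hardened pattern: check that the string plus its NUL terminator fits in
// `outCap` bytes and refuse the request otherwise. The check happens before
// any write, so an oversized input cannot touch adjacent memory.
Status saveLogChecked(const std::string& material, char* out, size_t outCap) {
    if (out == nullptr || outCap == 0) return BAD_VALUE;
    if (material.size() >= outCap) return BAD_VALUE;  // would overflow
    std::memcpy(out, material.data(), material.size());
    out[material.size()] = '\0';
    return OK;
}

// Transaction-style wrapper over a stack buffer of the assumed size. It
// returns the status so callers (and tests) can see whether the input was
// accepted, and `result` carries the stored string on success.
Status saveLog(const std::string& material, std::string* result) {
    char buf[kLogBufferSize];
    Status st = saveLogChecked(material, buf, sizeof buf);
    if (st != OK) {
        result->clear();
        return st;
    }
    *result = buf;
    return st;
}

// Helper for demonstration: does a string of `n` bytes get stored intact?
bool saveLogAccepts(size_t n) {
    std::string stored;
    const std::string input(n, 'A');  // constructed input
    return saveLog(input, &stored) == OK && stored.size() == n;
}

int main() {
    std::cout << "5 bytes accepted: " << saveLogAccepts(5) << "\n";
    std::cout << "63 bytes accepted: " << saveLogAccepts(63) << "\n";
    std::cout << "64 bytes accepted: " << saveLogAccepts(64) << "\n";
    std::cout << "4096 bytes accepted: " << saveLogAccepts(4096) << "\n";
    return 0;
}
```

The boundary is at 63 bytes because the terminator needs the 64th; the checked handler returns BAD_VALUE for anything longer and writes nothing, which is exactly the step the vulnerable onTransact path lacks.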

In conclusion, CVE-2018-9405 is a critical vulnerability that affects Android 9. and below, allowing a malicious actor to escalate privileges on the system by exploiting an out-of-bounds write in BnDmAgent::onTransact of dm_agent.cpp. Understanding and mitigating this issue is essential to ensure the security and privacy of users' data and devices.

Timeline

Published on: 01/18/2025 00:15:24 UTC
Last modified on: 03/14/2025 17:15:38 UTC