Android Binder Information Disclosure
Posted by deepcore on October 13, 2016 – 8:36 pm
The interaction between the kernel /dev/binder driver and the usermode Parcel.cpp means that when a binder object is passed as BINDER_TYPE_BINDER or BINDER_TYPE_WEAK_BINDER, a pointer to that object (in the server process) is leaked to the client process as the cookie value. This leads to a leak of a heap address in many of the privileged binder services, including system_server.
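To make the boundary concrete, here is an added C model of the object record and of the translation step the driver performs when a local object is handed to another process; it is illustrative code written for this note, not the kernel's or Android's own. The type tags are the real values from the binder UAPI header; the struct is a simplified flat_binder_object; the pointer and handle values are constructed placeholders. The leaky variant rewrites the type and handle but leaves the cookie as the sending process wrote it, which is the disclosure described above. The scrubbed variant clears every server-private field before the record leaves the sender, which is safe because the receiver only ever needs the handle number. An audit helper counts translated objects that still carry a non-zero cookie, the check a tester would run over an outgoing transaction buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Type tags as defined in the binder UAPI header
 * (include/uapi/linux/android/binder.h): 'sb' strong binder, 'wb' weak
 * binder, 'sh' strong handle, 'wh' weak handle. */
#define B_TYPE_LARGE 0x85
#define B_PACK_CHARS(c1, c2, c3, c4) \
    ((((uint32_t)(c1)) << 24) | (((uint32_t)(c2)) << 16) | \
     (((uint32_t)(c3)) << 8) | (uint32_t)(c4))
#define BINDER_TYPE_BINDER      B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE)
#define BINDER_TYPE_WEAK_BINDER B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE)
#define BINDER_TYPE_HANDLE      B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE)
#define BINDER_TYPE_WEAK_HANDLE B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE)

/* Simplified flat_binder_object: what Parcel.cpp writes for an object and
 * what the driver rewrites before delivering it to the other process. */
struct flat_binder_object {
    uint32_t type;
    uint32_t flags;
    union {
        uint64_t binder;   /* sender-side pointer, meaningful only locally */
        uint32_t handle;   /* reference number, meaningful to the receiver */
    };
    uint64_t cookie;       /* sender-side extra data; a pointer in practice */
};

/* Map a local object type to the handle type the receiver should see. */
static uint32_t handle_type_for(uint32_t type)
{
    if (type == BINDER_TYPE_BINDER) return BINDER_TYPE_HANDLE;
    if (type == BINDER_TYPE_WEAK_BINDER) return BINDER_TYPE_WEAK_HANDLE;
    return 0;
}

/* Leaky translation: clears the binder field and installs the handle, but
 * forgets the cookie, so the receiver observes the sender's pointer.
 * Returns 0 on success, -1 if the object is not a local binder. */
int translate_binder_leaky(struct flat_binder_object *fp, uint32_t desc)
{
    uint32_t t = handle_type_for(fp->type);
    if (!t) return -1;
    fp->type = t;
    fp->binder = 0;
    fp->handle = desc;
    return 0;
}

/* Scrubbed translation: every field only the sender can interpret is
 * overwritten before the record crosses the process boundary. */
int translate_binder_scrubbed(struct flat_binder_object *fp, uint32_t desc)
{
    uint32_t t = handle_type_for(fp->type);
    if (!t) return -1;
    fp->type = t;
    fp->binder = 0;         /* clear the whole 64-bit union first */
    fp->handle = desc;
    fp->cookie = 0;         /* the receiver never needs this value */
    return 0;
}

/* Audit helper: count handle-typed objects in an outgoing buffer that still
 * carry a non-zero cookie, i.e. a sender-side value about to be disclosed. */
size_t count_leaking_objects(const struct flat_binder_object *objs, size_t n)
{
    size_t leaks = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t t = objs[i].type;
        if ((t == BINDER_TYPE_HANDLE || t == BINDER_TYPE_WEAK_HANDLE) &&
            objs[i].cookie != 0)
            leaks++;
    }
    return leaks;
}

/* Stand-alone demo with a constructed object; pointer values are placeholders. */
int main(void)
{
    struct flat_binder_object a = { .type = BINDER_TYPE_BINDER, .flags = 0,
                                    .binder = 0x7f00deadbeefULL,
                                    .cookie = 0x7f00deadbee0ULL };
    struct flat_binder_object b = a;
    translate_binder_leaky(&a, 1);
    translate_binder_scrubbed(&b, 1);
    printf("leaky: cookie=0x%llx (%zu leaking)  scrubbed: cookie=0x%llx (%zu leaking)\n",
           (unsigned long long)a.cookie, count_leaking_objects(&a, 1),
           (unsigned long long)b.cookie, count_leaking_objects(&b, 1));
    return 0;
}
```

The audit helper is the piece worth keeping around: run over a transaction's object table after translation, any non-zero cookie on a handle-typed entry is a sender-private value that should not be reaching the client.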