Binder.getCallingPid()和Binder.getCallingUid()漏洞分析

最近在学习安卓漏挖，在分析ghera数据集时发现一个很有意思的binder特性，但还没搞懂底层原理，先挖个坑

漏洞分析

EnforceCallingOrSelfPermission-PrivilegeEscalation-Lean

以下代码使用Binder.getCallingPid()和Binder.getCallingUid()对调用方进行了权限检查

// MyService.java
public int onStartCommand(Intent intent, int flags, int startId) {Log.d("MyService", "Calling PID = " + Binder.getCallingPid() + " Calling UID  = " + Binder.getCallingUid());if (checkPermission("santos.benign.permission", Binder.getCallingPid(), Binder.getCallingUid()) == PackageManager.PERMISSION_GRANLog.d("MyService", "Service Started");Intent activityIntent = new Intent(this, SensitiveActivity.class);activityIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);activityIntent.putExtra("status_msg", "SUCCESS");this.startActivity(activityIntent);} else {Log.d("MyService", "Failed to start the service");}return super.onStartCommand(intent, flags, startId);
}

其中调用方如下

// MainActivity.java
protected void onResume() {super.onResume();if (checkPermission("santos.benign.permission", android.os.Process.myPid(), android.os.Process.myUid()) == PackageMLog.d("MyService", "permission to service already granted");startService(new Intent(getApplicationContext(), MyService.class));} else {Log.d("MyService", "component does not have permission to call service");ActivityCompat.requestPermissions(this, new String[]{"santos.benign.permission"}, 100);}
}

可以看到，MyService是由MainActivity启动的，也就是他们都属于主线程。而在主线程调用Binder.getCallingPid()和Binder.getCallingUid()不会返回调用方的信息，只会返回自身进程的信息，这样上面代码的权限校验相当于只对自身权限做了检查，正确的做法应该是在manifest中静态声明权限或使用EnforceCallingPermission方法进行校验