Unix Domain Socket Study

Home

This website provides exploit demos for our CCS submission: The Misuse of Android Unix Domain Socket and Security Implications.

List of our demos:

KingRoot v4.8.2 (Section 5.1.1)
ES File Explorer v4.0.5.2 (Section 5.1.2)
Hideman VPN (based on OpenVPN for Android, Section 5.1.3)
LG AT Daemon on LG G3 (Section 5.2.1)
Qualcomm Time Daemon on Galaxy S4 (Section 5.2.2)

In summary, these vulnerabilities can be exploited to

grant root access to any apps, giving the attacker entire control of the device,
read and write arbitrary files, allowing the attacker to steal user privacy and modify system settings,
cause deniel of service of VPN,
factory reset the victim device, causing permanent data loss, and
change system date and time, resulting in denial of service.

Paper abstract:

In this work, we perform the first systematic study in understanding the security properties of the usage of Android Unix domain socket by both apps and system daemons as an IPC (Inter-process Communication) mechanism, especially for cross-layer communication between the Java and the native layer. We propose a tool called SInspector to expose potential security vulnerabilities in the IPC usage through the process of identifying socket addresses, detecting authentication checks, and performing data flow analysis on the native code. Our in-depth analysis found some serious vulnerabilities in both apps and system daemons such as root privilege escalation and arbitrary file access, some of which we reported to the vendors. Based on our findings, we propose countermeasures and improved practices for utilizing Unix domain socket.