Demonstrating printf or __android_log_print Vulnerabilities With Android NDK

Question

I am interested in demoing printf vulnerabilities via an NDK app. To be clear, I am aware that to log in the console we can use __android_log_print(ANDROID_LOG_DEBUG, "LOG_TAG", "Print : %d %s",someVal, someStr);. I have tried it and I know it works. But I explicitly want to demo the vulnerabilities of printf(), specifically to use the %n specifier to write to a pointed location.

Is there a way to make printf() work to this effect or is it possible to achieve this via __android_log_print()? I attempted it with the android/log.h header but it didn't work.

I can get the app to crash by running something along the lines of printf(%s%s%s%s%s%s%s%s%s%s). But again, I can't manipulate pointers.

For general knowledge purposes, why is it that printf() doesn't work in the first place and how does __android_log_print() prevent these exploits?

Answer 1

Android specifically does not support %n format specifiers because they're vulnerable.

https://android.googlesource.com/platform/bionic/+/400b073ee38ecc2a38234261b221e3a7afc0498e/tests/stdio_test.cpp#328

Answer 2

You do realize that Android is open source.

Starting with looking for __android_log_print() and finding it: https://android.googlesource.com/platform/system/core/+/refs/heads/master/liblog/logger_write.cpp

int __android_log_print(int prio, const char* tag, const char* fmt, ...) {
  va_list ap;
  char buf[LOG_BUF_SIZE];
  va_start(ap, fmt);
  vsnprintf(buf, LOG_BUF_SIZE, fmt, ap);
  va_end(ap);
  return __android_log_write(prio, tag, buf);
}

I eventually ended up looking at: https://android.googlesource.com/platform/bionic/+/refs/heads/master/libc/stdio/vfprintf.cpp

lines 453-454:

  case 'n':
    __fortify_fatal("%%n not allowed on Android");

Also referenced in the code is additional safety through FORTIFY which is described in the following blog post:

https://android-developers.googleblog.com/2017/04/fortify-in-android.html