Nils Black Hat Abu Dhabi 2010 - Black Hat Briefings · PDF fileNils Black Hat Abu Dhabi 2010...
![Page 1: Nils Black Hat Abu Dhabi 2010 - Black Hat Briefings · PDF fileNils Black Hat Abu Dhabi 2010 MWR ... android.permission.READ_SMS, com.htc.socialnetwork.permission.useprovider, ...](https://reader031.fdocuments.net/reader031/viewer/2022022504/5ab68a777f8b9adc638e11d8/html5/thumbnails/1.jpg)
The Risk you carry in your Pocket
Nils
Black Hat Abu Dhabi 2010
MWR InfoSecurity
2
Who Am I?
• Head of Research @ MWR
• Exploiting stuff before…
  • Microsoft, Google, Adobe, IBM, Mozilla, Sun, Linux, Apple …
• Pwn2Own Winner 2009
  • Safari, IE and Firefox
• Pwn2Own Winner 2010
  • Firefox on Windows 7
• Demo
• Introduction
• Android Sandbox
• Android IPC
• Vulnerabilities
• Demo
• Conclusion
• Q&A
3
5
Introduction
• Prerequisites:
  • I have got a WebKit vulnerability
• Can own:
  • iPhone
  • Palm webOS
  • Android
• In Android I am limited to the Sandbox
  • Access to Passwords, Cookies, etc…
6
Introduction
• I want more Privileges
  • Record Audio
7
Introduction
• Research on Android Phone
  • Not emulator
  • HTC Legend
  • Android 2.1
  • Some apps
8
What will you see?
• How to:
  • Audit an Android Handset
    • Additions by Vendors
    • And Carriers
  • Audit Android Applications
  • And how to exploit the findings
9
Android – Previous Research
• Kernel vulnerabilities:
  • E.g. sock_sendpage()
• Local vulnerabilities:
  • E.g. adb root vulnerability
    • Fork bomb
    • Setuid return value not checked
11
Android – Sandbox
• Applications are Sandboxed
  • Using Linux User/Group model
  • Every Application == 1 User
• In theory …
• Communication through IPC
  • Permissions
12
Android – Permissions
• Applications request Permissions
  • AndroidManifest.xml
• Pre-installed apps
  • Set up by default in phone
• User installed apps
  • Granted by User during installation
  • Limited
13
Android – Permissions
• Examples:
  • android.permission.CALL_PHONE
  • android.permission.RECORD_AUDIO
  • android.permission.INSTALL_PACKAGES
15
Android – IPC
• Inter-Process Communication
  • Used by all of the Apps
  • Core feature on Android
  • Protected using Permissions
• Mechanisms:
  • Services
  • Content-Providers
  • Broadcasts
  • Activities
16
Android – IPC
• Supported by /dev/binder
  • Kernel
  • Message routing
  • Permission enforcement
• Messages in "Parcels"
  • Intents are special Parcels
17
Android – Intent
• Serialised Data Structure
  • Sent to IPC endpoints
  • Contain Extras
    • Strings
    • Primitive Data Types
    • Arrays thereof
    • Serialisable Java Objects (!)
18
Android – Service
• Similar to RPC
  • Class extends Service.class
• Public methods are exported
  • Called through Intents
• Defined in AndroidManifest.xml:

```xml
<service android:name="BluetoothHeadsetService">
    <intent-filter>
        <action android:name="android.bluetooth.IBluetoothHeadset" />
    </intent-filter>
</service>
```
19
Android – Activity
• Visual Components of Applications
  • Applications can instantiate them
    • Sometimes
  • Take arguments in Intents
  • Will run in Implementing Process
• Permissions!
20
Android – Content-Providers
• Provide Access to any Data
  • Emails
  • Pictures
• Often backed by SQLite Databases
• Content-Resolver
  • URI: content://browser/bookmarks
  • Standard Interface using Cursors
  • Write and Read Permissions
  • Not using Intents
21
Android – Broadcast Receivers
• Register to Broadcast Messages
  • System and Custom
• Some Messages are protected
  • Others can be forged by anyone
• Arguments in Broadcasts
  • Intents
• AndroidManifest.xml
  • Can register dynamically as well
22
Android – Idea
[Diagram: App1, App2 and App3 talking to Service1 and Service2; legend: Service, Content-Provider, Broadcast-Receiver, Activity]
23
Android – IPC Exports
• Default IPC exports
  • Exported by default:
    • Content-Providers
  • Export depends on set Filters:
    • Services
    • Broadcast Receivers
    • Activities
• Developers aware of that?
24
Android – Privilege Escalation
• Any vulnerability in any exported:
  • Service, Content-Provider, Broadcast Receiver or Activity
• Can lead to privilege Escalation
  • Gaining privileges of vulnerable App
25
Android - Applications
• Many Apps on the phone
  • All in different Processes (Theoretically)
• Default Android apps
  • ~ 70 apps
• Vendor apps
  • HTC: ~ 60 apps
  • Plus carrier apps!
• User installed apps
  • Many more
26
Android – Processes
• 1 User, 1 App
  • Multiple processes per App
    • Not on real phones though
• Shared User IDs
  • Across apps
• Shared processes
  • Across apps
• => Shared Permissions and Access-rights
27
Android – Shared UIDs
• Applications can Share UserIds
  • If signed by same Developer Key
  • Or Pre-installed
• Pro:
  • Performance
• Contra:
  • Security
28
Android – Shared UIDs
• Example: com.htc.WeatherWidget
  • Permissions: android.permission.GET_ACCOUNTS, android.permission.READ_SYNC_SETTINGS
29
Android – Shared UIDs
• Example: com.htc.WeatherWidget
  • Shares "com.htc.rosie.uid.shared" with: com.htc.FriendStreamWidget, com.htc.TwitterWidget, com.htc.htcmailwidgets, com.htc.NewsReaderWidget, com.htc.StockWidget, com.htc.widget.clockwidget, com.htc.htccalendarwidgets, com.htc.footprints.widgets, com.htc.htccontactwidgets, com.htc.htcmsgwidgets, com.htc.htcsyncwidget, com.htc.launcher, com.htc.WeatherWidget, com.htc.htcsettingwidgets, com.htc.photo.widgets, com.htc.htcbookmarkwidget, com.htc.MusicWidget, com.htc.htcsearchwidgets
31
Android – Shared UIDs
• Example: com.htc.WeatherWidget
  • Shared Permissions: android.permission.INTERNET, com.htc.htctwitter.permission.useprovider, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.GET_ACCOUNTS, android.permission.READ_SYNC_SETTINGS, android.permission.READ_CALENDAR, android.permission.WRITE_CALENDAR, com.google.android.googleapps.permission.GOOGLE_AUTH.mail, android.permission.READ_CONTACTS, android.permission.CALL_PHONE, android.permission.CALL_PRIVILEGED, android.permission.READ_SMS, com.htc.socialnetwork.permission.useprovider, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.WRITE_CONTACTS, android.permission.RECEIVE_SMS, android.permission.RECEIVE_MMS, android.permission.SEND_SMS, android.permission.VIBRATE, android.permission.WRITE_SMS, android.permission.CHANGE_NETWORK_STATE, android.permission.READ_PHONE_STATE, android.permission.WAKE_LOCK, android.permission.EXPAND_STATUS_BAR, android.permission.GET_TASKS, android.permission.SET_WALLPAPER, android.permission.SET_WALLPAPER_HINTS, android.permission.WRITE_SETTINGS, com.htc.launcher.permission.READ_SETTINGS, com.htc.launcher.permission.WRITE_SETTINGS, android.permission.SET_TIME_ZONE, android.permission.READ_SYNC_STATS, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.BROADCAST_STICKY, android.permission.WRITE_SECURE_SETTINGS, android.permission.CHANGE_WIFI_STATE, android.permission.CLEAR_APP_USER_DATA, android.permission.MODIFY_PHONE_STATE, android.permission.ACCESS_COARSE_LOCATION, android.permission.WRITE_APN_SETTINGS, android.permission.ACCESS_CHECKIN_PROPERTIES, android.permission.BLUETOOTH, android.permission.BLUETOOTH_ADMIN, android.permission.ACCESS_WIMAX_STATE, android.permission.CHANGE_WIMAX_STATE, android.permission.ACCESS_LOCATION_EXTRA_COMMANDS, android.permission.ACCESS_LOCATION, android.permission.ACCESS_ASSISTED_GPS, android.permission.ACCESS_NETWORK_LOCATION, android.permission.ACCESS_GPS, com.android.browser.permission.READ_HISTORY_BOOKMARKS, com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
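The two audit questions raised on the "IPC Exports" slide and on the shared-UID slides (which components can any other app reach without a permission, and what permission set does an app really run with once it shares a UID) can both be answered from the manifests. The following is an added example, not code from the talk or from MWR: a small Python checker over three constructed manifests (package names, components and permissions are made up; only the shape, widgets sharing one UID and an explicitly exported service, follows the slides). It applies the Android 2.x export defaults the slides describe: a provider is exported by default, and an activity, service or receiver becomes exported as soon as it declares an intent-filter unless android:exported="false".

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifests (hypothetical apps, not taken from any real phone).
WEATHER_WIDGET = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weatherwidget"
          android:sharedUserId="com.example.uid.shared">
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_SYNC_SETTINGS"/>
  <application>
    <!-- the intent-filter makes this receiver reachable by other apps -->
    <receiver android:name=".UpdateReceiver">
      <intent-filter><action android:name="com.example.UPDATE"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

MSG_WIDGET = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.msgwidget"
          android:sharedUserId="com.example.uid.shared">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".MainActivity" android:exported="false"/>
  </application>
</manifest>"""

SOUND_RECORDER = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.soundrecorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <!-- exported and unguarded: any app can start it -->
    <service android:name=".RecordingService" android:exported="true"/>
    <!-- reads are guarded, writes are not -->
    <provider android:name=".RecordingProvider"
              android:authorities="com.example.recordings"
              android:readPermission="com.example.permission.READ_RECORDINGS"/>
  </application>
</manifest>"""


def _a(elem, name, default=None):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def unguarded_exports(manifest_xml):
    """Components other apps can reach without holding any permission,
    using the Android 2.x defaults: providers exported by default, the
    rest exported once they carry an <intent-filter> (unless
    android:exported="false").  Returns [(kind, qualified name), ...]."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    hits = []
    for comp in root.find("application"):
        kind = comp.tag
        if kind not in ("activity", "service", "receiver", "provider"):
            continue
        explicit = _a(comp, "exported")
        if explicit is not None:
            exported = explicit == "true"
        else:
            exported = kind == "provider" or comp.find("intent-filter") is not None
        if kind == "provider":
            # fully guarded only by android:permission or by read AND write
            guarded = _a(comp, "permission") is not None or bool(
                _a(comp, "readPermission") and _a(comp, "writePermission"))
        else:
            guarded = _a(comp, "permission") is not None
        if exported and not guarded:
            name = _a(comp, "name")
            hits.append((kind, pkg + name if name.startswith(".") else name))
    return hits


def _identity(manifest_xml):
    """(package, UID key, own uses-permission set) for one manifest; an app
    without android:sharedUserId is keyed by its own package name."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    perms = {_a(u, "name") for u in root.findall("uses-permission")}
    return pkg, _a(root, "sharedUserId", pkg), perms


def effective_permissions(manifests):
    """Apps sharing a UID run as one Linux user, so each holds the union of
    everything any of them requested.  Returns {package: frozenset}."""
    by_uid, uid_of = defaultdict(set), {}
    for pkg, uid, perms in map(_identity, manifests):
        uid_of[pkg] = uid
        by_uid[uid] |= perms
    return {pkg: frozenset(by_uid[uid]) for pkg, uid in uid_of.items()}


def inherited_permissions(manifests):
    """Permissions a package never requested but holds via its shared UID."""
    effective = effective_permissions(manifests)
    return {pkg: effective[pkg] - perms for pkg, _, perms in map(_identity, manifests)}


if __name__ == "__main__":
    apps = [WEATHER_WIDGET, MSG_WIDGET, SOUND_RECORDER]
    for m in apps:
        for kind, name in unguarded_exports(m):
            print("unguarded exported %s: %s" % (kind, name))
    for pkg, extra in sorted(inherited_permissions(apps).items()):
        print("%s holds via shared UID: %s" % (pkg, sorted(extra)))
```

Run against a real handset, the same two functions would take the manifests pulled from every installed APK; the finding to act on is any row in the first list, and any package in the second list whose inherited set contains a dangerous permission it never asked for.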
33
Android – Vulnerabilities
• SQL injection in Content Providers
  • When backed by SQLite
• Allows for arbitrary reads in databases
  • Across processes
• Can be filtered by Developer
  • Usually is not
  • Not encouraged by Dev Docs
• Have not found instances of writes to DB
  • No useful functions (load_extension()…)
34
Android – SQL Injection
```java
final Cursor query(Uri uri, String[] projection, String selection,
                   String[] selectionArgs, String sortOrder);
```
35
Android – SQL Injection
```java
Cursor c = query(Uri.parse("content://settings/system"), null, null, null, null);
```

```sql
SELECT * FROM system;
```
36
Android – SQL Injection
```java
Cursor c = query(Uri.parse("content://settings/system"), null, "_id=1", null, null);
```

```sql
SELECT * FROM system WHERE _id=1;
```
37
Android – SQL Injection
```java
Cursor c = query(Uri.parse("content://settings/system"), null,
    "(select count(*) from secure where name='adb_enabled' and value='0')=0",
    null, null);
```

```sql
SELECT * FROM system WHERE (select count(*) from secure where name='adb_enabled' and value='0')=0;
```
38
Android – SQL Injection
```java
Cursor c = query(Uri.parse("content://settings/system"), new String[]{"_id"}, null, null, null);
```

```sql
SELECT _id FROM system;
```
39
Android – SQL Injection
```java
Cursor c = query(Uri.parse("content://settings/system"),
    new String[]{"* FROM bluetooth_devices;"}, null, null, null);
```

```sql
SELECT * FROM bluetooth_devices; FROM system;
```
40
Android – SQL Injection
```java
Cursor c = query(Uri.parse("content://settings/system"),
    new String[]{"* FROM sqlite_master;"}, null, null, null);
```

```sql
SELECT * FROM sqlite_master; FROM system;
```
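The slides above show the provider side only as the SQL it ends up running. The following is an added example, not code from the talk, the settings provider or MWR: Python's sqlite3 module stands in for SQLiteDatabase, the `system` and `secure` tables are constructed, and the request shapes mirror the ones on the slides (a projection the caller controls, and the blind sub-select in the selection). `query_vulnerable` splices caller strings into the statement the way the slides describe; `query_hardened` keeps the same interface but treats projection and selection as data, which is the same idea as giving SQLiteQueryBuilder a projection map and only ever passing values through selectionArgs. The strict clause grammar is this example's own simplification, not an Android API.

```python
import re
import sqlite3

# Columns a caller may name (a projection map, in SQLiteQueryBuilder terms).
ALLOWED_COLUMNS = ("_id", "name", "value")

# The only selection clause the hardened path accepts:  <column> <op> ?
_CLAUSE = re.compile(r"^\s*(\w+)\s*(<=|>=|<>|=|<|>|LIKE)\s*\?\s*$", re.I)


def make_db():
    """Constructed stand-in for the settings database: a 'system' table the
    caller is meant to read and a 'secure' table it is not."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE system(_id INTEGER PRIMARY KEY, name TEXT, value TEXT);
        CREATE TABLE secure(_id INTEGER PRIMARY KEY, name TEXT, value TEXT);
        INSERT INTO system VALUES (1, 'volume', '7'), (2, 'brightness', '120');
        INSERT INTO secure VALUES (1, 'adb_enabled', '0'),
                                  (2, 'backup_token', 'constructed-secret');
    """)
    return db


def query_vulnerable(db, projection, selection, selection_args=None):
    """The pattern the slides exploit: projection and selection strings from
    the calling app go straight into the statement; only selection_args are
    bound, everything else is trusted as SQL."""
    sql = "SELECT %s FROM system" % (", ".join(projection) if projection else "*")
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql, selection_args or ()).fetchall()


def query_hardened(db, projection, selection, selection_args=None):
    """Same interface, caller input treated as data: every projected column
    must be in the allow-list and the selection may only be 'column OP ?'
    clauses joined by ' AND ', so values arrive through selection_args and
    the caller can never name another table or add a sub-select."""
    cols = list(projection) if projection else list(ALLOWED_COLUMNS)
    bad = [c for c in cols if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError("projection outside allow-list: %r" % bad)
    clauses = []
    for part in (selection.split(" AND ") if selection else []):
        m = _CLAUSE.match(part)
        if not m or m.group(1) not in ALLOWED_COLUMNS:
            raise ValueError("selection clause not of the form 'column OP ?': %r" % part)
        clauses.append("%s %s ?" % (m.group(1), m.group(2).upper()))
    if len(clauses) != len(selection_args or ()):
        raise ValueError("expected one bound argument per clause")
    sql = "SELECT %s FROM system" % ", ".join(cols)
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return db.execute(sql, selection_args or ()).fetchall()


# Requests shaped like the slides' (values constructed for this example).
LEGIT_PROJECTION = ["_id", "name"]
LEAK_PROJECTION = ["(SELECT value FROM secure WHERE name='backup_token') AS leaked"]
BLIND_SELECTION = "(SELECT count(*) FROM secure WHERE name='adb_enabled' AND value='0')=0"


def demo():
    """Run both providers against the same requests; returns what each gave."""
    db = make_db()
    out = {"legit": query_vulnerable(db, LEGIT_PROJECTION, "_id = ?", (1,)),
           "legit_hardened": query_hardened(db, LEGIT_PROJECTION, "_id = ?", (1,)),
           "leak": query_vulnerable(db, LEAK_PROJECTION, None),
           "blind": query_vulnerable(db, None, BLIND_SELECTION)}
    for label, proj, sel in (("leak", LEAK_PROJECTION, None), ("blind", None, BLIND_SELECTION)):
        try:
            query_hardened(db, proj, sel)
            out[label + "_hardened"] = "allowed"
        except ValueError as e:
            out[label + "_hardened"] = "rejected: %s" % e
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-15s %s" % (k, v))
```

The legitimate request gives identical rows on both paths; the projection that reads `secure` through a sub-select and the blind boolean selection from the slides both succeed against `query_vulnerable` and are refused by `query_hardened` before any SQL is built. Note that the slide's own `"_id=1"` selection is also refused by the strict path, because the value has to come in through the bound argument rather than the selection string.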
41
Android – Vulnerabilities
• Unprotected services
• Example:
  • Introduced by HTC
  • com.htc.soundrecorder.RecordingService
  • Not protected
    • Explicitly exported
  • android.permission.RECORD_AUDIO
    • Now useless
  • Every HTC Android phone I checked
42
Android – Native APIs
• Java less prone to Memory Corruptions
• Native APIs more promising for Review
  • Services
  • Directly exporting native APIs
• Keep a look out for:
  • loadLibrary("")
  • And the "native" keyword
43
Android – Native APIs
```cpp
char mJetFilePath[256];

int JetPlayer::loadFromFile(const char* path)
{
    …
    // the copy is bounded by the source length, not by the 256-byte destination
    strncpy(mJetFilePath, path, strlen(path));
```

```text
I/DEBUG   ( 31): pid: 1257, tid: 1258  >>> com.example.test1 <<<
I/DEBUG   ( 31): signal 11 (SIGSEGV), fault addr 00000000
I/DEBUG   ( 31):  r0 ffffffff  r1 41413000  r2 00000004  r3 ffff0ff0
I/DEBUG   ( 31):  r4 00000000  r5 41413000  r6 afd40328  r7 00000000
I/DEBUG   ( 31):  r8 00100000  r9 80848121  10 10000000  fp 00117808
I/DEBUG   ( 31):  ip afd20209  sp 100ffe20  lr afd20201  pc 80849aa4  cpsr 80000030
I/DEBUG   ( 31):          #00  pc 00049aa4  /system/lib/libdvm.so
I/DEBUG   ( 31):          #01  lr afd20201  /system/lib/libc.so
```

```java
// Java wrapper that hands the caller's path straight to the native method
public boolean loadJetFile(String path) {
    return native_loadJetFromFile(path);
}
```
44
Android – Others
• Let's be creative
  • Applications do all kinds of stuff
  • Some of which is stupid :P
• Example: Skype App

```text
# ls -al /data/data/com.skype.raider/files/skypekit
-rwxrwxrwx 1 0 2000 43 /data/data/com.skype.raider/files/skypekit
```
45
Android – Others
• Permissions: android.permission.DISABLE_KEYGUARD, android.permission.WAKE_LOCK, android.permission.INTERNET, android.permission.GET_ACCOUNTS, android.permission.READ_CONTACTS, android.permission.ACCESS_NETWORK_STATE, android.permission.VIBRATE, android.permission.MODIFY_AUDIO_SETTINGS, android.permission.RECORD_AUDIO, android.permission.READ_PHONE_STATE, android.permission.ACCESS_COARSE_LOCATION, android.permission.GET_TASKS, android.permission.AUTHENTICATE_ACCOUNTS, android.permission.MANAGE_ACCOUNTS, android.permission.READ_SYNC_SETTINGS, android.permission.WRITE_SYNC_SETTINGS, android.permission.GET_ACCOUNTS, android.permission.USE_CREDENTIALS, android.permission.WRITE_SETTINGS, android.permission.WRITE_SECURE_SETTINGS, android.permission.READ_CONTACTS, android.permission.WRITE_CONTACTS, android.permission.READ_SYNC_STATS, android.permission.WRITE_EXTERNAL_STORAGE
46
Android – Deserialisation
• Intents contain Extras
  • Can be Serialisable
• Object type is checked after deserialisation
  • Arbitrary objects can be deserialised
    • In other Processes
    • Across trust boundaries
    • With other permissions
• Is this exploitable?
  • Sami?
48
Android – Permissions
• Most useful Permission: INSTALL_PACKAGES
• On HTC phones granted to the Browser
  • That's True!
• Why?
  • Flash Lite Flash player
  • Installs updates using PackageManager
  • Needs Permissions for that …
49
Android – Permissions
• INSTALL_PACKAGES in Browser
• Impact
  • Malicious Code in Browser
  • Installs arbitrary Applications
    • Without prompting the User
  • Gains arbitrary Permissions
    • For malicious applications
    • No restricted permissions
50
Android – Demo
• That should be enough…
Demo Time!
52
Android Demo - Vulnerability
• Use-after-free in Browser
  • WebKit
    • Android, Chrome, Safari, iPhone, Symbian, Palm Pre and more
  • Allows for arbitrary code execution
  • HTML5
  • JavaScript
• Introduced in Android 2.0
  • 1.5 and 1.6 not vulnerable
• Patched in 2.2
• No NX, No ASLR
53
Android - Use-after-free in Browser
[Diagram: Object 1, Object 2 and the DOM Object]
54
Android - Use-after-free in Browser
[Diagram: Object 2 and a slot marked FREE]
55
Android - Use-after-free in Browser
[Diagram: Object 2 and the same slot, now filled with data]
56
Android - Use-after-free in Browser
[Diagram: Object 2 and the data-filled slot, with a call made through it: (*data)()]
57
Android - Shellcode
• Steps:
  1. Connect back to Attacker
  2. Upload malicious APK
  3. Install from Browser
  4. Pwnage!
58
Android - Demo
60
Android Proof-of-Concept
• Reported the vulnerability to vendors
  • Patched in 2.2
• However
  • Any WebKit vulnerability will do
  • Not patched in most Phones
62
Conclusion
• Understand the Threats
• Android Sandbox
  • Fairly Reasonable
• Many bugs introduced by:
  • Vendors, Carriers
  • 3rd Party Apps
• Testing and Assurance
  • For Phones
  • Not just OS
64
Questions?