better watch your apps - mj keith
Post on 14-Sep-2014
My HouSecCon presentation on Android application security and ARM exploitation.
Better watch your apps!
November 4, 2010
MJ Keith, GCIA, GCIH
Alert Logic - Security Researcher
Smart phones
Blackberry, iPhone, Android, Windows Mobile
Markets
iPhone market: open to developers; apps are reviewed and approved by Apple.
Tethering apps disguised as flashlights make it in!
Android market: open to developers; moderated by users. Some restrictions from the wireless provider.
Blackberry market: hoping to get market share back.
Who is writing these apps?
Focus on Malware
How can malware affect you? Blackhat 2010:
"These aren't the permissions you're looking for...", "App attack", several others
Why are we only looking at malware? Is Adobe software malware?
Well, maybe...
Size doesn't matter
Do you allow users to install untrusted apps? Every program installed presents a risk. Patch management required.
Do you allow users to connect personal laptops? Policies are in place, but can you really stop it?
If users can connect, they will connect. MAC filtering helps but is not a complete fix.
Android
Architecture: ARM 32-bit
OS: Linux
Bionic libc
Apps: Dalvik, a JVM (kinda); all apps written in Java
Permissions
Each app runs as its own user - Linux style
Cache data can be stored in the app's directory or on the sdcard: the app's directory is sandboxed, the sdcard is accessible to everyone
Intents can request data or actions from other apps
Granular control of certain privileged actions: making phone calls / sending SMS / access to personal data
Where I started
Bugs in your pocket: anyone can submit an application - no assumption that QA has taken place. How many Android apps do nothing but crash?
Tons of bugs; apps crashing = exploitable
Theory: apps will be easy to hack; they will not be protecting user data; apps create aggregation points that can be used to attack users
Target app profile (diagram: app, web API, attacker)
Testing begins
Targeting smaller-distribution apps that make calls to the internets – yeah, both of them. Basic server/client setup.
Online storage / financial data = Checks (> 1,000 users)
Contact data = Addressbook PRO (> 6,000 users)
Scoreboards = Speedx (> 500,000 users)
Checks > 1,000 users
Cloud storage: allows you to store purchases and payments data. Password protected.
Checks
Uses an HTTP JSON API; easy to sniff with airodump
Password only used on the phone; a user id (this is just an int) is used to access the cloud server
Guess the user number: full access to read/write data. Can reset the password, but who cares.
Checks
POST /cloud/ HTTP/1.1
X-Requested-With: XMLHttpRequest
User-Agent:
Content-Length: 65
Content-Type: application/x-www-form-urlencoded
Host: checks.linein.org
Connection: Keep-Alive

json=%7B%22user_id%22%3A%22680%22%2C%22action%22%3A%22import%22%7D

HTTP/1.1 200 OK
Date: Sat, 28 Aug 2010 01:41:26 GMT
Server: Apache/1.3.41 Ben-SSL/1.59
X-Powered-By: PHP/5.2.14
Keep-Alive: timeout=2, max=200
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

193
{"message":"imported successfully","cloud_data":"[{\"id\":\"1\",\"amount\":\"222\",\"cleared\":null,\"desc\":\"qqq\",\"check_date\":\"1282959385\",\"dateadded\":null},{\"id\":\"2\",\"amount\":\"333\",\"cleared\":null,\"desc\":\"ppp\",\"check_date\":\"1282959385\",\"dateadded\":null},{\"id\":\"3\",\"amount\":\"111\",\"cleared\":null,\"desc\":\"ooo\",\"check_date\":\"1282959385\",\"dateadded\":null}]"}
0
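The flaw in the Checks exchange above is that the server takes the user_id out of the request body and never sees a credential. As an added example (not the app's or the talk's code), here is the same "import" action written two ways in Python: the trusting version, and a hardened handler that identifies the user from a server-issued session token and ignores any user_id the client claims. The data, user numbers, passwords and salts are constructed for the example; the password hashing is a placeholder for a proper slow hash. The same principle covers any client-supplied identifier used as a login, including a device MEID.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample data modelled on the Checks "import" action above.
# Nothing here talks to the real checks.linein.org service.
CLOUD_DATA = {
    680: [{"id": "1", "amount": "222", "desc": "qqq"}],
    681: [{"id": "1", "amount": "5000", "desc": "rent"}],
}

def _hash(password: str, salt: bytes) -> bytes:
    # Hypothetical store; a real service would use a slow hash (scrypt/bcrypt).
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = {680: b"salt-680", 681: b"salt-681"}
PASSWORDS = {680: _hash("hunter2", _SALT[680]),
             681: _hash("correct horse", _SALT[681])}
SESSIONS: dict = {}   # session token -> user_id

def form_for(user_id: int, action: str = "import") -> dict:
    """Build the decoded form of the 'json=' body the app sends."""
    return {"json": json.dumps({"user_id": str(user_id), "action": action})}

def vulnerable_import(form: dict) -> Optional[list]:
    """The pattern the slide describes: the server trusts a client-supplied
    integer user_id and never checks the password, so any number works."""
    req = json.loads(form["json"])
    if req.get("action") != "import":
        return None
    return CLOUD_DATA.get(int(req["user_id"]))

def login(user_id: int, password: str) -> Optional[str]:
    """Verify the password on the server and issue an unguessable session token."""
    expected = PASSWORDS.get(user_id)
    if expected is None or not hmac.compare_digest(expected, _hash(password, _SALT[user_id])):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

def hardened_import(form: dict, headers: dict) -> Optional[list]:
    """Same action, but the user is whoever the session token identifies.
    A body user_id that disagrees with the session is rejected."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    user_id = SESSIONS.get(auth[len("Bearer "):])
    if user_id is None:
        return None
    req = json.loads(form["json"])
    if req.get("action") != "import":
        return None
    if "user_id" in req and int(req["user_id"]) != user_id:
        return None   # asking for someone else's data
    return CLOUD_DATA.get(user_id)
```

The point of `hardened_import` is that the body's user_id becomes redundant: the only thing that selects a record is a token the server minted after checking the password, and a token cannot be enumerated the way a small integer can.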
Addressbook PRO > 6,000 users
Sync and backup of contacts/locations to the cloud; HTTP JSON API
Password protected – here we go again... Same exact problem: password only used on the phone
Costs $4.99 – kinda pricey to get your data stolen
Guess the username and you have full control. You also get the user's MEID, lol
Addressbook PRO
POST /apofasyncaddressbook.php HTTP/1.1
content-type: application/x-www-form-urlencoded
content-length: 10
cache-control: no-store,no-cache
User-Agent: Dalvik/1.1.0 (Linux; U; Android 2.0.1; Droid Build/ESD56)
Host: www.apofa.com
Accept: *, */*
Connection: Keep-Alive

&n=test

HTTP/1.1 200 OK
Date: Fri, 27 Aug 2010 16:38:12 GMT
Server: Apache/2.2.16 (CentOS) mod_ssl/2.2.16 0.9.8l DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

193
{"address":[{"id":"164","db_id":"2","title":"test","address":"blah.;'\";:)*&=%","picon":"null\r\n\r\n","visit":"0","category":"Family","userid":"test","createdDate":"1282925803271","deviceid":"A00000555553"},{"id":"163","db_id":"1","title":"narf","address":"gggg gfggggg","picon":"null","visit":"0","category":"Family","userid":"test","createdDate":"1282925678434","deviceid":"A00000555553"}]}
MEID/IMEI/ESN
Value your wireless provider uses to authenticate your phone on the network
Could be called the phone's MAC or SSN. Not really intended to auth to anything except the wireless network.
Often a target, as it is used in cloning; CDMA sniffing techniques have been used by cloners for years
Speedx > 500,000 users
Game that uses a web API for scoring. Pretty simple: scores get posted to the scoreboard; the scoreboard is read and displayed to the user.
What fun could be had here?
Speedx – the hacks
Scoreboard API is easy to inject. It uses an HMAC, but the only value the HMAC protects is the time.
Numeric values are still stored as strings. If those strings ever make it to native code, possible BOF.
Fake scoreboard test; may not be able to get that many chars into the real scoreboard.
( 987): pid: 5860, tid: 5860 >>> com.beepstreet.speedx <<<
( 987): signal 11 (SIGSEGV), fault addr f142a741
( 987): r0 00414141 r1 00000000 r2 f142a741 r3 ffffffff
( 987): r4 b000f448 r5 00004141 r6 00000000 r7 00119dc8
( 987): r8 ad00ee40 r9 0000bd18 10 4186bc38 fp 00000000
( 987): ip 00000000 sp bec737b0 lr b000099f pc 0003d6bc cpsr 80000030
I/DEBUG ( 987): #00 pc 0003d6bc /system/lib/libdvm.so
I/DEBUG ( 987): #01 pc 00055f94 /system/lib/libdvm.so
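Two things go wrong in the Speedx scoreboard as described: the HMAC covers only the timestamp, and fields are accepted as untyped, unbounded strings. As an added example (not Speedx's code), the Python below puts the time-only MAC next to a MAC over every field in a canonical encoding, and adds the schema checks a scoreboard backend would apply before a score is stored or handed to native code. The key, limits and field names are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed key; the real Speedx key is not on the page. In a game the key
# ships inside the APK, so the server-side validation below is the part that
# actually holds; the MAC only keeps casual tampering out.
KEY = b"example-scoreboard-key"
MAX_NAME, MAX_COMMENT, MAX_SCORE = 32, 64, 10_000_000
FIELDS = ("name", "comment", "date", "score")

def mac_time_only(sub: dict) -> str:
    """The weak scheme the slide describes: the HMAC covers only the timestamp,
    so name, comment and score can be rewritten without touching the tag."""
    return hmac.new(KEY, str(sub["date"]).encode(), hashlib.sha256).hexdigest()

def mac_full(sub: dict) -> str:
    """HMAC over every field in a canonical encoding; changing any one field
    invalidates the tag."""
    canon = json.dumps({k: sub.get(k) for k in FIELDS}, sort_keys=True,
                       separators=(",", ":")).encode()
    return hmac.new(KEY, canon, hashlib.sha256).hexdigest()

def verify(sub: dict, tag: str, mac_fn) -> bool:
    return hmac.compare_digest(mac_fn(sub), tag)

def validate(sub: dict) -> Optional[str]:
    """Schema checks the slide says were missing: score is a bounded integer,
    not whatever string arrived, and text fields are length-limited before
    they are stored or handed to native code. Returns an error or None."""
    score = sub.get("score")
    if isinstance(score, bool) or not isinstance(score, int):
        return "score must be an integer"
    if not 0 <= score <= MAX_SCORE:
        return "score out of range"
    name, comment = sub.get("name", ""), sub.get("comment", "")
    if not isinstance(name, str) or not isinstance(comment, str):
        return "name and comment must be strings"
    if len(name) > MAX_NAME or len(comment) > MAX_COMMENT:
        return "field too long"
    return None

def accept(sub: dict, tag: str) -> str:
    """Server-side decision for one score submission."""
    if not verify(sub, tag, mac_full):
        return "bad mac"
    return validate(sub) or "ok"
```

With `mac_time_only`, a submission whose score has been rewritten still verifies because the tag never depended on the score; with `mac_full` the same edit is rejected, and a score that arrives as a string, or a comment long enough to matter to native code, is refused by `validate` regardless of the tag.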
Speedx – the hacks
The scoreboard stores the data submitted and then does a “select * from scores” (I think) to provide the scores to the user.
What the user sees
Speedx – the hacks
What is really there...
{"alltime":{"new":{"place":1,"percents":99},"table":
[{"aid":"22a0000015s079eb","name":"narf","comment":"narf","date":"1270335048557","score":"999999"},{"aid":"22a1030007c697eb","name":"Justin","comment":"for kat","date":"1268933296866","score":"102835"},{"aid":"200149694edadfc","name":"guilou","comment":"au calme...","date":"1268771950965","score":"97028"},{"aid":"22a1500007c697eb","name":"Justin","comment":"for kat","date":"1267511769050","score":"83541"},{"aid":"20016203ca460ead","name":"Fred","comment":"\u013a\u0093\u008e~~~~~~","date":"1267684428484","score":"71843"},{"aid":"2006659695197d84","name":"cjd313","comment":"\u0107\u0083\u00a8!\u00e7\u017c\u0165\u0107\u02db\u009f\u00e9\u0087\u008c\u0107\u00ad\u0165\u00e4\u015f\u0086\u0103\u0080\u0082My QQ:502202","date":"1267113644819","score":"70690"},{"aid":"200145969662417e","name":"John Black","date":"1267368779421","score":"63475"},{"aid":"200145969662710","name":"Hans_97","comment":"alles gut","date":"1268503563353","score":"58040"},{"aid":"2001455554fea233","name":"prophetu","comment":"salutare..!","date":"1267806544079","score":"52352"},{"aid":"200145966534e904","name":"Ecloud.ShangHai","comment":"\u8349\u6ce5\u9a6c","date":"1270101863661","score":"48931"},{"aid":"null","name":"shanghai min","comment":"shanghai min","date":"1269935680096","score":"48399"},{"aid":"2001459964de306a","name":"dantist","comment":"Russian Federation 4pda :)","date":"1267518905207","score":"46980"},{"aid":"200145eee4fea233","name":"prophetu","comment":"salutare..!","date":"1267458383257","score":"46896"},{"aid":"2001459554de306a","name":"dantist","comment":"Russian Federation 4pda :)","date":"1267614148830","score":"46455"},{"aid":"null","name":"David","comment":"\u7ffb\u6c9f\u91cc\u2026","date":"1269871815973","score":"46374"},{"aid":"22a00666rd5f502","name":"jeff","comment":"aaaaaaaah! 
i died!","date":"1270272256156","score":"44884"},{"aid":"20014666c29b96a","name":"egi","date":"1267711523732","score":"42208"},{"aid":"null","name":"\u8d85\u97e6\u8d85\u9038\u662f\u5c0f\u7acb\u7684\u7238","comment":"\u97e6\u8d85\u9038\u662f\u5927\u5927\u795e","date":"1269335458359","score":"41503"},{"aid":"2044441f4a86b8e65","name":"Soaa-","comment":"omai!","date":"1267660861088","score":"40826"},{"aid":"22a5550007c697eb","name":"Justin","comment":"for kat","date":"1268320628749","score":"40505"},{"aid":"2006669694f24ea3","name":"RMB","comment":"HTC Hero","date":"1270246209401","score":"40360"},
Conclusion – so far...
Original theory proved! The phone's abstraction layer hides the vulns from users. Plenty of data to steal. Scoreboards can be used as an attack vector.
But... limited targets/victims; unrealistic attacks (too many chars); too easy and kinda boring.
Stepping it up
New plan: target the most popular apps.
Still need apps that connect out. Funnier attacks.
I will happily waste a zero day to rickroll someone :) Need serious pwnage, not just weak API attacks.
Back to the market
MyBackup PRO > 1,000,000 users
3rd most popular paid app. Cloud storage for data and apps (root only).
HTTPS – higher difficulty level. Password protected... we shall see.
MyBackup PRO
Set up phone for MITM of SSL. Turned out to be pointless: their cert was invalid.
My username is my #@!% MEID! It sends this to my email.
It does authenticate to the API and provides a basic auth token:
POST /MyBackup/BackupsExec/UploadFiles4.aspx HTTP/1.0
Cache-Control: no-cache
Pragma: no-cache
Authorization: Basic bWJwcm86bWJwcm80dUFuZG1lQW5kQWxs
ty: 0
v: 252
MyBackup PRO
Finally an app that really uses the password!
Authorization: Basic bWJwcm86bWJwcm80dUFuZG1lQW5kQWxs
W00T! My stuff is actually safe!
MyBackup PRO
SIKE!!!
Authorization: Basic bWJwcm86bWJwcm80dUFuZG1lQW5kQWxs un-Base64'd = mbpro:mbpro4uAndmeAndAll
I think they used alternating case to make it more secure.
Get the user's MEID and upload whatever you want to the backups directory.
MyBackup PRO
Backup file: zip file includes several SQLite DBs plus other files. SQLite for instructions and settings; files for images and apps.
Trojan the backup – root user attack: just trojan your own phone and create a backup, upload the backup to the victim's storage, ??????? profit!
MyBackup PRO
NOT SO FAST!!! The user has to approve the apps. No worries ;) notatrojan (SMS forwarder). The user gets one more confirmation request, but why would they stop now?
MyBackup PRO
Attacking regular users: same basic method, but this time we focus on settings.
Bookmarks can be altered to go to other sites. System (icon) bookmarks can be changed to point at other apps.
Network settings... JACKPOT! All your DNS are belong to me. If the settings conflict with the network it falls back to DHCP.
Bump > 10,000,000 users
Appaliscious: "Bump Android app is the new business card"
Gizmodo: "Bump 2.0 Scores With Facebook, Twitter, And LinkedIn Capabilities"
Entrepreneur: Entrepreneur's Annual 100 Brilliant Ideas - Mobile Tech top 10
WSJ: "PayPal Bumps iPhone Payments to New Level"
Bump – from their site
Q. What is Bump? A. Bump is a quick and easy way to connect two phones, simply bump them together. Share contact info, pictures, calendar events, and even connect on social networks with just a bump.
Q. How does it work? A. We use various techniques to limit the pool of potential matches, including location information and characteristics of the bump event. If you are bumping in a particularly dense area (e.g., at a conference), and we cannot resolve a unique match after a single bump, we'll just ask you to bump again. Our CTO has a PhD in Quantum Mechanics and can show the math behind that, but we suggest downloading Bump and trying it yourself!
Q. Is Bump secure? A. When we built Bump, our number one priority was creating the best possible user experience we could. Security of your personal information is a huge part of that experience. First, all communications between your phone and our servers are encrypted and sent using https - the same encryption that is used for online banking. Second, the nice thing about Bump is that *you* are in control of deciding with whom you share your information. You don't have to worry about anyone being able to get at your information unless you physically bump your phone with theirs.
Bump – My opinion
Q. What is Bump? A. Another silly way to get owned and break your phone.
Q. How does it work? A. Your phone sends GPS data and the time of the bump to their servers. If another bump matches, you get an offer to connect. Took about 2 hrs.
Q. Is Bump secure? A. Online banking encryption standards have really fallen.
Bump
A “mailbox” is created on the server using the MEID and the path. The app checks the “mailbox” about once a second.
When bumped, the time and location are sent to the Bump servers. If a match is found, the server leaves the connect data in the box and it is retrieved on the next status check.
No authentication is used. No unique values until the other phone approves the data.
Bump app / Bump server exchange (diagram):
Bump sent -> Status ok
Status check -> Bump matched
Confirm + data -> (other user confirms)
Status check -> Other user data
Status check -> ...
Bump
Problems: the phone sets the location and time. This also includes fault tolerance: change GPS accuracy from feet to miles; submit multiple bumptimes at once (discussed later).
Since no auth is needed, we can intercept anything meant for the victim's phone. After we grab it we sleep so that they can re-bump.
We can create several bumpers; multi-threaded bumpers can intercept all bumps in a location. Target conferences or dense population areas.
Bump
So... we can intercept anything on a specific target; we can flood an area with bumps to catch all data.
We could also flood users with a payload. Images are the obvious target, but other options are available.
Still no massive pwnage :( What else can be done?
Paypal Bump
Paypal Bump
PayPal side is very secure, until they ask you to create a PIN: a 6-digit PIN.
Bump API allows multiple bumptimes, intended to cover timezone differences. Submit 10 bumptimes ¼ sec apart.
API key transferred in the clear; used as the logon for the Bump site. I did not do this.
Uses SSL only after all key values are sent in cleartext. Transfers the MEID and phone # to the other user.
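The Bump weaknesses listed in the slides above (mailbox addressed by MEID with no auth, location and time set by the phone, accuracy claims of miles, ten bumptimes in one request) are all server-side policy. As an added example (not Bump's code), here is a constructed Python model of a bump-matching backend that addresses mailboxes by a random per-install session token, accepts exactly one bumptime per request, insists the client's clock agrees with the server's, rejects coarse locations, and hands over contact data only after both sides confirm a match id. The thresholds, the distance formula and the coordinates in the usage are assumptions for the example.

```python
import math
import secrets
import time
from dataclasses import dataclass, field

# Policy constants (constructed values, not Bump's real ones):
MAX_BUMPTIMES_PER_REQUEST = 1   # the slides say the API accepted 10 at once
MAX_ACCURACY_M = 50.0           # reject accuracy claims of "miles"
CLOCK_SKEW_S = 5.0              # client-reported time must agree with server time
MATCH_WINDOW_S = 0.5
MATCH_RADIUS_M = 25.0

def dist_m(lat1, lon1, lat2, lon2):
    """Equirectangular approximation; accurate enough for tens of metres."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    y = math.radians(lat2 - lat1)
    return 6371000.0 * math.hypot(x, y)

@dataclass
class Mailbox:
    label: str
    pending: list = field(default_factory=list)   # (bumptime, lat, lon) awaiting a match
    inbox: list = field(default_factory=list)     # messages for this client

class BumpServer:
    """Mailboxes are addressed by a random per-install session token, never by
    the MEID, and every call must present that token."""

    def __init__(self):
        self.boxes = {}     # token -> Mailbox
        self.matches = {}   # match id -> {token: confirmed payload or None}

    def register(self, label):
        token = secrets.token_urlsafe(32)
        self.boxes[token] = Mailbox(label)
        return token

    def _box(self, token):
        if token not in self.boxes:
            raise PermissionError("missing or unknown session token")
        return self.boxes[token]

    def bump(self, token, bumptimes, lat, lon, accuracy_m, now=None):
        box = self._box(token)
        now = time.time() if now is None else now
        if len(bumptimes) != MAX_BUMPTIMES_PER_REQUEST:
            return "exactly one bumptime per request"
        if accuracy_m > MAX_ACCURACY_M:
            return "location too coarse"
        t = bumptimes[0]
        if abs(t - now) > CLOCK_SKEW_S:
            return "bumptime disagrees with server clock"
        for other_token, other in self.boxes.items():
            if other_token == token:
                continue
            for entry in other.pending:
                ot, olat, olon = entry
                if abs(ot - t) <= MATCH_WINDOW_S and dist_m(lat, lon, olat, olon) <= MATCH_RADIUS_M:
                    other.pending.remove(entry)
                    mid = secrets.token_hex(8)
                    # Only a match id is delivered; contact data moves after both confirm.
                    self.matches[mid] = {token: None, other_token: None}
                    box.inbox.append({"match": mid})
                    other.inbox.append({"match": mid})
                    return "matched"
        box.pending.append((t, lat, lon))
        return "waiting"

    def confirm(self, token, match_id, payload):
        self._box(token)
        m = self.matches.get(match_id)
        if m is None or token not in m:
            return "not your match"
        m[token] = payload
        if any(v is None for v in m.values()):
            return "waiting for peer"
        for tok in m:
            for peer, data in m.items():
                if peer != tok:
                    self.boxes[tok].inbox.append({"contact": data})
        del self.matches[match_id]
        return "exchanged"

    def status(self, token):
        """Drain the caller's mailbox. A status check without the session token
        cannot reach any mailbox, so there is nothing to poll on someone's behalf."""
        box = self._box(token)
        msgs, box.inbox = box.inbox, []
        return msgs
```

The model keeps the shape of the exchange in the slide's diagram (bump, status check, confirm, status check) but the addressing changes: a device identifier that other parties learn is not a secret, so it cannot double as the key to the mailbox.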
Demo
Fun with paypal bump
Demo
Fun with paypal bump Why does this work?
The Bump API uses the MEID as the unique identifier and sends this value to the other user's app. A regular bump requires a fake bump to get the MEID.
VZ apps all authenticate using the Base64'd MEID plus other submitted values.
What else can we do with this?
VZ apps
My VZ
Change voice-mail password. Change portal password. Last 4 digits of credit card.
Make a payment. Get or change mailing address.
Upgrade phone and have it sent somewhere else. Flaw affects all VZ users. Other stuff...
VZ tones
Purchase several thousand ringtones. Purchase and set ringback tones.
Set Rickroll ringback tones on a few thousand phones.
Exposes where ringtones are hosted: download all ringtones for free.
VZ
Fixing the issue by the end of the month. Adding a vulnerability reporting email. Very cool guys.
Browser = all of them
WebKit based
Permissions: auth to Google, coarse and fine GPS, sdcard access, internet access, everything else you would expect
Breaking Android's Arm
Java app, but data is passed to the native back-end. No advisories for WebKit on Android.
0-days in the open: CVE-2010-1807
Breaking Android's Arm
R1 gets over-written with a value of our choosing. I chose “0000b33f” just for an example.
I/DEBUG ( 28): Build fingerprint: 'generic/sdk/generic/:2.0.1/ESD54/20723:eng/test-keys'
I/DEBUG ( 28): pid: 702, tid: 714 >>> com.android.browser <<<
I/DEBUG ( 28): signal 11 (SIGSEGV), fault addr 00000030
I/DEBUG ( 28): r0 00000000 r1 0000b33f r2 45d320a0 r3 fffffffe
I/DEBUG ( 28): r4 aa413738 r5 45357c10 r6 45d320a0 r7 0039bda0
I/DEBUG ( 28): r8 45358d88 r9 426f6ed8 10 426f6ec0 fp 002e9150
I/DEBUG ( 28): ip 00000006 sp 45357bd8 lr aa0479eb pc aa00c142 cpsr 60000030
I/DEBUG ( 28): #00 pc 0000c142 /system/lib/libwebcore.so
I/DEBUG ( 28): #01 pc 000479e6 /system/lib/libwebcore.so
I/DEBUG ( 28): #02 pc 002b9d70 /system/lib/libwebcore.so
I/DEBUG ( 28): #03 pc 002ba95a /system/lib/libwebcore.so
I/DEBUG ( 28): #04 pc 002bad8a /system/lib/libwebcore.so
I/DEBUG ( 28): #05 pc 002badba /system/lib/libwebcore.so
I/DEBUG ( 28): #06 pc 002b8a2c /system/lib/libwebcore.so
I/DEBUG ( 28): #07 pc 002b8a46 /system/lib/libwebcore.so
I/DEBUG ( 28): #08 pc 001cba26 /system/lib/libwebcore.so
I/DEBUG ( 28): #09 pc 001d22b4 /system/lib/libwebcore.so
Breaking Android's Arm
Using other registers to track pc :
I/DEBUG ( 28): Build fingerprint: 'generic/sdk/generic/:2.0.1/ESD54/20723:eng/test-keys'
I/DEBUG ( 28): pid: 737, tid: 749 >>> com.android.browser <<<
I/DEBUG ( 28): signal 4 (SIGILL), fault addr 0057817c
I/DEBUG ( 28): r0 0057814c r1 00578150 r2 00578154 r3 00578158
I/DEBUG ( 28): r4 0057815c r5 00578160 r6 45c170f8 r7 0067c950
I/DEBUG ( 28): r8 45458d80 r9 426f9ee0 10 426f9ec8 fp 002eaf68
I/DEBUG ( 28): ip 00000006 sp 45457b10 lr aa00c149 pc 0057817c cpsr 00000010
I/DEBUG ( 28): #00 pc 0057817c [heap]
I/DEBUG ( 28): #01 pc 0000c146 /system/lib/libwebcore.so
I/DEBUG ( 28): #02 pc 000479e6 /system/lib/libwebcore.so
I/DEBUG ( 28): #03 pc 002b9d70 /system/lib/libwebcore.so
I/DEBUG ( 28): #04 pc 002ba95a /system/lib/libwebcore.so
I/DEBUG ( 28): #05 pc 002bad8a /system/lib/libwebcore.so
I/DEBUG ( 28): #06 pc 002badba /system/lib/libwebcore.so
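The three debuggerd dumps on this page (the Speedx SIGSEGV and the two browser crashes above) are the raw material for deciding whether a crash is just a crash or something a crash-reporting pipeline should escalate. As an added example (not the talk's code), the Python below parses that logcat format, which extraction tends to run onto one line, and applies a few triage rules of my own for exactly the situations the slides show: a register equal to the fault address, registers ending in repeated printable bytes, pc in [heap] on SIGILL, and r0..r7 loaded from consecutive words. The embedded sample is the Speedx dump copied from the slide; the bare "10" in that format is r10 as debuggerd printed it then, and the flag wording is mine.

```python
import re

PID_RE = re.compile(r"pid:\s*(\d+),\s*tid:\s*(\d+)\s*>>>\s*(\S+)\s*<<<")
SIGNAL_RE = re.compile(r"signal\s+(\d+)\s+\((\w+)\),\s+fault addr\s+([0-9a-f]{8})")
FRAME_RE = re.compile(r"#(\d\d)\s+pc\s+([0-9a-f]{8})\s+(\S+)")
# debuggerd of this era prints r10 as a bare "10"; it is renamed to r10 below.
REG_RE = re.compile(r"(?<![\w#])(r\d{1,2}|10|fp|ip|sp|lr|pc|cpsr)\s+([0-9a-f]{8})\b")

# Sample input: the Speedx crash from the slide, used here as test data.
SPEEDX_DUMP = """( 987): pid: 5860, tid: 5860 >>> com.beepstreet.speedx <<<
( 987): signal 11 (SIGSEGV), fault addr f142a741
( 987): r0 00414141 r1 00000000 r2 f142a741 r3 ffffffff
( 987): r4 b000f448 r5 00004141 r6 00000000 r7 00119dc8
( 987): r8 ad00ee40 r9 0000bd18 10 4186bc38 fp 00000000
( 987): ip 00000000 sp bec737b0 lr b000099f pc 0003d6bc cpsr 80000030
I/DEBUG ( 987): #00 pc 0003d6bc /system/lib/libdvm.so
I/DEBUG ( 987): #01 pc 00055f94 /system/lib/libdvm.so"""

def split_records(dump):
    """Split on the logcat prefix ('I/DEBUG ( 28):' or '( 987):'); extraction
    often runs a whole dump onto one line, so newlines cannot be relied on."""
    return [p.strip() for p in re.split(r"(?:I/DEBUG\s*)?\(\s*\d+\):", dump) if p.strip()]

def parse_tombstone(dump):
    info = {"process": None, "pid": None, "tid": None, "signal": None,
            "fault_addr": None, "registers": {}, "frames": [], "flags": []}
    for rec in split_records(dump):
        if m := PID_RE.search(rec):
            info["pid"], info["tid"], info["process"] = int(m[1]), int(m[2]), m[3]
        elif m := SIGNAL_RE.search(rec):
            info["signal"], info["fault_addr"] = m[2], int(m[3], 16)
        elif m := FRAME_RE.search(rec):
            info["frames"].append((int(m[1]), int(m[2], 16), m[3]))
        else:
            for name, val in REG_RE.findall(rec):
                info["registers"]["r10" if name == "10" else name] = int(val, 16)
    triage(info)
    return info

def triage(info):
    """Heuristic flags for the situations the talk shows (my own rules, not
    anything debuggerd emits)."""
    regs, flags, fault = info["registers"], info["flags"], info["fault_addr"]
    if info["frames"] and info["frames"][0][2].startswith("["):
        flags.append(f"frame #00 pc is in {info['frames'][0][2]}, not in a mapped library")
    if info["signal"] == "SIGILL" and fault is not None and regs.get("pc") == fault:
        flags.append("SIGILL with pc == fault addr: execution reached a non-code address")
    for name, val in regs.items():
        if name not in ("pc", "sp", "cpsr") and fault is not None and val == fault:
            flags.append(f"fault addr equals {name}: the bad pointer was taken from {name}")
        low, byte = val & 0xFFFF, val & 0xFF
        if low == (byte << 8 | byte) and 0x20 <= byte <= 0x7E:
            flags.append(f"{name}=0x{val:08x} ends in repeated printable byte 0x{byte:02x}: looks like input data")
    # Consecutive +4 values in r0..r7 mean the registers were loaded from adjacent words.
    run = 1
    vals = [regs.get(f"r{i}") for i in range(8)]
    for a, b in zip(vals, vals[1:]):
        run = run + 1 if a is not None and b == a + 4 else 1
        if run == 4:
            flags.append("r0..r7 hold consecutive addresses (stride 4): registers were loaded from adjacent memory words")
            break
```

Run over the Speedx dump, `parse_tombstone` reports r2 equal to the fault address and r0/r5 ending in 0x4141; run over the second browser dump it reports SIGILL at a pc inside [heap] and r0..r5 spaced four bytes apart. Either pattern is a reason to treat the crash as potential attacker-controlled input rather than a plain bug when triaging reports from the field.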
Demo 2: http://www.youtube.com/watch?v=czx_AKdj8ug
Lessons Learned
Not if but when: attacks are going to happen. Be prepared.
Phones are an abstraction layer. The apps' behaviors are not that different from PC software from 10 years ago.
Researching the apps is difficult and providers are not going to help. The phone's security is there to keep you out, not attackers. Security by obscurity only gets you so far.
Phones and laptops are the same thing and should be treated that way. Policies need to be put in place to at least protect the company. Security teams need more tools to keep an eye on phones.
Just because the developer's intent was not malicious does not mean it won't be used that way by others.
Better watch your apps!
Thank you