PWNING A WINDOWS PHONE
From shadow to light
NICOLAS JOLY – MOSEC 2015
@n_joly, but I only tweet cat pics
NICO WHO?
Exploiter, mostly focused on client vulnerabilities
Did some tourism in Vancouver, opened a laptop store
Like shopping for clothes too
No XP at Phone hacking!
Missing Nokia 1520 here
Can’t stand iTunes
No XP with Android
I like that one
PWN2OWN MOBILE 2014 – SHOOT LIST
Let’s pwn IE Mobile!
SO WHAT’S HERE TODAY?
Finding a crash
Debugging the device
Polishing the exploit
Writing a payload
Getting stuck within the sandbox (!)
Does not fit in the pocket,
but the camera is badass!
WINDOWS PHONE SECURITY – SOME PREVIOUS RESEARCH
Alex Plaskett – Blue Hat v11 Technical – Windows Pwn 7 OEM – Owned Every Mobile?
Alex Plaskett and Nick Walker – Syscan 2014 – Navigating a sea of pwn
Dmitriy Evdokimov and Andrey Chasovskikh – HackInParis 2013 – Windows Phone 8 Application Security
IE MOBILE
Definitely not IE 6 :/
IE 11 running on WP 8.1
In ARM, run in AppContainer
Lots of « missing » legacy features
IE MOBILE
Can’t spawn scientific calc.exe, a bad idea :/
No flash, vml, vbscript, activex, no default pdf viewer etc.
Still accept the compatibility modes
Any public exploit somewhere?
Not to my knowledge
Any private exploit? For sure!
Someone here maybe???
IE MOBILE
Ran a stupid fuzzer
Got a few crashes on IE 11 desktop
Got one with a write-something-where condition
Exploit looks doable, object easy to replace
Does crash IE Mobile!
But does it really crash the way I want? No idea, I can’t debug it :/
IE MOBILE – GETTING A POC
Forget ollydbg, use Visual Studio 2013
Yes we can debug IE Mobile
Hum, actually just the JavaScript
IE MOBILE – DEBUGGING THE THING
= debug something else
= debug IE for WP
Debugging IE just tells you there’s an Access Violation somewhere
With VS 2012 it was possible to debug IE10 on a Surface RT
The same Remote Debugging Tools do not work anymore on Windows 8.1
The new ones do not let you attach to IE :/
Worst case scenario, develop an exploit for IE10 / Win RT and hope it works
on IE11 / WP 8.1. Good luck with that.
IE MOBILE – DEBUGGING THE THING
Idea! What about creating an app embedding IE?
WebView control
IE MOBILE – DEBUGGING THE THING
This is your app so you can debug it!
Fuzz case crashed with 0xC0000005
IE MOBILE – DEBUGGING THE THING
That says something bad happened
Missing symbols
Just a null pointer
IE MOBILE – DEBUGGING THE THING
Original poc does not work :/
Only pages in edge mode are rendered in WebView
Forget the compatibility modes
But great to debug an HTML5 vuln
If you like the VS environment of course
IE MOBILE – DEBUGGING THE THING
An emulator maybe?
Emulators available for WP 8 and 8.1
Run in a VM in Hyper-V
Run in x86, not ARM
Pretty old versions
8.10.14141.167 (before April 2014)
Symbols not available
mshtml and jscript changed a lot between April and November
IE MOBILE – DEBUGGING THE THING
So we can’t debug but maybe we can find the remote dlls?
There’s no app to browse the WP drive (unless you want to see your pics)
APIs are limited but we can still call CreateFile2 to read the system files
Link that to a socket!
You can LoadLibrary too. Just think about kernel32legacy.dll:
IE MOBILE – RETRIEVING THE DLLS
Previous research on IE exploitation involving write-what-where
COleScript::CanObjectRun by Yuki Chen, @guhe120
No ActiveX
« Vital Point Strike », by Yang Yu, @tombkeeper
No jscript.dll :/
No ArrayBuffer in compatibility mode
But still we can corrupt an array length and get an absolute read/write condition
Did I say WP 8.1 ran on 32-bit ARM?
Heap Spray allowed!
IE MOBILE – EXPLOITING IE
Two phones to test
HTC 8S – 1 GHz, RAM 512 MB
Nokia 930 – 2.2 GHz, RAM 2 GB (~= Nokia 1520)
Ideally, exploit would:
Work! (first things first)
Work on the emulators and the phones
Have a good success rate
Should not crash (so we can output debug results on the web page)
IE MOBILE – GETTING AN EXPLOIT
Exploit first developed on Windows 8.1 x86 desktop
Corrupt the length of an Array
Use it to get absolute R/W and locate a JS object in memory
Copy a vtable and overwrite the function at offset 0x104
Call obj.someProperty to crash with EIP controlled in Js::JavascriptOperators::GetItem
Call VirtualProtect to unlock the payload
Call obj.someProperty again to redirect the flow to the payload
Worked on the x86 emulators :)
IE MOBILE – GETTING AN EXPLOIT
Magic VirtualProtect gadget
IE MOBILE – GETTING AN EXPLOIT
Same idea on the ARM device
Corrupt the length of an Array
Use it to get absolute R/W and locate a JS object in memory
Corrupt offset 0xFC in the vtable (formerly 0x104)
Call obj.someProperty to crash with PC controlled in Js::JavascriptOperators::GetItem
Failed! Does not work (as always…)
Can’t debug, no idea what’s happening here
Corrupt instead offsets 0x130 / 0x138 depending on the WP version
Call typeof(obj) to crash in Js::JavascriptOperators::Typeof
IE MOBILE – GETTING AN EXPLOIT
We never get there!
Js::JavascriptOperators::Typeof:
Two additional gadgets to reach VirtualProtect
IE MOBILE – GETTING AN EXPLOIT
Did that work???
MS devs thought of that and added a boolean to the function
See that 1?
IE MOBILE – GETTING AN EXPLOIT
It worked :)
Issue with versions!
We can’t rollback the WP image to a previous one
My HTC phone is still locked with the July version. Send me your
exploits :)
Some WP versions:
8.10.12400.899 – 16 July 2014 <= my phone
8.10.12397.895 – 12 June 2014 <= the pwn2own device
8.10.14147.180 (GDR1) – 4 August 2014 <= the Nokia 930 I bought
IE MOBILE – GETTING AN EXPLOIT
So I couldn’t test on the build their device was running, it was too old! :/
Idea! Do a dynamic ROP, just in case…
Looking at the IE11 desktop versions since April, it seems the gadgets I used have always been there
« It seems ». Had a bad night about that!
Looks like it worked!
Well, on the 2nd try :D
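A small build-ordering helper, added here and not part of the talk, using the WP 8.1 builds listed on these slides: it shows that numeric build order does not match the release dates the slides give (the 8.10.14141 emulator build sorts above the July 8.10.12400 build although it predates it), which matters when deciding which build a test device is really on. The emulator build is only dated "before April 2014" on the slides, so its date in the table is a constructed placeholder.

```python
"""Order Windows Phone 8.1 build strings by number and by release date.

Added example, not from the talk. Builds and dates are the ones on the
slides; the emulator date (2014-03-31) is a constructed placeholder.
"""
from datetime import date

# (build string, release date, note); emulator date is a placeholder.
BUILDS = [
    ("8.10.12400.899", date(2014, 7, 16), "speaker's phone"),
    ("8.10.12397.895", date(2014, 6, 12), "pwn2own device"),
    ("8.10.14147.180", date(2014, 8, 4), "Nokia 930 (GDR1)"),
    ("8.10.14141.167", date(2014, 3, 31), "emulator (placeholder date)"),
]


def parse_build(build: str) -> tuple:
    """Turn '8.10.12400.899' into (8, 10, 12400, 899) for numeric comparison."""
    parts = build.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build string: {build!r}")
    return tuple(int(p) for p in parts)


def newer_build(a: str, b: str) -> bool:
    """True when build a carries a higher build number than build b."""
    return parse_build(a) > parse_build(b)


def order_by_build(entries) -> list:
    """Build strings ordered by build number, lowest first."""
    return [b for b, _, _ in sorted(entries, key=lambda e: parse_build(e[0]))]


def order_by_date(entries) -> list:
    """Build strings ordered by release date, oldest first."""
    return [b for b, _, _ in sorted(entries, key=lambda e: e[1])]


def build_order_matches_dates(entries) -> bool:
    """Does numeric build order agree with chronological order?
    For the slide data it does not: the 141xx emulator build sorts above
    the July 124xx build although it was released earlier."""
    return order_by_build(entries) == order_by_date(entries)


if __name__ == "__main__":
    print("by build:", order_by_build(BUILDS))
    print("by date: ", order_by_date(BUILDS))
    print("agree:   ", build_order_matches_dates(BUILDS))
```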
IE MOBILE – GETTING AN EXPLOIT
Some words about the payload
VS 2013 comes with armasm.exe
Build your payload with armasm test.asm test.obj
The generated output does not resolve symbols
Compile a valid exe and extract the shellcode from:
IE MOBILE – WRITE YOUR PAYLOAD
Create an app in VS 2013 and debug step by step the machine code:
IE MOBILE – WRITE YOUR PAYLOAD
What to do in the sandbox?
Not much. AppContainer only lets you read files under the INTERNETEXPLORER directory
We can still dump the cookie database
IE MOBILE – WHAT TO DO WITH YOUR PAYLOAD?
But don’t browse too much or exploit fails :/
Potential buffer overflow :S
IE MOBILE – CAN WE GET OUT OF THE SANDBOX?
Not that « surprising »
Can we prison break?
Yes we can! We always can!
Tried for two weeks and…
… clearly failed that part!
So I can’t :/
IE MOBILE – CAN WE GET OUT OF THE SANDBOX?
Angry cat stuck in the sandbag
Many undocumented features or code rewrite
CoreApplicationShim.dll
CoreUIComponents.dll
Ole32_wp.dll
Minuser.dll
There must be a broker somewhere
But who??
Let’s try with CoCreateUserBroker and SetClipboardData
IE MOBILE – CAN WE GET OUT OF THE SANDBOX?
MSHTML.dll Desktop
MSHTML.dll Mobile IE
IE MOBILE – CAN WE GET OUT OF THE SANDBOX?
Spot the diff!
MSHTML.dll Desktop – Imports
MSHTML.dll IE Mobile – Imports
IE MOBILE – CAN WE GET OUT OF THE SANDBOX?
Let’s have a look at the clipboard: in minuser.dll
Wrong turn!
IE MOBILE – CAN WE GET OUT OF THE SANDBOX?
Let’s have a look at the clipboard: ie_shims.dll actually
IE MOBILE – CAN WE GET OUT OF THE SANDBOX?
Let’s have a look at the clipboard:
Never heard of that.
Idea someone?
IE MOBILE – CAN WE GET OUT OF THE SANDBOX?
Let’s have a look at the clipboard:
Looks like there’s a COM here.
But who? where?? how???
IE MOBILE – CAN WE GET OUT OF THE SANDBOX?
There’s a « save picture » feature too:
Save a picture to the screenshots folder
But who handles that??
IE MOBILE – CAN WE GET OUT OF THE SANDBOX?
Attack the kernel maybe?
WP 8.1 does not let you allocate at 0
IE MOBILE – CAN WE GET OUT OF THE SANDBOX?
And even if you have a kernel panic… Who? What? Where? How? Why?
That means we crashed. And badly!
IE MOBILE – RECAP
IE Mobile
Built on a robust system
Perhaps too much obscurity?
Can still be pwned
Things I haven’t done
Play with the Windows Phone Kits
Not free (~ $100)
Not even sure we can properly debug IE / WP kernel
Load malicious fonts, or mess with windows and menus
Play with a WP 10 (Windows 10 Mobile)
THANKS!
NEXT TIME I’LL TEACH HIM HOW TO BREAK SANDBOXES!
IE MOBILE – REFERENCES
https://labs.mwrinfosecurity.com/system/assets/128/original/mwri_wp7-bluehat-technical_2011-11-08.pdf
http://andreycha.info/files/hip-13/Windows-Phone-8-application-security-slides.pdf
https://labs.mwrinfosecurity.com/system/assets/651/original/mwri_wp8_appsec-whitepaper-syscan_2014-03-30.pdf
http://hitcon.org/2014/downloads/P1_06_Chen%20Zhang%20-%20Smashing%20The%20Browser%20-%20From%20Vulnerability%20Discovery%20To%20Exploit.pdf
https://cansecwest.com/slides/2014/ROPs_are_for_the_99_CanSecWest_2014.pdf