2009 Hack.lu Slides WM6 Rootkit

8/9/2019 2009 Hack.lu Slides WM6 Rootkit

1/59

When E.T. comes into Windows Mobile 6a.k.a. PoC(k)ET

Cedric HalbronnSogeti / ESEC R&D

cedric(at)security-labs.org

Hack.lu 2009
http://goforward/http://find/http://goback/


2/59

Context / ObjectivesTechnical aspects of WM6

ImplementationDemo

Conclusion

1 Context / Objectives

2 Technical aspects of WM6

3 ImplementationGeneral architectureInjectionProtectionBackdoorServices

4 Demo

C. Halbronn When E.T. comes into Windows Mobile 6 2/35
http://find/http://goback/http://www.esec.fr.sogeti.com/


3/59


ImplementationDemo

Conclusion

Context

Who am I?Security researcher working at Sogeti ESEC R&D labFocusing on mobile security

A smartphone?

Mobile phone - smartphoneVarious services

PDA, Web, camera, GPS, microphone, etc.Current OS :

Symbian, RIM OS, Windows Mobile 6, iPhone OS, Android

Studies on mobile phones rootkits capabilities still limited



4/59


ImplementationDemo

Conclusion

Context

Who am I?Security researcher working at Sogeti ESEC R&D labFocusing on mobile security

A smartphone?

Mobile phone - smartphoneVarious services

PDA, Web, camera, GPS, microphone, etc.Current OS :

Symbian, RIM OS, Windows Mobile 6, iPhone OS, Android

Studies on mobile phones rootkits capabilities still limited



5/59


ImplementationDemo

Conclusion

Objectives

TODO listDevelop a rootkit for WM6

What is a rootkit?

Post-exploitationComponents:

InjectionProtectionBackdoorServices

Taking into account...Embedded constraints / mobile environment

Services on the tableC. Halbronn When E.T. comes into Windows Mobile 6 4/35

C / Obj i


6/59


ImplementationDemo

Conclusion

Objectives


What is a rootkit?





C t t / Obj ti


7/59


ImplementationDemo

Conclusion

Objectives


What is a rootkit?





Context / Objectives


8/59


ImplementationDemo

Conclusion




4 Demo




9/59


ImplementationDemo

Conclusion

Virtual Memory Address Space

Global Virtual Memory Address Space (4GB)




10/59


ImplementationDemo

Conclusion

Loading DLLs

Loading DLLs under Windows Mobile 6




11/59


ImplementationDemo

Conclusion

Security policies

Where?Registry: [HKLM \ Security \ Policies \ Policies]

Some examplesPolicy ID DescriptionAuto Run Policy 2 0 (allowed to run automatically), 1 (restricted)Unsigned Applications Policy 1006 1 (allowed to run), 0 (not allowed to run)Unsigned Prompt Policy 101A 0 (user will be prompted), 1 (user will not be prompted)Password Required Policy 1023 0 (a password is required), any other (a password is not required)




12/59

jTechnical aspects of WM6

ImplementationDemo

Conclusion

Security policies

Where?Registry: [HKLM \ Security \ Policies \ Policies]

Some examplesPolicy ID DescriptionAuto Run Policy 2 0 (allowed to run automatically), 1 (restricted)Unsigned Applications Policy 1006 1 (allowed to run), 0 (not allowed to run)Unsigned Prompt Policy 101A 0 (user will be prompted), 1 (user will not be prompted)Password Required Policy 1023 0 (a password is required), any other (a password is not required)




13/59


ImplementationDemo

Conclusion

Application signing

Stores for code executionPrivileged store: privileged execution trust authoritiesUnprivileged store: unprivileged execution trust authorities

SPC (Software Publisher Certicates) store: trust authoritiesfor CAB installation- sign DLLs, EXEs or CABs and put certicate in right store

Stores for SSL chain validation, NOTHING to do with codeexecution

MY: end-user personal certicatesCA: intermediary certication authorities certicatesROOT: root (self-signed) certicates




14/59


ImplementationDemo

Conclusion

Application signing

Stores for code executionPrivileged store: privileged execution trust authoritiesUnprivileged store: unprivileged execution trust authorities

SPC (Software Publisher Certicates) store: trust authoritiesfor CAB installation- sign DLLs, EXEs or CABs and put certicate in right store

Stores for SSL chain validation, NOTHING to do with codeexecution

MY: end-user personal certicatesCA: intermediary certication authorities certicatesROOT: root (self-signed) certicates


Context / Objectivesh l f

General architecture


15/59

Technical aspects of WM6Implementation

DemoConclusion





4 Demo


Context / ObjectivesT h i l t f WM6

General architectureI j ti


16/59


DemoConclusion


Plan



3 ImplementationGeneral architectureInjectionProtection

BackdoorServices

4 Demo



General architectureInjection


17/59


DemoConclusion


Technical choices

ArchitectureHide its presence from phones user

Expatriate information

Technical choices

32-process limit - Single .EXE multi-threads

DLLs impact-

limit their sizeBattery usage - limit actions when neededHeterogeneous environment





18/59


DemoConclusion


Technical choices

ArchitectureHide its presence from phones user

Expatriate information

Technical choices

32-process limit - Single .EXE multi-threads

DLLs impact-

limit their sizeBattery usage - limit actions when neededHeterogeneous environment





19/59


DemoConclusion


Architecture

Rootkit general architectureC. Halbronn When E.T. comes into Windows Mobile 6 13/35




20/59


DemoConclusion


Plan




BackdoorServices

4 Demo





21/59

ec ca aspects o W 6Implementation

DemoConclusion

ject oProtectionBackdoorServices

Rootkit injection

Injection methodsSmartphone accessVulnerability exploit-

Ex: MMS handler in WM2003WAP Push messageWeb link- Ex: Etisalat operator in the UnitedArab Emirates (UAE) for Blackberries

OTA provisioning

Our contextSmartphone accessUnsigned CAB - Pop-up

Pop-up





22/59

pImplementation

DemoConclusion

jProtectionBackdoorServices

Rootkit injection

Injection methodsSmartphone accessVulnerability exploit- Ex: MMS handler in WM2003WAP Push message

Web link- Ex: Etisalat operator in the UnitedArab Emirates (UAE) for Blackberries

OTA provisioning

Our contextSmartphone accessUnsigned CAB - Pop-up

Pop-up





23/59

ImplementationDemo

Conclusion

ProtectionBackdoorServices

Plan




BackdoorServices

4 Demo





24/59

ImplementationDemo

Conclusion


Automatic startup for an application

Auto-start methods[HKLM \ Init]

\ Windows \ Startup Create a service- DLL loaded byServices.exe

Our choice\ Windows \ Startup



I l i

General architectureInjectionP i


25/59

ImplementationDemo

Conclusion


Automatic startup for an application

Auto-start methods[HKLM \ Init]

\ Windows \ Startup Create a service- DLL loaded byServices.exe

Our choice\ Windows \ Startup



I l t ti

General architectureInjectionP t ti


26/59

ImplementationDemo

Conclusion


Hide unsigned apps (1/2)

By defaultNecessary so we do NOT alert the phone user

First attemptDisable the unsigned prompt policy[HKLM \ Security \ Policies \ Policies] 0000101a=dword:1

ResultNot good, because all external unsigned applications will runwithout alerting the user


Context / ObjectivesTechnical aspects of WM6Implementation

General architectureInjectionProtection


27/59

ImplementationDemo

Conclusion










28/59

ImplementationDemo

Conclusion










29/59

ImplementationDemo

Conclusion



Second attemptBetter to have our own certicateWe can sign our binaries and put

our certicate in Privileged store

Visible stores on the deviceMY, CA, ROOTOther stores are NOT visible

ResultOur own certicate will not be visibleon the device

Visible certicate stores





30/59

ImplementationDemo

Conclusion












31/59

pDemo

ConclusionBackdoorServices











32/59

pDemo

ConclusionBackdoorServices

Hide processes (1/2)

First attemptBy default, not needed. Task Manager does NOT show themApparently, it does not show processes that do not have avisible window.

WM6 TaskManager TaskM anagerCE by K. Varma (c)





33/59

DemoConclusion

BackdoorServices


Second attemptFor better results, possible to hide them a little bit more.Using method from Petr Matousek (2007).

DetailsNo doubly-linked list here32 processes are stored in a PPROCESS table[32];

Function listing the processesBrowses this tableVeries a condition on the process name to consider the slotusedPutting the name to NULL - it is NOT listed



D

General architectureInjectionProtectionB kd


34/59

DemoConclusion

BackdoorServices



DetailsNo doubly-linked list here32 processes are stored in a PPROCESS table[32];Function listing the processes

Browses this tableVeries a condition on the process name to consider the slotusedPutting the name to NULL - it is NOT listed



D

General architectureInjectionProtectionB kd


35/59

DemoConclusion

BackdoorServices

Hide les

First attemptAt rst, not needed, who browse les on mobile phones?


DetailsInject a DLL into the process handling the le systemfunctionsHook the le listing functions: FindFirstFileW ,FindNextFileW



Demo

General architectureInjectionProtectionBackdoor


36/59

DemoConclusion

BackdoorServices

Hide les






Demo



37/59

DemoConclusion

BackdoorServices

Hide les






Demo



38/59

DemoConclusion

BackdoorServices

Hide CAB installation (1/3)

Add/Remove Programs

CAB installation management[HKLM \ Security \ AppInstall] A key is created in it for the installed app



Demo



39/59

DemoConclusion

BackdoorServices


Add/Remove Programs

CAB installation management[HKLM \ Security \ AppInstall] A key is created in it for the installed app



Demo



40/59

Conclusion Services


First attemptMethod taken from Airscanner Mobile FirewallWhen putting the value Role to 0, it disappear from the list

Airscanner MobileFirewall (c)



Demo



41/59

Conclusion Services


Second attemptIn visual studio, specify theNoUninstalloption in CAB project

ResultDo not create a key in

[HKLM \ Security \ AppInstall] No way to detect it in the registry NoUninstall option



Demo



42/59

Conclusion Services


Second attemptIn visual studio, specify theNoUninstalloption in CAB project

ResultDo not create a key in

[HKLM \ Security \ AppInstall] No way to detect it in the registry NoUninstall option



Demo



43/59

Conclusion Services

Plan




BackdoorServices

4 Demo



DemoC l i

General architectureInjectionProtectionBackdoorS i


44/59

Conclusion Services

TCP/IP communication

Means of communicationData networks: GPRS, Edge, 3GWi-Fi

ActiveSync

How to do it?Phone is behind a NAT- A TCP/IP server on the attackers side

Save battery life

Detect a connection - then, use it.

Communication Manager



DemoC l i

General architectureInjectionProtectionBackdoorS i


45/59

Conclusion Services



ActiveSync


Save battery life





DemoConclusion

General architectureInjectionProtectionBackdoorServices


46/59

Conclusion Services



ActiveSync


Save battery life





DemoConclusion



47/59

Conclusion Services

An alternative means?

ProblemHow to control the device when there is no Data connectivity?- Necessary to nd an alternative means of communication

SMS messages

Command SMS - intercepted

Standard COM registration HKEY CLASSES ROOT\ CLSID\ \ InProcServer32@=SMSIntercept.dll

MAPI Inbox HKEY LOCAL MACHINE\ Software \ Microsoft \ Inbox \ Svc \ SMS\ Rules=dword:1

represents the COM objects class ID GUID.

Registry keys dened to intercept SMS messages

Side effectWhen intercepting an SMS, the phone automatically switches on.



DemoConclusion



48/59

Conclusion Services



SMS messages









ImplementationDemo

Conclusion



49/59

Conclusion Services



SMS messages









ImplementationDemo

Conclusion



50/59



SMS messages









ImplementationDemo

Conclusion



51/59

Protocol

Communication protocol



ImplementationDemo

Conclusion



52/59

Plan




4 Demo



ImplementationDemo

Conclusion



53/59

Services

Services on the tableContacts : last name, rst name, mobile phoneSMS : delivery time, sender, contentE-mails : sender, recipients, delivery time, subject, contentGPS : latitude, longitude

Registers to the OSNotication when data are available



ImplementationDemo

Conclusion


54/59



3 ImplementationGeneral architectureInjectionProtectionBackdoor

Services4 Demo



ImplementationDemo

Conclusion


55/59

Demo



ImplementationDemo

Conclusion


56/59

Conclusion

ResultsNot detected by AVsOnly detectable if we know where to look for

Limits / enhancementDLLs, registry keys, network connectionsCompression / encryption of communicationsServices : phone-tapping, microphone,

camera...

Attacker point of viewWin32 APIs but embedded constraints

What about the other mobile OS?

AirscannerAntivirus



ImplementationDemo

Conclusion


57/59

Conclusion



camera...



AirscannerAntivirus



ImplementationDemo

Conclusion


58/59

Conclusion



camera...



AirscannerAntivirus



ImplementationDemo

Conclusion


59/59

Questions?

Thank you for your attention


Documents

2009 Hack.lu Slides WM6 Rootkit