One Root To Own Them All
Black Hat US 2013
Jeff Forristal @ Bluebox

Outline
• Introduction
• Android APK Overview
• Jar and Jar Signer
• Exploit Analysis
• APK Install Process
  – Normal Case
  – Abnormal Case
• Vulnerability Point
• Patch
• Similar Approach
• Conclusion
• Reference

Introduction

Vulnerability Description

Attack Surface

Android APK Overview

Android APK
• APK stands for Android application package file.
• It is just a Jar file plus a few additional files that Android needs.

Android APK Content
• Package resource files:
  – Android Manifest
  – Pictures, audio files, etc.
• classes.dex
• META-INF/Manifest.MF

Compile Android APK
• What we usually do:
  – 1. Write the code in Eclipse / Android Studio
  – 2. Press the compile button
  – Simple and easy

Compile Android APK
• 1. aapt creates R.java from the following files:
  – Android Manifest
  – Resources
  – Assets
• 2. javac compiles the source code together with some libraries -> generates many *.class files.
• 3. dx transforms the Java bytecode into Dalvik bytecode -> the many *.class files are merged into one classes.dex.
• 4. apkbuilder generates the unsigned APK from the following files:
  – classes.dex
  – Package resource files
• 5. jarsigner signs the unsigned APK, producing the signed APK
  – E(unsigned APK, Key) = signed APK

Jar and JarSigner

Jar
• Jar stands for Java Archive
• The Jar file format is the same as the Zip file format
• File contents:
  – *.class files
  – Resources
  – META-INF/Manifest.MF

Jar / Android APK (comparison figure)

JarSigner
• Generates the signature for a JAR (Java Archive)
• Verifies the signature of a signed JAR file
• Two additional files are placed in the META-INF directory:
  – the signature file, with the .SF extension
  – the signature block file, with the .DSA extension

JarSigner - Signing (figure: aapt, jarsigner)

JarSigner - Signing: Integrity

JarSigner - Signing: Identity

JarSigner - Signing: Certificate
  – Public Key
  – Digital Signature for the Certificate

Attempts
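As an added illustration of the integrity layer in the JarSigner slides (not the talk's code and not jarsigner itself): a simplified model of the MANIFEST.MF / .SF digest chain, with a check that every entry still matches the digest recorded for it. Function names and the sample entries are constructed here; the .DSA signature block over the .SF bytes is not modelled.

```python
import base64
import hashlib

SAMPLE_FILES = {  # constructed sample entries, not taken from a real APK
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00constructed",
}

def sha1_b64(data):
    """Digest encoding used in MANIFEST.MF and .SF: base64 of the raw SHA-1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def parse_sections(text):
    """Split a manifest-style file into a list of {key: value} sections."""
    return [dict(line.split(": ", 1) for line in sec.split("\r\n") if ": " in line)
            for sec in text.decode("utf-8").split("\r\n\r\n") if sec]

def build_manifest(files):
    """META-INF/MANIFEST.MF: a main section, then one named section per entry."""
    out = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in files.items():
        out += "Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (name, sha1_b64(data))
    return out.encode("utf-8")

def build_sf(manifest):
    """The .SF file: digest of the whole manifest plus one per named section;
    the .DSA block (not modelled here) is a signature over these .SF bytes."""
    out = "Signature-Version: 1.0\r\nSHA1-Digest-Manifest: %s\r\n\r\n" % sha1_b64(manifest)
    for sec in manifest.decode("utf-8").split("\r\n\r\n")[1:]:
        if sec:
            name = sec.split("\r\n")[0][len("Name: "):]
            out += "Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (name, sha1_b64((sec + "\r\n\r\n").encode()))
    return out.encode("utf-8")

def verify_integrity(files, manifest, sf):
    """Integrity step of verification: the manifest must match the .SF and every
    non-META-INF entry must match its manifest digest. Returns the failing names."""
    failures = []
    if parse_sections(sf)[0].get("SHA1-Digest-Manifest") != sha1_b64(manifest):
        failures.append("META-INF/MANIFEST.MF")
    digests = {s["Name"]: s for s in parse_sections(manifest) if "Name" in s}
    for name, data in files.items():
        if name.startswith("META-INF/"):
            continue
        if name not in digests or digests[name].get("SHA1-Digest") != sha1_b64(data):
            failures.append(name)
    return failures
```

The check only covers the entries the verifier is handed; an entry it never sees is never digested, which is the gap the install-process slides go on to show.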

APK Install Process

Overview (figure)
PackageManager
  – PackageParser: parsing package and verify
  – Installer: sending command to installd
  – PackageHandler: handle event

Overview
• Parsing
• Verify
• Install

Parsing (figure)
JarFile.class / JarEntry.class
Android APK: File 1, File 2, File 3, File 4, Central Directory
Central Directory: File 1 Meta-Data, File 2 Meta-Data, File 3 Meta-Data, File 4 Meta-Data, End of Central Directory

Parsing, Verify and Install
• 1. Get the entries list from the Central Directory.
• 2. Create a JarEntry object for each entry and put it into the mEntries HashMap.
  – The index is calculated by:
    • secondHash(String entry name)
• 4. JarVerifier verifies each entry according to mEntries.
• 5. After verification, find the classes.dex entry and install it.

Normal Case

Parsing (figure)
Android APK: Manifest.xml, META-INF, res, classes.dex, Central Directory
Central Directory: 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. res Meta-Data, End of Central Directory
mEntries (ZipEntry objects): Manifest.xml, Classes.dex, META-INF, res, ……..

Verify (figure)
mEntries (ZipEntry objects): Manifest.xml, Classes.dex, META-INF, res, ……..

Install (figure)
Central Directory: 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. res Meta-Data, End of Central Directory
classes.dex -> installd

What If …
Android APK: Manifest.xml, META-INF, res, classes.dex, Central Directory
Modified APK: classes.dex, res, Central Directory, Manifest.xml, META-INF, classes.dex

Parsing (figure)
Central Directory: 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. classes.dex Meta-Data, 5. res Meta-Data, End of Central Directory
mEntries (ZipEntry objects): Manifest.xml, Classes.dex, META-INF, res, …….. (one Classes.dex slot for the two entries)

Verify (figure)
mEntries (ZipEntry objects): Manifest.xml, Classes.dex, META-INF, res, ……..
!!!!!!

Install (figure)
Central Directory: 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. classes.dex Meta-Data, 5. res Meta-Data, End of Central Directory
classes.dex -> installd
!!!!!!
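The duplicate-entry condition the slides walk through, as an added example that is not from the talk or from the Android code base: a small Central Directory walker that lists every entry, repeats included, flags names that occur more than once (the check a reviewer of an APK wants), and shows how a name-keyed HashMap that keeps the last put and a scan that stops at the first match resolve classes.dex to different bytes. Function names are assumptions; the sample archive is constructed inline with Python's zipfile.

```python
import io, struct, warnings, zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record
CDH_SIG = b"PK\x01\x02"    # Central Directory file header

def central_directory_entries(data):
    """Walk the Central Directory; return (name, crc32) per entry, in order, duplicates kept."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no End of Central Directory record")
    # sig, disk, cd disk, entries on disk, total entries, cd size, cd offset, comment len
    _, _, _, _, total, _, pos, _ = struct.unpack("<4s4H2LH", data[eocd:eocd + 22])
    entries = []
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad Central Directory header at offset %d" % pos)
        f = struct.unpack("<4s6H3L5H2L", data[pos:pos + 46])
        crc, name_len, extra_len, comment_len = f[7], f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8")
        entries.append((name, crc))
        pos += 46 + name_len + extra_len + comment_len
    return entries

def duplicate_names(entries):
    """Names listed more than once, mapped to their CRCs in directory order."""
    seen = {}
    for name, crc in entries:
        seen.setdefault(name, []).append(crc)
    return {n: c for n, c in seen.items() if len(c) > 1}

def resolve(entries, name, last_wins):
    """The two lookup policies in the slides: a name-keyed HashMap overwritten on
    each put (last entry wins) versus a scan that stops at the first match."""
    matches = [crc for n, crc in entries if n == name]
    if not matches:
        raise KeyError(name)
    return matches[-1] if last_wins else matches[0]

def build_sample_apk():
    """Constructed sample: an APK-shaped zip whose Central Directory lists classes.dex twice."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate name but writes it
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", "<manifest/>")
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("classes.dex", b"dex\n035\x00first copy")
            zf.writestr("res/strings.xml", "<resources/>")
            zf.writestr("classes.dex", b"dex\n035\x00second copy")
    return buf.getvalue()
```

A non-empty result from duplicate_names on an incoming APK is the signal to reject it before any signature check is trusted.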