Pulling a John Connor Defeating Android Charlie Miller

Pulling a John Connor: Defeating Android Charlie Miller Independent Security Evaluators cmiller@securityevaluators. com

About me Former National Security Agency First to hack the i. Phone and Android G 1 phone Won Mac. Book Air at Pwn 2 Own competition with Safari 0 day Author of “Fuzzing for Software Security Testing and Quality Assurance” Author of “The Mac Hackers Handbook” Due out in a few weeks

Outline Phone hacking Android security model Attack surface Bug hunting Exploit dev After access is achieved

Smart phone hacking is fun! Small but capable computers Always on Always connected to the Internet (Wi-Fi, EDGE, 3 G) Cellular capabilities

Personal information Contacts Voicemail Pictures and movies Web credentials and cookies Email and text messages Calendar and events GPS information

Good hacker asset “Smart phone DOS” Instant financial gain 1 -900 numbers, text messages, etc GPS (contrast with random compromised box on Internet) Listening device Circumvent network security protections

Smart phone DDOS

Out of band communication

Issues for defense Typically no AV on phones NIDS can be avoided with SMS Hard to determine phone has been compromised Tricky forensics Phones go to Starbucks for a break

Android basics Open source, free, mobile platform One production phone runs it, T-Mobile G 1 Consists of OS, middleware, some applications Linux kernel Webkit based browser

Smart phone 3 G / Wi. Fi / Bluetooth Web browser SMS/MMS messaging Audio/video player AOL IM client GPS, integration with google maps. . . etc

Security Architecture Linux - traditional user id Fine grained access controls

Linux based controls Each application gets its own UID (unless specifically shared) Application data is stored such that it is user readable/writable only (unless specifically shared) # ps. . . radio 81 23 101936 19552 ffff afe 0 c 534 S com. android. phoneapp_4 85 23 98352 19120 ffff afe 0 c 534 S android. process. acoreapp_8 106 23 93732 14564 ffff afe 0 c 534 S com. google. process. gappsapp_11 119 23 100048 14992 ffff afe 0 c 534 S com. android. mmsapp_0 131 23 90540 14232 ffff afe 0 c 534 S com. android. alarmclockapp_3 139 23 91668 15076 ffff afe 0 c 534 S android. process. mediaapp_1 164 23 117732 25984 ffff afe 0 b 23 c R com. android. browserapp_18 308 23 93496 16016 ffff afe 0 c 534 S net. gimite. nativeexeapp_19 701 23 91388 14448 ffff afe 0 c 534 S charlie. mygpsmedia 4908 1 17280 4064 ffff afe 0 b 45 c S /system/bin/mediaserver

Access controls Applications have install-time permissions associated with them User is informed what permissions it will require and may accept or reject “pm list permissions” Otherwise Security. Exception is (typically) thrown

Browser permissions $. /adb pull /system/app/Browser. apk. $. /aapt dump xmltree Browser. apk Android. Manifest. xml | grep 'permission. ' | cut -f 2 d"com. google. android. googleapps. permission. GOOGLE_AUTH android. permission. ACCESS_COARSE_LOCATIONandroid. permi ssion. ACCESS_DOWNLOAD_MANAGERandroid. permission. ACCE SS_FINE_LOCATIONandroid. permission. ACCESS_NETWORK_STAT Eandroid. permission. ACCESS_WIFI_STATEcom. android. launche r. permission. INSTALL_SHORTCUTandroid. permission. INTERNE Tandroid. permission. WAKE_LOCK

Permissions in action After browser exploit iduid=10001(app_1) groups=3003(inet) ls /dataopendir failed, Permission denied ls /data/com. android. providers. telephony/databases/opendir failed, Permission denied logcat. Unable to open log device '/dev/log/main': Permission denied

Application Development SDK with emulator freely available All development done in Java Only signed. apk (Java apps) may be run May use self-signed certificate Apps may run in the background

C and Android Can write C/C++ apps with a gcc ARM cross-compiler Some issues with non-standard libc (bionic) Can’t do this in a Google supported way Debugging sucks, SDK “debugger” is a Java debugger $. /arm-2007 q 3/bin/arm-none-linux-gnueabi-gcc -static -o hello. c $ file hello: ELF 32 -bit LSB executable, ARM, version 1 (SYSV), for GNU/Linux 2. 6. 14, statically linked, for GNU/Linux 2. 6. 14, not stripped # chmod 700 /data/busybox/hello# /data/busybox/hello. Hello world

Dynamically linking is harder Download and build android source code (including bionic) Use the prebuilt toolchain (for Linux or Mac OS X) Use “agcc” wrapper to set all the flags you need Get it from: http: //plausible. org/andy/agcc $. /arm-2007 q 3/bin/arm-none-linux-gnueabi-gcc -o hello. c # /data/busybox/hello: not found $. /agcc. pl -o hello. c # /data/busybox/hello hi

Tale of firmwares RC 19 - Original factory install (old Webkit bug) RC 28 - a few people got this before RC 29 rolled out RC 29 - Fixed Webkit bug, had local root bug RC 30 - No more root 1. 1/RC 33 - Feature upgrade, all bugs fixed ; ) RC 7 - UK version of RC 29 RC 8 - UK version of RC 30 ADP 1 - Android Dev Phone 1. 0 ~ RC 28?

Flashing Download firmware https: //android. clients. google. com/updates/signed-kila-ota-115247 prereq. TC 4 -RC 19+RC 28. zip https: //android. clients. google. com/updates/signed-RC 30 -from-RC 29 fat. 1582 cace. zip Put firmware on SD card as update. zip Hold Home+End keys to enter system recovery Alt-S to start installing firmware http: //forum. xda-developers. com/showthread. php? t=466455 Found by Dark. Rift (January 2009)

Rooting your own phone Flash the phone with RC 29 Exploit local privilege escalation bug init. rc: service console /system/bin/shconsole Upgrade to modified latest firmware See: http: //android-dls. com/wiki/index. php for details

Attack surface Server side Client side

Server side Bluetooth, wireless, network stack, etc Nothing listening on TCP/UDP : ( Sometimes you’ll see port 5555 - Android Debug Bridge (adb) # /data/busybox/netstat -an. Active Internet connections (servers and established)Proto Recv-Q Send-Q Local Address Foreign Address Statetcp 0 0 127. 0. 0. 1: 5037 0. 0: * LISTEN tcp 0 0 0. 0: 5555 0. 0: * LISTEN tcp 0 0 10. 0. 2. 15: 5555 10. 0. 2. 2: 50587 ESTABLISHED

Client side - much nicer Web browser Email client IM client SMS/MMS Multimedia player Android Market apps etc

Java - safety? In theory these are all Java applications - and thus should be immune to memory corruption However the JVM is built on top of many C/C++ libraries Some API functions pass data to C/C++ daemons for processing

Android libraries Bionic - custom libc implementation open. Core - multimedia functionality SGL - image rendering Web. Kit - HTML, JS rendering All this is open source and C/C++

Bug hunting Static analysis Dynamic analysis

Static Analysis Source code freely available http: //source. android. com/download Can build, read, run through tools, etc

Browser File Formats libsgl code is interesting (and buggy) From external/skia/libsgl/ports/Sk. Image. Decoder_Fa ctory. cpp static const Codec. Format g. Pairs[] = { { Sk. Image. Decoder_GIF_Factory, Sk. Image. Decoder: : k. GIF_Format }, { Sk. Image. Decoder_PNG_Factory, Sk. Image. Decoder: : k. PNG_Format }, { Sk. Image. Decoder_ICO_Factory, Sk. Image. Decoder: : k. ICO_Format }, { Sk. Image. Decoder_WBMP_Factory, Sk. Image. Decoder: : k. WBMP_Format }, { Sk. Image. Decoder_BMP_Factory, Sk. Image. Decoder: : k. BMP_Format }, { Sk. Image. Decoder_JPEG_Factory, Sk. Image. Decoder: : k. JPEG_Format }};

Read the source Here is an indication of the code quality from external/skia/libsgl/images/Sk. Image. Decoder_libico. cpp bool Sk. ICOImage. Decoder: : on. Decode(Sk. Stream* stream, Sk. Bitmap* bm, Sk. Bitmap: : Config pref, Mode mode). . . if (stream->read((void*)buf, length) != length) { return false; }. . . int offset = read 4 Bytes(buf, 18 + i*16); int bit. Count = read 2 Bytes(buf, offset+14);

Fuzzing The Android comes with an Emulator QEMU-based, ARM processor emulated Full Android stack Not updated as frequently as devices The Web. Kit bug still crashes the emulator Can fuzz emulator or device

Emulator Fuzzing the emulator is convenient Don’t need device Can stick it in VMware and snapshot it Can even do exploit dev on it - to a point If things get hosed do: . /emulator -wipe-data

ADB Android debugging bridge Allows to push files on off emulator/device Gives shell on emulator/device Gives root on emulator, “shell” on device Can watch system logs

ADB in action >adb devices. List of devices attached. HT 845 GZ 52307 device >adb shell$ iduid=2000(shell) groups=1003(graphics), 1004(input), 1007(log), 1011(adb), 3003(inet) >adb logcat. D/Keyguard. View. Mediator( 52): wake. When. Ready. Locked(82)D/Keyguard. View. Mediator( 52): handle. Wake. When. Ready(82)D/Keyguard. View. Mediator( 52): poke. Wakelock(5000)D/Surface. Flinger( 52): Screen about to return, flinger = 0 x 14 f 7 e 0 D/dalvikvm( 52): GC freed 19203 objects / 913184 bytes in 256 ms. V/Wifi. Monitor( 52): Event [CTRL-EVENT-DRIVER-STATE STARTED]

Fuzzing the browser Fuzzing HTTP, Java Script, images, etc Can be done with Java. Script Meta-Refresh action Image $test_case_number : ";

Watching for crashes Use logcat to watch for crashes Examples coming

Demo: Fuzzing. ico

Fuzzing Music Player Fuzzing other apps requires actually launching them from the command line and directing them to the fuzzed test cases Remember the apps are Java bytecode Need to launch inside the virtual machine

Command line Need action and component for application Get this from Android. Manifest. xml from the. apk file $. /aapt dump xmltree Music. apk Android. Manifest. xml | grep 'intent. action' | sort -u A: android: name(0 x 01010003)="android. intent. action. CREATE_SHORTCUT" (Raw: "android. intent. action. CREATE_SHORTCUT") A: android: name(0 x 01010003)="android. intent. action. EDIT" (Raw: "android. intent. action. EDIT") A: android: name(0 x 01010003)="android. intent. action. MAIN" (Raw: "android. intent. action. MAIN") A: android: name(0 x 01010003)="android. intent. action. MEDIA_BUTTON" (Raw: "android. intent. action. MEDIA_BUTTON") A: android: name(0 x 01010003)="android. intent. action. PICK" (Raw: "android. intent. action. PICK") A: android: name(0 x 01010003)="android. intent. action. SEARCH" (Raw: "android. intent. action. SEARCH") A: android: name(0 x 01010003)="android. intent. action. VIEW" (Raw: "android. intent. action. VIEW") $. /aapt dump xmltree Music. apk Android. Manifest. xml | grep -B 3 VIEW | grep name | grep -v VIEW A: android: name(0 x 01010003)="Stream. Starter" (Raw: "Stream. Starter")

Launch the app! #!/usr/bin/env pythonimport sys, os, time, subprocessadb="~/android-sdk -mac_x 86 -1. 0_r 2/tools/adb"logdump=[adb, "logcat", "-d"]cmd=[adb, "shell", "am", "start", "android. intent. action. VIEW", "n", "com. android. music/com. android. music. Stream. Starter", sys. argv[2]] # Clear system logos. system(adb + " logcat -c") log=""cmdout = subprocess. Popen(cmd, stdout=subprocess. PIPE). stdoutstart=0 testtime=int(sys. argv[1])/1000. 0 while(time()-start < testtime or start == 0): log= subprocess. Popen(logdump, stdout=subprocess. PIPE). communicate()[0] if(start==0): start=time() time. sleep(1)print log

Demo: Fuzzing Music

An exploitable bug in RC 33 Notified Google on Jan 21, 2009 17 days ago Still a 0 -day in G 1 phones In libpvplayer. so (open. Core) In pvmp 3_huffman_parsing() from pvmp 3_huffman_parsing. cpp

The bug. . . for (i = 0; (uint 32)i < (gr. Info->big_values << 1); i += 2). . . gr. Bits = part 2_start + gr. Info>part 2_3_length; while ((p. Main. Data->used. Bits < gr. Bits) && (i < FILTERBANK_BANDS*SUBBANDS_NUMBER - 4)) { pvmp 3_huffman_quad_decoding(h, &is[i], p. Main. Data); i += 4; } if ((p. Main. Data->used. Bits < gr. Bits) && (i < FILTERBANK_BANDS*SUBBANDS_NUMBER)) { pvmp 3_huffman_q uad_decoding(h, &is[i], p. Main. Data); i += 4; . . .

The bug (cont) is is a uint array of size FILTERBANK_BANDS*SUBBANDS_NUMBER pvmp 3_huffman_quad_decoding writes dwords to is[i], is[i+1], is[i+2], is[i+3] grinfo->part 2_3_length is controllable Get 2 dword overflow

Exploitable? I/DEBUG ( 9113): *** *** *** ***I/DEBUG ( 9113): Build fingerprint: 'generic/generic/: 1. 0/119366: sdk/test-keys'I/DEBUG ( 9113): pid: 9221, tid: 9226 >>> /system/bin/mediaserver <<