1. PORTING TO ANDROID
   PORTING YOUR FAVOURITE CMDLINE TOOL TO ANDROID
   Vlatko Kosturjak (@k0st), Droidcon Zagreb, 30th of April

2. AGENDA
   - Introduction
   - Native code
   - Toolchains
   - Things I wish I knew in advance
   - Calling native executables
   - Issues and implications
   - Summary
   - Questions and answers
   45 minutes

3. ABOUT ME
   - Security Consultant in Diverto
   - Linux and FLOSS enthusiast
   - Open source developer
     - Have code in OpenVAS, Nmap, Metasploit, ...
   - Android "developer" since 2010
     - started counting from first Market app
     - mostly focused on NDK and ADK
   - https://github.com/kost

4. ABOUT ME IN PICTURES

5. ABOUT ME IN PICTURES

6. INTRODUCE ELEPHANT
   - Talk will cover
     - producing standalone binaries
     - executing standalone binaries
   - Talk is mostly about Nmap experience
     - Most Nmap frontends on the Play Store are using this port in source or binary form
   - Talk will NOT cover
     - producing libraries or JNI
     - integrating with Android Studio
   - https://github.com/kost/nmap-android
   - https://github.com/kost/NetworkMapper
7. NATIVE CODE
   - NOT your Java code :)
   - It's mostly about
     - C/C++
     - Assembler
   - Not portable across platforms
     - For each platform, you need a different binary
       - x86
       - arm
       - mips

8. WHY BOTHER WITH NATIVE CODE?
   - performance
   - legacy code
   - code reuse
   - you just need that tool

9. WHAT'S THE PROCESS?
   - compiling
     - compiling on the same machine
   - cross-compiling
     - compiling on one (host) machine for another (target) machine

10. TOOLCHAINS
   - Android NDK
   - Commercial
   - Open Source
   - Custom

11. CUSTOM TOOLCHAIN
   - Your own version of the compiler
   - Your own version of the build scripts
   - Custom

12. COMMERCIAL
   - Embarcadero
     - Good old Borland...
   - Xamarin
     - Native apps in C#
   - ...

13. OPEN SOURCE / FREE
   - Crystax
     - drop-in replacement for Google's NDK
     - WCHAR, locales, full C++11 standard library...
   - Buildroot
     - Standard embedded cross-compilation toolchain
     - ARM, x86, MIPS
   - Scratchbox
     - ARM, x86, MIPS (experimental)
     - Anyone remember Maemo? :)
   - ...

14. ANDROID NDK
   - Android official toolchain
   - Available for free from developer.android.com
   - Bionic
     - No full ANSI C support
       - locale
       - different threads
   - Patch as you grow
     - standalone binary support/bugs
     - stdout symbol bug
     - WCHAR support
     - standard library support

15. WHAT'S THE FUZZ?
   - Download NDK
   - Download tool you want to port
   - ./configure --host=arm-linux-androideabi
   - make
   - make install
   - It works - go home!
16. IN CASE IT IS HELLO WORLD...

       /* Hello World program */
       #include <stdio.h>

       int main(void)
       {
           printf("Hello World\n");
           return 0;
       }

   It works pretty well indeed.

17. IN REAL WORLD
   - Code isn't perfect
   - Not portable
     - Endianness
     - Path separators
   - Dependencies
     - Extensions
     - 3rd party libraries

18. TWO WAYS TO INVOKE COMPILER
   - Calling with sysroot

       export CC="$NDK/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86/bin/a
       export CFLAGS="--sysroot=$SYSROOT"
       $CC $CFLAGS -o hello hello.c

   - Producing directory for target

       $NDK/build/tools/make-standalone-toolchain.sh --platform=android-3 --install-
       /opt/ndk3/bin/arm-linux-androideabi-gcc -o hello hello.c
19. NDK PLATFORMS

       NDK platform   Platforms        32/64 bit
       3              ARM              32
       9              ARM/MIPS/Intel   32
       21             ARM/MIPS/Intel   64

20. PROCESS OF CROSS COMPILING
   - Compile and fix as you go :)
     - sorry, no single recipe
   - Standard problems
     - stdout bug
     - old autoconf/automake support files
     - arm-linux-androideabi missing
   - In short, nothing that Google/StackOverflow can't help with :)

21. STATIC VS DYNAMIC LINKING
   - Dynamic
     - small size
     - run-time dependency
   - Static
     - large size
     - no dependencies

22. LIFE IS PERFECT
   - Static binaries working like a charm
   - "until resolv.conf disappeared :)"
23. DNS PROBLEMS

       #include <stdio.h>
       #include <netdb.h>

       int main(int argc, char *argv[])
       {
           int i;
           struct hostent *hp;
           for (i = 1; i < argc; ++i) {
               hp = gethostbyname(argv[i]);
               if (!hp) {
                   fprintf(stderr, "%s: host '%s'\n", hstrerror(h_errno), argv[i]);
                   continue;
               }
               printf("Host:\t%s\n", argv[i]);
               printf("\tResolves to:\t%s\n", hp->h_name);
           }
           return 0;
       }

   Original at gist

24. DNS AND RESOLV.CONF

       #ifdef ANDROID_CHANGES /* READ FROM SYSTEM PROPERTIES */
           dns_last_change_counter = _get_dns_change_count();
           [..]
       #else /* !ANDROID_CHANGES - IGNORE resolv.conf in Android */
       #define MATCH(line, name)
           [..]

   Original at https://code.google.com/p/android-source-browsing

   Android's resolver takes its DNS servers from system properties and ignores resolv.conf, so a statically linked resolver from another libc looks for /etc/resolv.conf, finds nothing, and cannot resolve names.

25. DYNAMIC VS STATIC

       Type      Size      Dependency    DNS OOTB
       Dynamic   smaller   yes           yes
       Static    bigger    no            no
       Mixed     medium    yes (basic)   yes
26. HERE COMES LOLLIPOP

       error: only position independent executables (PIE) are supported.

   - Position Independent Executable (PIE)
   - PIE support appeared in API level 16
   - Finally they implemented it :)
   - Too bad binaries do not work

27. WHAT'S PIE?
   - Position Independent Executable (PIE)
   - Security protection
     - better Address Space Layout Randomization (ASLR)
     - Exploitation mitigation technique
     - Harder return-to-libc exploitation
   - Requirements
     - PIE required for dynamic executables
     - PIE not required for static executables

28. PIE EXAMPLE

       #include <stdio.h>

       int global;

       void checkadr(int *bla)
       {
           int local;
           printf("bla adr = %p\n", (void *)&bla);
           printf("global adr = %p\n", (void *)&global);
           printf("local adr = %p\n", (void *)&local);
       }

       int main(void)
       {
           int c;
           printf("c adr = %p\n", (void *)&c);
           printf("checkadr adr = %p\n", (void *)checkadr);
           checkadr(&c);
           return 0;
       }

29. PIE SUPPORT

       Android version   Supported   Required
       1, 2, 3           no          no
       4                 yes         no
       5                 yes         yes

30. PIE WORKAROUND
   - Way to run PIE executables on non-supported systems
     - if the system supports PIE, just run the executable
     - if the system does not support PIE, use run_pie.c: run_pie your_proggy args

       CFLAGS += -fvisibility=default -fPIE
       LDFLAGS += -rdynamic -pie

   - https://gist.github.com/kost/5fd4628f45a4995bec28
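The workaround above needs two facts at run time: whether the shipped binary is a PIE and whether the device's loader accepts it. The following is an added example, not code from the talk or from the run_pie gist: it classifies an ELF image by its e_type field (a PIE is linked as ET_DYN, a classic executable as ET_EXEC) and applies the API-level thresholds the slides give (PIE loadable from API 16, mandatory from API 21 / Android 5). The sample headers are constructed byte arrays; the file-reading helper and the threshold names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ELF header constants, as in the ELF specification. e_type sits at byte
 * offset 16 in both ELF32 and ELF64 headers, right after e_ident. */
#define EI_NIDENT   16
#define EI_DATA     5
#define ELFDATA2LSB 1
#define ELFDATA2MSB 2
#define ET_EXEC     2
#define ET_DYN      3

enum elf_kind { ELF_UNKNOWN = -1, ELF_NOT_PIE = 0, ELF_PIE = 1 };

/* Classify an ELF image from its first bytes: a PIE is linked as ET_DYN
 * (the same type as a shared object), a classic executable as ET_EXEC. */
enum elf_kind classify_elf(const unsigned char *buf, size_t len)
{
    static const unsigned char magic[4] = { 0x7f, 'E', 'L', 'F' };
    uint16_t e_type;

    if (len < EI_NIDENT + 2 || memcmp(buf, magic, 4) != 0)
        return ELF_UNKNOWN;
    if (buf[EI_DATA] == ELFDATA2LSB)            /* honour the declared byte order */
        e_type = (uint16_t)(buf[16] | (buf[17] << 8));
    else if (buf[EI_DATA] == ELFDATA2MSB)
        e_type = (uint16_t)((buf[16] << 8) | buf[17]);
    else
        return ELF_UNKNOWN;

    if (e_type == ET_DYN)  return ELF_PIE;
    if (e_type == ET_EXEC) return ELF_NOT_PIE;
    return ELF_UNKNOWN;                         /* relocatable object, core dump, ... */
}

/* API-level thresholds taken from the talk: the loader accepts PIE from
 * API 16, and from API 21 (Android 5) it accepts nothing but PIE. */
#define PIE_SUPPORTED_FROM 16
#define PIE_REQUIRED_FROM  21

/* 1 if a binary of this kind can be exec'd directly on the given API level,
 * 0 if it needs the run_pie workaround (PIE on an old system) or a rebuild
 * with -fPIE -pie (non-PIE on Android 5 and later). */
int loader_accepts(enum elf_kind kind, int api_level)
{
    if (kind == ELF_PIE)     return api_level >= PIE_SUPPORTED_FROM;
    if (kind == ELF_NOT_PIE) return api_level <  PIE_REQUIRED_FROM;
    return 0;
}

/* Read a file's header and classify it; ELF_UNKNOWN on read errors. */
enum elf_kind classify_file(const char *path)
{
    unsigned char hdr[64];
    FILE *f = fopen(path, "rb");
    if (!f) return ELF_UNKNOWN;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return classify_elf(hdr, n);
}

/* Constructed sample headers (only e_ident and e_type are meaningful):
 * a little-endian ELF64 PIE and a big-endian ELF32 non-PIE executable. */
const unsigned char SAMPLE_PIE_HDR[18] = {
    0x7f, 'E', 'L', 'F', 2, ELFDATA2LSB, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, ET_DYN, 0 };
const unsigned char SAMPLE_EXEC_HDR[18] = {
    0x7f, 'E', 'L', 'F', 1, ELFDATA2MSB, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ET_EXEC };

int main(int argc, char **argv)
{
    /* With a path argument the real file is inspected, otherwise the sample PIE header. */
    enum elf_kind kind = argc > 1 ? classify_file(argv[1])
                                  : classify_elf(SAMPLE_PIE_HDR, sizeof SAMPLE_PIE_HDR);
    const char *name = kind == ELF_PIE ? "PIE" : kind == ELF_NOT_PIE ? "non-PIE"
                                               : "not an ELF executable";
    int levels[] = { 15, 16, 21 };
    printf("%s: %s\n", argc > 1 ? argv[1] : "sample header", name);
    for (size_t i = 0; i < sizeof levels / sizeof levels[0]; i++)
        printf("  API %d: %s\n", levels[i],
               loader_accepts(kind, levels[i]) ? "exec directly" : "not loadable directly");
    return 0;
}
```

On a device the API level itself comes from `android.os.Build.VERSION.SDK_INT` in the Java side (or the `ro.build.version.sdk` property); the check here only decides between exec'ing the binary and going through run_pie.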
31. CALLING NATIVE EXECUTABLES

       Process p = Runtime.getRuntime().exec(command);
       // waitFor() before draining stdout blocks forever if the child fills the pipe buffer
       p.waitFor();
       BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
       String line;
       while ((line = reader.readLine()) != null) {
           output.append(line).append("\n");
       }

32. BETTER WAY - USING PROCESSBUILDER

       ProcessBuilder processBuilder = new ProcessBuilder(shellToRun);
       processBuilder.redirectErrorStream(true);
       scanProcess = processBuilder.start();
       outputStream = new DataOutputStream(scanProcess.getOutputStream());
       inputStream = new BufferedReader(new InputStreamReader(scanProcess.getInputStream()));
       while ((pstdout = inputStream.readLine()) != null) {
           output.append(pstdout).append("\n");
       }

33. RUNNING BINARIES AS ROOT
   - Not needed to set any new Android permission
     - Historic references to SUPERUSER permissions
   - Not much different than executing as a normal user
     - Have to Runtime.getRuntime().exec("su")
     - Write commands to stdin of the process
     - Loop the output

34. ROOT IMPLICATIONS
   - Killing runaway root processes
     - Hard as it can be due to blocking nature
     - UI does not have root access
   - Killing spawned root processes
     - parse ps output
     - spawn su shell
     - kill process
35. SECURITY IMPLICATIONS
   - Native binary problems
     - Memory corruption attacks (buffer overflows, ...)
     - Format string problems...
     - ...
   - Permissions
   - Command injections

36. SECURITY IMPLICATIONS - PERMISSIONS
   - Setting insecure permissions on executables/libraries
     - Very common when something does not work
     - Dangerous and heroic
   - Other apps can write to your bin or library
   - Exploitation
     - Find insecure .so library, inject your code
     - Find insecure binary, replace it with your version!

       echo "#!/bin/sh" > /data/data/com.heroic.app/bin/mybinary
       echo "echo '0wned!'" >> /data/data/com.heroic.app/bin/mybinary
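The defensive counterpart to the slide above is to refuse to exec or dlopen a file in the app's private directory unless it could only have been written by the app itself. The following is an added example, not code from the talk: `check_private_executable` rejects symlinks, files not owned by the calling uid, group- or world-writable files, and files whose containing directory is shared-writable. The fixture helpers create a temporary directory under /tmp standing in for `/data/data/<app>/bin`; that location and the helper names are this example's own.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <sys/stat.h>

enum perm_result {
    PERM_OK = 0,
    PERM_ERR_STAT,         /* cannot stat the path */
    PERM_ERR_NOT_REGULAR,  /* symlink, directory, device: refuse */
    PERM_ERR_OWNER,        /* not owned by our uid: another app controls it */
    PERM_ERR_WRITABLE,     /* group/world writable: another app can replace it */
    PERM_ERR_NOT_EXEC,     /* not executable by owner */
    PERM_ERR_PARENT        /* containing directory is shared-writable or not ours */
};

/* Checks that a binary or .so under the app's private directory can only
 * have been written by this app. lstat (not stat) is used so that a
 * planted symlink fails the regular-file check instead of being followed. */
int check_private_executable(const char *path)
{
    struct stat st, dst;
    char buf[PATH_MAX];

    if (lstat(path, &st) != 0)                   return PERM_ERR_STAT;
    if (!S_ISREG(st.st_mode))                    return PERM_ERR_NOT_REGULAR;
    if (st.st_uid != geteuid())                  return PERM_ERR_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH))        return PERM_ERR_WRITABLE;
    if (!(st.st_mode & S_IXUSR))                 return PERM_ERR_NOT_EXEC;

    /* The directory matters too: a writable parent lets anyone rename the file away. */
    strncpy(buf, path, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    if (lstat(dirname(buf), &dst) != 0 || !S_ISDIR(dst.st_mode) ||
        dst.st_uid != geteuid() || (dst.st_mode & (S_IWGRP | S_IWOTH)))
        return PERM_ERR_PARENT;
    return PERM_OK;
}

/* Constructed stand-in for /data/data/<app>/bin: a 0700 temp directory. */
static char g_fixture_dir[] = "/tmp/privbinXXXXXX";
static int g_fixture_ready;

const char *fixture_dir(void)
{
    if (!g_fixture_ready) {
        if (!mkdtemp(g_fixture_dir)) return NULL;
        g_fixture_ready = 1;
    }
    return g_fixture_dir;
}

/* Test helper: create <name> inside fixture_dir() with exactly `mode`
 * (fchmod bypasses the umask). Returns a static path buffer. */
const char *fixture_file(const char *name, mode_t mode)
{
    static char path[PATH_MAX];
    const char *script = "#!/bin/sh\necho ok\n";
    if (!fixture_dir()) return NULL;
    snprintf(path, sizeof path, "%s/%s", g_fixture_dir, name);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return NULL;
    (void)write(fd, script, strlen(script));
    (void)fchmod(fd, mode);
    close(fd);
    return path;
}

int main(void)
{
    /* The slide's "chmod 777 to make it work" case: rejected before exec. */
    const char *p = fixture_file("mybinary", 0777);
    int r = check_private_executable(p);
    printf("%s -> result %d (%s)\n", p, r,
           r == PERM_ERR_WRITABLE ? "group/world writable, refusing to run" : "other");
    return r == PERM_OK ? 0 : 1;
}
```

Run the check immediately before `exec` or `dlopen`, on the same path string, and fail closed: the point is that a binary which "does not work" because of permissions gets fixed by installing it correctly, not by widening the mode bits.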
37. SECURITY IMPLICATIONS - UNTRUSTED INPUT
   - Passing untrusted/unvalidated input to shell
     - Running native executables can lead to command injection
     - Extremely dangerous if running as user
     - Extremely heroic and dangerous if running as root
   - Pay special attention to exported activities
     - other apps can call that intent, which means they can execute commands as your app!!

38. UNTRUSTED INPUT EXAMPLE

       Bundle b = getIntent().getExtras();
       configFilePath = b.getString("path");
       [..]
       ShellExecuter exe = new ShellExecuter();
       return exe.Executer("cat " + configFilePath);

       <activity android:name=".MyHeroicActivity"
           ....
           android:exported="true" />
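The vulnerable pattern above concatenates the `path` extra into a shell command line. The following is an added example, not code from the talk, showing the two fixes that matter on the native side: an allow-list check on the path (absolute, restricted character set, no `..` components, confined to an assumed app files directory `/data/data/com.example.app/files`) and running `cat` through fork/execvp with an argv array so that no shell ever parses the string. The temp-file helper and the function names are this example's own.

```c
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>

/* Allow-list validation for a config path received from an Intent extra.
 * Accepts only absolute paths under allowed_root (given without a trailing
 * slash), made of [A-Za-z0-9._/-], with no empty, "." or ".." component.
 * Returns 1 if acceptable, 0 otherwise. */
int is_safe_config_path(const char *path, const char *allowed_root)
{
    size_t rootlen = strlen(allowed_root);
    if (!path || path[0] != '/') return 0;
    if (strncmp(path, allowed_root, rootlen) != 0 || path[rootlen] != '/') return 0;

    for (const char *p = path; *p; p++)         /* shell metacharacters never pass */
        if (!(isalnum((unsigned char)*p) || *p == '.' || *p == '_' || *p == '/' || *p == '-'))
            return 0;

    const char *seg = path + 1;                 /* walk the components */
    for (;;) {
        const char *end = strchr(seg, '/');
        size_t n = end ? (size_t)(end - seg) : strlen(seg);
        if (n == 0 || (n == 1 && seg[0] == '.') || (n == 2 && seg[0] == '.' && seg[1] == '.'))
            return 0;                           /* "//", "/./", "/../" or trailing "/" */
        if (!end) break;
        seg = end + 1;
    }
    return 1;
}

/* Run "cat <path>" without a shell: argv reaches execvp as separate strings,
 * so a ';' or '>' inside path is just part of a file name that does not exist.
 * Returns a static buffer with stdout on exit status 0, NULL otherwise. */
const char *cat_no_shell(const char *path)
{
    static char out[4096];
    int fds[2], status;
    size_t total = 0;
    ssize_t n;

    if (pipe(fds) != 0) return NULL;
    pid_t pid = fork();
    if (pid < 0) return NULL;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) { dup2(devnull, STDERR_FILENO); close(devnull); }
        char *const argv[] = { "cat", (char *)path, NULL };
        execvp("cat", argv);
        _exit(127);
    }
    close(fds[1]);
    while ((n = read(fds[0], out + total, sizeof out - 1 - total)) > 0)
        total += (size_t)n;
    close(fds[0]);
    out[total] = '\0';
    if (waitpid(pid, &status, 0) < 0) return NULL;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return NULL;
    return out;
}

/* Test helper (constructed): write contents to a fresh temp file, return its path. */
const char *fixture_textfile(const char *contents)
{
    static char path[32];
    strcpy(path, "/tmp/cfgXXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return NULL;
    (void)write(fd, contents, strlen(contents));
    close(fd);
    return path;
}

int main(int argc, char **argv)
{
    const char *root = "/data/data/com.example.app/files";   /* assumed app files dir */
    const char *path = argc > 1 ? argv[1] : "/system/etc/hosts; echo 'Owned' > /data/data";
    if (!is_safe_config_path(path, root)) {
        printf("rejected: %s\n", path);
        return 1;
    }
    const char *out = cat_no_shell(path);
    printf("%s", out ? out : "(cat failed)\n");
    return out ? 0 : 1;
}
```

The Java side should do the same two things: validate the extra before use and pass `new String[]{"cat", configFilePath}` to `ProcessBuilder` rather than a single `sh -c` string. Keeping `android:exported="false"` on an activity that runs commands removes the other app's ability to reach the code path at all.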
39. UNTRUSTED INPUT EXPLOITATION

       public void onBtnClick(View view) {
           Intent intent = new Intent();
           intent.setClassName("com.heroic.app", "com.heroic.app.MyHeroicActivity");
           intent.putExtra("path", "/system/etc/hosts; echo 'Owned' > /data/data
           startActivity(intent);
       }

40. IN THE END..
   - You get bad comments :)
   - Don't use ratings for bug reports ;)
   - Please submit VERBOSE bug reports to the author directly

41. FORTUNATELY
   - Fortunately, there are good comments ;)
   - Thanks for these

42. SUMMARY
   - Porting is quite possible
   - Not as easy as marketing says
     - You can't just configure; make; make install in most cases
     - Expect you'll have to patch if the project is bigger
   - Not that hard
     - If you know the requirements upfront
     - Have listened to this lecture carefully
   - Be aware of security implications!

43. THANKS FOR LISTENING
   ?
   ANY QUESTIONS?