SlideShare a Scribd company logo

Media Files : Android's New Nightmare

Oguzhan Topgul
Oguzhan Topgul

My #hacktrickconf presentation about Joshua Drake's Stagefright vulnerability. This is the English version of my presentation: http://www.slideshare.net/oguzhantopgul/androidin-yeni-kabusu-medya-dosyalari-media-files-androids-new-nightmare-52578473 I tried to explain the details of CVE-2015-1538, P0004, Google Stagefright ‘stts’ MP4 Atom Integer Overflow Remote Code Execution vulnerability

Mobile
1 of 50
Download to read offline
ANDROID’S NEW NIGHTMARE: Media Files 08.09.15 Oğuzhan Topgül @oguzhantopgul www.oguzhantopgul.com
2
STAGEFRIGHT VULNERABILITY 3 • Result of a research conducted by Joshua Drake a.k.a @jduck • Presented at 2015 BLACKHAT USA security conference with the title Stagefright: Scary Code in the Heart of Android* • Most of the Android devices are still vulnerable * https://www.blackhat.com/us-15/briefings.html#stagefright-scary-code-in-the-heart-of-android
STAGEFRIGHT • Android’s Multimedia library • Processes video and audio files • Extracts meta-data of media files • Added to AOSP with Android 2.0 • Runs inside MediaServer 4
STAGEFRIGHT 5 frameworks/base/media/java/android/media/MediaPlayer.java frameworks/base/media/jni/android_media_MediaPlayer.cpp * https://android.googlesource.com/platform/frameworks/base/+/master/media/
STAGEFRIGHT 6 frameworks/base/media/jni/android_media_MediaPlayer.cpp frameworks/av/media/mediaserver/main_mediaserver.cpp frameworks/av/media/libmediaplayerservice/MediaPlayerService.cpp frameworks/av/media/libstagefright/MediaSource.cpp frameworks/av/media/libstagefright/MediaExtractor.cpp frameworks/av/media/libstagefright/AwesomePlayer.cpp * https://android.googlesource.com/platform/frameworks/av/+/master/media
MEDIASERVER mediaserver is run by init process 7 It is a native service which is defined in /init.rc file
MEDIASERVER 8 mediaserver runs with high privileges mediaserver restarts when crashes * * https://android.googlesource.com/platform/system/core/+/master/init/readme.txt
STAGEFRIGHT 9 • libstagefright processes media files inside mediaserver service • mediaserver is a privileged native service - In some devices it also runs even with system privileges * https://android.googlesource.com/platform/system/core/+/master/init/readme.txt
STAGEFRIGHTVULNERABILITY • Lots of attack vectors present (11+) • MMS, <video> tag in a web page, downloaded the media file, e-mail, chat and messaging apps, NFC, Bluetooth, SDCard … • Exploited via playback or meta-data parse • Binary parsers are mostly vulnerable • It is possible to exploit with different media formats like MP4, 3GPP, etc… • Can be triggered with different ways • Rotating the screen, opening up the chat app, browsing the Gallery etc… 10
STAGEFRIGHTVULNERABILITY 11
12 • CVE-2015-1538, P0006, Google Stagefright ‘stsc’ MP4 Atom Integer Overflow Remote Code Execution • CVE-2015-1538, P0004, Google Stagefright ‘ctts’ MP4 Atom Integer Overflow Remote Code Execution • CVE-2015-1538, P0004, Google Stagefright ‘stts’ MP4 Atom Integer Overflow Remote Code Execution • CVE-2015-1538, P0004, Google Stagefright ‘stss’ MP4 Atom Integer Overflow Remote Code Execution • CVE-2015-1539, P0007, Google Stagefright ‘esds’ MP4 Atom Integer Underflow Remote Code Execution • CVE-2015-3827, P0008, Google Stagefright ‘covr’ MP4 Atom Integer Underflow Remote Code Execution • CVE-2015-3826, P0009, Google Stagefright 3GPP Metadata Buffer Overread • CVE-2015-3828, P0010, Google Stagefright 3GPP Integer Underflow Remote Code Execution • CVE-2015-3824, P0011, Google Stagefright ‘tx3g’ MP4 Atom Integer Overflow Remote Code Execution • CVE-2015-3829, P0012, Google Stagefright ‘covr’ MP4 Atom Integer Overflow Remote Code Execution
MPEG-4 • MPEG-4 files are made of units which are called Atom or Box 13 * http://www.adobe.com/content/dam/Adobe/en/devnet/flv/pdfs/video_file_format_spec_v10.pdf
MPEG-4 • Atom type (BoxType) is a value which contains 4 characters (4 Byte): • E.g. : ftyp, moov, trak, covr, esds, mvhd… • This 4 byte value is called FourCC (Four Character Code) 14 * http://www.adobe.com/content/dam/Adobe/en/devnet/flv/pdfs/video_file_format_spec_v10.pdf
MPEG-4 • moov atom contains some nested atoms 15 ftyp mdatmoov File Type encoders compatibility Header Media Data * http://www.adobe.com/content/dam/Adobe/en/devnet/flv/pdfs/video_file_format_spec_v10.pdf
MOOV ATOM 16
17 • CVE-2015-1538, P0006, Google Stagefright ‘stsc’ MP4 Atom Integer Overflow Remote Code Execution • CVE-2015-1538, P0004, Google Stagefright ‘ctts’ MP4 Atom Integer Overflow Remote Code Execution • CVE-2015-1538, P0004, Google Stagefright ‘stts’ MP4 Atom Integer Overflow Remote Code Execution • CVE-2015-1538, P0004, Google Stagefright ‘stss’ MP4 Atom Integer Overflow Remote Code Execution • CVE-2015-1539, P0007, Google Stagefright ‘esds’ MP4 Atom Integer Underflow Remote Code Execution • CVE-2015-3827, P0008, Google Stagefright ‘covr’ MP4 Atom Integer Underflow Remote Code Execution • CVE-2015-3826, P0009, Google Stagefright 3GPP Metadata Buffer Overread • CVE-2015-3828, P0010, Google Stagefright 3GPP Integer Underflow Remote Code Execution • CVE-2015-3824, P0011, Google Stagefright ‘tx3g’ MP4 Atom Integer Overflow Remote Code Execution • CVE-2015-3829, P0012, Google Stagefright ‘covr’ MP4 Atom Integer Overflow Remote Code Execution
‘STTS’ATOM INTEGER OVERFLOW 18 • PoC mp4 files: https://s3.amazonaws.com/zhafiles/Zimperium-Handset-Alliance/ZHA-Crash-PoC.zip • sf-003.mp4 PoC mp4 file triggers ‘stts’ integer overflow. <video> tag is introduced with HTLM5
19 • Crash Logs are sent to logcat and recorded under /data/tombstones/ directory with the naming tombstone_xx • Attack vector in sf-003.mp4 file is Meta-data parsing ‘STTS’ATOM INTEGER OVERFLOW
20 ‘STTS’ATOM INTEGER OVERFLOW StageFrightMetadataRetriever.cpp
21 ‘STTS’ATOM INTEGER OVERFLOW MPEG4Extractor.cpp
22 ‘STTS’ATOM INTEGER OVERFLOW MPEG4Extractor.cpp
23 ‘STTS’ATOM INTEGER OVERFLOW SampleTable.cpp
24 ‘STTS’ATOM INTEGER OVERFLOW SampleTable.cpp < Android 4.4 Attacker Controlled
25 ‘STTS’ATOM INTEGER OVERFLOW SampleTable.cpp < Android 4.4 Memory allocation for the array Allocated memory for the array is mTimeToSampleCount * 2 * sizeof(uint32_t) mTimeToSampleCount * 2 * 4
26 ‘STTS’ATOM INTEGER OVERFLOW SampleTable.cpp < Android 4.4 Fill the array
27 ‘STTS’ATOM INTEGER OVERFLOW SampleTable.cpp < Android 4.4 Endian Swapping
28 ‘STTS’ATOM Header Version Flags mTimeToSampleCount A regular mp4 file
29 ‘STTS’ATOM INTEGER OVERFLOW SampleTable.cpp < Android 4.4 mTimeToSampleCount = 1 Allocated memory for mTimeToSample 1 * 2 * 4 = 8 Loop bound mTimeToSampleCount * 2 = 2 So, mTimeToSampleCount < Loop Bound < Array size
30 ‘STTS’ATOM Header Version Flags mTimeToSampleCount sf-003.mp4 PoC file
31 ‘STTS’ATOM INTEGER OVERFLOW SampleTable.cpp < Android 4.4 mTimeToSampleCount = 0x40000002 Allocated memory for mTimeToSample 0x40000002 * 4 *2 = 0x200000010 Loop bound 0x40000002 * 2 = 0x80000004 Lets check: mTimeToSampleCount < Loop Bound < Array size ✔
32 ‘STTS’ATOM INTEGER OVERFLOW
33 ‘STTS’ATOM INTEGER OVERFLOW … if you multiply two 32-bit integers, you get a 32-bit integer again, losing the upper 32 bits of the result mTimeToSampleCount = 0x40000002 Allocated memory for mTimeToSample 0x40000002 * 4 *2 = 0x200000010 = 0x00000010 / * http://www.fefe.de/intof.html
34 ‘STTS’ATOM INTEGER OVERFLOW … if you multiply two 32-bit integers, you get a 32-bit integer again, losing the upper 32 bits of the result mTimeToSampleCount = 0x40000002 Allocated memory for mTimeToSample Loop bound 0x40000002 * 2 = 0x00000010 = 0x80000004 Check again: mTimeToSampleCount < Loop Bound < Array size ✗ * http://www.fefe.de/intof.html
35 ‘STTS’ATOM INTEGER OVERFLOW SampleTable.cpp < Android 4.4 Loop bound is too high, but size of the array is too small
36 ‘STTS’ATOM INTEGER OVERFLOW Maximum value of a 32bit Unsigned Integer: 0xFFFFFFFF If mTimeToSampleCount >= 0x20000000 integer overflow occurs 0x20000000 * 4 * 2 = 100000000/
37 ‘STTS’ATOM INTEGER OVERFLOW SampleTable.cpp Android 5.0 This check fails to catch Integer Overflow
38 ‘STTS’ATOM INTEGER OVERFLOW SampleTable.cpp Android 5.1.1 r5 Android 5.0 Android 5.1.1 r5
STAGEFRIGHTVS ASLR • ASLR is introduced with Android 4.0 Ice Cream • Stagefright can be successfully exploited for Ice Cream Sandwich • ASLR Bypass is required for the versions >= Android 4.0 39
STAGEFRIGHTVULNERABILITY 40
41
42
HANGOUT OPTIONS SETTINGS SMS HOWTO PROTECT • Update your device for the latest Android version which must be >= 5.1.1_r5 • Disable MMS auto-fetch feature (For Hangouts and Messages) 43 MESSAGES MORE SETTINGS MORE SETTINGS MMS
UPDATES REALLY SOLVETHE PROBLEM? • EXODUS Intelligence does not agree with that 44 • Problem related to “CVE-2015-3824, P0011, Google Stagefright ‘tx3g’ MP4 Atom Integer Overflow Remote Code Execution” remained unfixed * https://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/
STAGEFRIGHT PUBLIC EXPLOIT? • @jduck put the PoC Exploit code in his private repo and… 45 • Update 09.09.15: @jduck’s private repo is publicly available https://github.com/jduck/cve-2015-1538-1
MORE READING ON STAGEFRIGHT 46 https://mobile-security.zeef.com/oguzhan.topgul
47
OWASPTURKEY MOBILE SECURITY WORKSHOP • 14 October 2015 48 * http://www.webguvenligi.org/haberler/mobile-security-workshop-2015.html
RERERENCES • StageFright - Zimperium Blog: https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/ • StageFright Vulnerability Details: https://blog.zimperium.com/stagefright-vulnerability-details-stagefright-detector-tool-released/ • Stagefriht Detailed Explanation: http://blog.fortinet.com/post/cryptogirl-on-stagefright-a-detailed-explanation • FTYP Atom: http://www.ftyps.com/what.html • F4V/MP4 File Format: http://www.adobe.com/content/dam/Adobe/en/devnet/flv/pdfs/video_file_format_spec_v10.pdf • StageFrightMetadataReceiver.cpp: https://android.googlesource.com/platform/frameworks/av/+/android-4.4.2_r2.0.1/media/libstagefright/ StagefrightMetadataRetriever.cpp • MPEG4Extractor.cpp: https://android.googlesource.com/platform/frameworks/av/+/android-4.4.2_r2.0.1/media/libstagefright/MPEG4Extractor.cpp • SampleTable.cpp: https://android.googlesource.com/platform/frameworks/av/+/android-4.4.2_r2.0.1/media/libstagefright/SampleTable.cpp • Android 5.0 Integer Overflow Fix : https://android.googlesource.com/platform/frameworks/av/+/f106b19%5E!/ • Android’s StageFright Media Player Architecture: https://quandarypeak.com/2013/08/androids-stagefright-media-player-architecture/ 49
THANKS ? Oğuzhan Topgül @oguzhantopgul www.oguzhantopgul.com

Recommended

Stagefright (1)
Stagefright (1)Stagefright (1)
Stagefright (1)Mamoon Ismail Khalid
 
Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Tsukasa Oi
 
Predicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group KeysPredicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group Keysvanhoefm
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 

Recommended

Stagefright (1)
Stagefright (1)Stagefright (1)
Stagefright (1)Mamoon Ismail Khalid
 
Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Tsukasa Oi
 
Predicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group KeysPredicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group Keysvanhoefm
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 
A commercial open source project in Python
A commercial open source project in PythonA commercial open source project in Python
A commercial open source project in Pythonjbrendel
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomPriyanka Aash
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCanSecWest
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Deep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalDeep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalIsao Takaesu
 
First python project
First python projectFirst python project
First python projectNeetu Jain
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsviaForensics
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT SuiteShota Shinogi
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesMarcus Botacin
 
PyParis 2017 / Unicode and bytes demystified, by Boris Feld
PyParis 2017 / Unicode and bytes demystified, by Boris FeldPyParis 2017 / Unicode and bytes demystified, by Boris Feld
PyParis 2017 / Unicode and bytes demystified, by Boris FeldPôle Systematic Paris-Region
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
The FatRat
The FatRatThe FatRat
The FatRatAjilSunny
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsAsep Sopyan
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_finalPacSecJP
 
Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)
Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)
Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)Oguzhan Topgul
 
iOS'da Zararlı Yazılım Yok (mu?)
iOS'da Zararlı Yazılım Yok (mu?)iOS'da Zararlı Yazılım Yok (mu?)
iOS'da Zararlı Yazılım Yok (mu?)Oguzhan Topgul
 

More Related Content

What's hot

A commercial open source project in Python
A commercial open source project in PythonA commercial open source project in Python
A commercial open source project in Pythonjbrendel
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomPriyanka Aash
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCanSecWest
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Deep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalDeep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalIsao Takaesu
 
First python project
First python projectFirst python project
First python projectNeetu Jain
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsviaForensics
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesMarcus Botacin
 
PyParis 2017 / Unicode and bytes demystified, by Boris Feld
PyParis 2017 / Unicode and bytes demystified, by Boris FeldPyParis 2017 / Unicode and bytes demystified, by Boris Feld
PyParis 2017 / Unicode and bytes demystified, by Boris FeldPôle Systematic Paris-Region
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsAsep Sopyan
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_finalPacSecJP
 

What's hot (20)

A commercial open source project in Python
A commercial open source project in PythonA commercial open source project in Python
A commercial open source project in Python
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-room
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgeneration
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Deep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalDeep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 Arsenal
 
First python project
First python projectFirst python project
First python project
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software Repositories
 
PyParis 2017 / Unicode and bytes demystified, by Boris Feld
PyParis 2017 / Unicode and bytes demystified, by Boris FeldPyParis 2017 / Unicode and bytes demystified, by Boris Feld
PyParis 2017 / Unicode and bytes demystified, by Boris Feld
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
The FatRat
The FatRatThe FatRat
The FatRat
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and worms
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_final
 

Viewers also liked

Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)
Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)
Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)Oguzhan Topgul
 
iOS'da Zararlı Yazılım Yok (mu?)
iOS'da Zararlı Yazılım Yok (mu?)iOS'da Zararlı Yazılım Yok (mu?)
iOS'da Zararlı Yazılım Yok (mu?)Oguzhan Topgul
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...Priyanka Aash
 
Building an Android Scale Incident Response Process
Building an Android Scale Incident Response ProcessBuilding an Android Scale Incident Response Process
Building an Android Scale Incident Response ProcessPriyanka Aash
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureSonatype
 
A slightly deeper dive into Stagefright
A slightly deeper dive into StagefrightA slightly deeper dive into Stagefright
A slightly deeper dive into StagefrightAlexy Joseph
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 

Viewers also liked (7)

Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)
Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)
Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)
 
iOS'da Zararlı Yazılım Yok (mu?)
iOS'da Zararlı Yazılım Yok (mu?)iOS'da Zararlı Yazılım Yok (mu?)
iOS'da Zararlı Yazılım Yok (mu?)
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...
 
Building an Android Scale Incident Response Process
Building an Android Scale Incident Response ProcessBuilding an Android Scale Incident Response Process
Building an Android Scale Incident Response Process
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
A slightly deeper dive into Stagefright
A slightly deeper dive into StagefrightA slightly deeper dive into Stagefright
A slightly deeper dive into Stagefright
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 

Similar to Media Files : Android's New Nightmare

F5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsF5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsDenis Kolegov
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
 
A Peek into Google's Edge TPU
A Peek into Google's Edge TPUA Peek into Google's Edge TPU
A Peek into Google's Edge TPUKoan-Sin Tan
 
WebRTC: A front-end perspective
WebRTC: A front-end perspectiveWebRTC: A front-end perspective
WebRTC: A front-end perspectiveshwetank
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkPriyanka Aash
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
 
“Seamless Deployment of Multimedia and Machine Learning Applications at the E...
“Seamless Deployment of Multimedia and Machine Learning Applications at the E...“Seamless Deployment of Multimedia and Machine Learning Applications at the E...
“Seamless Deployment of Multimedia and Machine Learning Applications at the E...Edge AI and Vision Alliance
 
Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019Lorenzo Miniero
 
Writing Fast Code - PyCon HK 2015
Writing Fast Code - PyCon HK 2015Writing Fast Code - PyCon HK 2015
Writing Fast Code - PyCon HK 2015Younggun Kim
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsERPScan
 
DevDays: Profiling With Java Flight Recorder
DevDays: Profiling With Java Flight RecorderDevDays: Profiling With Java Flight Recorder
DevDays: Profiling With Java Flight RecorderMiro Wengner
 
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9Nuno Godinho
 
MNSEC Conference 2023: Mining Bots
MNSEC Conference 2023: Mining BotsMNSEC Conference 2023: Mining Bots
MNSEC Conference 2023: Mining BotsAPNIC
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopSaumil Shah
 
Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Jason Williams
 
Building a Video Encoding Pipeline at The New York Times
Building a Video Encoding Pipeline at The New York TimesBuilding a Video Encoding Pipeline at The New York Times
Building a Video Encoding Pipeline at The New York TimesMaxwell Dayvson Da Silva
 
夜宴39期《Seven》
夜宴39期《Seven》夜宴39期《Seven》
夜宴39期《Seven》Koubei Banquet
 
GDD HTML5, Flash, and the Battle for Faster Cat Videos
GDD HTML5, Flash, and the Battle for Faster Cat VideosGDD HTML5, Flash, and the Battle for Faster Cat Videos
GDD HTML5, Flash, and the Battle for Faster Cat VideosGreg Schechter
 

Similar to Media Files : Android's New Nightmare (20)

F5 BIG-IP Misconfigurations
F5 BIG-IP MisconfigurationsF5 BIG-IP Misconfigurations
F5 BIG-IP Misconfigurations
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside Winnyp
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
 
A Peek into Google's Edge TPU
A Peek into Google's Edge TPUA Peek into Google's Edge TPU
A Peek into Google's Edge TPU
 
WebRTC: A front-end perspective
WebRTC: A front-end perspectiveWebRTC: A front-end perspective
WebRTC: A front-end perspective
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT Framework
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
 
“Seamless Deployment of Multimedia and Machine Learning Applications at the E...
“Seamless Deployment of Multimedia and Machine Learning Applications at the E...“Seamless Deployment of Multimedia and Machine Learning Applications at the E...
“Seamless Deployment of Multimedia and Machine Learning Applications at the E...
 
Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019Fuzzing RTC @ Kamailio World 2019
Fuzzing RTC @ Kamailio World 2019
 
Writing Fast Code - PyCon HK 2015
Writing Fast Code - PyCon HK 2015Writing Fast Code - PyCon HK 2015
Writing Fast Code - PyCon HK 2015
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platforms
 
DevDays: Profiling With Java Flight Recorder
DevDays: Profiling With Java Flight RecorderDevDays: Profiling With Java Flight Recorder
DevDays: Profiling With Java Flight Recorder
 
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
 
MNSEC Conference 2023: Mining Bots
MNSEC Conference 2023: Mining BotsMNSEC Conference 2023: Mining Bots
MNSEC Conference 2023: Mining Bots
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation Workshop
 
Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)
 
Building a Video Encoding Pipeline at The New York Times
Building a Video Encoding Pipeline at The New York TimesBuilding a Video Encoding Pipeline at The New York Times
Building a Video Encoding Pipeline at The New York Times
 
夜宴39期《Seven》
夜宴39期《Seven》夜宴39期《Seven》
夜宴39期《Seven》
 
GDD HTML5, Flash, and the Battle for Faster Cat Videos
GDD HTML5, Flash, and the Battle for Faster Cat VideosGDD HTML5, Flash, and the Battle for Faster Cat Videos
GDD HTML5, Flash, and the Battle for Faster Cat Videos
 

Recently uploaded

FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRnishacall1
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceanilsa9823
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Pooja Nehwal
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7Pooja Nehwal
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceanilsa9823
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPsychicRuben LoveSpells
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 

Recently uploaded (7)

FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
 

Media Files : Android's New Nightmare