Android: One Root to Own Them All
Jeff Forristal / Bluebox (slide deck, Black Hat USA 2013)

  1. Android: One Root to Own Them All. Jeff Forristal / Bluebox. Image courtesy www.norebbo.com

  2. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013. Please Complete Speaker Feedback Survey. Or else…

  3. Android Overview: [word-cloud slide: Logos, Graphs, Marketshare, Ecosystem, What is Android?, Google, Vendors, Wikipedia Quotes, History, Past Problems, Charts]

  4. If you haven’t heard of Android… …you’ve been living under a rock. (And you’re probably in the wrong briefing.)

  5. Once Upon A Time, in a security lab not so far away

  6. Challenge: “Let’s take an Android app, and modify it, to spoof the GPS coordinates.”

  7. Solution: Smali & Baksmali (decompiler & recompiler)

  8. Uh-Oh: Why I can haz no maps?!?

  9. Analysis: Maps API is licensed … API key is tied to app signature … Changing the code breaks the signature … We need a way to change code but not change the signature.

  10. Challenge Accepted!

  11. Where Do Sigs Come From? Time for birds & bees talk…

  12. Digging: Where do apps get signatures? PackageManager provides them. Where does PackageManager get them? Copy of signer certificate. Where do those come from? Loaded after successful verified app install, from APK. How does verification work? All entries in the APK are cryptographically verified against signed hashes.

  13. ZipFile & JarVerifier (java.util.zip & java.util.jar); JarSigner / SignAPK (BTW, APK = Jar = Zip)

  14. Zip File Particulars. <3 Phil Katz, RIP

  15. Anatomy: [diagram of a zip file: File 1, File 2, File 3, File 4, Central Directory]

  16. Anatomy: [diagram: File 1, File 2, File 3, File 4; Central Directory holding File 1 Meta-Data, File 2 Meta-Data, File 3 Meta-Data, File 4 Meta-Data; End Of Central Directory]

  17-18. Anatomy: [diagram: the four files are “AndroidManifest.xml”, “classes.dex”, “resources.arsc”, “META-INF/Manifest.MF”; Central Directory; End Of Central Directory]

  19. Parsing: [diagram: ZipFile.java reads the Central Directory entries (“AndroidManifest.xml”, “classes.dex”, “resources.arsc”, “META-INF/Manifest.MF”, End Of Central Directory) into a HashMap keyed by entry name: AndroidManifest.xml, classes.dex, resources.arsc, META-INF/Manifest.MF]

  20-22. Parsing: [diagram: same file and Central Directory layout as slide 17]

  23. Verifying: [diagram: MANIFEST.MF lists File 1: Hash, File 2: Hash, File 3: Hash, File 4: Hash alongside File 1-4 and the Central Directory]

  24. Verifying: [diagram: adds *.SF, which again lists File 1: Hash … File 4: Hash]

  25-26. Verifying: [diagram: adds *.RSA containing PKCS7 with Pub Cert and Signed Hash]

  27. Verifying: Verification failure (an extra File 5 added to the archive):
      jeff$ adb install evil.apk
      3063 KB/s (7776463 bytes in 2.479s)
      pkg: /data/local/tmp/evil.apk
      Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]
      [diagram: MANIFEST.MF, *.SF, *.RSA (PKCS7, Pub Cert, Signed Hash), File 1-4 hashes, File 5, Central Directory]

  28. Verifying: Verification failure, same install output, with logcat:
      E/PackageParser( 440): Package com.victim.app has no certificates at entry extra_file.bin; ignoring!
      [diagram: as slide 27, signature files named SIGN.SF / SIGN.RSA]

  29. Verifying: [diagram: File 5: Hash now listed in MANIFEST.MF and SIGN.SF]

  30. Verifying: [diagram as slide 29] with logcat:
      W/PackageParser( 440): java.lang.SecurityException: META-INF/CERT.SF has invalid digest for some-file.bin in /data/app/vmdl-2023482334.tmp

  31. Verifying: [diagram as slide 29]

  32. Verifying: [diagram as slide 25] (I manually tried all of these variations)

  33. Surprise: But then I tried something else (and I didn’t get a verification error!)

  34. Surprise: Android liked it!
      jeff$ adb install doublefile.apk
      4167 KB/s (7776562 bytes in 2.478s)
      pkg: /data/local/tmp/doublefile.apk
      Success
      Hmmmm……
      [diagram: File 1, File 2, File 3, File 4, File 4; Central Directory with two entries named “classes.dex”]

  35. Attempt: Jarsigner is happy…
      jeff$ jarsigner -verify evil.apk
      jar verified.
      Android, not so much…
      jeff$ adb install evil.apk
      3063 KB/s (7776463 bytes in 2.479s)
      pkg: /data/local/tmp/evil.apk
      Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]
      [diagram: File 1, File 2, File 3, File 4A, File 4B; Central Directory with two entries named “classes.dex”]
