when e t comes into windows mobile 6
play

When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric - PowerPoint PPT Presentation

Mar 16, 2024 •265 likes •859 views

When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric Halbronn Sogeti / ESEC R&D cedric(at)security-labs.org Hack.lu 2009 Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Context / Objectives 1

  1. When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric Halbronn Sogeti / ESEC R&D cedric(at)security-labs.org Hack.lu 2009

  2. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Context / Objectives 1 Technical aspects of WM6 2 Implementation 3 General architecture Injection Protection Backdoor Services Demo 4 C. Halbronn When E.T. comes into Windows Mobile 6 2/35

  3. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Context Who am I? Security researcher working at Sogeti ESEC R&D lab Focusing on mobile security A smartphone? Mobile phone ✲ smartphone Various services PDA, Web, camera, GPS, microphone, etc. Current OS : Symbian, RIM OS, Windows Mobile 6, iPhone OS, Android Studies on mobile phones rootkits capabilities still limited C. Halbronn When E.T. comes into Windows Mobile 6 3/35

  4. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Context Who am I? Security researcher working at Sogeti ESEC R&D lab Focusing on mobile security A smartphone? Mobile phone ✲ smartphone Various services PDA, Web, camera, GPS, microphone, etc. Current OS : Symbian, RIM OS, Windows Mobile 6, iPhone OS, Android Studies on mobile phones rootkits capabilities still limited C. Halbronn When E.T. comes into Windows Mobile 6 3/35

  5. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Objectives TODO list Develop a rootkit for WM6 What is a “rootkit”? Post-exploitation Components: Injection Protection Backdoor Services Taking into account... Embedded constraints / mobile environment Services on the table C. Halbronn When E.T. comes into Windows Mobile 6 4/35

  6. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Objectives TODO list Develop a rootkit for WM6 What is a “rootkit”? Post-exploitation Components: Injection Protection Backdoor Services Taking into account... Embedded constraints / mobile environment Services on the table C. Halbronn When E.T. comes into Windows Mobile 6 4/35

  7. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Objectives TODO list Develop a rootkit for WM6 What is a “rootkit”? Post-exploitation Components: Injection Protection Backdoor Services Taking into account... Embedded constraints / mobile environment Services on the table C. Halbronn When E.T. comes into Windows Mobile 6 4/35

  8. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Context / Objectives 1 Technical aspects of WM6 2 Implementation 3 General architecture Injection Protection Backdoor Services Demo 4 C. Halbronn When E.T. comes into Windows Mobile 6 5/35

  9. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Virtual Memory Address Space Global Virtual Memory Address Space (4GB) C. Halbronn When E.T. comes into Windows Mobile 6 6/35

  10. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Loading DLLs Loading DLLs under Windows Mobile 6 C. Halbronn When E.T. comes into Windows Mobile 6 7/35

  11. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Security policies Where? Registry: [HKLM \ Security \ Policies \ Policies] Some examples Policy ID Description Auto Run Policy ”2” 0 (allowed to run automatically), 1 (restricted) Unsigned Applications Policy ”1006” 1 (allowed to run), 0 (not allowed to run) Unsigned Prompt Policy ”101A” 0 (user will be prompted), 1 (user will not be prompted) Password Required Policy ”1023” 0 (a password is required), any other (a password is not required) C. Halbronn When E.T. comes into Windows Mobile 6 8/35

  12. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Security policies Where? Registry: [HKLM \ Security \ Policies \ Policies] Some examples Policy ID Description Auto Run Policy ”2” 0 (allowed to run automatically), 1 (restricted) Unsigned Applications Policy ”1006” 1 (allowed to run), 0 (not allowed to run) Unsigned Prompt Policy ”101A” 0 (user will be prompted), 1 (user will not be prompted) Password Required Policy ”1023” 0 (a password is required), any other (a password is not required) C. Halbronn When E.T. comes into Windows Mobile 6 8/35

  13. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Application signing Stores for code execution Privileged store: privileged execution trust authorities Unprivileged store: unprivileged execution trust authorities SPC (Software Publisher Certificates) store: trust authorities for CAB installation ✲ sign DLLs, EXEs or CABs and put certificate in right store Stores for SSL chain validation, NOTHING to do with code execution MY: end-user personal certificates CA: intermediary certification authorities certificates ROOT: root (self-signed) certificates C. Halbronn When E.T. comes into Windows Mobile 6 9/35

  14. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Application signing Stores for code execution Privileged store: privileged execution trust authorities Unprivileged store: unprivileged execution trust authorities SPC (Software Publisher Certificates) store: trust authorities for CAB installation ✲ sign DLLs, EXEs or CABs and put certificate in right store Stores for SSL chain validation, NOTHING to do with code execution MY: end-user personal certificates CA: intermediary certification authorities certificates ROOT: root (self-signed) certificates C. Halbronn When E.T. comes into Windows Mobile 6 9/35

  15. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Context / Objectives 1 Technical aspects of WM6 2 Implementation 3 General architecture Injection Protection Backdoor Services Demo 4 C. Halbronn When E.T. comes into Windows Mobile 6 10/35

  16. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Plan Context / Objectives 1 Technical aspects of WM6 2 Implementation 3 General architecture Injection Protection Backdoor Services Demo 4 C. Halbronn When E.T. comes into Windows Mobile 6 11/35

  17. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Technical choices Architecture Hide its presence from phone’s user Expatriate information Technical choices 32-process limit ✲ Single .EXE multi-threads DLLs impact ✲ limit their size Battery usage ✲ limit actions when needed Heterogeneous environment C. Halbronn When E.T. comes into Windows Mobile 6 12/35

  18. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Technical choices Architecture Hide its presence from phone’s user Expatriate information Technical choices 32-process limit ✲ Single .EXE multi-threads DLLs impact ✲ limit their size Battery usage ✲ limit actions when needed Heterogeneous environment C. Halbronn When E.T. comes into Windows Mobile 6 12/35

  19. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Architecture Rootkit general architecture C. Halbronn When E.T. comes into Windows Mobile 6 13/35

  20. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Plan Context / Objectives 1 Technical aspects of WM6 2 Implementation 3 General architecture Injection Protection Backdoor Services Demo 4 C. Halbronn When E.T. comes into Windows Mobile 6 14/35

  21. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Rootkit injection Injection methods Smartphone access Vulnerability exploit ✲ Ex: MMS handler in WM2003 WAP Push message Web link ✲ Ex: Etisalat operator in the United Arab Emirates (UAE) for Blackberries OTA provisioning Our context Pop-up Smartphone access Unsigned CAB ✲ Pop-up C. Halbronn When E.T. comes into Windows Mobile 6 15/35

  22. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Rootkit injection Injection methods Smartphone access Vulnerability exploit ✲ Ex: MMS handler in WM2003 WAP Push message Web link ✲ Ex: Etisalat operator in the United Arab Emirates (UAE) for Blackberries OTA provisioning Our context Pop-up Smartphone access Unsigned CAB ✲ Pop-up C. Halbronn When E.T. comes into Windows Mobile 6 15/35

  23. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Plan Context / Objectives 1 Technical aspects of WM6 2 Implementation 3 General architecture Injection Protection Backdoor Services Demo 4 C. Halbronn When E.T. comes into Windows Mobile 6 16/35

Recommend

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Usability and Small Screens SWEN-444 iPhone Android Windows Phone 8 The phrase mobile

Usability and Small Screens SWEN-444 iPhone Android Windows Phone 8 The phrase mobile

Usability and Small Screens SWEN-444 iPhone Android Windows Phone 8 The phrase mobile usability is pretty much an oxymoron. It's neither easy nor pleasant to use the Web on mobile devices. designing for mobile is hard

337 views • 14 slides
SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON MOBILE DEVICES Key Questions 1. How are Web

SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON MOBILE DEVICES Key Questions 1. How are Web

Anil Dhawan, Program Manager Rich Internet Applications Windows Mobile [anild@microsoft.com] Geir Olsen, Program Manager Security for Windows Mobile [geiro@microsoft.com] Microsoft Corp SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON

454 views • 6 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development

Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development

Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development Many different platforms: Android, IPhone, Symbian, Windows Phone/ Mobile, MeeGo (only a few of them) Reasons for mobile web development

435 views • 31 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier Computer Science Dept. Worcester Polytechnic Institute (WPI) What is mobile malware? Targeted at Android, iOS, Symbian (discontinued), Windows Phone

507 views • 17 slides
DeepSec 2011 Windows Pwn 7 OEM Owned Every Mobile? Alex Plaskett November 2011 Main

DeepSec 2011 Windows Pwn 7 OEM Owned Every Mobile? Alex Plaskett November 2011 Main

DeepSec 2011 Windows Pwn 7 OEM Owned Every Mobile? Alex Plaskett November 2011 Main Objectives Provide a brief overview of WP7 OS and the security model Allow developers / security professionals to understand the platform

1.06k views • 86 slides
mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

WINDOWS TO BE REPLACED, APT. 508/509 UPPER SASH OF BATHROOM WINDOW WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WITH LOUVER IN PLACE OF GLASS FOR A/C mc-a mc-a mc-a mc-a

217 views • 8 slides
Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security whatsoever. Windows NT has security features, especially as a computer in a network. Security of Windows NT should be understood correctly. In

592 views • 31 slides
Windows 10 Microsoft Lunch & Learn 55% SMBs support a mobile workforce Alignment with MB

Windows 10 Microsoft Lunch & Learn 55% SMBs support a mobile workforce Alignment with MB

Windows 10 Microsoft Lunch & Learn 55% SMBs support a mobile workforce Alignment with MB 81% AMI-Partners GM 2H 2013 Business Strategy SB 73% 97M devices in 2013 AMI-Partners GM 2H 2013 Growing to 147M in 2018 43% of SMB employees

303 views • 3 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7 v8 Windows Embedded Standard One core Multiple SKUs v8. Windows Embedded 1 Windows 10 Windows Embedded Handheld Converged OS kernel Converged

1.08k views • 60 slides
Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS introduced a mess of new terms for Windows 8, and I have to go through them so we dont get confused. Windows RT: An edition of Windows 8 that runs on

389 views • 8 slides
DEVICES Geoffrey Zweig Outline What is Mobile Voice search? An example: Live Search for

DEVICES Geoffrey Zweig Outline What is Mobile Voice search? An example: Live Search for

Microsoft Research ---- Lang Tech 2008 VOICE SEARCH ON MOBILE DEVICES Geoffrey Zweig Outline What is Mobile Voice search? An example: Live Search for Windows Mobile Why is it important? The Competitive Landscape Basic

913 views • 48 slides
26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

CHAPTER 26 W INDOWS S ECURITY 26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE.................. 2 26.2 WINDOWS VULNERABILITIES ................................................. 18 26.3 WINDOWS SECURITY DEFENSES

537 views • 43 slides
Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System

Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System

Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System Requirements A PC running MS Windows 2000, or Windows XP Matlab (6.5, 2007a/b or 2008a/b) Python 2.5 Download the Windows installer from

288 views • 10 slides
Roadmap for Section A.1 General Concepts - Windows Networking Domains & Active Directory The

Roadmap for Section A.1 General Concepts - Windows Networking Domains & Active Directory The

Unit OS A: Windows Networking A.1. Networking Components in Windows Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section A.1 General Concepts - Windows Networking Domains &

443 views • 28 slides
Windows | Doors | Facades Products and Services | Windows | Doors | Facades | Frameless glass

Windows | Doors | Facades Products and Services | Windows | Doors | Facades | Frameless glass

Windows | Doors | Facades Products and Services | Windows | Doors | Facades | Frameless glass partitions | Stainless steel handrails Windows Windows , that reflect your style Window systems AWS 65 AWS 70.HI

215 views • 19 slides
Roadmap for Section 2.3. Environment Subsystems System Service Dispatching Windows on Windows -

Roadmap for Section 2.3. Environment Subsystems System Service Dispatching Windows on Windows -

Unit OS2: Operating System Principles 2.3. Windows on Windows - OS Personalities Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 2.3. Environment Subsystems System

678 views • 20 slides
SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec Security Researcher @Safebreach Presented at DEFCON, DEEPSEC, Hackfest @bemikre Contents 1. Windows IoT Core 2. Live SirepRAT

967 views • 74 slides
Hat: Windows and WIMP Neil Mitchell Progress Updates I have: Ported the Hat tools to Windows

Hat: Windows and WIMP Neil Mitchell Progress Updates I have: Ported the Hat tools to Windows

Hat: Windows and WIMP Neil Mitchell Progress Updates I have: Ported the Hat tools to Windows Written Hat-make Library-fied some Hat tools Written Hat-Gui Hat Windows Port Works reasonably well Windows dislikes:

280 views • 14 slides
Windows 10: Decisions, Preparation and Boot Camp Introduction Ernie and John conversation 1. Why

Windows 10: Decisions, Preparation and Boot Camp Introduction Ernie and John conversation 1. Why

Windows 10: Decisions, Preparation and Boot Camp Introduction Ernie and John conversation 1. Why upgrade to Windows 10 rather than staying with Windows 7 or 8.1? a. Windows 7 is over 5 years old. There will be no new features . b. Windows 8.1 is

432 views • 6 slides
SUMMARY History End of life CLI Services Security Considerations Powershell

SUMMARY History End of life CLI Services Security Considerations Powershell

SUMMARY History End of life CLI Services Security Considerations Powershell Server Setup BRIEF HISTORY (WINDOWS CLIENT) MSDOS (1980) WINDOWS (1985) WINDOWS 3.1 (1992) Windows 95 (1995) Windows ME

725 views • 43 slides

More recommend