Android Serialization Vulnerabilities Revisited
-
Upload
priyanka-aash -
Category
Technology
-
view
359 -
download
4
Transcript of Android Serialization Vulnerabilities Revisited
![Page 1: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/1.jpg)
SESSION ID:
#RSAC
Roee HayAndroid Serialization Vulnerabilities Revisited
MBS-F03
X-Force Application Security Team LeadIBM Security
@roeehay
Joint work with Or Peles
![Page 2: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/2.jpg)
#RSAC
We will see how this Android SDK class
2
public class OpenSSLX509Certificateextends X509Certificate {
private final long mContext;…
}
MISSING MODIFIERBEFORE OURDISCLOSURE!
(NOW PATCHED)
![Page 3: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/3.jpg)
#RSAC
Led to malware capable of this…
3
REPLACEMENT OF APPS
SELINUX
BYPASS
ACCESS TO APPS’ DATA
KERNEL CODE EXEC
(on select devices)
![Page 4: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/4.jpg)
#RSAC
Introduction
4
![Page 5: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/5.jpg)
#RSAC
Serialization
5
class foo{int bar;String baz;long *qux;
}
SENDER RECIPIENT
MEDIA
= 1234= “hi”= 0x1f334233
![Page 6: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/6.jpg)
#RSAC
Serialization
6
001010…0110
SENDER
SerializeMEDIA
class foo{int bar;String baz;long *qux;
}
= 1234= “hi”= 0x1f334233
RECIPIENT
![Page 7: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/7.jpg)
#RSAC
Serialization
7
001010…0110
SENDER
Serialize DeserializeMEDIA
class foo{int bar;String baz;long *qux;
}
= 1234= “hi”= 0x1f334233
class foo{int bar;String baz;long *qux;
}
= 1234= “hi”= 0x14d3e2c3
RECIPIENT
![Page 8: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/8.jpg)
#RSAC
Vulnerability Root Cause
8
ObjectInputStream ois = new ObjectInputStream(insecureSource);
Foo t = (Foo)ois.readObject();
DESERIALIZATION OF UNTRUSTED DATA
![Page 9: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/9.jpg)
#RSAC
Vulnerability Root Cause
9
class dangerous{
…
}
class dangerous{
…
}
001010…0110
ATTACKER
Serialize DeserializeMEDIA
VICTIM
![Page 10: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/10.jpg)
#RSAC
Example of a vulnerability
10
class dangerous{
int *ptr;
}
class dangerous{
int *ptr;
}
001010…0110
ATTACKER
Serialize DeserializeMEDIA
VICTIM
![Page 11: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/11.jpg)
#RSAC
Example of a vulnerability
11
class dangerous{
int *ptr;
}
class dangerous{
int *ptr;
}
001010…0110
ATTACKER
Serialize DeserializeMEDIA
= 0x66666666 = 0x66666666
VICTIM
![Page 12: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/12.jpg)
#RSAC
Vulnerability Root Cause
12
ObjectInputStream ois = new ObjectInputStream(insecureSource);
dangerous t = (dangerous)ois.readObject();
callNative(t.ptr)
RECIPIENT CODE
![Page 13: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/13.jpg)
#RSAC
History of Serialization Vulnerabilities
13
2009 - Shocking News in PHP Exploitation2011 - Spring Framework Serialization-based remoting vulnerabilities2012 - AtomicReferenceArray type confusion vulnerability2013 - Apache Commons FileUpload Deserialization Vulnerability
- Ruby on Rails YAML Deserialization Code Execution2014 - Android <5.0 Privilege Escalation using ObjectInputStream2015 - Android OpenSSLX509Certificate Deserialization Vulnerability
- Apache Groovy Deserialization of Untrusted Data- Apache Commons Collections Unsafe Classes
![Page 14: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/14.jpg)
#RSAC
History of Serialization Vulnerabilities
14
2009 - Shocking News in PHP Exploitation2011 - Spring Framework Serialization-based remoting vulnerabilities2012 - AtomicReferenceArray type confusion vulnerability2013 - Apache Commons FileUpload Deserialization Vulnerability
- Ruby on Rails YAML Deserialization Code Execution2014 - Android <5.0 Privilege Escalation using ObjectInputStream2015 - Android OpenSSLX509Certificate Deserialization Vulnerability
- Apache Groovy Deserialization of Untrusted Data- Apache Commons Collections Unsafe Classes
![Page 15: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/15.jpg)
#RSAC
Android Inter-App Communication
![Page 16: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/16.jpg)
#RSAC
Android Inter-App Communication 101
Intent { play:// …}
Intent { sms:// …}
![Page 17: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/17.jpg)
#RSAC
An Intent can also contain
Bundle
StringsPrimitives
Arrays
![Page 18: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/18.jpg)
#RSAC
An Intent can also contain
Bundle
StringsPrimitives
Arrays
SerializableObjects
![Page 19: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/19.jpg)
#RSAC
Motivation
19
![Page 20: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/20.jpg)
#RSAC
Previous work
CVE-2014-7911 (Jann Horn):
Non-SerializableClasses can be Deserializedon target.
![Page 21: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/21.jpg)
#RSAC
Exploiting CVE-2014-7911
21
MALWARE
TARGET
Step 1. Find an interesting target.
![Page 22: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/22.jpg)
#RSAC
The Target
22
SYSTEM_SERVER
![Page 23: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/23.jpg)
#RSAC
Exploiting CVE-2014-7911
23
MALWARE
SYSTEM_SERVER
Step 2. Send target a ‘serialized’ object in a Bundle
Serialized Objectof
non-Serializable class
![Page 24: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/24.jpg)
#RSAC
The Serialized Object
24
final class BinderProxy implements IBinder {
private long mOrgue; POINTER…
private native final destroy();
@Overrideprotected void finalize() throws Throwable{
try { destroy(); }finally { super.finalize(); }
}
![Page 25: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/25.jpg)
#RSAC
Android Apps are not just Java…
25
App
Java
Native (C/C++)
![Page 26: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/26.jpg)
#RSAC
Android Apps are not just Java…
26
App
Java
Native (C/C++)
JNI
![Page 27: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/27.jpg)
#RSAC
Pointers may pass back and forth
27
App
Java
Native (C/C++)
JNI
pointers
![Page 28: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/28.jpg)
#RSAC
Pointers may pass back and forth
28
App
Java
Native (C/C++)
JNI
pointers
![Page 29: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/29.jpg)
#RSAC
The Serialized Object
29
final class BinderProxy implements IBinder {
private long mOrgue; POINTER…
private native final destroy();
@Overrideprotected void finalize() throws Throwable{
try { destroy(); }finally { super.finalize(); }
}
![Page 30: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/30.jpg)
#RSAC
Exploiting CVE-2014-7911
30
MALWARE
SYSTEM_SERVER
Step 3. Make it deserialize on the target
Deserializedobject
![Page 31: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/31.jpg)
#RSAC
Make it deserialize automatically
31
public String getString(String key)}
unparcel(); DESERIALIZES ALLfinal Object o = mMap.get(key);try { return (String) o; }catch (ClassCastException e)
{typeWarning…} }
All Bundle members are deserialized with a single ‘touch’ without type checking before deserialization
e.g.
![Page 32: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/32.jpg)
#RSAC
Exploiting CVE-2014-7911
32
MALWARE
SYSTEM_SERVER
Step 4. Make one of its methods execute on target.
Executed Method of object
![Page 33: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/33.jpg)
#RSAC
The Serialized Object
33
final class BinderProxy implements IBinder {
private long mOrgue; …
private native final destroy();
@Overrideprotected void finalize() throws Throwable{
try { destroy(); }finally { super.finalize(); }
}
EXECUTEDAUTOMATICALLY BY THE GC
![Page 34: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/34.jpg)
#RSAC
A Word about Garbage Collection
34
Object A(root)
Object C
Object B
App’s Memory
![Page 35: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/35.jpg)
#RSAC
A Word about Garbage Collection
35
Object A(root)
Object C
Object B
App’s Memory
![Page 36: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/36.jpg)
#RSAC
A Word about Garbage Collection
36
Object A(root)
Object B
App’s Memory
![Page 37: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/37.jpg)
#RSAC
The Serialized Object
37
final class BinderProxy implements IBinder {
private long mOrgue; …
private native final destroy();
@Overrideprotected void finalize() throws Throwable{
try { destroy(); }finally { super.finalize(); }
}
EXECUTEDAUTOMATICALLY BY THE GC
![Page 38: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/38.jpg)
#RSAC
The Serialized Object
38
final class BinderProxy implements IBinder {
private long mOrgue; …
private native final destroy();
@Overrideprotected void finalize() throws Throwable{
try { destroy(); }finally { super.finalize(); }
}
NATIVE METHODTHAT USES THE PTR
![Page 39: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/39.jpg)
#RSAC
Google’s Patch for CVE-2014-7911
39
Do not DeserializeNon-Serializable
Classes
![Page 40: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/40.jpg)
#RSAC
Our 1st contribution: The Android Vulnerability
CVE-2015-3825/37
40
![Page 41: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/41.jpg)
#RSAC
Our Research Question
41
Class Foo implements Serializable {
private long mObject;…private native final destroy();
@Overrideprotected void finalize() throws Throwable{try { destroy(); }finally { super.finalize();
}}
CONTROLLABLEPOINTER
POINTER USED IN NATIVE CODE.
EXECUTED AUTOMATICALLY BY THE GC
![Page 42: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/42.jpg)
#RSAC
Experiment 1
42
![Page 43: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/43.jpg)
#RSAC
Experiment 1
43
boot.art
![Page 44: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/44.jpg)
#RSAC
Experiment 1
44
boot.art
~13K Loadable
Java Classes
![Page 45: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/45.jpg)
#RSAC
Experiment 1
45
boot.artApp: Loaded classes using
Reflection
~13K Loadable
Java Classes
![Page 46: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/46.jpg)
#RSAC
Experiment 1
46
boot.artApp: Loaded classes using
Reflection
~13K Loadable
Java Classes
Dumped classes:1. Serializable2. Finalize method3. Controllable fields
![Page 47: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/47.jpg)
#RSAC
The Result
47
OpenSSLX509Certificate
![Page 48: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/48.jpg)
#RSAC
public class OpenSSLX509Certificateextends X509Certificate {
private final long mContext;
@Overrideprotected void finalize() throws Throwable{...
NativeCrypto.X509_free(mContext);...
}}
The Result
48
![Page 49: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/49.jpg)
#RSAC
public class OpenSSLX509Certificateextends X509Certificate {
private final long mContext;
@Overrideprotected void finalize() throws Throwable{...
NativeCrypto.X509_free(mContext);...
}}
The Result
49
(1) SERIALIZABLE
![Page 50: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/50.jpg)
#RSAC
public class OpenSSLX509Certificateextends X509Certificate {
private final long mContext;
@Overrideprotected void finalize() throws Throwable{...
NativeCrypto.X509_free(mContext);...
}}
The Result
50
(1) SERIALIZABLE
(2) CONTROLLABLEPOINTER
![Page 51: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/51.jpg)
#RSAC
public class OpenSSLX509Certificateextends X509Certificate {
private final long mContext;
@Overrideprotected void finalize() throws Throwable{...
NativeCrypto.X509_free(mContext);...
}}
The Result
51
(1) SERIALIZABLE
(2) CONTROLLABLEPOINTER
(3) EXECUTED AUTOMATICALLY BY THE GC
![Page 52: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/52.jpg)
#RSAC
Arbitrary Decrement
52
NativeCrypto.X509_free(mContext)
X509_free(x509);
ASN1_item_free(x509, ...)
asn1_item_combine_free(&val, ...)
if (asn1_do_lock(pval, -1,...) > 0)return;
// x509 = mContext
// val = *pval = mContext
// Decreases a reference counter (mContext+𝟎𝐱𝟏𝟎) // MUST be POSITIVE INTEGER (MSB=𝟎)
![Page 53: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/53.jpg)
#RSAC
Arbitrary Decrement
53
ref = mContext+0x10if (*ref > 0)*ref--
elsefree(…)
![Page 54: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/54.jpg)
#RSAC
Proof-of-Concept Exploit
Arbitrary Code Execution in system_server
54
![Page 55: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/55.jpg)
#RSAC
Exploit Outline
55
MALWARE
SYSTEM_SERVER
Malicious Serialized Object(s) w/ payload
buffer
![Page 56: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/56.jpg)
#RSAC
Exploit Outline
56
MALWARE
SYSTEM_SERVER
shellcode
![Page 57: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/57.jpg)
#RSAC
First Step of the Exploit
57
Own the Program Counter (PC)
![Page 58: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/58.jpg)
#RSAC
Own the Program Counter
58
1. Override some offset / function ptr
2. Get it called.
![Page 59: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/59.jpg)
#RSAC
Creating an Arbitrary Code Exec Exploit
59
ARSENAL
1. Arbitrary Decrement
2. Controlled Buffer
![Page 60: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/60.jpg)
#RSAC
Constrained Arbitrary Memory Overwrite
60
Bundle
OpenSSLX509CertificatemContext=0𝑥11111100
∗ 0𝑥11111110 −= 1
![Page 61: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/61.jpg)
#RSAC
Constrained Arbitrary Memory Overwrite
61
Bundle
OpenSSLX509CertificatemContext=0𝑥11111100
OpenSSLX509CertificatemContext=0𝑥11111100
∗ 0𝑥11111110 −= 2
![Page 62: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/62.jpg)
#RSAC
Constrained Arbitrary Memory Overwrite
62
Bundle
OpenSSLX509CertificatemContext=0𝑥11111100
OpenSSLX509CertificatemContext=0𝑥11111100
OpenSSLX509CertificatemContext=0𝑥11111100
⋮
∗ 0𝑥11111110 −= 𝑛
![Page 63: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/63.jpg)
#RSAC
Constrained Arbitrary Memory Overwrite
63
Bundle
OpenSSLX509CertificatemContext=0𝑥11111100
OpenSSLX509CertificatemContext=0𝑥11111100
OpenSSLX509CertificatemContext=0𝑥11111100
⋮
∗ 0𝑥11111110 −= 𝑛
and If we knew the original value:
Arbitrary Overwrite
![Page 64: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/64.jpg)
#RSAC
Creating an Arbitrary Code Exec Exploit
64
ARSENAL
1. Arbitrary Decrement
2. Controlled Buffer
3. Arbitrary Overwrite
(if we knew the original value)
![Page 65: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/65.jpg)
#RSAC
Creating an Arbitrary Code Exec Exploit
65
ARSENAL DEFENSES
1. Arbitrary Decrement
2. Controlled Buffer
3. Arbitrary Overwrite
(if we knew the original value)
1. ASLR
2. RELRO
3. NX pages
4. SELinux
![Page 66: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/66.jpg)
#RSAC
Finding the original value: observation
system_server malwareroot@generic:/# cat /proc/<system_server>/maps
70e40000-72cee000 r—p ... boot.oat72cee000-74400000 r-xp ... boot.oat74400000-74401000 rw-p ... boot.oat…aa09f000-aa0c3000 r-xp ... libjavacrypto.soaa0c3000-aa0c4000 r--p ... libjavacrypto.soaa0c4000-aa0c5000 rw-p ... libjavacrypto.so…b6645000-b66d5000 r-xp ... libcrypto.sob66d6000-b66e1000 r--p ... libcrypto.sob66e1000-b66e2000 rw-p ... libcrypto.so
root@generic:/# cat /proc/<malware>/maps
70e40000-72cee000 r—p ... boot.oat72cee000-74400000 r-xp ... boot.oat74400000-74401000 rw-p ... boot.oat…aa09f000-aa0c3000 r-xp ... libjavacrypto.soaa0c3000-aa0c4000 r--p ... libjavacrypto.soaa0c4000-aa0c5000 rw-p ... libjavacrypto.so…b6645000-b66d5000 r-xp ... libcrypto.sob66d6000-b66e1000 r--p ... libcrypto.sob66e1000-b66e2000 rw-p ... libcrypto.so
![Page 67: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/67.jpg)
#RSAC
Zygote app creation model
fork()
fork()
fork()
fork()fork without execve= no ASLR!
Zygote system_server
App_1
App_N
malware
![Page 68: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/68.jpg)
#RSAC
Determining the value
fork()
fork()
<libXYZ> value
Zygote system_server
malware
<libXYZ> value
<libXYZ> value
![Page 69: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/69.jpg)
#RSAC
Creating an Arbitrary Code Exec Exploit
69
ARSENAL DEFENSES
1. Arbitrary Decrement
2. Controlled Buffer
3. Arbitrary Overwrite
(if we knew the original value)
1. ASLR
2. RELRO
3. NX pages
4. SELinux
![Page 70: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/70.jpg)
#RSAC
Using the Arbitrary Overwrite
70
Goal.
Overwite some pointer
Problem.
.got is read only (RELRO)
![Page 71: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/71.jpg)
#RSAC
A Good Memory Overwrite Target
71
A function pointer under .data
id_callback in libcrypto
Called during deserialization of:
OpenSSLECPrivateKey
![Page 72: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/72.jpg)
#RSAC
Triggering id_callback remotely
72
Bundle
system_serverOpenSSLECPrivateKey
BAD DATAthat leads to the right path
Malware
![Page 73: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/73.jpg)
#RSAC
First Step Accomplished
73
We now own theProgram Counter
![Page 74: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/74.jpg)
#RSAC
Creating an Arbitrary Code Exec Exploit
74
ARSENAL DEFENSES
1. Arbitrary Decrement
2. Controlled Buffer
3. Arbitrary Overwrite
(if we knew the original value)
1. ASLR
2. RELRO
3. NX pages
4. SELinux
![Page 75: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/75.jpg)
#RSAC
Next Steps of the PoC Exploit (simplified)
75
system_server
pc→ r-x coderw- stackrw- ROP chain rw- shellcode
sp→
![Page 76: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/76.jpg)
#RSAC
Problem 1: SP does not point at ROP chain
76
system_server
pc→ r-x coderw- stackrw- ROP chain rw- shellcode
sp→
![Page 77: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/77.jpg)
#RSAC
Solution: Stack Pivoting
77
system_server
pc→ r-x code/pivotrw- stackrw- ROP chain rw- shellcode
sp→
Our buffer happens to be pointed by fp.The Gadget: mov sp, fp; …, pop {…}
Gadget:Stack Pivot
fp→
![Page 78: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/78.jpg)
#RSAC
Solution: Stack Pivoting
78
system_server
pc→ r-x code/pivotrw- stackrw- ROP chain rw- shellcode
sp→
Our buffer happens to be pointed by fp.The Gadget: mov sp, fp; …, pop {…}
Gadget:Stack Pivot
![Page 79: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/79.jpg)
#RSAC
Allocating RWX Memory
79
system_server
pc→ r-x code/mmaprw- stackrw- ROP chain rw- shellcode
sp→
Gadget:Stack Pivot
fp→
Gadget:mmap/RWX
![Page 80: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/80.jpg)
#RSAC
Problem 2: SELinux should prohibit mmap/RWX
80
system_server
pc→ r-x code/mmaprw- stackrw- ROP chain rw- shellcode
sp→
Gadget:Stack Pivot
fp→
Gadget:mmap/RWX
![Page 81: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/81.jpg)
#RSAC
Solution: Weak SELinux Policy for system_server
81
system_server
pc→ r-x code/mmaprw- stackrw- ROP chain rw- shellcode
sp→
Gadget:Stack Pivot
fp→
Gadget:mmap/RWX
![Page 82: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/82.jpg)
#RSAC
Solution: Weak SELinux Policy for system_server
82
system_server
pc→ r-x code/mmaprw- stackrw- ROP chain rw- shellcode
sp→
Gadget:Stack Pivot
fp→
Gadget:mmap/RWX
allow system_server self:process execmem
![Page 83: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/83.jpg)
#RSAC
Allocating RWX Memory
83
system_server
pc→ r-x code/mmaprw- stackrw- ROP chain rw- shellcoderwx -
sp→
Gadget:Stack Pivot
Gadget:mmap/RWX
![Page 84: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/84.jpg)
#RSAC
Copying our Shellcode
84
system_server
pc→ r-x code/memcpy
rw- stackrw- ROP chain rw- shellcoderwx -
sp→
Gadget:Stack Pivot
Gadget:mmap/RWX
Gadget:memcpy
![Page 85: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/85.jpg)
#RSAC
Copying our Shellcode
85
system_server
pc→ r-x code/memcpy
rw- stackrw- ROP chain rw- shellcoderwx shellcode
sp→
Gadget:Stack Pivot
Gadget:mmap/RWX
Gadget:memcpy
![Page 86: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/86.jpg)
#RSAC
Executing our Shellcode
86
system_server
pc→
r-x coderw- stackrw- ROP chain rw- shellcoderwx shellcode
sp→
Gadget:Stack Pivot
Gadget:mmap/RWX
Gadget:memcpy
shellcode
![Page 87: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/87.jpg)
#RSAC
Creating an Arbitrary Code Exec Exploit
87
ARSENAL DEFENSES
1. Arbitrary Decrement
2. Controlled Buffer
3. Arbitrary Overwrite
(if we knew the original value)
1. ASLR
2. RELRO
3. NX pages
4. SELinux
![Page 88: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/88.jpg)
#RSAC
Shellcode
88
REPLACEMENT OF APPS
SELINUX
BYPASS
ACCESS TO APPS’ DATA
KERNEL CODE EXEC
(on select devices)
Runs as system, still subject to the SELinux, but can:
![Page 89: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/89.jpg)
#RSAC
Demo
89
![Page 90: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/90.jpg)
#RSAC
Google’s Patch for CVE-2015-3825
90
public class OpenSSLX509Certificateextends X509Certificate {
private transient final long mContext;…
}
MISSING MODIFIERBEFORE OURDISCLOSURE!
(NOW PATCHED)
![Page 91: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/91.jpg)
#RSAC
Hardened SELinux policy in the AOSP master branch
91
AOSP Commit #1: AOSP Commit #2:
![Page 92: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/92.jpg)
#RSAC
Are you patched?
92
Good news!Majority of the devices are updated
But some aren’t…
![Page 93: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/93.jpg)
#RSAC
Our 2nd Contribution: Vulnerabilities in SDKs
CVE-2015-2000/1/2/3/4/20
93
![Page 94: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/94.jpg)
#RSAC
Finding Similar Vulnerabilities in SDKs
Goal. Find vulnerable Serializable classes in 3rd-party SDKs
Why. Fixing the Android Platform Vulnerability is not enough. Apps can be exploited as well!
![Page 95: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/95.jpg)
#RSAC
Experiment 2
95
Analyzed over 32K of popular Android apps
Main Results
CVE-2015-2000 Jumio SDK Code Exec.CVE-2015-2001 MetaIO SDK Code Exec.CVE-2015-2002 Esri ArcGis SDK Code Exec.CVE-2015-2003 PJSIP PJSUA2 SDK Code Exec.CVE-2015-2004 GraceNote SDK Code Exec.CVE-2015-2020 MyScript SDK Code Exec.
![Page 96: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/96.jpg)
#RSAC
Root Cause (for most of the SDKs)
96
SWIG, a C/C++ to Java interoperability tool, can generate vulnerable classes.
public class Foo implements Bar {private long swigCPtr;protected boolean swigCMemOwn;...protected void finalize() {
delete();}public synchronized void delete() {
…exampleJNI.delete_Foo(swigCPtr); …
}...
}
CONTROLLABLEPOINTER
POINTER USED IN NATIVE CODE
POSSIBLYSERIALIZABLE
![Page 97: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/97.jpg)
#RSAC
SDK 1
SDK 2
SDK N
DEVELOPERS END USERS
Patching is problematic for SDKs
![Page 98: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/98.jpg)
#RSAC
Apps are in a bad place
Vulnerable apps are still out there.
SDKs need to be updated by app developers.
Dozens of apps still use them! (as of Feb ‘16)
New vulnerable apps can emerge
Developers can introduce their own vulnerable classes.
![Page 99: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/99.jpg)
#RSAC
Apps are in a bad place
Exploitation
Still no type-checking by Android before deserialization.
ASLR can still be defeated when malware attacks Zygote forked processes.
As opposed to system_server, The SELinux policy hasn’t been hardened for the apps domain.
![Page 100: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/100.jpg)
#RSAC
Wrap-up
100
![Page 101: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/101.jpg)
#RSAC
Summary
Found a high severity vulnerability in Android (Exp. 1).
Wrote a reliable PoC exploit against it.
Found similar vulnerabilities in 6 third-party SDKs (Exp. 2).
Patches are available for all of the vulnerabilities and also for SWIG.
Consumers: Update your Android.
Developers:
Update your SDKs.
Do not create vuln. Serializable classes. Use transient when needed!
![Page 102: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/102.jpg)
#RSAC
Thank you!
102
? ARE YOU STILL VULNERABLE?
![Page 103: Android Serialization Vulnerabilities Revisited](https://reader030.fdocuments.in/reader030/viewer/2022021416/58812f5d1a28ab00438b63ff/html5/thumbnails/103.jpg)
#RSAC
References
Paper. https://www.usenix.org/conference/woot15/workshop-program/presentation/peles
Video. https://www.youtube.com/watch?v=VekzwVdwqIY
Nexus Security Bulletin. https://source.android.com/security/bulletin/2015-08-01.html
AOSP Patch. https://android.googlesource.com/platform/external/conscrypt/+/edf7055461e2d7fa18de5196dca80896a56e3540
OpenSSLX509CertificateChecker.https://play.google.com/store/apps/details?id=roeeh.conscryptchecker