A framework for on-device privilege escalation exploit execution on Android

Similar documents
The Case for SE Android. Stephen Smalley Trust Mechanisms (R2X) National Security Agency

ios Security Decoded Dave Test Classroom and Lab Computing Penn State ITS Feedback -

Safety measures in Linux

Adobe Flash Player and Adobe AIR security

Security Issues in Android Custom ROMs

Example of Standard API

Mobile Operating Systems. Week I

A Perspective on the Evolution of Mobile Platform Security Architectures

Analysis of advanced issues in mobile security in android operating system

BlackBerry 10.3 Work and Personal Corporate

Securely Yours LLC We secure your information world. www. SecurelyYoursllc.com

Security for Mac Computers in the Enterprise

Smartphone Security Overview

Security Enhanced (SE) Android: Bringing Flexible MAC to Android

...e SELinux fosse più sicuro?...and if Linux was more secure? (Play on words with the Italian language)

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Tutorial on Smartphone Security

Android Programming and Security

PARALLELS SERVER 4 BARE METAL README

Into The Droid. Gaining Access to Android User Data DEF CON 20

MOBILE SECURITY. As seen by FortConsult. Lars Syberg Head of Security Services

A Perspective on the Evolution of Mobile Platform Security Architectures

PARALLELS SERVER BARE METAL 5.0 README

Securing ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH

IT6204 Systems & Network Administration. (Optional)

Android Physical Extraction - FAQ

Advanced ANDROID & ios Hands-on Exploitation

Android Architecture For Beginners

Overview. The Android operating system is like a cake consisting of various layers.

Android for the Enterprise Ge#ng from Here to There

Smartphone Security. A Holistic view of Layered Defenses. David M. Wheeler, CISSP, CSSLP, GSLC. (C) 2012 SecureComm, Inc. All Rights Reserved

Take Your Mac OS X Security to NSA Standards June 19, 2014 by Larry Chafin

RH033 Red Hat Linux Essentials or equivalent experience with Red Hat Linux..

Lecture Embedded System Security A. R. Darmstadt, Introduction Mobile Security

Oracle Solaris Security: Mitigate Risk by Isolating Users, Applications, and Data

"EZHACK" POPULAR SMART TV DONGLE REMOTE CODE EXECUTION

RedHat (RHEL) System Administration Course Summary

Computer Security: Principles and Practice

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Pentesting Mobile Applications

Mobile Vulnerability Assessment: There's an App for That!

Version 1.0. File System. Network Settings

Lecture 2 PLATFORM SECURITY IN ANDROID OS

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Mobile Platform Security Architectures A perspective on their evolution

Programming Android Smart Phones. Tom Chothia Internet Computing Workshop

Guidance End User Devices Security Guidance: Apple OS X 10.9

CIS 551 / TCOM 401 Computer and Network Security

Reminders. Lab opens from today. Many students want to use the extra I/O pins on

Security Enhanced Linux and the Path Forward

Unit 4 Objectives. System Software. Component 4: Introduction to Information and Computer Science. Unit 4: Application and System Software Lecture 2

Pentesting iphone & ipad Apps Hack In Paris 2011 June 17

IBM Endpoint Manager for Mobile Devices

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Top 8 Steps for Effective Mobile Security

CloudPassage Halo Technical Overview

What Happens When You Press that Button? Explaining Cellebrite UFED Data Extraction Processes

SSL Tunnels. Introduction

Chapter 1 Hardware and Software Introductions of pcduino

Salesforce1 Mobile Security Guide

Fourteenforty Research Institute, Inc.

Mandatory Access Control in Linux

Parallels Cloud Server 6.0 Readme

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

ENTERPRISE LINUX SYSTEM ADMINISTRATION

How to Install Applications (APK Files) on Your Android Phone

Mobile Application Security and Penetration Testing Syllabus

BYOD Guidance: BlackBerry Secure Work Space

Parallels Cloud Server 6.0

ADB (Android Debug Bridge): How it works?

SUSE LINUX Enterprise Server for SGI Altix Systems

End User Devices Security Guidance: Apple OS X 10.10

Practical Mac OS X Insecurity. Security Concepts, Problems and Exploits on your Mac

Android vs. Apple ios Security Showdown Tom Eston

Five standard procedures for building the android system. Figure1. Procedures for building android embedded systems

J-202. IT 4823 Information Security Administration. Linux Security Model. Linux Security. In Room. Linux Security April 23

A Look through the Android Stack

Legal notices. Legal notices. For legal notices, see

Table of Contents. Chapter 2: ios in the Enterprise ios Configuration Management Mobile Device Management Summary

Android Operating System

SYLLABUS MOBILE APPLICATION SECURITY AND PENETRATION TESTING. MASPT at a glance: v1.0 (28/01/2014) 10 highly practical modules

Silk Test Testing Mobile Applications

Smartphone Pentest Framework v0.1. User Guide

Plan 9 Authentication in Linux

(U)SimMonitor: A New Malware that Compromises the Security of Cellular Technology and Allows Security Evaluation

Guidance End User Devices Security Guidance: Apple ios 7

AllJoyn Android Environment Setup Guide

Requirements on terminals and network Telia Secure Remote User, TSRU (version 7.1 R4)

CloudPassage Halo Technical Overview

Embedded Linux Platform Developer

Developing for MSI Android Devices

Computer Security: Principles and Practice

Open Network Install Environment

Android Security (and Not) Internals

Laptop Encryption. Tom Throwe. 1 August RHIC and ATLAS Computing Facility. (Brookhaven National Laboratory) Laptop Encryption 8/1/07 1 / 17

Pentesting Android Mobile Application

BYOD: End-to-End Security

End User Devices Security Guidance: Apple ios 8

IoT BBQ Carve Systems

Transcription:

1 A framework for on-device privilege escalation exploit execution on Android IWSSI/SPMU 2011 at Pervasive 2011 12. June 2011, San Francisco, CA, US Sebastian Höbarth, Rene Mayrhofer Fachhochschule Hagenberg, AT rene.mayrhofer@fh-hagenberg.at 2011-06-12 Android Exploit

Comparing mobile platforms Restricted to App Store Sandbox for applications Signed applications Capabilities for applications Garbage collection Exploit prevention On-device encryption Android ios Blackberry Symbian no yes no no yes some (Safari) no (unknown) yes yes yes yes yes (all-or-nothing) yes (Java) no NX no ASLR no no no (Objective C) NX stack+heap no ASLR yes, but problematic yes (configurable) yes (Java) unknown yes no yes (configurable) no (C++) no NX no ASLR no 2011-06-12 Android Exploit Rene Mayrhofer 2

Comparing exploit prevention techniques Table by Nicolas Economou and Alfredo Ortega, Presentation Smartphone (in)security at CanSecWest 2009 2011-06-12 Android Exploit Rene Mayrhofer 3

iphone vs. Android security concepts Closed eco-system All applications need to go through Apple Store, checked by Apple unless device has been jailbroken... Sandboxing restricted to few applications (e.g. MobileSafari) Some exploit protection measures No further security measures Open eco-system Arbitrary applications can be installed by the user (may need to enable USB debugging for installation from PC or download on-device and install) All applications are sandboxed No further security measures no ASLR, no DEP no on-device encryption Data Execution Prevention (DEP) using ARM XN feature but no ASLR in kernel 2011-06-12 Android Exploit Rene Mayrhofer 4

Android Architecture 2011-06-12 Android Exploit Rene Mayrhofer 5

Architecture Applications must be signed for installation may be self-signed by the developer, therefore no requirement for centralized application Q/A or control signature allows non-repudiability (if the public key/certificate is known) signature by same private key allows applications to share data and files automatic application updates possible when signed by same private key Upon installation, the package manager creates a dynamic user ID for each application Application sandbox all application files and processes are restricted to this UID enforced by Linux kernel and therefore same restrictions for all code (Java + native) by default, even the user and debugging shells are restricted to a special UID (SHELL) permissions granted at installation time allow to call services outside the application sandbox rooting to gain root access (super user / system level access on UNIX without further restrictions) 2011-06-12 Android Exploit Rene Mayrhofer 6

What can be done after rooting? Development Installing custom root, recovery, and system images [on devices without NAND lock] changing files on the /system partition General Reading all files on /system and /data partitions (including centralized system databases, e.g. accounts) Changing kernel settings, e.g. CPU over-/underclocking, IPv6 address privacy custom routing, WiFi/3G connection sharing on devices that do not support tethering out of the box or have it disabled by the manufacturer/carrier Installing/using applications that require root access, e.g. Backup/restore, OpenVPN, Webkey, SSH daemon, etc. 2011-06-12 Android Exploit Rene Mayrhofer 7

Rooting Overview (1)Achieve temporary root privileges on developer devices (Google ADP1 / G1, Nexus One, Nexus S) simply with fastboot oem unlock booting into recovery mode on devices that allow this without restriction exploiting an implementation bug either during normal system run-time (2)Achieve permanent root privileges or in the boot loader code to get into recovery mode (see above) e.g. flawed signature checking allows booting custom recovery image and from within that running image, flashing a new system image by flashing a new system image with pre-installed binaries for root access by installing a /system/(x)bin/su binary with setuid Bit set and the SuperUser application that will ask the user on each (first-time) access by modifying the root image, e.g. to set the global property ro.secure=0 (3)Secure system against abuse by other applications 2011-06-12 Android Exploit Rene Mayrhofer 8

Details: Linux kernel root is the super-user, equivalent to system-level access kernel implements DAC (Discretionary Access Control) on filesystem (includes kernel virtual files, e.g. /proc, /sys, etc.) optional MAC (Mandatory Access Control) schemes available in upstream kernel SELinux (NSA, flexible, comprehensive, but complex) SMACK (simpler, path-based, used on MeeGo) TOMOYO (path-based, more flexible than AppArmor) AppArmor (simpler, path-based, used on Novell and Ubuntu servers) could all be used to further restrict root user, often based on application context But none of them used in Android at this time! goal is therefore to achieve root privileges 2011-06-12 Android Exploit Rene Mayrhofer 9

Details: filesystem ACLs read, write, execute bits for owning user, group, and all others additional bits available, e.g. setuid and setgid binary called with privileges of owner, not privileges of caller typical combination is a file owned by root with setuid Bit set setuid binaries used on many UNIX/Linux systems to allow normal users to perform administrative tasks (e.g. passwd) or for arbitrary code elevation (e.g. su, sudo) for controlled root access, simple and effective method on Android no changes to any existing system binaries only need one additional binary installed with setuid Bit set typically /system/(x)bin/su as on standard UNIX systems, but with Android-specific GUI to ask user for permission on root access 2011-06-12 Android Exploit Rene Mayrhofer 10

Android Debug Bridge (adb) Must be enabled by user (USB Debugging) but then available over USB, WiFi, or locally on device Supports debugging, file transfer, package installation, reboot control, etc. Normally runs as user SHELL (uid 2000) Can be restarted as user root (uid 0) with global property ro.secure=0 then can call adb root to restart or use one of the known exploits to force adbd to retain root privileges will then support e.g. adb remount to remount /system with readwrite option 2011-06-12 Android Exploit Rene Mayrhofer 11

Devices with NAND-Lock Some HTC devices have a NAND lock implemented in their kernel and boot loader also called S-On in contrast to S-Off (no additional protection) Boot loader sets global flag S-On for booting into Android and S-Off for booting into recovery mode NAND access is moderated by baseband (radio) processor, application processor has to go through it Radio firmware prevents write access to system (and sometimes recovery) NAND partitions even with root privileges and when /system has been re-mounted for readwrite access Currently known devices with NAND Lock: all HTC Desire and EVO variants Other devices only have a boot loader that verifies signatures before installing updates for recovery and system and before booting a kernel (e.g. Motorola Milestone) 2011-06-12 Android Exploit Rene Mayrhofer 12

Rooting: example exploits Exploits used for gaining temporary root privileges Android <= 1.6: missing input sanitization in udev firmware loading (CVE-2009-1185) Android <= 2.2: remapping shared memory (and system properties) Android <= 2.2: overflowing limit of processes for restricted SHELL user (rageagainstthecage) Android <= 2.3: restricting access to shared memory (psneuter) http://intrepidusgroup.com/insight/2010/09/android-root-source-code-looking-at-the-c-skills/ 2011-06-12 Android Exploit Rene Mayrhofer 13

steps for permanent rooting Independent of specific exploit, as long as running code has (temporary) root privileges (1)Remount /system for write access (2)Install new binary with setuid Bit set e.g. su binary with SuperUser companion application Exploit framework binary installs itself to /system/bin with setuid Alternative: set setuid Bit on existing binary /system/bin/sh, possible due to bugs in YAFFS2 code in combination with NAND lock (3)Remove ACL restrictions from accounts and settings SQlite database files (4)Binary with setuid Bit is called at any future time when root privileges are required permanent privilege escalation 2011-06-12 Android Exploit Rene Mayrhofer 14

Future work: working around NAND lock Automate process of creating custom NAND images (1)Extract boot or recovery NAND partition to temporary files (2)For boot partition: a)extract initramfs image b)modify main boot script to set ro.secure=0 c)repack initramfs image (3)Write boot partition to NAND 2011-06-12 Android Exploit Rene Mayrhofer 15

Conclusions Android security measures are not sufficient Recommendation 1: ASLR, NX exploit prevention; audit system level code Recommendation 2: more fine-grained application permissions (e.g. Internet) Recommendation 3: allow user to choose which permissions to grant each application instead of all-or-nothing at installation time Recommendation 4: MAC (kernel policies) in addition to DAC (filesystem ACLs) at least for critical binaries, better for application sandboxing (cf. SELinux application sandbox in current Fedora distribution) + example exploits source online at http://openuat.org/android-exploit-framework 2011-06-12 Android Exploit Rene Mayrhofer 16

17 Portability is for people who cannot write new programs. Linus Torvalds, 1992-01-29, comp.os.minix Linux is currently one of the most portable operating system kernels... 2011-06-12 Android Exploit

18 Thank you for your attention! Slides: http://www.mayrhofer.eu.org/presentations Later questions: rene.mayrhofer@fh-hagenberg.at rene@mayrhofer.eu.org OpenPGP keys: 0x249BC034 (new) and 0xC3C24BDE (old) 717A 033B BB45 A2B3 28CF B84B A1E5 2A7E 249B C034 7FE4 0DB5 61EC C645 B2F1 C847 ABB4 8F0D C3C2 4BDE 2011-06-12 Android Exploit

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information