Celil ÜNÜVER, SignalSEC Inc.

Similar documents
Lecture Embedded System Security A. R. Darmstadt, Introduction Mobile Security

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

Bypassing Memory Protections: The Future of Exploitation

Hotpatching and the Rise of Third-Party Patches

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.

Custom Penetration Testing

Bypassing Browser Memory Protections in Windows Vista

Reverse Engineering and Computer Security

Defense in Depth: Protecting Against Zero-Day Attacks

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

Using fuzzing to detect security vulnerabilities

Mobile NFC 101. Presenter: Nick von Dadelszen Date: 31st August 2012 Company: Lateral Security (IT) Services Limited

Smartphone Hacks and Attacks: A Demonstration of Current Threats to Mobile Devices

Fuzzing in Microsoft and FuzzGuru framework

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

What Happens In Windows 7 Stays In Windows 7

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DR V2.0

The Mobile Malware Problem

Defending Behind The Device Mobile Application Risks

Digital Forensic analysis of malware infected machine Case study ***

Windows Operating Systems. Basic Security

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Learn Ethical Hacking, Become a Pentester

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Will Dormann: Sure. Fuzz testing is a way of testing an application in a way that you want to actually break the program.

Advanced Attacks Against PocketPC Phones

Review and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

Windows XP SP3 Registry Handling Buffer Overflow

Penetration Testing with Kali Linux

The Advantages of Block-Based Protocol Analysis for Security Testing

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities. A.K.A Fuzzing 101

TACKYDROID. Pentesting Android Applications in Style

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak CR V4.1

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Security A to Z the most important terms

BLACKJACKING: SECURITY THREATS TO BLACKBERRY DEVICES, PDAS, AND CELL PHONES IN THE ENTERPRISE

Malware: Malicious Code

WINDOWS UPDATES AND MAJOR BUILDS

WHITEPAPER. Nessus Exploit Integration

Adobe Systems Incorporated

Advanced IBM AIX Heap Exploitation. Tim Shelton V.P. Research & Development HAWK Network Defense, Inc. tshelton@hawkdefense.com

AGENDA. Background. The Attack Surface. Case Studies. Binary Protections. Bypasses. Conclusions

Moritz Jodeit

The Leader in Cloud Security SECURITY ADVISORY

Medical Device Security Health Group Digital Output

Hacking your perimeter. Social-Engineering. Not everyone needs to use zero. David Kennedy (ReL1K) Twitter: Dave_ReL1K

The Hacker Strategy. Dave Aitel Security Research

Vulnerability Assessment and Penetration Testing

Analysis of advanced issues in mobile security in android operating system

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

============================================================= =============================================================

Professional Penetration Testing Techniques and Vulnerability Assessment ...

ERNW Newsletter 51 / September 2015

CERTIFIGATE. Front Door Access to Pwning hundreds of Millions of Androids. Avi Bashan. Ohad Bobrov

Hi and welcome to the Microsoft Virtual Academy and

Complete Patch Management

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Capture Link Server V1.00

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD

Bruh! Do you even diff? Diffing Microsoft Patches to Find Vulnerabilities

protocol fuzzing past, present, future

Smart home appliance security and malware

Sandbox Roulette: Are you ready for the gamble?

Exception and Interrupt Handling in ARM

1 Intel Smart Connect Technology Installation Guide:

Web Application Security

Database's Security Paradise. Joxean Koret

Background. How much does EMET cost? What is the license fee? EMET is freely available from Microsoft without material cost.

A Link Layer Discovery Protocol Fuzzer

Android Security. Device Management and Security. by Stephan Linzner & Benjamin Reimold

Using Windows Update for Windows Me

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7/v1.8

Cyber Threats in Physical Security Understanding and Mitigating the Risk

Printed Exception strings - what do all

Injecting SMS Messages into Smart Phones for Security Analysis

Using Process Monitor

Title: Bugger The Debugger - Pre Interaction Debugger Code Execution

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Web Application Report

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

EXTENSIVE FEATURE DESCRIPTION SECUNIA CORPORATE SOFTWARE INSPECTOR. Non-intrusive, authenticated scanning for OT & IT environments. secunia.

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith

Transcription:

Threats On Your Smartphone Celil ÜNÜVER, SignalSEC Inc.

What is a smartphone?

info@signalsec.com$ whoami Celil Ünüver Security Researcher @ SignalSEC Interests: Vulnerability Research, Mobile etc. Student at Marmara University, Istanbul/Turkey Contact: info[at]signalsec.com www.signalsec.com

Agenda Windows Mobile Operating System Vulnerabilities and Shellcodes on Windows Mobile Vulnerability hunting in windows mobile A few example vulnerabilities(0day) which effect windows mobile 6.x Mobile Malwares Analysis of Terdial and ZeuS Mobile Malwares Demo

Windows Mobile System Current version is Windows Phone 7 (just released) 6.5 and 6.1 versions are common in the windows mobile market for now We are looking at 6.5 and 6.1 32 Bit WinCE based WinCE supports multi platforms (x86, ARM) Usually smartphones are ARM based devices.

Vulnerabilities on Windows Mobile Most of softwares were developed in C++ (outlook, messenger etc.) So known programming errors are valid! - Buffer overflow, format string etc. There's no Microsoft's online/auto update support for 6.5 and 6.1 versions!!!!!!warning!!!! OEMs are responsible to update. (HTC, Samsung etc) Windows Phone 7 has the online update future :]

ARM Processor RISC CPU for embedded devices Commonly used in the Smartphones/PDA, Embedded Devices - %90 of all embedded devices Supported by lots of embedded operating systems such as Symbian, Android, Windows CE etc.

ARM Assembly Similar to X86 Assembly MOV = MOV BL(arm)=CALL(x86) B(arm)=JMP(x86) etc.. 37 Register at the total R0 to R3: used to hold arguments R4 to R10: used to hold local variables PC Register Program Counter (equivalent to EIP on x86) LR Register Link Register, holds the return address SP Register Stack Pointer MOV = Move data, LDR = Load data, BL = Call subroutine/program etc.

How to write Shellcodes? What is a shellcode? In which kind of attacks can we use it? What we need to write it? - ARM Assembler - Dumpbin - ARM Assembly and DLL Loading knowledge

Phone Call/Dialer Shellcode Do you remember 56k /dial-up connection days? The old days of dialer attacks are back for mobile!!!! EXPORT start AREA.text, CODE start ldr R12, =0x3f6272c adr r0, lib mov lr, pc mov pc, r12 ldr r12, =0x2e806dc adr r0, num mov r3, #0 mov r2, #0 mov r1, #0 mov lr, pc mov pc, r12 @ LoadLibrary @ cellcore.dll @ tapirequestmakecall @ Number - 31337 lib dcb "c",0,"e",0,"l",0,"l",0,"c",0,"o",0,"r",0,"e",0,0,0,0,0 num dcb "3",0,"1",0,"3",0,"3",0,"7",0,0,0 ALIGN END

Bug Hunting There is no difference Fuzzing is the best way!

Case 1 : Windows Mobile 6.x Double Free Vuln Effected versions :Windows Mobile 6.5 and 6.1 It's still not patched! (0day) Occurs while parsing vcard (vcf) files Vulnerability type : Double Free A common vulnerability in C/C++ Occurs when free() is called twice on the same pointer. Can be triggered by bluetooth or mms

Case 1: Crash

Case 1:Analysis of Crash (Binary Analysis)

Case 1:Analysis of Crash

Case 1:Analysis of Crash

Case 2 : Internet Explorer Mobile BoF Vuln Effected versions :Windows Mobile 6.5 0day and exploitable issue Discovered by Fuzzing

Case 2 : Internet Explorer Mobile BoF Vuln

Case 3 :Internet Explorer Mobile Stack Exhaustion Effected versions :Windows Mobile 6.5 and 6.1 Discovered by Fuzzing again... There are lots of stack exhaustion(dos) bugs... (these kind of bugs are not exploitable.)

Fuzzing Media Files Why Media Formats? Supported media files can be attached to MMS! (3gp,asf etc.) That gives an opportunity to trigger the vulnerability via a MMS! Easy to find crashes! Just use file fuzzers! My a few line dumb file fuzzer found lots of crashes! Mobile media players can be hackers' new target!

Case 4 :Windows Media Player Mobile Null Pointer Fuzzed an ASF file sample for a few minutes. Hunted a crash! Overwrited to Registers... But it's actually unexploitable, null pointer bug...

Case 4 :Windows Media Player Mobile Null Pointer

Case 4 :Windows Media Player Mobile Null Pointer

Case 5 :Fuzzing 3GP Video Files Fuzzed just for a few minutes again Found lots of crashes.. One of them causes freeze the phone. (will be shown in Demo part)

Mobile Malwares Why? - Money - Hobby - Spying Results? - A high bill $$$ - An empty bank account - Information leak

Terdial Malware A dialer trojan which is embedded inside a game. (3D Anti Terrorist) It makes expensive call regularly. - +8823460777, +88213213214, +2392283261 Causes very high bills!!!

Analysis of Terdial Malware creates a subkey which is named Status in current registry.

Analysis of Terdial It copies itself (smart32.exe) to windows directory.

Analysis of Terdial It calls these international numbers in several time.

Zitmo (Zeus in the mobile) Malware Mobile version of ZeuS Trojan It's aimed to defeating SMS-Based authentication of Online Banking!! Hackers stole more than $200 Million via ZeuS Coded for Symbian OS and BlackBerry

Analysis of Zitmo C&C Future! It gets remote commands via SMS. Creates a database that named Numbersdb.db and save the stole informations (incoming sms etc.) into it. Creates database, tables via RdbNamed, TdbCol etc. It uses Symbian APIs to sniff incoming SMS without notifying the user. Basically, It opens a SMS socket, hooks the SMS stack and sniffs the incoming SMS.

Analysis of Zitmo Command List of Zitmo

Analysis of Zitmo Intercepting SMS Silently.

Analysis of Zitmo SQL Commands...

DEMO Freezing the Windows Mobile with an MMS (0-day) User interaction is required :(

Conclusion Smartphones are the new target of Hackers! Exploits and malwares for smartphones are already published! Mobile Media Player vulnerabilities are important. Also Flash Lite/Mobile, Adobe Reader Mobile and Mobile Browsers are delicious targets too!

References Collin Mulliner's great research! - www.mulliner.org Www.securityarchitect.org http://www.securityarchitect.org/mobile.pdf (Terdial analysis) Thanks to suspectfile.com for malware samples

Thanks Thanks for your attention. info[at]signalsec.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information