Week 7 Flashcards
Generic Exploit Mitigation Protections
Memory corruption issues in operating systems, including Android, have been exploited by attackers.
Security measures are introduced to prevent and respond to such exploits, aiming to make exploitation more difficult.
Android’s exploit mitigations are derived from the Linux kernel.
Android applications can include native code, which can be exploited if accessible.
Android’s exploit mitigations have been in place since version 4.0 (Ice Cream Sandwich).
Stack Cookies - EM
Detects stack-based overflows.
safe_iop - EM
Mitigates integer overflows.
dlmalloc extensions - EM
Prevents vulnerabilities like double free() in heap management.
calloc extensions - EM
Addresses integer overflows during memory allocations.
Format String Protections - EM
Guards against format string vulnerabilities exploitation.
NX - EM
Blocks execution of code on the stack or heap.
Partial ASLR - EM
Randomizes memory segment locations to thwart ROP attacks.
PIE Support - EM
Randomizes all memory components for ASLR, including app_process and linker.
RELRO and BIND_NOW - EM
Makes process data sections read-only to prevent GOT overwrites.
FORTIFY_SOURCE L1 - EM
Substitutes vulnerable C functions to prevent memory corruption.
FORTIFY_SOURCE L2 - EM
Enhances protection with fortified function versions.
SELinux Permissive - EM
Implements access control policies, logging without enforcement.
SELinux Enforcing - EM
Actively enforces specified security policies.
Understanding the Security Model
The security model requires a definition of authorized actions for apps.
Apps must know what they can do and whether other apps are authorized for specific actions.
This requires a clearly defined concept of app identity.
Rooting
Methods include placing an ‘su’ binary in /system/bin or /system/xbin.
In code:
Runtime.getRuntime().exec(new String[]{"su", "-c", "id"});
Android root manager applications prompt the user for permission.
After exploitation, a custom version of ‘su’ can be installed for persistence; drozer provides one in its ‘tools.setup.minimalsu’ module.
This custom ‘su’ calls setuid(0) and setgid(0) directly, so no user prompt is shown.
Rooting Methods
Common rooting methods involve using exploits or leveraging unlocked bootloaders.
Using an Exploit - Gingerbreak
The Gingerbreak exploit targets the Volume Manager (vold) in Android versions 2.2 to 3.0.
It involves an array access error and manipulation of the Global Offset Table (GOT) to execute the ‘sh’ binary as root.
Users need to have ‘log’ group access to exploit this vulnerability.
Using an Exploit – Exynos Abuse – Exploiting Custom Drivers
Custom drivers for hardware can contain vulnerabilities.
An exploit was found on Samsung Galaxy S3 devices with Exynos chipsets.
It involved a block device, /dev/exynos-mem, which allowed mapping kernel memory into user space.
The exploit altered a comparison in the kernel’s setresuid code, granting root access.
Bypassed kptr_restrict, which normally prevents applications from reading kernel pointers.
Using an Exploit – Samsung Admire Vulnerability via Symlinks
Loose file permissions in Samsung Admire allowed root access.
An attacker created a symlink and triggered an app crash to write files with world-writable permissions.
This exploit was specific to Samsung Admire.
Using an Exploit – Acer Iconia – Exploiting SUID Binaries
SUID binaries owned by root and executable by anyone are prime targets for root exploit developers.
A vulnerability in the Acer Iconia A100’s SUID binary named cmdclient allowed command injection, enabling arbitrary command execution with root privileges.
Reverse-Engineering Applications
Reverse-engineering is the process of analyzing and understanding applications without source code.
Tools like Dexdump, Smali, Baksmali, Dex2jar, JD-GUI, and Apktool help with disassembling and decompiling applications.
Disassembling DEX Bytecode
DEX files contain Dalvik bytecode, which can be converted into a low-level assembly format.
The ‘dexdump’ tool is used for disassembling DEX files.
Smali and Baksmali are tools that help convert DEX files into more readable class files.
Decompiling DEX Bytecode
Decompiling DEX files can be more informative than disassembled code.
Dex2jar is a tool for converting DEX files to Java Class files.
JD-GUI can decompile JAR files back into Java source code.
Decompiling Optimized DEX Bytecode
DEX files for system apps are typically pre-optimized and stored as ODEX files.
The ‘oatdump’ tool can disassemble OAT files.
Tools like ‘oat2dex’ can extract DEX files from OAT files.
Reversing Native Code in Android
Native components in Android apps are often in machine code for ARM, x86, or MIPS.
Tools like IDA, Apktool, Jadx, and JAD assist in reverse-engineering native code.
Android’s ART system converts DEX files into OAT files, which can also be reverse-engineered.
Dealing with ART
The ‘oatdump’ tool can disassemble OAT files, similar to ‘dexdump’ for DEX files.
‘oat2dex’ is a script that extracts DEX files from OAT files for reverse engineering.