
By: Chuqing He
Android Overview
- Purchased by Google in 2005
- First Android phone was sold in Oct. 2008
- Linux-based
- Holds 75% of the worldwide smartphone market
CVE Entries for Android

Use-After-Free Remote Shellcode Execution on WebKit
• Discovered by MJ Keith
• CVE-2010-1807
• CVSS: 9.3
• Allows a remote attacker to execute arbitrary code or cause a denial of service via a crafted HTML document
• Affects Android 2.1 and earlier
WebKit
• Layout engine software designed to allow web browsers to render web pages
• Default browser engine in Apple iOS, Android, BlackBerry, etc.
Background
• Remote shellcode provides the attacker with access to the target machine across the network
• Use after free
   A pointer to memory that was deallocated; reallocating that memory can lead to control
• Android protects the stack from being overwritten
• Randomized stack layout prevents the attacker from relying on specific addresses
• We target the heap
Attack Overview
• Make references to the element in 2 different ways
• Remove the element using our second reference, unlocking the memory. The first reference retains its pointer to the deallocated spot in memory
• We can reallocate the memory to the first reference
• Using a for loop we can create the same string over and over until garbage is collected and the memory is refilled with our new data
• We can now request data from our original variable
• Break before we crash
Continued
• We control the address in r0
• We need to send it to an address that will point to our shellcode
• We need to control heap memory
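An added example in C, not from the slides, of the bug class behind CVE-2010-1807 and its defence: the first function shows the two-reference pattern from the Attack Overview, where freeing through the second reference leaves the first one dangling; the second function gives every reference a count (the same idea as WebKit's RefPtr), so a removal through one reference cannot free storage the other still uses. The Element type and all function names are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for a DOM element reachable through two references.
 * Type and function names are constructed for this example, not WebKit's. */
typedef struct Element {
    int refcount;
    char text[16];
} Element;

static Element *element_create(const char *text) {
    Element *e = calloc(1, sizeof *e);
    if (e == NULL) return NULL;
    e->refcount = 1;
    strncpy(e->text, text, sizeof e->text - 1);
    return e;
}

/* Taking a second reference records it, so the object cannot be freed under it. */
static Element *element_retain(Element *e) { e->refcount++; return e; }

/* Drops one reference; returns 1 only when this call actually freed the object. */
static int element_release(Element *e) {
    if (--e->refcount > 0) return 0;
    free(e);
    return 1;
}

/* Bug class from the slide: two raw aliases, the object is removed through one.
 * Returns 1 when the first alias is left dangling (non-NULL, storage freed). */
int raw_alias_dangles(void) {
    Element *first = element_create("a");
    Element *second = first;      /* second reference, ownership not tracked */
    free(second);                 /* "remove" via the second reference */
    second = NULL;
    return first != NULL;         /* first still points at freed memory: a UAF if used */
}

/* Hardened form: each alias holds a counted reference, so removing through
 * `second` cannot free storage that `first` still uses. */
int counted_alias_stays_valid(void) {
    Element *first = element_create("a");
    if (first == NULL) return 0;
    Element *second = element_retain(first);
    int freed_on_remove = element_release(second);  /* 2 -> 1, nothing freed */
    second = NULL;
    int readable = strcmp(first->text, "a") == 0;   /* object is still live */
    int freed_on_last = element_release(first);     /* 1 -> 0, freed now */
    return !freed_on_remove && readable && freed_on_last;
}
```

Running the first function under AddressSanitizer with a dereference of `first` added is the quickest way to see the class of fault the slide describes as "break before we crash".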
Android Data Stealing Vulnerability
• Discovered by Thomas Cannon
• CVE-2010-4804
• CVSS score: 4.3
• Allows remote attackers to obtain SD card contents via a crafted URL
• Affects Android 2.3.3 and earlier
Attack Overview
• The Android Browser doesn't prompt the user when downloading a file
   For the file "payload.html", it automatically downloads to /sdcard/download/payload.html
• It is possible to automatically open this payload using JavaScript, causing the browser to render the local file
Attack Overview
• When opening an HTML file within this local context, the Android browser will run JavaScript without prompting the user
• While in this local context, the JavaScript is able to read the contents of files
Mitigation
• Disable JavaScript in the browser
• Use another browser: it prompts you before downloading the payload
• Watch for HTML files sent through email