Source: media.defcon.org (DEF CON China 1)
TRANSCRIPT
Zidong Han
Bridge Attack — Double-edged Sword in MobileSec
Self Introduction
l Mobile Security researcher - Tencent Mobile Security Labs Razor Team
l Focuses on App vulnerability and IoT related security
l GeekPwn 2018 winner in “Hacker Pwn in House”
l HITB-SECCONF-2018-Beijing
Agenda
Ø What is Bridge Attack
Ø Why a Bridge Attack
Ø Bridge Attack and Exploit Cases
Ø Defense against the Bridge Attack
Ø Conclusion
What is Bridge Attack
Develop Fast Without Risk?
What is Abstract Bridge
[Diagram: an Abstract Bridge connecting the Browser to a Mobile App and to an IoT Device]
l Mobile App
Ø Android: JavaScript in WebView
Ø iOS: UIWebView/WKWebView
l IoT Device
Ø DLNA/UPnP/WebSocket
“Unofficial” definition of Bridge Attack
[Diagram: Browser Attack flow. User → URL Payload → Abstract Bridge (Parse URL, Send Exploit, Result) → JsBridge / IoTBridge / … → Mobile Application / LAN IoT Device]
Why a Bridge Attack
WebView Attack in Past
l Using addJavascriptInterface to RCE
Ø CVE-2012-6336
l WebView Cross-domain Risk
Ø setAllowFileAccess
Ø setAllowFileAccessFromFileURLs
Ø setAllowUniversalAccessFromFileURLs
l URL Scheme Attack
Ø <scheme>://<host>:<port>/<path>?<query> with exported component
Difference in Bridge Attack
l More attack surface
l Vulnerability impact amplified by the bridge ability
l Both mobile apps & IoT devices
Bridge Attack and Exploit Cases
Bridge Attack Surface in Mobile Application
[Diagram: Malicious Request → Browser / Bridge in Application & WebView → Scheme Parse → Bypass Recognize / Identification Check → Fake Function Call → Action Dispatch → Mobile Device]
Bypass Identification Check
Ø XSS attack from URL
Ø Insecure domain check (CSRF)
Ø JS Bridge (@JavascriptInterface) Man-in-the-Middle Attack
Insecure Check Case I
str.contains("safe.com") / str.endsWith("safe.com") → both satisfied by 123safe.com
Exploit JsBridge Ability
Ø Custom JsApi: better or worse?
Ø A simple web attack can perform CSRF inside apps
Insecure Check Case II
http://xxx.com/mobile/middle_page/index.html?url=javascript:alert(document.cookie);//m2.mobike.com
What can we do besides stealing cookies?
Insecure Check Case II
Payload Question:
Ø Import JS file from outer URL
Ø Exec any sensitive JsApi
Ø Send user sensitive data to malicious URL
Import jsapi file
Call getUserInfo jsapi
sendRequest jsapi to get pay info
Steal user pay info
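The two insecure checks above (substring/suffix matching in Case I, a forwarded `url` parameter carrying a `javascript:` payload in Case II) side by side with a strict allowlist check. This is an added example, not the speaker's code; the trusted host list and the sample URLs are constructed for illustration.

```javascript
// Constructed allowlist of hosts that may use the JsBridge (assumption, not from the talk).
const TRUSTED_HOSTS = new Set(["safe.com", "m.safe.com"]);

// Weak check in the style of Case I: string matching on the raw URL.
// "123safe.com" and "javascript:...;//safe.com" both pass.
function weakCheck(url) {
  return url.includes("safe.com") || url.endsWith("safe.com");
}

// Hardened check: parse the URL, require https, match the host exactly.
// Returns true only when the bridge should be enabled for this page.
function strictCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);            // WHATWG parser, built into Node and browsers
  } catch (e) {
    return false;                     // unparsable input never gets bridge access
  }
  if (parsed.protocol !== "https:") return false; // rejects javascript:, http:, file:
  return TRUSTED_HOSTS.has(parsed.hostname);      // no suffix/substring matching
}

// Case II style middle page: it forwards the `url` query parameter to the WebView.
// Forward only when the target itself passes the strict check; otherwise return null.
function safeRedirectTarget(middlePageUrl) {
  const parsed = new URL(middlePageUrl);
  const target = parsed.searchParams.get("url");
  if (target === null || !strictCheck(target)) return null;
  return target;
}

// Constructed sample inputs mirroring the two cases on the slides.
const samples = [
  "https://123safe.com/",                               // Case I bypass
  "javascript:alert(document.cookie);//safe.com",       // Case II payload
  "https://safe.com/index.html",                        // legitimate page
];
for (const s of samples) {
  console.log(s, "weak:", weakCheck(s), "strict:", strictCheck(s));
}
```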
Insecure Check Case II
Attack From A Malicious URL
[Diagram: Complete exploit chain. Payload URL → Load → WebView Container → H5 → JsBridge → Native JsAPI (Pay, Info API, Native Event) / Parse URI. Attacker → User Space → JsBridge ability → Steal Info, RCE/LCE, Worm, Native Code Exec, JavaScript]
What Difference in IoT Bridge
Ø Penetrate LAN from WAN attack
- DNS Rebinding
- Bridge Attack in Brain App
- Other remote attack entries
Ø Persistent attack during the exploiting
- More broilers (compromised hosts) can be chosen in a LAN
- More attack modes can be designed and used
[Diagram: IoT in private networks. IoT bridge with cloud server: Application ↔ Cloud Server ↔ Abstract IoT Bridge (Command Request / Command Response). IoT bridge without cloud server: Application ↔ Abstract IoT Bridge over UPnP / WebSocket / other protocol]
Bridge Attack Surface in IoT Devices
[Diagram: DNS Rebinding → Browser → Private Network → Open-port analysis → Bridge protocol → Send request → Bridge in IoT device → Action dispatch → IoT in private networks]
IoT Bridge Attack Case I
DLNA Action
Ø Expose some interface with no identity checking
Ø Basically control media playability
Ø Especially: inject backdoor into TV
IoT Bridge Attack Case I
Ø Sensitive UPnP action makes security worse
Ø Remote Download -> Install App -> Launch App
Ø Attacker entering private network
IoT Bridge Attack Case II
Ø Center App with no code protection
Ø Communicates with TV with no identity check
Ø Remotely attack the smart TV by imitating Center App actions
Defense against the Bridge Attack
l For JsBridge:
Ø Check identification seriously
Ø Constrain the permissions of the bridge ability
Ø Ensure communication security with an encrypted channel (e.g. HTTPS)
l For IoT bridge:
Ø Same security policy as JsBridge
Ø Be cautious in expanding and abusing the bridge ability
Ø Make sure your command actions carry authentication tickets
Conclusion
l More targets: mobile apps and IoT devices
l Attack surface: integrate web attacks with app/IoT attacks
l Easy-to-use: by only a malicious URL, even spreads quickly and widely
l Exploit ability: RCE/LCE, sensitive information leak, APT
Thanks