One Root To Own Them All
DESCRIPTION
One Root To Own Them All. Black Hat US 2013, Jeff Forristal @ Bluebox. Outline: Introduction; Android APK Overview; Jar and Jar Signer; Exploit Analysis; APK Install Process (Normal Case, Abnormal Case); Vulnerability Point; Patch; Similar Approach; Conclusion; Reference.
TRANSCRIPT
Page 1
One Root To Own Them All
Black Hat US 2013, Jeff Forristal @ Bluebox
Page 2
Outline
• Introduction
• Android APK Overview
• Jar and Jar Signer
• Exploit Analysis
• APK Install Process
  – Normal Case
  – Abnormal Case
• Vulnerability Point
• Patch
• Similar Approach
• Conclusion
• Reference
Page 3
Introduction
Page 4
Vulnerability Description
Page 5
Attack Surface
Page 6
Android APK Overview
Page 7
Android APK
• APK stands for Android application package file.
• It is just a Jar file with some additional files that Android needs.
Page 8
Android APK Content
• Package resource files:
  – Android Manifest
  – Some pictures, audio files, etc.
• classes.dex
• META-INF/Manifest.MF
Page 9
Compile Android APK
• What we usually do:
  – 1. Write code in Eclipse / Android Studio
  – 2. Press the compile button
  – Simple and easy
Page 10
Compile Android APK
Page 11
Compile Android APK
• 1. aapt creates R.java from the following files:
  – Android Manifest
  – Resources
  – Assets
• 2. javac compiles the source code together with some libraries -> generates many *.class files.
• 3. dx transforms the Java bytecode into Dalvik bytecode -> the many *.class files are merged into one classes.dex.
• 4. apkbuilder generates an unsigned APK from the following files:
  – classes.dex
  – Package resource files
• 5. jarsigner signs the unsigned APK, producing the signed APK: E(unsigned APK, Key) = signed APK
Page 12
Jar and JarSigner
Page 13
Jar
• Jar stands for Java Archive
• The Jar file format is the same as the Zip file format
• File contents:
  – *.class
  – Resources
  – META-INF/Manifest.MF
Page 14
Jar / Android APK
Page 15
JarSigner
• Generates a signature for a JAR (Java Archive)
• Verifies the signature of a signed JAR file
• Two additional files are placed in the META-INF directory:
  – the signature file, with .SF as extension
  – the signature block file, with .DSA as extension
Page 16
JarSigner - Signing
[Diagram: aapt -> jarsigner]
Page 17
JarSigner - Signing
Integrity
Page 18
JarSigner - Signing
Integrity
Page 19
JarSigner - Signing
Identity
Page 20
JarSigner - Signing
Identity
Page 21
JarSigner - Signing
Certificate
Page 22
Public Key
Digital Signature for the Certificate
Page 23
Attempts
Page 24
Attempts
Page 25
Attempts
Page 26
APK Install Process
Page 27
Overview
Page 28
[Diagram: PackageManager -> PackageParser (parsing package and verify), Installer (sending command to installd), PackageHandler (handle event)]
Page 29
Overview
• Parsing
• Verify
• Install
Page 30
Parsing
[Diagram: JarFile.class / JarEntry.class reading an Android APK made of File 1 .. File 4 and the Central Directory]
Page 31
Parsing
[Diagram: JarFile.class / JarEntry.class reading an Android APK: File 1 .. File 4, then the Central Directory holding File 1 .. File 4 Meta-Data and the End of Central Directory]
Page 32
Parsing, Verify and Install
• 1. Get the entry list from the Central Directory.
• 2. Create a JarEntry object for each entry and put it into the mEntries HashMap.
  – The index is calculated by:
    • secondHash(String entry name)
• 4. JarVerifier verifies each entry according to mEntries.
• 5. After verification, find the classes.dex entry and install it.
Page 36
Normal Case
Page 37
Parsing
[Diagram (normal case): the Android APK holds Manifest.xml, META-INF, res, classes.dex and a Central Directory with 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. res Meta-Data, End of Central Directory; parsing creates one ZipEntry object per entry (Manifest.xml, META-INF, res, Classes.dex, ...) in mEntries]
Page 38
Verify
[Diagram (normal case): JarVerifier checks each ZipEntry object held in mEntries (Manifest.xml, META-INF, res, Classes.dex, ...)]
Page 39
Install
[Diagram (normal case): using the Central Directory meta-data (1. Manifest.xml, 2. META-INF, 3. classes.dex, 4. res, End of Central Directory), installd takes classes.dex from the Android APK]
Page 40
What If …
[Diagram: the normal Android APK (Manifest.xml, META-INF, res, classes.dex, Central Directory) next to a modified one that carries a second classes.dex entry: classes.dex, res, Manifest.xml, META-INF, classes.dex, Central Directory]
Page 41
Parsing
[Diagram (abnormal case): the Central Directory now lists 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. classes.dex Meta-Data, 5. res Meta-Data, End of Central Directory; both classes.dex entries map to the same name-keyed slot in mEntries, so a single Classes.dex ZipEntry object remains alongside Manifest.xml, META-INF, res, ...]
Page 42
Verify
[Diagram (abnormal case): JarVerifier checks the ZipEntry objects in mEntries, including the single Classes.dex entry that survived (marked !!!!!!)]
Page 43
Install
[Diagram (abnormal case): installd reads from the archive that carries two classes.dex entries (Central Directory: 1. Manifest.xml, 2. META-INF, 3. classes.dex, 4. classes.dex, 5. res Meta-Data, End of Central Directory); the classes.dex it installs (marked !!!!!!) is located through the Central Directory meta-data, independently of the mEntries map that was verified]
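An added Python check (not from the slides) that models the mismatch the last three slides draw: it walks the ZIP central directory by hand so duplicate names survive, shows how a name-keyed map like mEntries keeps only the last classes.dex, and flags duplicate names as grounds to reject the archive before verification. The two sample archives are constructed inline; the name-keyed map is a stand-in for Android's HashMap, not its code.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

EOCD_SIG = b"PK\x05\x06"  # end of central directory record
CDFH_SIG = b"PK\x01\x02"  # central directory file header

def central_directory_names(data: bytes) -> list:
    """Every entry name in central-directory order, duplicates included."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd disk, entries on disk, total entries, cd size, cd offset
    _, _, _, _, total, _, cd_off = struct.unpack("<4sHHHHII", data[eocd:eocd + 20])
    names, pos = [], cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CDFH_SIG:
            raise ValueError("corrupt central directory")
        # name / extra / comment lengths sit at offsets 28, 30, 32; name starts at 46
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8"))
        pos += 46 + name_len + extra_len + comment_len
    return names

def name_keyed_view(data: bytes) -> dict:
    """Model of a name-keyed map like mEntries: a later duplicate silently
    replaces the earlier one, so a verifier driven by the map sees only one."""
    return {name: idx for idx, name in enumerate(central_directory_names(data))}

def duplicate_entries(data: bytes) -> dict:
    """Names listed more than once -> count; non-empty means reject the
    archive before signature verification rather than pick one copy."""
    return {n: c for n, c in Counter(central_directory_names(data)).items() if c > 1}

def build_sample(entries) -> bytes:
    """Constructed sample archive; zipfile warns on duplicate names but writes them."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for name, body in entries:
                zf.writestr(name, body)
    return buf.getvalue()

# Constructed inputs: a normal layout and one carrying classes.dex twice.
NORMAL = build_sample([("AndroidManifest.xml", b"<m/>"), ("classes.dex", b"dex-A")])
DOUBLE = build_sample([("AndroidManifest.xml", b"<m/>"), ("classes.dex", b"dex-A"),
                       ("classes.dex", b"dex-B")])
```

For DOUBLE the raw walk returns three names while the name-keyed view holds two, which is exactly the gap between what the verifier sees and what the archive contains; duplicate_entries(DOUBLE) reports {'classes.dex': 2}.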
Page 44