...stuff I do and things I like...

Tuesday, March 31 2015

Mobile Security News Update March 2015

Back from CanSec! Here the mobile update for March (barely made it!).

Conferences
    RSA Conference has a mobile track (link points to track) but I'm not going to list each talk here.

    Black Hat Mobile Security Summit London, UK. Believe it or not it's all mobile talks! Mostly Android, one iOS and one Windows Phone talk and like 2 generic talks.


CFPs

Android 5.1 / Nexus 5 issues: I recently updated to Android 5.1 (so did my friend Michael). Now we both have massive stability issues with our phones. Michael actually doesn't have stability issues his phone refuses to boot up. It boots until the first colored dots appear and then reboots again. The reason for this bootloop are unknown. Some people say this is due to issues with the phones power button. Michael indeed had some power button issues before the bootloop happened. My phone just started to randomly reboot. The issue seems known (search for Android 5.1 random reboot and you will find many reports).

Official Chinese translation of The Android Hacker's Handbook available on April 10th.

Dimple is a small NFC sticker with four or two buttons for Android devices. You are the one who chooses the button functionality. It makes doing everyday tasks quicker and saves your precious time. <-- from their website. This is basically a set of actual buttons (as in hardware) that you can stick on your Android. The buttons likely just activate a RFID tag that is picked up by your phone that then will perform some action. Very simple technology. Should be farely easy to hack (without physically pressing the button). Let's see, maybe I will order a sample just for fun. I have a pending Android NFC blog post anyway (but not time).

Links

Friday, March 06 2015

Load time DLL Injection via QueueUserAPC

This is hopefully my last post on DLL injection. See here Injecting a DLL into a process on load time with the ability to hook the process' entrypoint from the DLL for my initial goal and a follow up post.

After reading up on QueueUserAPC I implemented it for the use with pydbg (I use pydbg for other parts so it made sense to do this).

The trick of QueueUserAPC is that the function is called before the application's main thread is started. Basically what you have to do is:
dbg.load(exe_name)
injectdll_apc(dbg, dll_name)
dbg.run()

You can download the code for injecdll_apc() here: inject_dll_queueuserapc_pydbg.py.

Now I can finally continue working on my actual project!

DLL Injection followup

Yesterday I wrote about load time DLL injection and of course somebody (Jurriaan Bremer of cuckoo sandbox) pointed out that there is of course a pre existing tool. Specifically his inject tool that is part of cuckoo sandbox. The tool uses QueueUserAPC as the way to execute code within the process to call LoadLibrary.

updated: March 6th 2015
    I couldn't figure out what the exact difference is between QueueUserAPC and CreateRemoteThread in terms of when it is executed. The RemoteThread only executes while the program is running and if it is running it will execute code. I don't see the obvious difference for QueueUserAPC. I will read up on this but so far I will just continue with my actual project. For my project I need the guarantee that I can run my code first. That is why I went through all this hassle.

The important information from the QueueUserAPC documentation is:
    If an application queues an APC before the thread begins running, the thread begins by calling the APC function. After the thread calls an APC function, it calls the APC functions for all APCs in its APC queue.

This means: if you start the process in suspended mode and call QueueUserAPC before resuming the process the APC function will be called before the thread starts executing.

Wednesday, March 04 2015

Injecting a DLL into a process on load time with the ability to hook the process' entrypoint from the DLL

In my recent adventures into MS Windows land I needed to inject a DLL into a process at load time. The DLL should hook the program's entrypoint so that it can take control over certain aspects of the process before the actual program executes any instruction.

I thought that this must be a long solved problem and searched the web for an answer. I found 1001 ways to implement DLL injection but most of them do not support load time injection and non of them supported load time injection and hooking the entrypoint.

One solution that is very close to what I need is the AppInit_DLL mechanism. Also various sources on the Internet claim that AppInit_DLL is unstable I didn't have any issues with it in the last couple of month. The issue with AppInit_DLL is that it relies on User32.dll to be used by a particular application. Most applications use it but if User32.dll is not in the application's import list in the PE file but the application loads it manually using LoadLibraryX the AppInit_DLL injection happens too late.

When I started looking into load time DLL injection I had a hard time finding anything useful. The most useful information I found was this blog post on Injecting DLL into process on load. Their technique worked by overwriting the program's entrypoint with an endless loop (JMP $-2) to get the process running without executing any code. While the process is looping they attach a remote thread that calls LoadLibrary to inject the their DLL.

The problem with their approach is that the injected code can't take control over the entrypoint itself. Simply overwriting the endless loop with a jump to DLL code is possible but creates a race condition that mostly leads to NOT being able to hijack the entrypoint from the injected DLL.

The second problem is ASLR. Their code didn't support randomized processes.

The solution I came up with uses pydbg to load the process and carry out the injection. I also use an endless loop that I place at the program's entrypoint. But my endless loop has a defined exit, it checks if a register value is non zero and the jumps to the address in the register. The injected library's DLL main function just needs to write the address of it's entrypoint hook to the specific memory address to over write zero in the load register instruction (mov eax, 0x00000000).
loop:
  mov eax, 0x00000000;
  cmp eax, 0x00000000;
  je loop;
  jmp eax;

The second novel part is to resolve the ASLR problem. I do that by adding a small feature to pydbg that allows to set a callback for the initial breakpoint on application load. The tiny patch for pydbg is here: pydbg.patch. That breakpoint is late enough that we can call enumerate_modules() to determine the load address of our executable.

The actual steps are listed below:
  • load executable (pydbg)
  • register initial breakpoint callback (pydbg)
  • when initial break happens
    • retrieve the base address of the executable module to calculate entrypoint (needed if ASLR is present)
    • save entrypoint code to disk (12 bytes)
    • write endless loop to entrypoint (12 bytes)
    • set breakpoint on entrypoint
    • *let process continue*
  • entrypoint breakpoint is reached
    • register "user callback"
    • *let process continue* (process starts looping on entrypoint)
  • user callback is executed
    • create remote thread to inject DLL
    • detach from process
  • dllmain from injected DLL is called
    • write address of entrypoint hook into loop code at entrypoint (see dllexample.c)
    • *let process continue*
  • endless loop at entrypoint breaks and entrypoint hook of injected DLL is called
    • ... some entrypoint hook action ...
    • restore entrypoint code from file (see dllexample.c)
    • jump to entrypoint and let the process finally run


The injection tool and the example DLL that takes care of hooking and un-hooking the entrypoint is available here together with the tiny patch for pydbg. Files: injection.py dllexample.c pydbg.patch.

I hope I didn't just miss something and did all this work for nothing.

Happy Injecting!

Friday, February 27 2015

Mobile Security News Update February 2015 part 2

Conferences
    BruCon 5-7 October: Daan Raman - A distributed approach to mobile malware scanning, Markus Vervier - Stealing a Mobile Identity Using Wormholes


CFPs
My good friend Nick has started a campaign to support Android users in risk and will provide free iPhones to them

Nice captures of what happens with the cellular service when the President is around: 1 2.

Inside a StingRay. Matt Blaze would take your spare StingRay base unit.

The Gemalto hack by GSHQ/NSA makes a lot of sense and is pretty interesting. Stories by Wired and The Register.


Links

Wednesday, February 11 2015

Mobile Security News Update February 2015

Conferences
    TelcoSecDay @ Troopers Markus Vervier: Borrowing Mobile Network Identities - Just Because We Can, Tobias Engel: Securing the SS7 Interconnect, Ravishankar Borgaonkar - TelcoSecurity Mirage: 1G to 5G, Dieter Spaar - How to Assess M2M Communication from an Attacker's Perspective.

    CanSecWest Timur Yunusov & Kirill Nesterov - Bootkit via SMS: 4G access level security assesment. Team Pangu Userland Exploits of Pangu 8, the first untethered iOS8 jailbreak.

    Hack in the Box Amsterdam The Savage Curtain: Mobile SSL Failures; Eight Ou Two Mobile; Mobile Authentication Subspace Travel; Fuzzing Objects d'ART: Digging Into the New Android L Runtime Internals; Relay Attacks in EMV Contactless Cards with Android OTS Devices; Bootkit via SMS: 4G Access Level Security Assessment

TelcoSecDay @ Troopers looks pretty awesome. Too bad that I can't go because of the 100% overlap with CanSec. Sadly this seems to be a new trend that a number of top conferences overlap or are so close to each other that it is impossible to attend both.

Somebody is selling fake versions of the Android Hacker's Handbook on Amazon. Indicators are missing pictures or the white book backside (original one is black).

We recently presented BabelCrypt at Financial Crypto. I would love to see a usable implementation of this. Unfortunately I don't have the time to make this happen. I would pay money for this app.


Links

Tuesday, January 20 2015

Mobile Security News Update January 2015

Conferences
    SyScan Singapore, March. Dmitry Kurbatov: Attacks on telecom operators and mobile subscribers using SS7: from DoS to call interception. Peter Fillmore: Crash & Pay: Owning and Cloning NFC Payment cards. Stefan Esser: iOS 678 Security - A Study in Fail.

    Black Hat Asia Singapore, March. (IN)SECURITY OF MOBILE BANKING by Eric Filiol & Paul Irolla. ATTACKING SAP MOBILE by Vahagn Vardanyan & Dmitry Chastuhin. DABID: THE POWERFUL INTERACTIVE ANDROID DEBUGGER FOR ANDROID MALWARE ANALYSIS by Jin-hyuk Jung & Jieun Lee. HIDING BEHIND ANDROID RUNTIME (ART) by Paul Sabanal. RELAYING EMV CONTACTLESS TRANSACTIONS USING OFF-THE-SHELF ANDROID DEVICES by Jordi Van den Breekel. RESURRECTING THE READ_LOGS PERMISSION ON SAMSUNG DEVICES by Ryan Johnson & Angelos Stavrou. THE NIGHTMARE BEHIND THE CROSS PLATFORM MOBILE APPS DREAM by Marco Grassi & Sebastian Guerrero. WE CAN STILL CRACK YOU! GENERAL UNPACKING METHOD FOR ANDROID PACKER (NO ROOT) by Yeonung Park.


This year's SyScan unfortunatelly is the last one. Very sad to see this conference go away. SyScan was the first industry conference I spoke at!

There is a new mobile specific venu Black Hat Mobile Security Summit taking place in London in June.

The problem with unpatched bugs in Android continues: Google No Longer Provides Patches for WebView Jelly Bean and Prior. This is really one of the major issues of Android security in my opinion. In 2013 I was working on a system that helps to address this issue. Details can be found here: 1 2.

Links