...stuff I do and things I like...

Monday, May 18 2015

Mobile Security News Update May 2015 part 2

    SourceBoston Mat 2015: A Swift Teardown by Jared Carlson; iOS App Analytics VS Privacy: An analysis of the use of analytics by Guillaume Ross. (they still have TBD slots)

    ReCon Montreal, Canada (June): Building a Better Bluetooth Attack Framework by Chris Weedon


    CONFidence Krakow: iOS Hacking: Advanced Pentest & Forensic Techniques by Omer S. Coskun; Abusing apns for profit by Karol Wiesek

    Defcon Extracting the Painful (blue)tooth by Matteo Beccaro and Matteo Collura; Build a free cellular traffic capture tool with a vxworks based femoto by Yuwei Zheng and Haoqi Shan

    Android Security Symposium Vienna, Austria, from 9-11 September 2015. Only Androdi security talks!
Some of the upcoming conferences I covered in earlier month (e.g. HITB Amsterdam).

    Breakpoint Melbourne, Australia, October 22th-23th

    SEC-T Stockholm 17-18:th of September 2015


    The Chaos Communication Camp cfp just closed yesterday.

iPhone: I bought an iPhone 5c (as a tryout device) like two weeks ago. I used to have a iPhone 3G back in 2009. I'm pretty happy with it, usability is great and the radio/antenna seems way better then the one in the Nexus 5. One thing I noticed is that most major apps are much better on the iPhone. There are exceptions like Dropbox. The Dropbox client is missing features compared with the android version. I'm missing the text editor! Also inter-app communication is really a weakness of iOS and a strength of Android. Other annoying stuff: I can't set Chrome to be the default browser. I can't have Signal as the default SMS app. One of the most annoying things are notifications. Many apps don't support privacy friendly notifications on the lock screen. I want to see if there are new emails in an account but I don't want the sender, subject, or content to be shown. The same is true with a lot of apps. It is either no notification or notification with content. Not happy with this! But I'm a big fan of handover.

I total I'm still happy with my tryout iPhone 5c. Let's see how long.

Mobile Killswitch: The mobile killswitch now has it's first possibility for abuse: So this killswitch tech in mobile phones now, kinda scary, especially when I can lock you out from your phone from an app w/ no root by @jcase.


Wednesday, May 06 2015

Mobile Security News Update May 2015

This is actually a delayed April update!

    CircleCityCon Indianapolis. ZitMo NoM - Clientless Android Malware Control by David Schwartzberg. Making Android's Bootable Recovery Work For You by Drew Suarez. Hacking the Jolla: An Intro to Assessing A Mobile Device by Vitaly McLain and Drew Suarez.

    ShakaCon Hawaii. Making Android's Bootable Recovery Work for You by Drew Suarez.

    PhDays Moscow. Fighting Payment Fraud Within Mobile NetworksTech by Denis Gorchakov and Nikolai Goncharov. GSM Signal Interception ProtectionFast Track by Sergey Kharkov and Artyom Poltorzhitsky. RFID/NFC for the MassesHands-on Labs by Nahuel Grisolia. iOS Application Exploitation by Prateek Gianchandani.

In the last weeks I went to RSA Conference to hangout with a few people. I met the good guys from NowSecure and Zimperium as well as the fellows of DuoSecurity.

The week after I attended Qualcomm Mobile Security Summit 2015. Again this was a super interesting mobile security focused event, most likely the best one of the year. Good talks and good people. There is no general posting of slides but some presenters published their slide deck. Tim and jcase posted their slides here: Android APP Protection. It was good to meet some guys from @K33nTeam. Their presentation was pretty good too.

If you are interested in learning about Android security take Jduck's and Zach's training at DerbyCon. They know what they are talking about.

This picture is sadly very true. I really dislike the trend going towards big smartphones or phablets.

Nexus 5 issue after a long and painful struggle including factory resetting my Nexus 5 and downgrading it to Android 5.0.1 I gave up and determined that it must be a hardware fault. Most likely the power button. I also found out (via @mweissbacher) that the warranty of our Nexus 5 devices ran out in January :-(

I determined that the only decent device to buy right now is a Moto X in the Pure Edition. The pure edition is basically AOSP like shipped with the Nexus devices. So if you are looking for a normal sized smartphone that runs stock Android this might be a device for you. Motorola even states on their site that the pure edition receives more regular updates then carrier branded devices. Most likely also more frequent updates then devices that run a heavily modified Android version (shipped by most other manufacturers).

News and Links

Tuesday, March 31 2015

Mobile Security News Update March 2015

Back from CanSec! Here the mobile update for March (barely made it!).

    RSA Conference has a mobile track (link points to track) but I'm not going to list each talk here.

    Black Hat Mobile Security Summit London, UK. Believe it or not it's all mobile talks! Mostly Android, one iOS and one Windows Phone talk and like 2 generic talks.


Android 5.1 / Nexus 5 issues: I recently updated to Android 5.1 (so did my friend Michael). Now we both have massive stability issues with our phones. Michael actually doesn't have stability issues his phone refuses to boot up. It boots until the first colored dots appear and then reboots again. The reason for this bootloop are unknown. Some people say this is due to issues with the phones power button. Michael indeed had some power button issues before the bootloop happened. My phone just started to randomly reboot. The issue seems known (search for Android 5.1 random reboot and you will find many reports).

Official Chinese translation of The Android Hacker's Handbook available on April 10th.

Dimple is a small NFC sticker with four or two buttons for Android devices. You are the one who chooses the button functionality. It makes doing everyday tasks quicker and saves your precious time. <-- from their website. This is basically a set of actual buttons (as in hardware) that you can stick on your Android. The buttons likely just activate a RFID tag that is picked up by your phone that then will perform some action. Very simple technology. Should be farely easy to hack (without physically pressing the button). Let's see, maybe I will order a sample just for fun. I have a pending Android NFC blog post anyway (but not time).


Friday, March 06 2015

Load time DLL Injection via QueueUserAPC

This is hopefully my last post on DLL injection. See here Injecting a DLL into a process on load time with the ability to hook the process' entrypoint from the DLL for my initial goal and a follow up post.

After reading up on QueueUserAPC I implemented it for the use with pydbg (I use pydbg for other parts so it made sense to do this).

The trick of QueueUserAPC is that the function is called before the application's main thread is started. Basically what you have to do is:
injectdll_apc(dbg, dll_name)

You can download the code for injecdll_apc() here: inject_dll_queueuserapc_pydbg.py.

Now I can finally continue working on my actual project!

DLL Injection followup

Yesterday I wrote about load time DLL injection and of course somebody (Jurriaan Bremer of cuckoo sandbox) pointed out that there is of course a pre existing tool. Specifically his inject tool that is part of cuckoo sandbox. The tool uses QueueUserAPC as the way to execute code within the process to call LoadLibrary.

updated: March 6th 2015
    I couldn't figure out what the exact difference is between QueueUserAPC and CreateRemoteThread in terms of when it is executed. The RemoteThread only executes while the program is running and if it is running it will execute code. I don't see the obvious difference for QueueUserAPC. I will read up on this but so far I will just continue with my actual project. For my project I need the guarantee that I can run my code first. That is why I went through all this hassle.

The important information from the QueueUserAPC documentation is:
    If an application queues an APC before the thread begins running, the thread begins by calling the APC function. After the thread calls an APC function, it calls the APC functions for all APCs in its APC queue.

This means: if you start the process in suspended mode and call QueueUserAPC before resuming the process the APC function will be called before the thread starts executing.

Wednesday, March 04 2015

Injecting a DLL into a process on load time with the ability to hook the process' entrypoint from the DLL

In my recent adventures into MS Windows land I needed to inject a DLL into a process at load time. The DLL should hook the program's entrypoint so that it can take control over certain aspects of the process before the actual program executes any instruction.

I thought that this must be a long solved problem and searched the web for an answer. I found 1001 ways to implement DLL injection but most of them do not support load time injection and non of them supported load time injection and hooking the entrypoint.

One solution that is very close to what I need is the AppInit_DLL mechanism. Also various sources on the Internet claim that AppInit_DLL is unstable I didn't have any issues with it in the last couple of month. The issue with AppInit_DLL is that it relies on User32.dll to be used by a particular application. Most applications use it but if User32.dll is not in the application's import list in the PE file but the application loads it manually using LoadLibraryX the AppInit_DLL injection happens too late.

When I started looking into load time DLL injection I had a hard time finding anything useful. The most useful information I found was this blog post on Injecting DLL into process on load. Their technique worked by overwriting the program's entrypoint with an endless loop (JMP $-2) to get the process running without executing any code. While the process is looping they attach a remote thread that calls LoadLibrary to inject the their DLL.

The problem with their approach is that the injected code can't take control over the entrypoint itself. Simply overwriting the endless loop with a jump to DLL code is possible but creates a race condition that mostly leads to NOT being able to hijack the entrypoint from the injected DLL.

The second problem is ASLR. Their code didn't support randomized processes.

The solution I came up with uses pydbg to load the process and carry out the injection. I also use an endless loop that I place at the program's entrypoint. But my endless loop has a defined exit, it checks if a register value is non zero and the jumps to the address in the register. The injected library's DLL main function just needs to write the address of it's entrypoint hook to the specific memory address to over write zero in the load register instruction (mov eax, 0x00000000).
  mov eax, 0x00000000;
  cmp eax, 0x00000000;
  je loop;
  jmp eax;

The second novel part is to resolve the ASLR problem. I do that by adding a small feature to pydbg that allows to set a callback for the initial breakpoint on application load. The tiny patch for pydbg is here: pydbg.patch. That breakpoint is late enough that we can call enumerate_modules() to determine the load address of our executable.

The actual steps are listed below:
  • load executable (pydbg)
  • register initial breakpoint callback (pydbg)
  • when initial break happens
    • retrieve the base address of the executable module to calculate entrypoint (needed if ASLR is present)
    • save entrypoint code to disk (12 bytes)
    • write endless loop to entrypoint (12 bytes)
    • set breakpoint on entrypoint
    • *let process continue*
  • entrypoint breakpoint is reached
    • register "user callback"
    • *let process continue* (process starts looping on entrypoint)
  • user callback is executed
    • create remote thread to inject DLL
    • detach from process
  • dllmain from injected DLL is called
    • write address of entrypoint hook into loop code at entrypoint (see dllexample.c)
    • *let process continue*
  • endless loop at entrypoint breaks and entrypoint hook of injected DLL is called
    • ... some entrypoint hook action ...
    • restore entrypoint code from file (see dllexample.c)
    • jump to entrypoint and let the process finally run

The injection tool and the example DLL that takes care of hooking and un-hooking the entrypoint is available here together with the tiny patch for pydbg. Files: injection.py dllexample.c pydbg.patch.

I hope I didn't just miss something and did all this work for nothing.

Happy Injecting!

Friday, February 27 2015

Mobile Security News Update February 2015 part 2

    BruCon 5-7 October: Daan Raman - A distributed approach to mobile malware scanning, Markus Vervier - Stealing a Mobile Identity Using Wormholes

My good friend Nick has started a campaign to support Android users in risk and will provide free iPhones to them

Nice captures of what happens with the cellular service when the President is around: 1 2.

Inside a StingRay. Matt Blaze would take your spare StingRay base unit.

The Gemalto hack by GSHQ/NSA makes a lot of sense and is pretty interesting. Stories by Wired and The Register.