One root to own them all
One Root To Own Them All. Black Hat US 2013. Jeff Forristal @ Bluebox.

Outline

  • Introduction

  • Android APK Overview

  • Jar and Jar Signer

  • Exploit Analysis

  • APK Install Process

    • Normal Case

    • Abnormal Case

  • Vulnerability Point

  • Patch

  • Similar Approach

  • Conclusion

  • Reference


Introduction


Vulnerability Description


Attack Surface


Android APK Overview


Android APK

  • APK stands for Android application package file.

  • An APK is just a JAR file with some additional files that Android needs.


Android APK Content

  • Package resource files:

    • Android Manifest

    • Some pictures, audio files, ...

    • Etc.

  • classes.dex

  • META-INF/MANIFEST.MF


Compile Android APK

  • What we usually do:

    • 1. Write code in Eclipse / Android Studio

    • 2. Press the compile button

    • Simple and easy

Compile Android APK

  • 1. aapt creates R.java from the following files:

    • Android Manifest

    • Resources

    • Assets

  • 2. javac compiles the source code together with some libraries

    -> generates many *.class files.

  • 3. dx transforms the Java bytecode into Dalvik bytecode

    -> the many *.class files are merged into one classes.dex

  • 4. apkbuilder generates the unsigned APK from the following files:

    • classes.dex

    • Package Resources Files

  • 5. jarsigner signs the unsigned APK, producing the signed APK

    • E(unsigned APK, Key) = signed APK


Jar and JarSigner


Jar

  • Jar stands for Java Archive

  • The JAR file format is the same as the ZIP file format

  • File contents:

    • *.class files

    • Resources

    • META-INF/MANIFEST.MF


[Figure: Jar and Android APK]


JarSigner

  • Generates the signature for a JAR (Java Archive)

  • Verifies the signature of a signed JAR file

  • Two additional files are placed in the META-INF directory:

    • signature file with the .SF extension

    • signature block file with the .DSA extension


JarSigner - Signing

[Diagram slides, labels only: jarsigner and aapt; Integrity; Identity; Certificate (Public Key, Digital Signature for the Certificate)]


Attempts


Attempts1

Attempts


Attempts2

Attempts


Apk install process

APK Install Process


Overview

[Diagram: PackageManager with PackageParser (Parsing Package and Verify), Installer (Sending Command to installd) and PackageHandler (Handle Event)]

  • Parsing

  • Verify

  • Install


Parsing

[Diagram: the Android APK as an archive of File 1 to File 4, followed by the Central Directory (File 1 Meta-Data to File 4 Meta-Data) and the End of Central Directory; labels JarFile.Class and JarEntry.Class]

Parsing, Verify and Install

  • 1. Get the list of entries from the Central Directory.

  • 2. Create a JarEntry object for each entry and put it into the mEntries HashMap.

    • The index is calculated by:

      • secondHash(String entry name)

  • 4. JarVerifier verifies each entry according to mEntries.

  • 5. After verification, find the classes.dex entry and install it.


Normal Case


Parsing

[Diagram: the Android APK holds Manifest.xml, META-INF, classes.dex and res, followed by the Central Directory (1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. res Meta-Data) and the End of Central Directory. mEntries holds a ZipEntry object for each of Manifest.xml, META-INF, Classes.dex and res.]


Verify

[Diagram: mEntries with ZipEntry objects for Manifest.xml, META-INF, Classes.dex and res]


Install

[Diagram: installd and the Android APK (Manifest.xml, META-INF, classes.dex, res) with the same four Central Directory records and the End of Central Directory]


What If …

[Diagram: two Android APK layouts, each ending in a Central Directory. One holds Manifest.xml, META-INF, classes.dex and res; the other holds Manifest.xml, META-INF, res and two classes.dex entries.]


Parsing

[Diagram: the Central Directory now lists 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. classes.dex Meta-Data, 5. res Meta-Data, then the End of Central Directory. mEntries labels: Manifest.xml, META-INF, Classes.dex, res, Classes.dex (ZipEntry objects).]


Verify

[Diagram: mEntries labels Manifest.xml, META-INF, Classes.dex, res, Classes.dex (ZipEntry objects), marked "!!!!!!"]


Install

[Diagram: installd and the APK holding Manifest.xml, classes.dex, META-INF, classes.dex and res, marked "!!!!!!", with the five Central Directory records above and the End of Central Directory]
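
A defensive check for the "What If" case above, added here as an example and not part of the original slides: it lists the central directory of an archive, flags entry names that occur more than once, and shows that a name-keyed map (like the mEntries HashMap in step 2) ends up with fewer entries than the archive lists. It uses Python's zipfile rather than Android's JarFile; the function names are hypothetical and the sample archives are constructed with placeholder contents.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entry_names(apk_bytes):
    """Return {name: count} for names listed more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def map_view(apk_bytes):
    """Return (central directory records, entries left in a name-keyed map)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        records = zf.infolist()
        entries = {}
        for info in records:
            entries[info.filename] = info  # same key: the later put replaces the earlier
        return len(records), len(entries)


def build_sample(names):
    """Constructed test archive with placeholder contents (not a real APK)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about duplicate names but still writes them
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, f"placeholder {i}".encode())
    return buf.getvalue()


# Entry names taken from the slides' diagrams; contents are constructed.
NORMAL = build_sample(["Manifest.xml", "META-INF", "classes.dex", "res"])
ABNORMAL = build_sample(["Manifest.xml", "META-INF", "classes.dex", "classes.dex", "res"])

if __name__ == "__main__":
    for label, data in (("normal", NORMAL), ("abnormal", ABNORMAL)):
        print(label, duplicate_entry_names(data), map_view(data))
```

An archive for which `duplicate_entry_names` returns a non-empty result should be rejected before any signature verification is attempted.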

