One Root To Own Them All

Black Hat US 2013. Jeff Forristal @ Bluebox.

Presentation Transcript


  1. One Root To Own Them All Black Hat US 2013 Jeff Forristal @ Bluebox

  2. Outline
     • Introduction
     • Android APK Overview
     • Jar and Jar Signer
     • Exploit Analysis
     • APK Install Process
     • Normal Case
     • Abnormal Case
     • Vulnerability Point
     • Patch
     • Similar Approach
     • Conclusion
     • Reference

  3. Introduction

  4. Vulnerability Description

  5. Attack Surface

  6. Android APK Overview

  7. Android APK
     • APK stands for Android application package file.
     • Just a Jar file with some other new files that Android needs.

  8. Android APK Content
     • Package resource files:
       • Android Manifest
       • Some pictures, audio files…
       • Etc…
     • classes.dex
     • META-INF/MANIFEST.MF

  9. Compile Android APK
     • What we usually do:
       1. Write code in Eclipse / Android Studio
       2. Press the compile button
     • Simple and easy

  10. Compile Android APK

  11. Compile Android APK
     1. aapt creates R.java according to the following files:
       • Android Manifest
       • Resources
       • Assets
     2. Use javac to compile the source code with some libraries -> generates many *.class files.
     3. Use dx to transform Java bytecode into Dalvik bytecode -> the many *.class files are merged into one classes.dex.
     4. Use apkbuilder to generate an unsigned APK from the following files:
       • classes.dex
       • Package resource files
     5. Use jarsigner to sign the unsigned APK into a signed APK:
       • E(unsigned APK, Key) = signed APK

  12. Jar and JarSigner

  13. Jar
     • Jar stands for Java Archive.
     • The Jar file format is the same as the Zip file format.
     • File contents:
       • *.class
       • Resources
       • META-INF/MANIFEST.MF

  14. Jar Android APK

  15. JarSigner
     • Generates a signature for a JAR (Java Archive).
     • Verifies the signature of a signed JAR file.
     • Two additional files are placed in the META-INF directory:
       • a signature file with the .SF extension
       • a signature block file with the .DSA extension

  16. JarSigner - Signing jarsigner aapt

  17. JarSigner - Signing Integrity

  18. JarSigner - Signing Integrity

  19. JarSigner - Signing Identity

  20. JarSigner - Signing Identity

  21. JarSigner - Signing Certificate

  22. Public Key Digital Signature for the Certificate

  23. Attempts

  24. Attempts

  25. Attempts

  26. APK Install Process

  27. Overview

  28. [Diagram] Components: PackageManager, PackageParser, Installer, PackageHandler. Steps: Parsing Package And Verify; Sending Command to installd; Handle Event.

  29. Overview • Parsing • Verify • Install

  30. Parsing [Diagram: an Android APK laid out as File 1, File 2, File 3, File 4, followed by the Central Directory; labelled with JarFile.Class and JarEntry.Class]

  31. Parsing [Diagram: the same APK layout, with the Central Directory expanded into File 1 Meta-Data, File 2 Meta-Data, File 3 Meta-Data, File 4 Meta-Data, followed by the End of Central Directory]

  32. Parsing, Verify and Install
     • 1. Get the entries list from the Central Directory.
     • 2. Create a JarEntry object for each entry and put it into the mEntries HashMap.
       • The index is calculated by:
       • secondHash(String entry name)
     • 4. JarVerifier verifies each entry according to mEntries.
     • 5. After verification, find the classes.dex entry and install it.

  36. Normal Case

  37. Parsing [Diagram: Android APK containing Manifest.xml, META-INF, classes.dex, res; Central Directory with 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. res Meta-Data, then End of Central Directory; mEntries holding ZipEntry objects for Manifest.xml, META-INF, Classes.dex, res]

  38. Verify [Diagram: mEntries holding ZipEntry objects for Manifest.xml, META-INF, Classes.dex, res]

  39. Install [Diagram: installd; Android APK containing Manifest.xml, META-INF, classes.dex, res; Central Directory with 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. res Meta-Data, then End of Central Directory]

  40. What If … [Diagram: two Android APK layouts side by side, each with its Central Directory; one contains Manifest.xml, META-INF, classes.dex, res; the other contains Manifest.xml, META-INF, classes.dex, classes.dex, res]

  41. Parsing [Diagram: Android APK containing Manifest.xml, classes.dex, META-INF, classes.dex, res; Central Directory with 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. classes.dex Meta-Data, 5. res Meta-Data, then End of Central Directory; mEntries listing ZipEntry objects for Manifest.xml, META-INF, Classes.dex, res, Classes.dex]

  42. Verify [Diagram: mEntries listing ZipEntry objects for Manifest.xml, META-INF, Classes.dex, res, Classes.dex; marked "!!!!!!"]

  43. Install [Diagram: installd; Android APK containing Manifest.xml, classes.dex, META-INF, classes.dex (marked "!!!!!!"), res; Central Directory with 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. classes.dex Meta-Data, 5. res Meta-Data, then End of Central Directory]
