Forristal walked through the detailed series of events that occur when Android verifies a signed app. Each layer verifies the previous one, starting with verifying that the code models haven't been tampered and ending with a digital signature of the package as a whole. He tried attacking the system at every stage, mostly without luck.
"The APK, JAR, and ZIP formats are basically the same," noted Forristal. "JAR and APK just have additional components." His final success involved leveraging the ZIP format. When he inserted an "evil" file with the same name as an existing valid file, the verifier signed off on the valid file, but the "evil" file got launched.
Why? Because Android uses different ZIP file management code in the verifier and in the actual installer. "A discrepancy of ZIP file parsing is the source of this error," explained Forristal. "In fact, there are eight separate ZIP file parsing implementations in the Android code base."
Out of the Sandbox
"I used this trick for good," said Forristal. "Now let's take it to awesome." Like iOS, Android runs each app in its own sandbox, so an app can't access resources belonging to another app. "The only way into the sandbox is to be signed by the same developer," he explained. "That's what makes updates possible."
"The system as a whole, subscribes to the same notion," he continued. "The system sandbox enforces all the other sandboxes. It controls all your settings. It's not root, but it has all your data, apps, passwords, and settings—what's left? System is pretty powerful." Apps that access the system sandbox are typically signed by the platform maker. "I just needed to get a platform-signed app and do my little trick, and I should have system-level access. That's cooler than FourSquare maps," he concluded.
It turns out that third-party VPNs need to be platform-signed, and as a bonus they already request access to the system sandbox. Forristal displayed the three simple commands he used to insert his "evil" code into a third-party VPN, joking about "über hacking tools." The result? A Trojan with full system-level access.
Easy Exploitation
Master security technologist Saurik (Jay Freeman) took the concept to the next level, explained Forristal. His Cydia Impactor tool runs on OSX and Windows and automates the exploit. "Connect a device," said Forristal, "it figures out the right app, builds it, add the appropriate hack to get root access, and delivers it. I was gonna release some cheesy little proof of concept apps, but this is awesome."
Forristal noted that the device's processor type doesn't matter. The attack isn't affected by ASLR (Address System Layout Randomization) or DEP (Data Execution Prevention). He made one version that works on four generations of Android, and the only real skill needed is knowledge of Java. "I submitted this for Black Hat because it's easy to understand and exploit," said Forristal.
More Master Keys
Forristal ran down a number of other recently discovered bugs that could be considered "master keys." When going through the code for a feature called Authenticated Attributes, Bluebox researchers found a line commented out and marked "TODO." As a result of the missing code, no matter what changes you make the file passes verification. Not many files use this feature, noted Forristal. "If you find one, you can copy and paste the certificate file and assume the identity of the developer. If you signed an app with Authenticated Attributes, you've given your identity away." As this bug was fixed before Bluebox reported it, they don't take credit.
The "Hidden Trojan" attack reported by a Chinese researcher turns out to be just one of several possible ways to exploit Android's multiple ZIP file parsers. These attacks take advantage of the fact that one parser users signed integers and the other uses unsigned integers.
"It's not even about replacing one file," enthused Forristal. "You can use this trick to feed in a completely different ZIP file. One gets verified, the other runs. A couple tricks and tidbits in this space may show even more power to this approach."
Although malware using this technique has already been seen in the wild, it shouldn't be possible to get a Trojanized file like those described here into Google Play. You probably will be safe if you always and only install apps that have passed official scrutiny. Still, to be safe, be sure to install any available Android updates immediately.
No comments:
Post a Comment