
Beijing Report 2022

An analysis report of Beijing Olympics Winter Games 2022 official Android app (OWASP Saitama MTG #6, talk #1)

Takahiro Yoshimura

January 25, 2022

Transcript

  1. BEIJING REPORT 2022 OWASP SAITAMA MTG. #6; TALK #1
     Image by tomislav domes on flickr, CC-BY 2.0
  2. WHO I AM ▸ Takahiro Yoshimura (@alterakey) https://keybase.io/alterakey
     ▸ Monolith Works Inc.: Co-founder, CTO, Security researcher
     ▸ Meiji University Cyber Security Institute: Visiting Researcher
  3. WHAT I DO ▸ Security research and development
     ▸ iOS/Android apps → Financial, games, IoT related, etc. (>200)
       → trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017]
     ▸ Windows/Mac/Web/HTML5 apps → POS, RAD tools etc.
     ▸ Network/Web penetration testing → PCI-DSS etc.
     ▸ Search engine reconnaissance (aka Google Hacking) ▸ Whitebox testing ▸ Forensic analysis
  4. WHAT I DO ▸ CTF ▸ Enemy10, Sutegoma2
     ▸ METI CTFCJ 2012 Qual.: Won ▸ METI CTFCJ 2012: 3rd ▸ DEF CON 21 CTF: 6th ▸ DEF CON 22 OpenCTF: 4th
     ▸ Talks and presentations: DEF CON 25 Demo Labs (2017), DEF CON 27 AI Village (2019), CODE BLUE (2017, 2019), CYDEF (2020) etc.
     Image by Wiyre Media on flickr, CC-BY 2.0
  5. BACKGROUND / RELATED WORKS ▸ The report from Citizen Lab (US)
     ▸ Countries urging their athletes not to bring personal smartphones
     ▸ What is the background? What is the connection?
       → An issue drawing attention worldwide; e.g. https://github.com/jonathandata1/2022_beijing [1]
  6. TOOLCHAINS ▸ Trueseeing: Non-decompiling vuln. scanner (alterakey et al.) - 2.1.1.1
     ▸ Ghidra: Multi-arch disassembler (NSA!) - 10.1.1-PUBLIC
     ▸ Radare2: Multi-arch binary analysis framework (pancake et al.) - 5.5.4
     Image: Swiss Army Knife on black by Edgar Pierce on flickr, CC-BY 2.0
  7. FINDINGS ▸ trueseeing ▸ A huge number of permission requests
       → could almost be called a backdoor…
     ▸ Hints of a limited DNS over API (DoA) → a privacy concern
     ▸ A large WebView → an HTML5 application?
  8. FINDINGS ▸ HTML5… signatures added ad hoc ▸ Plaintext communication via assets ▸ Qualitative mismatches between asset MIME types and content
     ▸ Skimming through the assets ▸ User extension (2.1.1~) ▸ module: ~/.trueseeing2/ext ▸ mypy: both type checking and completion work!
  9. FINDINGS ▸ trueseeing ▸ Important?: suspicious strings; a banned-word list?, e.g.
     ▸ Japan-related: େ೔ຊສෟ (〜万歳) / ೔ຊઍ֛ยग़ᄧ / ౔ರ (親〜) etc.
       ※ "patriotism is no crime" (愛国無罪) and Hitler-type phrases are not included
     ▸ Anti-regime: 打倒共産党 / CO2ۡग़ᄧ / ڞ࢒ౘ / 反共 etc.
     ▸ Tiananmen incident; Falun Gong: 天安門事件 / 1989年6月3日 (why the 3rd?) / 198964 etc., PowertotheFalunGong etc.
  10. FINDINGS ▸ trueseeing ▸ Important: MIME type inconsistencies ▸ An intent to conceal? encryption etc.
      ▸ PNG -> JSON (a large number of plaintext communication URLs)
      ▸ JS -> binary (a format that is not any known compression)
  11. FINDINGS ▸ trueseeing ▸ Important: limited DNS over API
      ▸ Important: what goes over plaintext includes map tiles etc. ▸ Wherever you are, your DNS is in their hands, and on top of that your location leaks freely
      ▸ Probably one of the factors behind the reported findings
  12. FINDINGS ▸ trueseeing ▸ Important: a huge number of permission requests (nearly every permission, including vendor-specific ones)
      ▸ Phone/SMS, manipulating contacts, location, Wi-Fi, etc., etc. ▸ Content is served entirely from remote
        → effectively constitutes a backdoor ▸ Also one of the factors behind the reported findings
  13. … WAIT! ▸ Does it really behave that way? ▸ HTML5 app containers tend to request permissions
      ▸ Number of classes detected: 11 ..? ▸ Clearly wrong
        Size (smali total): 102487
        Size (classes.dex): 66216008
      Image by Mo Riza on flickr, CC-BY 2.0
  14. REVERSE ENGINEERING ▸ AndroidManifest.xml ▸ minSDKVersion: 21 ..
      ▸ Specifies an ApplicationContainerFactory ▸ No indication of NativeActivity involvement ▸ The referenced components are not in the smali
        → not normal
  15. REVERSE ENGINEERING ▸ The smali files ▸ Unnatural calls to debug APIs
        → not normal
      ▸ Disassembly not working properly?
        → A problem in trueseeing? No, that is not it…
  16. IMAGE ANALYSIS ▸ radare2: content distribution of classes.dex ▸ Only a tiny part is normal
        → even so, junk is scattered through it
      ▸ The rest is high-entropy data ▸ The Dalvik VM's ISA is not efficient enough to account for that ▸ What is there is also incoherent
        → possibly non-comprehensive (partial) encryption ▸ Why does it not throw errors?
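     Two of the checks behind slides 10 and 16, as an added example that is not the author's trueseeing code or extension: flag assets whose extension promises one type while the bytes say another (the PNG -> JSON and JS -> binary cases), and locate high-entropy windows in a blob such as classes.dex. Function names such as scan_assets and the SAMPLE_ASSETS / SAMPLE_BLOB inputs are this example's own, constructed here.

```python
import math
from collections import Counter

# Leading-byte signatures; the file name is never trusted.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg",
         b"dex\n": "dex", b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip"}
TEXT_EXT = {"js", "json", "html", "css", "txt", "xml"}

def sniff(data: bytes) -> str:
    """Type implied by the bytes themselves: a MAGIC type, 'json', 'text' or 'binary'."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    head = data[:512].lstrip()
    if head[:1] in (b"{", b"["):
        return "json"
    if all(32 <= b < 127 or b in b"\t\r\n" for b in head):
        return "text"
    return "binary"

def scan_assets(entries):
    """entries: iterable of (name, bytes), e.g. read from the APK's assets/ via zipfile.
    Returns [(name, ext, sniffed)] for every asset whose extension and content disagree."""
    mismatches = []
    for name, data in entries:
        ext = name.rsplit(".", 1)[-1].lower()
        kind = sniff(data)
        if (ext in MAGIC.values() and kind != ext) or \
           (ext in TEXT_EXT and kind not in ("text", "json")):
            mismatches.append((name, ext, kind))
    return mismatches

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def high_entropy_windows(data: bytes, window: int = 4096, threshold: float = 7.5):
    """Offsets of fixed-size windows above the threshold: Dalvik bytecode and its
    tables sit well below 7.5 bits/byte, compressed or encrypted blobs approach 8.0."""
    return [off for off in range(0, len(data), window)
            if entropy(data[off:off + window]) > threshold]

# Constructed sample input (not taken from the app): a "PNG" that is really JSON, a
# "JS" file that is opaque binary, a genuine PNG header, and a blob whose second
# 4 KiB window is uniformly distributed bytes.
SAMPLE_ASSETS = [
    ("assets/img/tile.png", b'{"urls": ["http://tiles.example.invalid/1/2/3.png"]}'),
    ("assets/js/app.js", bytes(range(256)) * 4),
    ("assets/img/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
]
SAMPLE_BLOB = b"\x00" * 4096 + bytes(range(256)) * 16
```

     On a real APK, feed scan_assets the (name, bytes) pairs from zipfile and high_entropy_windows the raw classes.dex; an almost uniformly high-entropy dex is the picture radare2's distribution view gave on slide 16.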
  17. IMAGE ANALYSIS ▸ The obfuscation mechanism probably works like this… ▸ A loader runs ▸ A reference causes JNI to be initialized
      ▸ JNI reads the dex from base.apk etc. and decrypts it, then creates and hands over the real classes as the ACF requests them
        ※ real class = Veneer [jclass] + impl. [C/C++]
      Image by blinking idiot on flickr, CC-BY-ND 2.0
  18. IMAGE ANALYSIS ▸ Corroboration ▸ Ghidra: libDexHelper.so
        → heavily obfuscated ▸ trueseeing: detection of the JNI references
  19. ANOTHER PERSPECTIVE ▸ Dynamic analysis ▸ Run it ▸ Emulator: 32bit [armeabi, armeabi-v7a]
        → impossible on M1 (aarch64 only)
        → x86 needed
      ▸ Real device → skipped this time; a matter of procuring a handset
      Image by Raúl González on flickr, CC-BY 2.0
  20. ANOTHER PERSPECTIVE ▸ Reference: an example of traffic analysis [1] ▸ Traffic from the official page
      ※ The URL cited there as the relevant location is probably wrong:
        https://my2022.beijing2022.cn/homepage-api/static/js/app.ea18d9374a91d4a93c17.js
      ※ "decompile" ≒ "beautify" (un-minify) ▸ Content that cannot help but raise deep concerns
  21. TAKEAWAYS ▸ The concerns appear entirely justified ▸ A huge number of permission requests plus plaintext communication ▸ DNS over API + "illegal" words
        → what happens once one of them is detected…?
      ▸ Encryption logic spanning almost the whole thing
        → an interesting structure that signals a strong intent to conceal
      ▸ Every function of the app is remotely controllable → can fairly be regarded as a backdoor
      Image by *Yu7yU* on flickr, CC-BY-NC-ND 2.0
  22. TAKEAWAYS ▸ radare2's distribution analysis is quite effective (VV → p → p → p → p)
      ▸ r2 is also quite effective for analysing dalvik code
      ▸ trueseeing: rebooted (2.1.1.1; ~4w iter.) https://github.com/alterakey/trueseeing
      ▸ The extension I wrote is here: https://gist.github.com/alterakey/e1e92bdfdad25587ebeda2267b389fc2
  23. Q?