Chasing In The Backstage

Transcript

1. CHASING IN THE BACKSTAGE OWASP SAITAMA MTG #9, TALK #2

2. TEXT SESSION FLAGS ▸ ࿥ըɾ࿥Իɾެ։: OK Image by Nico Kaiser

   on flickr, CC-BY 2.0

3. TEXT WHO I AM ▸ Takahiro Yoshimura (@alterakey) https://keybase.io/alterakey ▸

   Monolith Works Inc. Co-founder, CTO Security researcher ▸ ໌࣏େֶαΠόʔηΩϡϦςΟݚڀॴ ٬һݚڀһ

4. TEXT WHAT I DO ▸ Security research and development ▸

   iOS/Android Apps →Financial, Games, IoT related, etc. (>200) →trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017] ▸ Windows/Mac/Web/HTML5 Apps →POS, RAD tools etc. ▸ Network/Web penetration testing →PCI-DSS etc. ▸ Search engine reconnaissance (aka. Google Hacking) ▸ Whitebox testing ▸ Forensic analysis

5. TEXT WHAT I DO ▸ CTF ▸ Enemy10, Sutegoma2 ▸

   METI CTFCJ 2012 Qual.: Won ▸ METI CTFCJ 2012: 3rd ▸ DEF CON 21 CTF: 6th ▸ DEF CON 22 OpenCTF: 4th ▸ ൃදɾߨԋͳͲ DEF CON 25 Demo Labs (2017) DEF CON 27 AI Village (2019) CODE BLUE (2017, 2019) CYDEF (2020) etc. Image by Wiyre Media on flickr, CC-BY 2.0

6. DO YOU KNOW..?

7. TIKTOK ▸ ྑ͘࢖ΘΕ͍ͯΔSNSΞϓϦ ▸ ಈըڞ༗ ▸ ίϝϯτػೳ etc.

8. TIKTOK ▸ ӡӦ฼ମ ▸ ByteDance Ltd. (த՚ਓຽڞ࿨ࠃ) Photo by VCG

9. TEXT BACKGROUND ▸ In-app browserʹJSΛ஫ೖ →͜Ε͚ͩͳΒྑ͋͘Δ࿩ →KeystrokeΛऔ͍ͬͯΔͷͰ͸ʁͱ͍͏ٙ࿭ ▸ ൃݟऀʹΑͬͯݕग़αΠτ͕࡞੒͞Εͨ ▸

   TikTokͷଞʹ΋Instagram΍SnapchatͳͲ ▸ Androidʹ͍ͭͯ͸ʁެࣜൃදͳ͠ ▸ iOS 14.3Ҏ߱Ͱݕग़ෆೳͳख๏͕ར༻Մೳʹ (WKContentWorld) →ܯ৊Λ໐Β͍ͯ͠Δ

10. TEXT BACKGROUND ▸ ੩తʹ͸ݟ͑ͳ͍ͷ͔ʁ Android͸Өڹͳ͍ͷ͔ʁ →͜ΕҎ֎ʹಠࣗղੳɾൃද͸ࠓݱࡏͳ͍ ▸ ੩తղੳʹϦόʔεΤϯδχΞϦϯά

11. WAIT, BUT IS IT LEGAL? ▸ ೔ຊͰ΋߹๏ʹͳΓ·ͨ͠ (ஶ࡞ݖ๏ୈ30৚ͷ4) ▸ ͍ͭ࠷ۙ·Ͱҧ๏ɺ͕ͩͬͨ:

    ΍Βͳ͍ͱݟ͑ͳ͍ ▸ ͦΕ͸ࠃӹʹ͔ͳ͏͜ͱʁ →ͦ͜·Ͱͯ͠ஶ࡞ݖ͸อޢ͞ΕΔ΂͖෺ͳͷ͔ʁ →ҧ๏Ͱ͋ͬͯ΋΍Δҙຯ ɹˠ࣮ߦ͢Δ෺Λཧղ͠Α͏ͱ͢Δ౰વͷߦҝ ɹɹʢ৯඼Ͱ͋Ε͹ݪࡐྉͷ෼ੳʹ૬౰ʣ →ղੳ͕ҋͷख๏ʁ ɹˠಉௐѹྗͱ૬·Γɺ๷Ӵೳྗ͕޲্͠ͳ͍ཧ༝Λ ੒͍ͯ͠Δͱߟ͑ΒΕΔ Photo by Onasill ~ Bill - 78.8M on flickr, CC-BY-NC-SA 2.0

12. CASE 1: IOS

13. TEXT TARGETS ▸ TikTok (us): 25.8.0

14. TEXT TOOLCHAIN ▸ Ghidra: Multiarch Disassembler (NSA) ▸ frida-ios-dump: Binary

    dumper (Alone_Monkey et al.) Swiss Army Knife on black by Edgar Pierce on flickr, CC-BY 2.0

15. STATIC ANALYSIS ▸ ੩తղੳ ▸ Ϧιʔεղੳ ▸ όΠφϦղੳ: AArch64

16. OVERVIEW ▸ App StoreʹΑΔ҉߸Խ (FairPlay) ▸ jailbroken୺຤ͱfrida-ios-dumpͰղಡ ▸ ୺຤Ͱ෮߸ͤ͞ɺϝϞϦղੳͰఠग़ ▸

    ࣮ߦʹઌཱͬͯOS͕શจΛ෮߸Խ͢Δ͜ͱΛ ར༻ɺෆਖ਼୺຤ݕ஌͕͋ͬͯ΋ແ໰୊ ▸ ৗ౟खஈ͕ͩൺֱత஌ΒΕ͍ͯͳ͍ The App Store by Glen Bledsoe on flickr, CC-BY 2.0

17. JAILBREAK ▸ Apple͕ڐՄ͍ͯ͠ͳ͍ίʔυΛ࣮ߦͤ͞Δ͜ͱ ͕Ͱ͖Δ ▸ FairPlayͷղআʹඞਢ ▸ ࠓճ͸checkra1nΛ࢖༻ (~iOS 14.5)

    →Intel Mac͕ඞཁͩͬͨ…

18. JAILBREAK ▸ fridaͷηοτΞοϓ →ղੳϗετʹ΋frida-ios-dump͕ඞཁ https://github.com/AloneMonkey/frida-ios- dump jailbreak by Viniloco on

    flickr, CC-BY-NC-ND 2.0

19. TEXT RESOURCE ANALYSIS ▸ Assetͷதʹڵຯਂ͍಺༰ ▸ ಛఆͷύεʹ͍ͭͯτϦΨ͕͋Δ ▸ ϩʔΧϧDNSΛૡ͍જΔՄೳੑ

20. TEXT RESOURCE ANALYSIS ▸ Assetͷதʹڵຯਂ͍಺༰ ▸ WebViewΛ؂ࢹ͢ΔΑ͏ͳهड़ →ҰݟύϑΥʔϚϯεऔಘʹݟ͑Δɺ͕… →͜Ε͕औΓͭ͘ͱ͢Ε͹େมͳ໰୊

21. TEXT ARCHITECTURE ▸ Private Frameworkͱͯ͠શϩδοΫ͕֨ೲ →ϝΠϯόΠφϦ͕΋͵͚ͷ֪ʂ ▸ ετϦϯάςʔϒϧɺϝιουςʔϒϧͷѹॖ ▸ ࣮ߦ࣌ʹϩʔμʔ͕ల։

    →Private FrameworkԽ͍ͯ͠Δཧ༝

22. TEXT ARCHITECTURE ▸ ѹॖ ▸ LZFSE: COMPRESSEDV2_BLOCK (“bvx2”) ▸ _C_ҎԼͷηΫγϣϯˠ_D_ҎԼ΁ల։

    ▸ cstring, ustring, methname, methtype ▸ ͋Εʁcfstring, selrefs͸… →͓ͦΒ͘ผϥΠϒϥϦ͔Βల։͍ͯ͠Δ →ਅ૬͸ෆ໌͕ͩଟ෼᎟ཚ޻࡞

23. TEXT ARCHITECTURE ▸ cfstring, selrefsͱ͸… ▸ Objective-Cͷจࣈྻ΍ϝιουࢀর →ղੳʹඞཁෆՄܽͳ৘ใ ▸ จࣈྻͰ͸ͳ͘ΞυϨεςʔϒϧ

    →ਖ਼֬ʹղ͔ͳ͍ݶΓҙຯΛҝ͞ͳ͍

24. TEXT PROTECTION ▸ ੩తʹଘࡏ͠ͳ͍ →Objective-C 2.0 Messageղੳ͕ޮ͔ͳ͍ →iOSΞϓϦղੳʹ͓͍ͯ͸க໋త ▸ ਵ෼ͱಛघͳߏ଄

    ▸ ྺ୅ͷTikTokɺ͓ΑͼಉࣾʹΑΔฒߦϓϩμΫ τ (e.g. Lemon8) Ͱ͸ྫΛݟͳ͍… ݼଉͳखஈ

25. TEXT BREACHING THE PROTECTION ▸ ϝϞϦμϯϓ߈ܸ ▸ ࣮ࡍʹಈ࡞ͤ͞Ծ૝ϝϞϦΛࠜͦ͗͜ऩू →ಈత৘ใΛԣऔΓ͢Δৗ౟खஈ ▸

    Fridump →readonly/writableͷ2ηοτऔΔ ▸ cfstring, selrefs΋͜ΕͰऔΕΔ…͸ͣ

26. TEXT BREACHING THE PROTECTION ▸ ϝϞϦμϯϓ߈ܸ ▸ …͕ɺASLRͷհࡏʹ஫ҙ ▸ ASLR:

    Address Space Layout Randomization ▸ ୺຤͕࣮ߦ࣌ʹΞυϨεۭؒΛγϟοϑϧ ▸ ϝϞϦഁյܥ߈ܸʹର͢Δॏཁͳ๷ޚػߏ ʢBuffer over fl ow, Return-oriented programmingͳͲʣ

27. TEXT BREACHING THE PROTECTION ▸ Կ͕໰୊ʁ ▸ ࣮ߦϑΝΠϧ: ૬ରΞυϨεࢀর (PIE:

    Position-Independent-Executable) ▸ ࣮ߦ࣌Πϝʔδ: ઈରΞυϨεࢀর ▸ Πϝʔδ͔ΒηΫγϣϯΛషΓࠐΉ͚ͩͰ͸ ΞυϨε͕߹Θͳ͍ (→ςʔϒϧ͕ਖ਼֬ʹղ͚ͳ͍) ▸ ࣮ߦϑΝΠϧ͸࠶ߏ੒͠ʹ͍͘ →ASLRΛ๦֐޻࡞ʹར༻͍ͯ͠ΔΑ͏ʹݟ͑Δ

28. TEXT BREACHING THE PROTECTION ▸ ϑΝΠϧͰ͸ͳ͘ϝϞϦΠϝʔδΛ௚઀ղੳ ▸ Մೳ͕ͩ໘౗Ͱ΋͋Δ →ηΫγϣϯ͸ԟʑʹͯ͠ଟ਺ ▸

    ΤϯτϦϙΠϯτͳͲͷ৘ใ͕શͯܽམ →Ͳ͔͜ΒղੳΛߦͳ͏ͷ͔ʁ

29. TEXT BREACHING THE PROTECTION ▸ ໘౗͕ͩͬͨؤுͬͨ →ࠓճ͸ro͔Β15%ఔ౓; rw͔Β͸ཁٻʹԠͯ͡ →selrefs͕ͦ΋ͦ΋writable… ▸

    ΤϯτϦϙΠϯτ ▸ 103240000͕Mach-Oϔομ →׬શͰͳ͍ͷͰ݁ہGhidraʹ೚ͤͨ (“Analyze function starts”) ▸ ࣌ؒ͸͔͔͕ͬͨ…

30. TEXT PROTECTION IS HISTORY ▸ ༗ҙٛͳ৘ใ͕औΕΔΑ͏ʹͳͬͨ (~30min. / M1 MacBookPro)

    ▸ एׯͷ໰୊ ▸ objc_msgSendͳͲͷC APIίʔϧͷղܾ ▸ ηΫγϣϯͷܧଓతͳషΓࠐΈ

31. TEXT VERDICT ▸ Ϧιʔεʹpayload͕ଘࡏɺ͔ͭ ▸ WebViewʹऔΓ෇͘Մೳੑͷ͋ΔAPIίʔϧ͋ Δ͍͸ͦ͏͍͏ڍಈʹͭͳ͕ΔγϯϘϧ͕ଘࡏ ▸ ຊདྷ͸΋͏গ͖ͪ͠ΜͱηΫγϣϯΛ࠶ߏ੒͠ ͯݟΔඞཁ͕͋Δɺ͕ݶΓͳ͍Ϋϩ

    →ཪ͚͕ͮऔΕͨ

32. BUSTED. Uni. Cat. Plausibly part Manx. by ▓▒░ TORLEY ░▒▓

    on flickr, CC-BY-SA 2.0

33. CASE 2: ANDROID

34. TEXT TARGETS ▸ TikTok (us): 25.9.4 (Android)

35. TEXT TOOLCHAIN ▸ Trueseeing: Non-decompiling Android app vulnerability scanner (alterakey

    et al.) Swiss Army Knife on black by Edgar Pierce on flickr, CC-BY 2.0

36. TEXT RESOURCE ANALYSIS ▸ Assetͷதʹڵຯਂ͍಺༰ ▸ WebView؂ࢹεΫϦϓτྨͷଘࡏ →iOS൛ͱಉ౳

37. TIME OUT

38. TEXT TAKEAWAYS ▸ In-app browserԚછݕग़αΠτ͸ສೳͰ͸ͳ͍ ▸ Android΋͓ͦΒ͘ಉ༷ (payload͕֬ೝͰ͖Δ) ▸ In-app

    browser͸֎͔Β͍Ζ͍ΖհೖͰ͖Δ ▸ In-app browserΛ༏ઌ͢Δ෩ை͸Ͳ͏ͳͷ͔ →Ϣʔβʹબ୒ࢶΛఏڙ͢΂͖ →Android΋ಉ༷

39. FIN. 30.8.2022 TAKAHIRO YOSHIMURA (@ALTERAKEY)