Hacking Team Android browser attack vulnerability analysis, Stage4 - vulnerability warning - the black bar safety net

2015-11-11T00:00:00
ID MYHACK58:62201568861
Type myhack58
Reporter MarcusAurelius
Modified 2015-11-11T00:00:00

Description

I. Vulnerability introduction

This year's Hacking Team leak contained exploit code for Android browser vulnerabilities affecting Android 4.0.x to 4.3.x. By chaining several browser and kernel vulnerabilities, the exploit code writes to virtual memory from JavaScript, achieves code execution, escalates to root privileges, and finally implants a malicious program on the target phone. The attack is divided into five stages. My previous articles, "Hacking Team Android browser attack vulnerability analysis Stage0 and Stage1", "Stage2" and "Stage3", covered Stage0 through Stage3; this article analyzes the final stage, Stage4.

At the end of the previous article, the attacker had obtained the ability to write arbitrary code into the browser's memory and execute it, defeating the memory executable protection. This article analyzes the operations performed in Stage4: using the same method as in Stage3, the attacker leaks libc function pointers and loads a dynamic link library that was delivered to the phone. Through this library the attacker sends requests to the server, downloads the Trojan and the malicious apk, executes the exploit to obtain root privileges, and installs the malicious apk with root permissions.

II. The Stage4 attack process

0. Overview

Stage4 consists of the following five steps:

a. Leak the required libc function pointers, in the same way as in Stage3.
b. Get the current process name and PID.
c. Write the downloaded dynamic link library to the physical storage device.
d. Load and execute the dynamic link library; this step downloads the Trojan and the malicious apk.
e. Execute the exploit and install the malicious apk.

1. Leak the libc function pointers

Using the same method as in Stage3, the attacker obtains libc function pointers.

[Figure 1: libc function pointers]

As shown in Figure 1, the attacker obtains the addresses of the libc functions system, fopen, fread, fgets, fwrite, fclose and getpid for use in the subsequent steps.

2. Get the current process name and PID

[Figure 2: obtaining the current process name and PID]

As shown in Figure 2, the attacker obtains the program name by reading the contents of /proc/self/cmdline, and obtains the program's PID by calling getpid. The process name is needed to locate the "/data/data/<process name>/" directory, which is used to store the dynamic link library and the downloaded Trojan and malicious apk.

3. Write the downloaded dynamic link library to the physical storage device

[Figure 3: writing the downloaded dynamic link library to the physical storage device]

As shown in Figure 3, the attacker uses the three functions fopen, fwrite and fclose to write the downloaded dynamic link library to the physical storage device, under the "/data/data/<process name>/" directory.

4. Load and execute the dynamic link library

[Figure 4: loading and executing the dynamic link library]

As shown in Figure 4, in the first red box the attacker finds the libc function pointers needed for this step; in the second red box the attacker loads the dynamic link library with dlopen and resolves its exported function with dlsym; in the third red box the attacker passes parameters to the library function and calls it (here "ip" is the server's IP address); in the fourth red box the attacker deletes the dynamic link library file stored on the physical storage device.

[Figure 5: the main operation of the dynamic link library]

As shown in Figure 5, the main function of the dynamic link library has two steps. In the first red box, the library stores the passed-in parameters in global variables and calls the download_exec_exploit() function, which downloads the exploit and the malicious apk, elevates to root privileges through the Trojan program and installs the malicious apk; in the second red box, the library sleeps for 900 seconds and then deletes the exploit and the malicious apk.

[Figure 6: the main operation of the download_exec_exploit() function]

As shown in Figure 6, in the first red box the download_exec_exploit() function downloads the Trojan and the malicious apk; in the second red box it executes the exploit with the malicious apk as an argument, so that running the exploit installs the malicious apk.

5. Execute the exploit and install the malicious apk

(1) Kernel privilege escalation by the Trojan: the exploit escalates privileges in the kernel through CVE-2014-3153. The vulnerability lies in the kernel's futex system call. A futex ("fast userspace mutex") is the basis of the mutex implementation in glibc. Because a futex is a user-space mutex, the mutex itself is stored in user space and can be modified by the user; this lets the user change the mutex value and corrupt the wait queue of the critical section. In certain cases, the wait queue of the critical section is stored on a thread's kernel stack. So an attacker with user privileges who corrupts the critical section's wait queue through the futex, and carefully fills the thread stack, can achieve privilege escalation: the thread is elevated to root, and subsequent operations run with root permissions. For more details, please refer to the articles about CVE-2014-3153; they are not repeated here.

(2) Installation of the malicious apk by the Trojan:

[Figure 7: the installation process of the malicious apk]

As shown in Figure 7, after the exploit has escalated to root privileges it calls the install_shell function to install the malicious apk. In the first red box, the function writes the malicious apk to the file named by the ROOT_BIN macro, /system/bin/ddf; in the second red box, the function gives ROOT_BIN executable permission; in the third red box, the function calls createBootScript() to set the malicious apk to start at boot.
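The detection side of the behaviour described in steps 3 and 4 (a library written into "/data/data/<process name>/", loaded with dlopen, then deleted) and in step 5 (2) (an executable dropped at the ROOT_BIN path /system/bin/ddf), as an added example that is not part of the original article and not Hacking Team's code. It is a Python pass over constructed hook-log lines in a hypothetical "<pid> <call>(<args>)" format (not the output of any real tool); the package name, file names and pids in the sample are constructed assumptions, while /data/data/<package>/ and /system/bin/ddf come from the article.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical hook-log format ("<pid> <call>(<args>)"),
# not real tool output. It mirrors the Stage4 sequence from the article:
# write a .so into /data/data/<pkg>/, dlopen it, unlink it, and (from a
# second, root-level process) drop an executable at /system/bin/ddf, the
# article's ROOT_BIN path. Package name, file names and pids are made up.
SAMPLE_LOG = """\
1234 fopen("/proc/self/cmdline", "r")
1234 fopen("/data/data/com.example.browser/payload.so", "wb")
1234 fwrite("/data/data/com.example.browser/payload.so", 84000)
1234 fclose("/data/data/com.example.browser/payload.so")
1234 dlopen("/data/data/com.example.browser/payload.so", RTLD_NOW)
1234 dlsym("/data/data/com.example.browser/payload.so", "main_entry")
1234 unlink("/data/data/com.example.browser/payload.so")
1234 fopen("/data/data/com.example.browser/cache.db", "wb")
1234 fclose("/data/data/com.example.browser/cache.db")
2001 fopen("/system/bin/ddf", "wb")
2001 fclose("/system/bin/ddf")
2001 chmod("/system/bin/ddf", 0755)
"""

LINE_RE = re.compile(r'^(?P<pid>\d+) (?P<call>\w+)\((?P<args>.*)\)$')
APP_DATA_RE = re.compile(r'^/data/data/[^/]+/')
KNOWN_IOC_PATH = '/system/bin/ddf'  # ROOT_BIN in the article


def parse_events(text):
    """Parse log lines into (pid, call, [args]) tuples; quotes are stripped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything not in the expected shape
        args = [a.strip().strip('"') for a in m.group('args').split(',')]
        events.append((int(m.group('pid')), m.group('call'), args))
    return events


def detect_drop_load_delete(events):
    """Flag, per pid, a file that is opened for writing inside an app-private
    directory, then dlopen()ed, then unlinked (steps 3 and 4 of the article)."""
    state = defaultdict(dict)  # pid -> {path: 'written' | 'loaded'}
    findings = []
    for pid, call, args in events:
        path = args[0] if args else ''
        if call == 'fopen' and len(args) > 1 and 'w' in args[1] and APP_DATA_RE.match(path):
            state[pid][path] = 'written'
        elif call == 'dlopen' and state[pid].get(path) == 'written':
            state[pid][path] = 'loaded'
        elif call == 'unlink' and state[pid].get(path) == 'loaded':
            findings.append({'pid': pid, 'path': path, 'rule': 'write-dlopen-unlink'})
            del state[pid][path]
    return findings


def detect_system_bin_drop(events):
    """Flag a write under /system/bin followed by a chmod that sets an exec bit,
    and mark the article's ROOT_BIN path as a known indicator (step 5 (2))."""
    written = set()
    findings = []
    for pid, call, args in events:
        path = args[0] if args else ''
        if not path.startswith('/system/bin/'):
            continue
        if call == 'fopen' and len(args) > 1 and 'w' in args[1]:
            written.add((pid, path))
        elif call == 'chmod' and (pid, path) in written:
            mode = int(args[1], 8) if len(args) > 1 else 0
            if mode & 0o111:
                findings.append({'pid': pid, 'path': path,
                                 'rule': 'system-bin-exec-drop',
                                 'known_ioc': path == KNOWN_IOC_PATH})
    return findings


def scan(text):
    """Run both detectors over a log text and return all findings."""
    events = parse_events(text)
    return detect_drop_load_delete(events) + detect_system_bin_drop(events)


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The first rule keys on the sequence rather than on any single call, because an app writing into its own data directory, or loading a library, is normal on its own; only the write, load and immediate delete together match the self-cleaning loader the article describes. The second rule does not depend on the file name, so a renamed ROOT_BIN still trips it, and the known path is reported separately for triage.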
