Upcoming Black Hat USA 2012: Android 4.0.1 Exploitation

Blue

This February in the “Hacking Exposed: Mobile RATs” talk at the RSA conference, we released a demonstration of an end to end compromise of an Android 2.2 phone using a vulnerability in Webkit that we had weaponized. The demo consisted of sending a spearphish SMS message to the device with a link to a website hosting the exploit. Once the user clicked on the link, we stealthily compromise the browser through the Webkit vulnerability and then used another root privilege escalation exploit to gain root access to the device.  Afterwards, we installed a Chinese RAT we had commandeered that would proceed to track the user’s real-time location and intercept phone calls and text messages. All that was done without any end-user interaction or awareness, beyond having clicked on the original spearphish link.

At the time, the demo only worked on Android Froyo phones because in later versions of Android, Google had introduced partial <i”>Address Space Layout Randomization (ASLR) and No Execute (NX) exploit mitigations. However, after a few weeks of additional effort in collaboration with Accuvant LABS’ Joshua “jduck” Drake, we are pleased to announce that a new Webkit exploit will be discussed at BlackHat USA 2012. Using the same vulnerability, we successfully circumvented all extra security protections present on Android 4.0.1 (Ice Cream Sandwich). The fix for the vulnerability at hand has been merged into Android since 4.0.2 and our exploit would not work on Android 4.1 (Jelly Bean), since Google completed ASLR work to include randomization of dynamic linker in that version.

Reverse Shell initiated by the Browser on Android 4.0.1
Since the bug is hard to turn into an information leak, we do Return Oriented Programming within the dynamic linker, which is located at a fixed address, and subsequently execute shellcode from executable memory allocated by the ROP chain. This allows us to do anything that the browser has privileges to do on Android 4.0.1 (e.g. track the location without user interaction) or chain a local root exploit / “Jailbreak” allowing us to take 100% control of the phone.
The details of our linker ROP and how we solved this seemingly hard challenge to pivot from this insanely hard bug will be presented by CrowdStrike’s Georg Wicherski as a guest feature in Stephen Ridley’s and Stephen Lawler’s “Advanced ARM Exploitation” (on a “Lackluster Hackcluster”) at 10:15am on July 25th at Black Hat. The actual demo will also be a surprise in another talk!

George Kurtz

Co-founder of CrowdStrike, Kurtz is an internationally recognized security expert, author, entrepreneur, and speaker. He has been part of the security community for more than 20 years including leadership roles at McAfee and as the brains behind Foundstone. He also authored the best-selling security book of all time, Hacking Exposed: Network Security Secrets & Solutions.

 

Stop Breaches with CrowdStrike Falcon request a live demo