Privilege Escalation via adbd Misconfiguration

Similar documents
Rooting Android. Lecture 10. Security of Mobile Devices. SMD Rooting Android, Lecture 10 1/33

SEEDAndroid User Manual

Secureworks Security Advisory Incorrect access control in AMAG Technologies Symmetry Edge Network Door Controllers

SA30228 / CVE

Exploiting USB/IP in Linux

The Case for Security Enhanced (SE) Android. Stephen Smalley Trusted Systems Research National Security Agency

Security Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

Software Development Kit for ios and Android

Cyber Essentials Questionnaire Guidance

Snort Rules Classification and Interpretation

Android Things Security Research in Developer Preview 2

MOBILE SECURITY OVERVIEW. Tim LeMaster

Testing Gear Companion Apps using the Gear Emulator

Monthly Security Bulletin Briefing

From write to root on AIX

OWASP German Chapter Stammtisch Initiative/Ruhrpott. Android App Pentest Workshop 101

Frequently Asked Questions WPA2 Vulnerability (KRACK)

C1: Define Security Requirements

Security Philosophy. Humans have difficulty understanding risk

General Pr0ken File System

ValidVCE. ValidVCE - Free valid vce dumps for certification exam test prep

How to Demonstrate Junos Pulse L3 VPN - Android

Security Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors

Multiple vulnerabilities in Vectra Cognito

General ways to find and exploit directory traversals on Android. Xiang Xiaobo 360 Alpha Team

Security Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors

(Early) Memory Corruption Attacks

Windows Security Updates for August (MS MS06-051)

Kratos: Discovering Inconsistent Security Policy Enforcement in the Android Framework

Hackveda Training - Ethical Hacking, Networking & Security

BES Operational Baseline Database User Guide Module 1 App, User, and POC Information

Sql Server Service Specific Error Code 1814

mission critical applications mission critical security Oracle Critical Patch Update July 2011 E-Business Suite Impact

Ruckus Wireless Security Advisory ID FAQ

CQ Beacon Android SDK V2.0.1

Man-In-The-Browser Attacks. Daniel Tomescu

Cyber Security. Our part of the journey

Standard Req # Requirement D20MX Security Mechanisms D20ME II and Predecessors Security Mechanisms

SD Card with Eclipse/Emulator

mission critical applications mission critical security Oracle Critical Patch Update July 2011 Oracle Database Impact

We will see how this Android SDK class. public class OpenSSLX509Certificate extends X509Certificate {

Wireless Network Security Spring 2015

Relay Attacks on Secure Elementenabled

Microsoft Office Protected-View Out-Of- Bound Array Access

To learn more about Stickley on Security visit You can contact Jim Stickley at

mission critical applications mission critical security Oracle Critical Patch Update October 2011 E-Business Suite Impact

Security Research Advisory ToutVirtual VirtualIQ Pro Multiple Vulnerabilities

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Secure Element APIs and Practical Attacks on Secure Element-enabled Mobile Devices

CS 356 Operating System Security. Fall 2013

We will see how this Android SDK class. public class OpenSSLX509Certificate extends X509Certificate {

Wireless Network Security Spring 2016


Practical Attack Scenarios on Secure Element-enabled Mobile Devices

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Inspect a Gadget. Rafael Dominguez Vega. FIST Conference 26 th October 2007 Barcelona

Overview. Android Apps (Partner s App) Other Partner s App Platform. Samsung Health. Server SDK. Samsung Health. Samsung Health Server

Privilege Escalation

A Data Driven Approach to Designing Adaptive Trustworthy Systems

Hacking (Hybrid) into Broadband and Broadcast TV system. How to setup and use a quick and dirty testbed for security evaluations

Top 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy

Upgrading Your Android, Elevating My Malware:

Instructions on Yealink s SDK for Yealink T5 Smart Media Phone Series. Instructions on Yealink s SDK for Yealink T5 Smart Media Phone Series

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

RiskSense Attack Surface Validation for Web Applications

Android Documentation Level-0 Registered Device Service

MRG Effitas Android AV review

Bluetooth Pairing Authentication Bypass

By: Robert E. Sult. For the best results consult SULT. 6/29/2016 KODI for Fire Stick

Karthik Bharathy Program Manager, SQL Server Microsoft

Metasploit. Installation Guide Release 4.4

10 FOCUS AREAS FOR BREACH PREVENTION

McAfee Exploit Prevention Content Release Notes New Windows Signatures

Best Practice. Cyber Security. tel: +44 (0) fax: +44 (0) web:

Using CFEngine with Open Nebula A CFEngine Special Topics Handbook

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Monthly Security Bulletin Briefing- January 2014

Fast and Vulnerable A Story of Telematic Failures

Chrome Extension Security Architecture

IoT Vulnerabilities. By Troy Mattessich, Raymond Fradella, and Arsh Tavi. Contribution Distribution

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

Cross-Site Request Forgery in Cisco SG220 series

Device Vulnerabilities in the Connected Home: Uncovering Remote Code Execution and More

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

3. Apache Server Vulnerability Identification and Analysis

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

GE Fanuc Intelligent Platforms

Samsung Galaxy S 2.1 to 2.3 Update Instructions

Test Harness for Web Application Attacks

GfK Digital Trends for Android. GfK Digital Trends Version 1.21

Release Notes Zebra VC80x Android N Update 003 based on NG-00-A (GMS)

Application Security Approach

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Microsoft SQL Installation and Setup

POA Bridge. Security Assessment. Cris Neckar SECUREWARE.IO

OAuth securing the insecure

6.858 Final Project Writeup

What s My Profile? REVISION 1. JANUARY

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Transcription:

Privilege Escalation via adbd Misconfiguration 17/01/2018 Software Affected Versions CVE Reference Author Severity Vendor Vendor Response Android Open Source Project (AOSP) Android 4.2.2 to Android 8.0 CVE-2017-13212 Amar Menezes Moderate Google Fixed in January 5, 2018 Android Security Bulletin Description: A local privilege escalation vulnerability was identified in Android by exploiting the Android Debug Bridge daemon (adbd) running on a device. If an android device was found to be running adbd configured to be listening on a TCP port, a feature commonly referred to as ADB over Wifi, a malicious application running on the device could connect and authenticate to the adbd daemon and escalate its privileges to that of adbd. Exploiting this misconfiguration would allow the android application to elevate its privileges from the context of u:r:untrusted_app:s0 to that of u:r:shell:s0. Impact: This adbd configuration could be exploited by a malicious application running on the device with the ability to connect to the TCP port that adbd is listening on. This typically requires the application to define the INTERNET permission in its AndroidMainifest.xml. Once an application has successfully authenticated to the daemon, it can then execute commands with the privileges of the adb shell user. This would allow the application to perform privileged functions such as installing/uninstalling applications, reading and writing to the SDcard, recording the user s screen contents, injecting touch events to automate user input, etc. However, the impact of this vulnerability is significantly reduced as by default adbd in AOSP images is configured to only be accessible via authenticated USB connections. Applications installed on a device are not able to force ADB to run over Wifi instead of the default USB. Therefore exploiting this vulnerability is only possible where the device owner had already enabled ADB over Wifi. 1

Cause: The SystemUI pop-up used to display the RSA authentication prompt when an adb server attempts to connect to adbd is vulnerable to overlay attacks. Should the targeted android device be running ADB over Wifi, a malicious android application on the device could initiate a connection to adbd over the TCP port it s listening on and attempt to authenticate to adbd. The application would be able to overlay the RSA authentication prompt with an arbitrary message to trick the user into authorising the adb server connection originating from the malicious application. Solution: This vulnerability was addressed by adding overlay detection capabilities to the SystemUI pop-up used to display the RSA authentication prompt. The patch for which was included in the January 5, 2018 Android Security Bulletin. Android users are advised to update their devices to this patch level. 2

Technical details This vulnerability exists only when an android device has USB Debugging enabled and has adbd listening on a TCP port. Prior research on attacking adb over TCP has required attackers to be on the same local network as the victim s device and then attempt to authenticate to adbd over the local network 12. This vulnerability was patched in Android 4.2.2 with the introduction of Secure USB debugging. Secure USB debugging requires the user of the device to authorise every adb server connection by verifying the adb server s RSA public key. Thus, even if an attacker on the same network did connect to adbd over TCP, the attacker would have to get around the RSA authentication before authenticating to adbd. An example of this RSA authentication prompt is shown below: 1 https://www.trustwave.com/resources/spiderlabs-blog/abusing-the-android-debug-bridge/ 2 http://www.sersc.org/journals/ijsia/vol9_no4_2015/29.pdf 3

Up until Android 5.0, AOSP images for Android would ship the adb binary under /system/bin/adb. Some researchers have suggested that it would be possible to use this binary to connect to adbd and gain privileges of the shell user. From Android 6.0 onwards, this arm binary was dropped from the AOSP. It was found that even with these measures in place, it is possible for a remote attacker with a malicious application on a targeted device to defeat/circumvent existing defences and exploit adbd over TCP. In order for a malicious application to exploit this configuration, it would first have to identify the TCP port on which adbd is listening on and then authenticate itself to the daemon. Once authenticated, the malicious application would be able to execute commands on the device as the adb shell user. This attack was tested on Android 7.1.2 and would affect all versions prior to it that support connecting to adbd over TCP. Enabling adbd to listen on a TCP port is done using the following adb command "adb tcpip <portnumber>". For the purpose of demonstrating this vulnerability, adbd was configured to listen on port 5555: $ adb tcpip 5555 restarting in TCP mode port: 5555 To confirm that adbd was listening on TCP port 5555, the netstat output of the targeted device is shown below: # netstat antp grep 5555 Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program tcp 0 0 :::5555 :::* LISTEN 27637/adbd On a device with USB debugging enabled and adbd listening on a TCP port, a malicious application would first have to connect to adbd using either a precompiled adb binary packaged within the application or the application should implement the adb server protocol to communicate with adbd. If the adb server hasn't been authorised by the device, it would trigger an authentication request and prompt the user to verify and accept the RSA public key. In order to circumvent the RSA authentication challenge an attacker can draw an overlay to partially obscure the RSA Public key prompt in an attempt to tapjack and authorise the adb server. This approach to authenticate to adbd is scalable and trivial to exploit. An application which has declared the SYSTEM_ALERT_WINDOW permission in its Android Manifest would be able to draw overlays over SystemUI prompts. A Proof-of-Concept application was developed to demonstrate this attack. The application would bundle a precompiled adb binary and use that to spawn an adb server instance once installed on the device. This PoC application defined the INTERNET permission to allow it to connect to TCP port the adbd server was listening on and the SYSTEM_ALERT_WINDOW permission to draw overlays over the RSA key prompt. In order to verify the escalation had worked, a Refresh ID button was added to display the application s current uid and group membership. The following screenshot shows the PoC application s uid and the group membership before escalating privileges: 4

The Escalate button whose functionality is defined below is used to trigger the exploit and attempt to elevate the application s privileges: private void escalatepriv() { if(first_attempt) { first_attempt = false; try { // Get a file handle to the bundled adb binary File adb = new File(this.getFilesDir() + "/adb"); //Check for unauthorised devices to connect to "devices"); ProcessBuilder builder = new ProcessBuilder(adb.getAbsolutePath(), builder.directory(this.getfilesdir()); Map<String, String> env = builder.environment(); env.put("home", this.getfilesdir().tostring()); env.put("tmpdir", this.getfilesdir().tostring()); Process adb_devices = builder.start(); // Check for adbd listening port String output = getdevices(adb_devices.getinputstream()); Log.d(LOG_TAG, output); int rc = adb_devices.waitfor(); 5

//CASE: USB debugging not enabled and/or adbd not listening on a tcp port if (output.isempty()) { a tcp port"); Log.d(LOG_TAG, "USB debugging not enabled and/or adbd not listening on //CASE: We have a tcp port, however the device hasn't been authorized if (output.tolowercase().contains("unauthorized".tolowercase())) { //If we're here, then we most likely we have a RSA prompt showoverlay2(); hideoverlay(); Log.d(LOG_TAG, "We haven't been authorized yet..."); else if(output.tolowercase().contains("device".tolowercase())){ Log.d(LOG_TAG, "We have authorization"); hideoverlay(); auth = true; else { hideoverlay(); Log.d(LOG_TAG, "The port is probably in use by another process"); auth = false; catch (Exception e) { Log.e(LOG_TAG, e.tostring()); hideoverlay(); else { //Check if we have been authorized and set auth if(!auth){ //escalatepriv(); Log.d(LOG_TAG, "In escalatepriv(), we're still not authenticated"); 6

On taping Escalate, the adb server bundled with the PoC application attempts to connect to adbd. This triggers a SystemUI pop-up that prompts the user to accept the adb server s RSA Public key. An example of which is shown in the screenshot below: 7

This SystemUI pop-up is vulnerable to tapjacking attacks and can be overlayed with an arbitrary message in order to trick the user into authorising the connecting adb server. The PoC application can reliably determine when the prompt was triggered and draws an overlay to obscure original intended message. The following screenshot shows an arbitrary message drawn over the RSA Public Key prompt: 8

Should the user tap on OK, the RSA key would be accepted and the adb server started by the application would have successfully authenticated to adbd. Once authenticated to adbd, the application can then execute commands via the adb server. The following screenshot shows the app executing the id command with elevated privileges: Once escalated to the shell user, the application would be granted permissions granted to uid 2000 and defined in /data/system/packages.xml. Some of the more interesting ones are listed as follows: android.permission.real_get_tasks" android.permission.clear_app_user_data" android.permission.install_packages" android.permission.bluetooth" android.permission.write_media_storage" android.permission.access_surface_flinger" android.permission.install_grant_runtime_permissions" android.permission.disable_keyguard" android.permission.kill_background_processes" android.permission.manage_device_admins" android.permission.grant_runtime_permissions" android.permission.read_frame_buffer" android.permission.inject_events" 9

Detailed Timeline Date Summary 2017-05-28 Issue reported to Google 2017-06-12 Google s initial severity assessment rates it as Moderate 2018-01-05 Patched in January 5, 2018 Android Security Bulletin 2018-01-17 Public disclosure of vulnerability and technical blog post 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback