One Root To Own Them All

Post on 15-Feb-2016


DESCRIPTION

One Root To Own Them All. Black Hat US 2013 Jeff Forristal @ Bluebox.

Transcript

1

One Root To Own Them All

Black Hat US 2013

Jeff Forristal @ Bluebox

2

Outline

• Introduction
• Android APK Overview
• Jar and Jar Signer
• Exploit Analysis
• APK Install Process
– Normal Case
– Abnormal Case
• Vulnerability Point
• Patch
• Similar Approach
• Conclusion
• Reference

3

Introduction

4

Vulnerability Description

5

Attack Surface

6

Android APK Overview

7

Android APK

• APK stands for Android application package file.

• Just a Jar file with some additional files that Android needs.

8

Android APK Content

• Package resource files:
– Android Manifest
– Some pictures, audio files, …
– Etc.
• classes.dex
• META-INF/MANIFEST.MF

9

Compile Android APK

• What we usually do:
– 1. Write code in Eclipse / Android Studio
– 2. Press the compile button
– Simple and easy

10

Compile Android APK

11

Compile Android APK

• 1. aapt will create R.java according to the following files:
– Android Manifest
– Resources
– Assets
• 2. Use javac to compile the source code with some libraries -> generates many *.class files.
• 3. Use dx to transform Java bytecode into Dalvik bytecode -> the many *.class files are merged into one classes.dex.
• 4. Use apkbuilder to generate an unsigned APK with the following files:
– classes.dex
– Package Resources Files
• 5. Use jarsigner to sign the unsigned APK into a signed APK:
– E(unsigned APK, Key) = signed APK

12

Jar and JarSigner

13

Jar

• Jar stands for Java Archive
• The Jar file format is the same as a Zip file
• File contents:
– *.class
– Resources
– META-INF/MANIFEST.MF

14

Jar

Android APK

15

JarSigner

• Generates a signature for a JAR (Java Archive)
• Verifies the signature of a signed JAR file
• Two additional files are placed in the META-INF directory:
– a signature file with the .SF extension
– a signature block file with the .DSA extension

16

JarSigner - Signing

aapt jarsigner

17

JarSigner - Signing

Integrity

18

JarSigner - Signing

Integrity

19

JarSigner - Signing

Identity

20

JarSigner - Signing

Identity

21

JarSigner - Signing

Certificate

22

Public Key

Digital Signature for the Certificate

23

Attempts

24

Attempts

25

Attempts

26

APK Install Process

27

Overview

28

PackageManager

• PackageParser: Parsing Package and Verify
• Installer: Sending Command to installd
• PackageHandler: Handle Event

29

Overview

• Parsing
• Verify
• Install

30

Parsing

[Diagram: JarFile.Class and JarEntry.Class; an Android APK containing File 1, File 2, File 3, File 4 and the Central Directory]

31

Parsing

[Diagram: JarFile.Class and JarEntry.Class; an Android APK containing File 1, File 2, File 3, File 4 and the Central Directory]

Central Directory:
– File 1 Meta-Data
– File 2 Meta-Data
– File 3 Meta-Data
– File 4 Meta-Data
– End of Central Directory

32

Parsing, Verify and Install

• 1. Get the entries list from the Central Directory.
• 2. Create a JarEntry object for each entry and put it into the mEntries HashMap.
– The index is calculated by: secondHash(String entry name)
• 4. JarVerifier will verify each entry according to mEntries.
• 5. After verification, find the classes.dex entry and install it.
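A defensive check that follows from these steps, as an added example (not code from the slides or from Android): it lists entry names that occur more than once in an archive's central directory, the case in which a name-keyed map such as mEntries cannot hold every record. The sample archives, their entry names and the helper names `duplicate_entry_names`, `name_keyed_view` and `build_sample` are constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entry_names(apk_bytes):
    """Return the sorted entry names listed more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def name_keyed_view(apk_bytes):
    """Model of a name-keyed map: entry name -> central-directory positions.
    A plain map has one slot per name, so a name with several positions
    means at least one record is invisible to a lookup by name."""
    view = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for index, info in enumerate(zf.infolist(), start=1):
            view.setdefault(info.filename, []).append(index)
    return view


def build_sample(names):
    """Constructed sample archive: placeholder bytes only, no real APK content."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile itself warns when a name is written twice
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, b"placeholder %d" % i)
    return buf.getvalue()


# Constructed inputs mirroring the normal and abnormal layouts on the slides.
NORMAL = build_sample(["Manifest.xml", "META-INF/MANIFEST.MF", "classes.dex", "res/a.png"])
ABNORMAL = build_sample(["Manifest.xml", "META-INF/MANIFEST.MF", "classes.dex",
                         "classes.dex", "res/a.png"])

if __name__ == "__main__":
    for label, data in (("normal", NORMAL), ("abnormal", ABNORMAL)):
        dups = duplicate_entry_names(data)
        verdict = "REJECT" if dups else "ok"
        print(label, verdict, dups, name_keyed_view(data)["classes.dex"])
```

An archive for which `duplicate_entry_names` returns a non-empty list should be rejected before any signature verification or installation step runs.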


36

Normal Case

37

Parsing

Android APK:
– Manifest.xml
– META-INF
– classes.dex
– res
– Central Directory

Central Directory:
– 1. Manifest.xml Meta-Data
– 2. META-INF Meta-Data
– 3. classes.dex Meta-Data
– 4. res Meta-Data
– End of Central Directory

mEntries (ZipEntry objects): Manifest.xml, Classes.dex, META-INF, res, …

38

Verify

mEntries (ZipEntry objects): Manifest.xml, Classes.dex, META-INF, res, …

39

Install

Android APK:
– Manifest.xml
– META-INF
– classes.dex
– res
– Central Directory

Central Directory:
– 1. Manifest.xml Meta-Data
– 2. META-INF Meta-Data
– 3. classes.dex Meta-Data
– 4. res Meta-Data
– End of Central Directory

installd: classes.dex

40

What If …

Android APK:
– Manifest.xml
– META-INF
– classes.dex
– res
– Central Directory

Android APK with a second classes.dex:
– Manifest.xml
– META-INF
– classes.dex
– classes.dex
– res
– Central Directory

41

Parsing

Android APK:
– Manifest.xml
– META-INF
– classes.dex
– classes.dex
– res
– Central Directory

Central Directory:
– 1. Manifest.xml Meta-Data
– 2. META-INF Meta-Data
– 3. classes.dex Meta-Data
– 4. classes.dex Meta-Data
– 5. res Meta-Data
– End of Central Directory

mEntries (ZipEntry objects): Manifest.xml, Classes.dex, META-INF, res, …, Classes.dex

42

Verify

mEntries (ZipEntry objects): Manifest.xml, Classes.dex, META-INF, res, …, Classes.dex

!!!!!!

43

Install

Android APK:
– Manifest.xml
– META-INF
– classes.dex
– classes.dex
– res
– Central Directory

Central Directory:
– 1. Manifest.xml Meta-Data
– 2. META-INF Meta-Data
– 3. classes.dex Meta-Data
– 4. classes.dex Meta-Data
– 5. res Meta-Data
– End of Central Directory

installd

!!!!!!

44
