Page 1: PWNING A WINDOWS PHONE – From shadow to light

NICOLAS JOLY – MOSEC 2015

Page 2: NICO WHO? No XP at Phone hacking!

@n_joly, but I only tweet cat pics
Exploiter, mostly focused on client vulnerabilities
Did some tourism in Vancouver, opened a laptop store
Like shopping for clothes too

Missing Nokia 1520 here

Page 3: PWN2OWN MOBILE 2014 – SHOOT LIST

Can’t stand iTunes
No XP with Android
I like that one

Page 4: SO WHAT’S HERE TODAY?

Let’s pwn IE Mobile!
Finding a crash
Debugging the device
Polishing the exploit
Writing a payload
Getting stuck within the sandbox (!)

Does not fit in the pocket, but the camera is badass!

Page 5: WINDOWS PHONE SECURITY – SOME PREVIOUS RESEARCH

Alex Plaskett – Blue Hat v11 Technical – Windows Pwn 7 OEM – Owned Every Mobile?
Alex Plaskett and Nick Walker – Syscan 2014 – Navigating a sea of pwn
Dmitriy Evdokimov and Andrey Chasovskikh – HackInParis 2013 – Windows Phone 8 Application Security

Page 6: IE MOBILE

Page 7: IE MOBILE

Definitely not IE 6 :/
IE 11 running on WP 8.1
ARM build, runs in an AppContainer
Lots of « missing » legacy features
Can’t spawn scientific calc.exe, a bad idea :/
No Flash, VML, VBScript, ActiveX, no default PDF viewer etc.
Still accepts the compatibility modes

Page 8: IE MOBILE

Any public exploit somewhere?
Not to my knowledge
Any private exploit? For sure!
Someone here maybe???

Page 9: IE MOBILE – GETTING A POC

Ran a stupid fuzzer
Got a few crashes on IE 11 desktop
Got one with a write-something-where condition
Exploit looks doable, object easy to replace
Does crash IE Mobile!
But does it really crash the way I want? No idea, I can’t debug it :/

Page 10: IE MOBILE – DEBUGGING THE THING

Forget OllyDbg, use Visual Studio 2013
Yes we can debug IE Mobile
Hum, actually just the JavaScript
= debug something else
= debug IE for WP

Page 11: IE MOBILE – DEBUGGING THE THING

Debugging IE just tells you there’s an Access Violation somewhere
With VS 2012 it was possible to debug IE10 on a Surface RT
The same Remote Debugging Tools do not work anymore on Windows 8.1
The new ones do not let you attach to IE :/
Worst case scenario, develop an exploit for IE10 / Win RT and hope it works on IE11 / WP 8.1. Good luck with that.

Page 12: IE MOBILE – DEBUGGING THE THING

Idea! What about creating an app embedding IE?
WebView control

Page 13: IE MOBILE – DEBUGGING THE THING

This is your app so you can debug it!
Fuzz case crashed with 0xC0000005

That says something bad happened

Page 14: IE MOBILE – DEBUGGING THE THING

Missing symbols
Just a null pointer

Page 15: IE MOBILE – DEBUGGING THE THING

Original PoC does not work :/
Only pages in edge mode are rendered in WebView
Forget the compatibility modes
But great to debug an HTML5 vuln
If you like the VS environment of course

Page 16: IE MOBILE – DEBUGGING THE THING

An emulator maybe?
Emulators available for WP 8 and 8.1
Run in a VM in Hyper-V
Run on x86, not ARM
Pretty old versions
  8.10.14141.167 (before April 2014)
Symbols not available
mshtml and jscript changed a lot between April and November

Page 17: IE MOBILE – RETRIEVING THE DLLS

So we can’t debug, but maybe we can find the remote DLLs?
There’s no app to browse the WP drive (unless you want to see your pics)
APIs are limited but we can still call CreateFile2 to read the system files
Link that to a socket!
You can LoadLibrary too. Just think about kernel32legacy.dll:

Page 18: IE MOBILE – RETRIEVING THE DLLS

Page 19: IE MOBILE – EXPLOITING IE

Previous research on IE exploitation involving write-what-where
COleScript::CanObjectRun by Yuki Chen, @guhe120
  No ActiveX
« Vital Point Strike », by Yang Yu, @tombkeeper
  No jscript.dll :/
No ArrayBuffer in compatibility mode
But still we can corrupt an array length and get an absolute read/write condition
Did I say WP 8.1 ran on 32-bit ARM?
Heap spray allowed!

Page 20: IE MOBILE – GETTING AN EXPLOIT

Two phones to test
  HTC 8S – 1 GHz, 512 MB RAM
  Nokia 930 – 2.2 GHz, 2 GB RAM (~= Nokia 1520)
Ideally, exploit would:
  Work! (first things first)
  Work on the emulators and the phones
  Have a good success rate
  Should not crash (so we can output debug results on the web page)

Page 21: IE MOBILE – GETTING AN EXPLOIT

Exploit first developed on Windows 8.1 x86 desktop
Corrupt the length of an Array
Use it to get absolute R/W and locate a JS object in memory
Copy a vtable and overwrite the function at offset 0x104
Call obj.someProperty to crash with EIP controlled in Js::JavascriptOperators::GetItem
Call VirtualProtect to unlock the payload
Call obj.someProperty again to redirect the flow to the payload
Worked on the x86 emulators :)

Page 22: IE MOBILE – GETTING AN EXPLOIT

Magic VirtualProtect gadget

Page 23: IE MOBILE – GETTING AN EXPLOIT

Same idea on the ARM device
Corrupt the length of an Array
Use it to get absolute R/W and locate a JS object in memory
Corrupt offset 0xFC in the vtable (formerly 0x104)
Call obj.someProperty to crash with PC controlled in Js::JavascriptOperators::GetItem
Failed! Does not work (as always…)
Can’t debug, no idea what’s happening here
Corrupt instead offsets 0x130 / 0x138 depending on the WP version
Call typeof(obj) to crash in Js::JavascriptOperators::Typeof

We never get there!

Page 24: IE MOBILE – GETTING AN EXPLOIT

Js::JavascriptOperators::Typeof:
Two additional gadgets to reach VirtualProtect

Page 25: IE MOBILE – GETTING AN EXPLOIT

Did that work???
MS devs thought of that and added a boolean to the function
See that 1?
It worked :)

Page 26: IE MOBILE – GETTING AN EXPLOIT

Issue with versions!
We can’t rollback the WP image to a previous one
My HTC phone is still locked with the July version. Send me your exploits :)
Some WP versions:
  8.10.12400.899          16 July 2014     <= my phone
  8.10.12397.895          12 June 2014     <= the pwn2own device
  8.10.14147.180 (GDR1)   4 August 2014    <= the Nokia 930 I bought

Page 27: IE MOBILE – GETTING AN EXPLOIT

So I couldn’t test on the build their device was running, it was too old! :/
Idea! Do a dynamic ROP, just in case…
Looking at the IE11 desktop versions since April, it seems the gadgets I used have always been there
« It seems ». Had a bad night about that!
Looks like it worked!
Well, on the 2nd try :D

Page 28: IE MOBILE – WRITE YOUR PAYLOAD

Some words about the payload
VS 2013 comes with armasm.exe
Build your payload with armasm test.asm test.obj
The generated output does not resolve symbols
Compile a valid exe and extract the shellcode from:

Page 29: IE MOBILE – WRITE YOUR PAYLOAD

Create an app in VS 2013 and debug step by step the machine code:

Page 30: IE MOBILE – WHAT TO DO WITH YOUR PAYLOAD?

What to do in the sandbox?
Not much. AppContainer only lets you read files under the INTERNETEXPLORER directory
We can still dump the cookie database

Page 31: IE MOBILE – WHAT TO DO WITH YOUR PAYLOAD?

But don’t browse too much or the exploit fails :/
Potential buffer overflow :S

Page 32: IE MOBILE – CAN WE GET OUT OF THE SANDBOX?

Not that « surprising »

Page 33: IE MOBILE – CAN WE GET OUT OF THE SANDBOX?

Can we prison break?
Yes we can! We always can!
Tried for two weeks and…
… clearly failed that part!
So I can’t :/

Angry cat stuck in the sandbag

Page 34: IE MOBILE – CAN WE GET OUT OF THE SANDBOX?

Many undocumented features or rewritten code
  CoreApplicationShim.dll
  CoreUIComponents.dll
  Ole32_wp.dll
  Minuser.dll
There must be a broker somewhere
But who??
Let’s try with CoCreateUserBroker and SetClipboardData

Page 35: IE MOBILE – CAN WE GET OUT OF THE SANDBOX?

MSHTML.dll Desktop
MSHTML.dll Mobile IE
Spot the diff!

Page 36: IE MOBILE – CAN WE GET OUT OF THE SANDBOX?

MSHTML.dll Desktop – Imports
MSHTML.dll IE Mobile – Imports
Spot the diff!

Page 37: IE MOBILE – CAN WE GET OUT OF THE SANDBOX?

Let’s have a look at the clipboard: in minuser.dll
Wrong turn!

Page 38: IE MOBILE – CAN WE GET OUT OF THE SANDBOX?

Let’s have a look at the clipboard: ie_shims.dll actually

Page 39: IE MOBILE – CAN WE GET OUT OF THE SANDBOX?

Let’s have a look at the clipboard:
Never heard of that.
Idea someone?

Page 40: IE MOBILE – CAN WE GET OUT OF THE SANDBOX?

Let’s have a look at the clipboard:
Looks like there’s a COM here.
But who? where?? how???

Page 41: IE MOBILE – CAN WE GET OUT OF THE SANDBOX?

There’s a « save picture » feature too:
Save a picture to the screenshots folder
But who handles that??

Page 42: IE MOBILE – CAN WE GET OUT OF THE SANDBOX?

Attack the kernel maybe?
WP 8.1 does not let you allocate at 0

Page 43: IE MOBILE – CAN WE GET OUT OF THE SANDBOX?

And even if you have a kernel panic… Who? What? Where? How? Why?
That means we crashed. And badly!

Page 44: IE MOBILE – RECAP

IE Mobile
  Built on a robust system
  Perhaps too much obscurity?
  Can still be pwned
Things I haven’t done
  Play with the Windows Phone Kits
    Not free (~ $100)
    Not even sure we can properly debug IE / WP kernel
  Load malicious fonts, or mess with windows and menus
  Play with a WP 10 (Windows 10 Mobile)

Page 45: THANKS!

NEXT TIME I’LL TEACH HIM HOW TO BREAK SANDBOXES!

Page 46: IE MOBILE – REFERENCES

https://labs.mwrinfosecurity.com/system/assets/128/original/mwri_wp7-bluehat-technical_2011-11-08.pdf
http://andreycha.info/files/hip-13/Windows-Phone-8-application-security-slides.pdf
https://labs.mwrinfosecurity.com/system/assets/651/original/mwri_wp8_appsec-whitepaper-syscan_2014-03-30.pdf
http://hitcon.org/2014/downloads/P1_06_Chen%20Zhang%20-%20Smashing%20The%20Browser%20-%20From%20Vulnerability%20Discovery%20To%20Exploit.pdf
https://cansecwest.com/slides/2014/ROPs_are_for_the_99_CanSecWest_2014.pdf