Are your fingerprints still safe? - Black Hat 2015 Convention Summary Day 2

Source: Internet
Author: User


0x00 Preface


Today is the second day of Black Hat 2015. For the summary of the first day of the conference, please refer to:



See how hackers remotely hack a car - Black Hat 2015 Convention Summary Day 1


0x01 TrustKit: Code Injection on iOS 8 for the Greater Good


I originally intended to attend Shendi's talk on cracking TrustZone, but because Shendi's visa did not come through, the talk was ultimately cancelled. So I went to this iOS injection talk instead.



The talk begins by noting that before iOS 8, apps were not allowed to load libraries dynamically; only static linking was allowed. iOS 8 added a new feature called "Embedded Frameworks", which lets an app share code with its extensions, but in fact the feature can be used even when the app has no extension at all.



The author then tried to hook the SSL methods on a non-jailbroken device using the Substrate approach, but failed: Substrate patches the prologue of the hooked function, which requires rwx memory permissions, and that is not possible on a non-jailbroken device. In the end the author used the fishhook framework developed by Facebook to do the hooking: https://github.com/facebook/fishhook



Finally, the author used the method described above to develop TrustKit. With TrustKit you can hook the SSL functions and add certificate pinning without modifying the app's source code. The author released the source code today.



Slides download: https://www.blackhat.com/docs/us-15/materials/us-15-Diquet-TrustKit-Code-Injection-On-iOS-8-For-The-Greater-Good.pdf



TrustKit source: https://github.com/datatheorem/TrustKit


0x02 Ah! Universal Android Rooting Is Back





The speaker is Xu Wen, from Shanghai Jiao Tong University and an intern at Keen. First, the speaker notes that a universal root must be based on a Linux kernel vulnerability rather than on a vulnerability in a particular driver. The speaker then describes the vulnerability discovery process.



The speaker first used the system-call fuzzer Trinity (https://github.com/kernelslacker/trinity) to generate a large amount of log output. While analysing the fuzzer's logs, he found that the kernel crashed at a very strange address, 0x200200. Further analysis showed that the problem was caused by the ping_unhash() function. At first this was only a denial of service, which is far from enough for root. Subsequent analysis found that sock_put(sk) was called twice, resulting in a fairly common use-after-free (UAF) vulnerability. Given a UAF, the next step is to use it to take control of the kernel. PingPong Root uses the ret2dir technique (from "ret2dir: Rethinking Kernel Isolation") for exploitation. Controlling the kernel then means executing privilege-escalation shellcode; PingPong Root borrows the generic shellcode used in Towelroot so that the process gains root privileges.



Finally, the speaker covers how to root a 64-bit device. On 64-bit the UAF vulnerability still exists, but one problem is that it is not possible to return to shellcode in user space, so the exploit has to do ROP inside the kernel. In the end a JOP-style technique similar to ROP is used, and on some ROMs a "god gadget" can leak memory contents and overwrite data, so root is finally obtained.



Slides download: https://www.blackhat.com/docs/us-15/materials/us-15-Xu-Ah-Universal-Android-Rooting-Is-Back.pdf


0x03 Fingerprints on Mobile Devices: Abusing and Leaking


The speakers are Wei Tao and Zhang Yulong from FireEye. The talk first introduced the principles and implementation of fingerprint systems, such as how features are acquired and how features are compared.






Then two architectures were presented: fingerprint handling without TrustZone and fingerprint handling with TrustZone. Without TrustZone, root access is very dangerous and all the data can be obtained easily. With TrustZone, however, an attacker still cannot read the fingerprint data held inside TrustZone even after obtaining root; to get the fingerprint data, it is theoretically necessary to break TrustZone itself.






The speakers then introduced four attack methods. The first is the confused attack (a deceptive attack). The speakers noted that a fingerprint has two uses, authentication and authorization, much like a passport and a visa: one proves identity, the other exercises a right. An attacker can mount a confusion attack in which the user believes they are merely authenticating but are in fact authorizing an action. In the demo, the user thinks he is unlocking the phone screen, but the fingerprint is actually used to transfer money to the attacker.






The second attack is insecure data storage. The classic example is the HTC One, which saved the fingerprint as a file that was readable and writable by everyone. There was no protection at all.









The third attack is fingerprint spying. Although TrustZone itself is very secure, the Android system communicates with TrustZone through a service in the application layer. So an attacker can forge a fingerprint app and communicate with the fingerprint sensor to steal the user's fingerprints. Samsung's solution is a TrustZone UI: authorization with a fingerprint must go through the TrustZone UI, and because that UI is itself part of TrustZone, the attacker would have to break TrustZone to get at the fingerprint.






The fourth attack is a fingerprint backdoor. The user can see the number of enrolled fingerprints in the system settings, but this count is not stored in TrustZone. So an attacker can enrol their own fingerprint as a backdoor and subtract it from the displayed count. In the demo the fingerprint service showed only one saved fingerprint, yet three different fingerprints successfully unlocked the screen, because two of them had been enrolled by the attacker; to keep the user from noticing, the attacker modified the stored count back to 1.
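As an added illustration (not from the talk or its slides), the following Python toy models a TEE-resident fingerprint service that counters the first and fourth attacks above: every scan is bound to the operation shown on the trusted UI, and the enrolment count is answered by the TEE rather than read from a normal-world file. The class and function names are constructed, and matching by hash equality is a stand-in for a real matcher's fuzzy template comparison.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class TrustedFingerprintService:
    """Everything in this class is assumed to live inside the TEE (TrustZone)."""
    _templates: dict = field(default_factory=dict)  # template id -> feature hash
    _pending: dict = field(default_factory=dict)    # challenge -> operation text

    def enroll(self, features: bytes) -> str:
        # Constructed simplification: a real matcher stores a fuzzy template,
        # not a hash; here hash equality stands in for a successful match.
        template_id = secrets.token_hex(8)
        self._templates[template_id] = hashlib.sha256(features).digest()
        return template_id

    def enrolled_count(self) -> int:
        # The count is answered by the TEE itself, so a normal-world attacker
        # with root cannot edit it the way a settings file can be edited.
        return len(self._templates)

    def begin_operation(self, operation: str) -> str:
        # The trusted UI shows `operation` to the user; the returned challenge
        # ties the upcoming scan to exactly that operation.
        challenge = secrets.token_hex(16)
        self._pending[challenge] = operation
        return challenge

    def authorize(self, challenge: str, features: bytes, operation: str) -> bool:
        # Single-use challenge: a scan collected for "unlock screen" cannot be
        # redirected to "transfer money" (the confused attack), nor replayed.
        if self._pending.pop(challenge, None) != operation:
            return False
        digest = hashlib.sha256(features).digest()
        return any(secrets.compare_digest(digest, t) for t in self._templates.values())


def settings_count_is_consistent(displayed_count: int, tee: TrustedFingerprintService) -> bool:
    """Normal-world settings must agree with the TEE; a mismatch is the backdoor symptom."""
    return displayed_count == tee.enrolled_count()
```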



Slides download: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking.pdf


0x04 Review and Exploit Neglected Attack Surfaces in iOS 8


This talk came from Pangu. The speaker first introduced several iOS attack points: local attacks, remote attacks, kernel attacks, etc., with many examples (such as the vulnerabilities used by previous jailbreaks).



The speaker then shared tips for fuzzing the kernel layer. He first noted that IOKit is the best fuzzing target, so the first suggestion for fuzzing IOKit is to fuzz the lowest-level function possible. For example, IOConnectCallMethod limits the parameter size, but there is no such limit if you call io_connect_method directly. The second suggestion is to use information-leak vulnerabilities to obtain information generated during fuzzing.



The speaker then discussed shared memory. Because IOKit shares some data with user space, and user space can modify it, this user-space data can also be fuzzed while fuzzing io_connect_method; IOKit may then become vulnerable after reading the modified data back from user space. The speaker then described fuzzing the user-space function iokit_user_client_trap() and demoed a 0day.



Next, the speaker described how to find XPC vulnerabilities in user space. First, a server side and a client side are set up in the application, and then the client is used to communicate with the server.






During communication there are many functions that can be fuzzed; if a function mishandles the transmitted data, it can produce null-pointer dereferences, out-of-bounds memory access, remote code execution and other vulnerabilities. Finally, the speaker showed the PoC code for each of these vulnerabilities and briefly described how they could be exploited.



Slides download: https://www.blackhat.com/docs/us-15/materials/us-15-Wang-Review-And-Exploit-Neglected-Attack-Surface-In-iOS-8.pdf


0x05 Summary


The last talk I planned to attend was on Android fuzzing, but it too was cancelled because of visa problems. So the Black Hat sessions are over. Tomorrow, the DEF CON conference and the CTF competition will be held in the next hotel. We welcome your continued attention.



This article is reposted from wooyun.org



Original link: http://drops.wooyun.org/papers/7807




