September 21, 2012

Android 4.0.4 multiple Zero-Day Vulnerabilities


The Samsung Galaxy S3 can be hacked via NFC, allowing attackers to download all data from the Android smartphone, security researchers demonstrated during the Mobile Pwn2Own contest in Amsterdam.

Using a pair of zero-day vulnerabilities, a team of security researchers from U.K.-based MWR Labs hacked into a Samsung Galaxy S3 phone running Android 4.0.4 by beaming an exploit via NFC (Near Field Communication).

NFC is a technology that allows data to be sent over very short distances (a few centimetres). On mobile devices, the protocol lets digital wallet applications transfer money to pay at the register. While the technology has been slow to take off, despite Google adopting it for its Wallet payment application, a number of recent high-profile announcements have boosted its adoption.

"Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation," MWR InfoSecurity said in a statement. "The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments."

The attacker, for instance, gets access to all SMS messages, pictures, emails, contact information and much more. The payload is very advanced, so attackers can "basically do anything on that phone," the researchers said.

How this Works:
1.) The first bug, a memory corruption flaw, was exploited via NFC (by holding two Galaxy S3s next to each other) to upload a malicious file, which in turn allowed the team to gain code execution on the device.
2.) The malware then exploited a second vulnerability, a privilege escalation, to gain full control over the device. This undermined Android's app sandbox model and allowed the attackers to install their customised version of Mercury, the company's Android assessment framework.
3.) Mercury was then used to exfiltrate user data on the device (such as contacts, emails, text messages and pictures) to a remote listener.

Researchers also said that, "Crucially, the ASLR implementation is incomplete in Android 4.0.4, and does not cover Bionic (Android's linker) and /system/bin/app_process, which is responsible for starting applications on the device. Other protections which would make exploitation harder were also found to be absent."
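The point about app_process is something you can verify from the ELF header alone: the Linux kernel only randomises the load base of an executable linked as ET_DYN (a PIE); an ET_EXEC image is always mapped at its link-time address, so its code, GOT and data sit at known addresses however ASLR is configured for the stack and libraries. The following Python inspector is an added example, not MWR's code or anything from the original article. It reports PIE, NX-stack and RELRO from the ELF program headers and runs on constructed, header-only ELF images built inline as sample input (the sample names and the build_elf helper are this example's own, not dumps of real Android binaries); against a real device you would pull /system/bin/app_process and /system/bin/linker with adb and feed the bytes to inspect_elf.

```python
"""Added example: does this ELF binary actually get ASLR coverage?

Only an ET_DYN (PIE) executable has its base randomised; ET_EXEC loads at a
fixed address. PT_GNU_STACK without PF_X means a non-executable stack, and a
PT_GNU_RELRO segment means read-only relocations after load.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
EM_ARM, EM_AARCH64 = 40, 183
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def inspect_elf(data: bytes) -> dict:
    """Parse the ELF header and program headers; return the hardening facts."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    if is64:
        fields = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
    else:
        fields = struct.unpack_from(end + "HHIIIIIHHH", data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]

    nx = None        # None: no PT_GNU_STACK header, so the kernel default applies
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:                                # ELF32 keeps p_flags after p_memsz
            p_type = struct.unpack_from(end + "I", data, off)[0]
            p_flags = struct.unpack_from(end + "I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro, "elf64": is64}


def aslr_verdict(name: str, data: bytes) -> str:
    """One checksec-style summary line per binary."""
    r = inspect_elf(data)
    base = "PIE, base randomised" if r["pie"] else "ET_EXEC, fixed base: ASLR does not cover it"
    stack = {True: "NX stack", False: "executable stack", None: "stack perms unspecified"}[r["nx"]]
    return f"{name}: {base}; {stack}; {'RELRO' if r['relro'] else 'no RELRO'}"


def build_elf(e_type: int, stack_flags: int, relro: bool = False, bits: int = 32) -> bytes:
    """Constructed sample input: a header-only ELF image with no real code (demo helper)."""
    phdrs = [(PT_GNU_STACK, stack_flags)] + ([(PT_GNU_RELRO, PF_R)] if relro else [])
    if bits == 32:   # ELF32 little-endian ARM, as on the Galaxy S3
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, EM_ARM, 1, 0x8000,
                                   52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)
    else:            # ELF64 AArch64, to show the parser handles both layouts
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, EM_AARCH64, 1, 0x400000,
                                   64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed samples (not real Android binaries): the first mimics the
# non-PIE app_process the quote describes, the second a hardened rebuild.
SAMPLES = {
    "app_process (non-PIE, as described for 4.0.4)": build_elf(ET_EXEC, PF_R | PF_W),
    "app_process (PIE build)": build_elf(ET_DYN, PF_R | PF_W, relro=True),
    "legacy tool (executable stack)": build_elf(ET_EXEC, PF_R | PF_W | PF_X),
    "64-bit PIE": build_elf(ET_DYN, PF_R | PF_W, relro=True, bits=64),
}

if __name__ == "__main__":
    for name, img in SAMPLES.items():
        print(aslr_verdict(name, img))
```

A non-PIE app_process matters more than most ET_EXEC binaries because every app is forked from it, so an attacker who has found one info-leak-free ROP chain in its fixed text can reuse it in any app process; Android 4.1 later added PIE support for system executables.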

MWR Labs, which won $30,000 for its hack, is planning a more technical blog post detailing the process of finding and exploiting this bug.

Also, Dutch researcher Joost Pol, CEO of Certified Secure, a nine-person research outfit based in The Hague, hacked into Apple's iPhone 4S from scratch, exploiting a WebKit vulnerability to launch a drive-by download when the target device simply surfs to a booby-trapped web site.

They used code auditing techniques to ferret out the WebKit bug and then spent most of the three weeks chaining multiple clever techniques to get a "clean, working exploit."

During the Pwn2Own attack, Pol created a web site that included an amusing animation of the Certified Secure logo taking a bite of the Apple logo. The drive-by download attack did not crash the browser so the user was oblivious to the data being uploaded to the attacker's remote server. "If this is an attack in the wild, they could embed the exploit into an ad on a big advertising network and cause some major damage."

The duo destroyed the exploit immediately after the Pwn2Own hack. "We shredded it from our machine. The story ends here, we're not going to use this again. It's time to look for a new challenge," Pol said. He provided the vulnerability and proof-of-concept code that demonstrates the risk to contest organizers at HP TippingPoint Zero Day Initiative (ZDI).