What’s the point of reporting 0day?

Posted on June 17, 2013 by Simon Roses

In the last weeks the news related to PRISM has not stopped since leaked by Edward Snowden, who worked for Booz Allen Hamilton, a defense contractor for the NSA.

One interesting outcome of these leaks is the NSA access to 0Day vulnerabilities on Microsoft products and who knows if other big companies as well (Google, Apple, Adobe, etc.) under the cooperation programs Microsoft Active Protections program (MAPPS) and the Security Cooperation Program (SCP). The first program is for security companies and the second for government agencies -for example the Spanish intelligence agency (CNI) is a member of this program- in order to be informed first when vulnerabilities appear to be able to protect themselves before the security patch is released and to update their security products.

These programs were created for defensive purposes, but they raise an interesting issue: the use of this information for offensive purposes.

Finding vulnerabilities in products from large companies is increasingly more expensive so access to information about 0day by intelligence agencies makes them gain time and save resources. Now they only have to develop exploits to attack any system, remember that the security patch has not been published yet…

Countries wishing to establish offensive and defensive capabilities should create national programs that offer financial rewards (depending on a scale) to individuals that inform them of 0Day.

Large software and big Internet companies are mainly American but many vulnerabilities are discover and reported by foreign security experts. If there were a national program in place on vulnerability reporting they could first inform their Government and not the software companies.

The question is why to report vulnerabilities to software companies so they in turn inform their intelligence agencies to carry out offensive actions against other nations?

Remember that 0Day vulnerabilities and exploits have economic value today, and many public and private companies pay good money for them.

Quite honestly we should not be surprised by NSA acts since at the end their mission is national security using all possible means (legal ¿?), the same as many countries’ intelligence agencies.

What is clear is that the PRISM case may have more consequences to the United States as seemed at first, and certainly many countries will change their policies on defensive / offensive cyber security.

It will certainly be interesting to see how cyber security policies evolve in countries in the coming years.

What changes do you think are necessary in cyber security policies?

— Simon Roses Femerling

Posted in Business, Microsoft, Pentest, Security, Technology | Tagged , , , , , , , , , , | Leave a comment

A tale of Government Trojans

Posted on June 5, 2013 by Simon Roses

Sorry, only in Spanish :)

— Simon Roses Femerling

Posted in Pentest, Privacy, Security, Technology | Tagged , , , , , , , , , | Leave a comment

AppSec: Build Rooted Detection in your App

Posted on June 4, 2013 by Simon Roses

For various reasons many Apps need to detect if the phone has been “rooted” and in this article will see different techniques for this purpose. Since it is common to see this type of questions in development forums, I thought a post on the subject would be of interest to many readers.

In this StackOverflow post we can find techniques commonly used in Apps for Rooted detection. The following code makes use of three methods for detecting Rooted: the first check for the string “test-keys”, which is a generic key for signing packages; the second method checks whether the Superuser.apk exist in disk, this App manages access to “su” command (administrator privileges) for other Apps; and finally the third method calls “su” directly and runs a root command.


 /**
 * @author Kevin Kowalewski
 * 
 */
public class Root {

    private static String LOG_TAG = Root.class.getName();

    public boolean isDeviceRooted() {
        if (checkRootMethod1()){return true;}
        if (checkRootMethod2()){return true;}
        if (checkRootMethod3()){return true;}
        return false;
    }

    public boolean checkRootMethod1(){
        String buildTags = android.os.Build.TAGS;

        if (buildTags != null && buildTags.contains("test-keys")) {
            return true;
        }
        return false;
    }

    public boolean checkRootMethod2(){
        try {
            File file = new File("/system/app/Superuser.apk");
            if (file.exists()) {
                return true;
            }
        } catch (Exception e) { }

        return false;
    }

    public boolean checkRootMethod3() {
        if (new ExecShell().executeCommand(SHELL_CMD.check_su_binary) != null){
            return true;
        }else{
            return false;
        }
    }
}

/**
 * @author Kevin Kowalewski
 *
 */
public class ExecShell {

    private static String LOG_TAG = ExecShell.class.getName();

    public static enum SHELL_CMD {
        check_su_binary(new String[] {"/system/xbin/which","su"}),
        ;

        String[] command;

        SHELL_CMD(String[] command){
            this.command = command;
        }
    }

    public ArrayList
<string> executeCommand(SHELL_CMD shellCmd){
        String line = null;
        ArrayList
<string> fullResponse = new ArrayList<string>();
        Process localProcess = null;

        try {
            localProcess = Runtime.getRuntime().exec(shellCmd.command);
        } catch (Exception e) {
            return null;
            //e.printStackTrace();
        }

        BufferedWriter out = new BufferedWriter(new OutputStreamWriter(localProcess.getOutputStream()));
        BufferedReader in = new BufferedReader(new InputStreamReader(localProcess.getInputStream()));

        try {
            while ((line = in.readLine()) != null) {
                Log.d(LOG_TAG, "--> Line received: " + line);
                fullResponse.add(line);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }

        Log.d(LOG_TAG, "--> Full response was: " + fullResponse);

        return fullResponse;
    }

}
</string></string></string>

Apps on a not rooted phone cannot run either of these methods, since all Android Apps by default are in a sandbox (a system of process isolation) and with limited privileges.

The three methods described may be the most common and if we reverse engineering often we can find them in well-known Apps.

Other techniques include the use of the fantastic RootTools library that facilitates the development of Apps that need root offering various tools. Many Apps use this library.

Library features include check if it exists or offers to install BusyBox (program that combines many Unix utilities in a small single executable), check if it exists or offers to install SuperUser, verify that App has root access, native tools or enough space on the SD Card.

As an exercise to test these root detection techniques, I have written the VULNEX ROOT TESTER that combines different techniques from the basic here presented to some more sophisticated that we will cover in another post. Find below some screenshots of the tool.

vulnex_root_tester1
vulnex_root_tester2
vulnex_root_tester3
vulnex_root_tester4

No doubt the ability to detect Rooted may be necessary for certain Apps that require a high level of security, but also for many legitimate Apps, such as various security Apps, that require root to function properly or take maximum advantage of the Android platform.

We have to bear in mind that to develop a secure App it is not enough to detect Rooted, but we should think about making a threat modeling of the potentials risks to our App, secure development practices (for example OWASP Mobile) and apply code obfuscation techniques among many other security measures, in order to mitigate vulnerabilities and hinder reverse engineering. My recommendation is that if you are not familiar with these concepts you should talk to some application security professional and get help.

What techniques is your App using to detect Rooted, if any?

— Simon Roses Femerling

Posted in Pentest, Privacy, Security, Technology, Threat Modeling | Tagged , , , , , , , | Leave a comment