How we found a backdoor in Sprint’s EVO and Hero phones (and lived to tell about it)

July 7th, 2010

As you might have seen on Wired or Engadget, we were poking around on the pre-release EVO from Google I/O and managed to get root access to it before it had been shipped. You might remember my blurrycam video of the event:

We didn’t mention how we did it at the time, only that we exploited a serious vulnerability and recommended other users root their phones. Now that Sprint’s patch has been out in the wild for a while and everyone has updated, we’re releasing more details on what the security vulnerability is.

The first step of rooting any phone is taking stock of what’s on the device and doing a cursory check of whether you can use it to elevate permissions. This means running a shell on the device and poring over ls -l in every directory.

On the EVO I received from I/O, there was a file named “skyagent” in the /system/bin directory of the device. This file was also present in the latest, shipped firmware in Sprint HTC Hero phones. When we started poking at it, we discovered that not only would it let us get root, but it was effectively a backdoor into the device that allowed external users to peek and poke input, dump the contents of the screen and run arbitrary programs. Not only that, but the program listened on every interface, meaning external users could spy remotely on the device. We weren’t able to determine if the program could be launched remotely, but once it was launched, it was a very effective back door.

We disclosed this to Sprint quickly after finding it. They were very responsive and rolled it into a patch that they released alongside the EVO’s launch.

We’re still not sure what this program was doing on the device at launch. One theory is that it’s a test program, designed to provide input and output for automated testing on real devices. Another theory is that it’s a law-enforcement or three-letter-agency wiretap program for capturing communication. Yet another is that it was placed there by a rogue employee as a plain, malicious backdoor. There’s not enough evidence to determine which (if any) of the theories is correct and Sprint hasn’t disclosed anything.

Here’s an excerpt from our coming vulnerability disclosure (thanks to rpearl for turning our internal disclosure into something more readable):

The binary is executable by any user; no authentication or privileges are necessary. Further, during the program’s initialization, there are numerous instances in which a buffer overflow can overwrite stack or bssmemory; similarly, the program passes user controlled arguments unsanitized as a format string to a sprintf, also leading to memory being overwritten. We believe that these can only be exploited to the point of a denial of service, not to the end of arbitrary code execution. This appears to be by chance, not by design.

However, the security vulnerabilities present in skyagent are of less cause for concern than the purpose of the program. It appears that the binary was designed as a backdoor into the phone, allowing remote control of the device without the user’s knowledge or permission. When the program is invoked, it listens for connections over TCP (by default, port 12345, on all interfaces, including the 3G network!) that accepts a fixed set of commands. These commands appear to be authenticated only by a fixed “magic number”; the commands are neither encrypted on the way to the device or on the way back. The commands that we have knowledge of at this time include:

  • sending and monitor user tap and drag input (“PentapHook”),
  • sending key events (“InputCapture”),
  • dumping the framebuffer (“captureScreen”),
  • listing processes (“GetProc”),
  • rebooting the device immediately,
  • and executing arbitrary shell commands as root (“LaunchChild”)

Here’s the paper that Joshua Wise typed up from the analysis we did, describing the backdoor in more detail:

Skyagent Protocol Description

Posted in electronics, technology | 2 Comments »

MP James Moore calls opponents of Bill C-32 “radical extremists”

June 23rd, 2010

Apparently he denied this remark in messages to Michael Geist (and the video posted on balancedcopyrightforcanada.ca conveniently omits it):

Posted in Uncategorized | No Comments »

Balanced Copyright for Canada’s daily astroturfing points

June 18th, 2010

I signed up for a Balanced Copyright for Canada account to see what sort of astroturfing points they had in their “Daily Action Items” section. My account was deleted shortly after taking these screenshots.

You can see that they instruct their members to swarm any anti-Bill-C32 articles as well as engaging anyone who retweets them. Members are instructed to support any pro-Bill-C-32 articles or comments.

While the screenshots here are copyrighted by the owner of balancedcopyrightforcanada.ca, I believe that I have a fair dealing defence for publishing them here for analysis.

The Purpose of the Dealing Is it for research, private study, criticism, review or news reporting? It expresses that “these allowable purposes should not be given a restrictive interpretation or this could result in the undue restriction of users’ rights.” In particular, the Court gave a “a large and liberal interpretation” to the notion of research, stating that “lawyers carrying on the business of law for profit are conducting research”.

Posted in Uncategorized | 1 Comment »

First impressions of Safari’s Extensions

June 8th, 2010

First quick impressions of Safari extensions:

  1. Close enough to Chrome extensions that it won’t take much to port something over. (good)
  2. Settings API is interesting. I missed the point originally, but apparently Safari will build you a settings page from these. Will probably work for simple settings, but not sure if it’ll scale.
  3. Different API for buttons/context menus, but no real winner in terms of API design.
  4. Really don’t like having to get a certificate from Apple to develop. Regardless of Apple’s policies, this is the first browser that you need central approval to deploy to (not IE, Firefox, Chrome or Opera needed it).
  5. No solution provided to build from command-line (we had to hand-roll one for Chrome too). Browser vendors need to get their act together here.
  6. The extension builder is a strange experience: you need to drop files in the directory, then head back to the builder to update things.

I can’t imagine it’ll take us longer than a few days to port the DotSpots extension from Chrome to Safari. It’ll take a while for us to integrate this into our automated build process though.

Posted in Uncategorized | No Comments »

HTC EVO 4G: Nice Hardware, Horrible Sprint Software

June 3rd, 2010

UPDATE: Sprint’s OTA release last night fixes the serious vulnerability we reported to them. Kudos to them for moving so quickly. As an end-user, you’ll have to decide between being more secure with the OTA update or having root access to the device you own for now.

In the comments, Sean Doherty says:

We want to reassure everybody about some questions that have been raised about HTC EVO 4G.

We have a software update being deployed that corrects an issue with some MicroSD cards and also deploys a patch that will fix a potential security vulnerability. Users can install this update by going to Settings > System Updates > HTC Software Update on their EVO and following the instructions as prompted.

Sprint moved swiftly to make sure this was addressed.

Sean Doherty
Sprint Corporate Communications
@srdoherty

As you might know, I’ve been poking around in the guts of the HTC EVO with some other developers during the last few weeks of early EVO ownership looking to get access to root. It turned out to be fairly easy – a few hours into the investigation and we had access to root.

It turns out that this is a really, really bad thing for users. The Sprint customizations of Android are so bad that an Android application could get access to all of your data with very little work. It’s so bad that I would not recommend purchasing the Sprint EVO or Hero.

You are putting your data at risk of theft from not just one vulnerability (the one we’re releasing tomorrow), but a whole suite of vulnerabilities!

The hardest part of this is that we’re now in competition with Sprint trying to keep root access to the phone, so the idea of “responsible disclosure” works against what you’re trying to do. If end-users had full access to the phone, we’d be sending these vulnerabilities straight to Sprint. Since Sprint has decided to take the anti-user approach and lock down the phone, we’re basically holding all of these exploits close to our chest.

It hurts me to say this, but to help users take control of hardware they own, we have to expose them to security holes.

To handset manufacturers and carriers: if you give users to freedom to customize their devices, we’ll work with you directly to make sure those same users aren’t vulnerable out-of-the-box. Be more like Google and less like Apple and you’ll get an army of white-hats working to improve your product.

To end-users: choose phones that don’t make you jump through hoops to take control like the Nexus One. You bought it, it should be yours to hack and customize.

We’ll be releasing the unrevoked exploit tomorrow, but holding the details for a week or so. It’s such a blatant and dangerous hole that we felt that responsible disclosure was our only choice.

For the record, both Google and Sprint have been very proactive in plugging this hole. It would, however, be a lot easier for all parties involved if these devices weren’t locked down and we were all working to improve the user’s experience instead of building better mice and mousetraps.

Posted in electronics | 35 Comments »

unrEVOked: painless EVO root teaser

June 2nd, 2010

UPDATE: Sprint just pushed an OTA update for these phones that may patch the root hole we’re using. Don’t install any OTA updates yet if you want root!

We (ozzeh, joshua, shadowmite and I) just put the teaser site together for the EVO root. More info coming soon!

http://unrevoked.com, Twitter: @unrevoked

Painless root for your HTC EVO 4G.

Posted in Uncategorized | 16 Comments »

HTC Evo 4G Root – where’s the details?

May 26th, 2010

No surprise here: lots of people are interested in the details of the root process. There’s four reasons why we aren’t releasing anything yet:

  1. We’re still working on making the root ‘sticky’. The current root doesn’t persist beyond a reboot, meaning you need to root it every time you reboot the device.
  2. We want to package up the rooter in an easy-to-install, one-click application so we’re not holding people’s hands through adb shell.
  3. We don’t want to give HTC any details that they could use to fix the hole before the official release.
  4. We want to make sure that when Froyo is released on this device, we can still get root on it.

#1 is the only real technical challenge left, but we’ve almost cracked it. Stay tuned for details.

FWIW, I can’t use my HTC Evo up here in Canada, so I’ll be selling or trading it after we finish everything up. It’s a great phone, but the best parts of it come from being a great network device.

Posted in electronics | 11 Comments »

Root on an HTC EVO 4G!

May 23rd, 2010

UPDATE: We (ozzeh, joshua, shadowmite and I) just put the teaser site together for the EVO root. More info coming soon!

http://unrevoked.com

I ended up with a Sprint HTC EVO 4G after Google I/O. It’s a pretty fantastic phone, even though it’s something of a kitchen sink. By a happy coincidence, I ended up reconnecting with some of my buddies from the old mobile hacking days who were looking to root it. With a few hours effort and a three person team (credit to ozzeh and Joshua Wise!), we managed to get the standard su tool installed.

This sort of disassembly and hacking really brought back memories. Shadowmite introduced me to mobile phone hacking back in the day. Back then we were doing stuff like porting Linux to the device and hacking the bootloader.

In any case, here’s some screenshots. We’re not releasing any details on the root hack yet:

At this time, we believe that this specific exploit cannot be applied to Incredible.

You can find me on twitter as @mmastrac

Posted in electronics | 43 Comments »

The sorry state of Avira anti-virus heuristics

March 17th, 2010

UPDATE (July 7, 2010) Daniel Herding sent me a story about his adventures with Avira’s latest version. Looks like they’ve just paved over the problem.

We’ve been seeing a number of reports that our DotSpots Chrome extension is being reported as infected with the HTML/Crypted.Gen malware. There’s not a lot of information on Avira’s site about this malware, except that it’s a ‘trojan’ with ‘low damage potential‘.

I previously submitted a sample of the false positive which solved the problem until we pushed out a new version of our code. Since we can’t submit each of our builds ahead of time to Avira for approval, I had to spend some time figuring out exactly what was causing them to think our code was malicious.

I started by downloading a trial version of their anti-virus product. Immediately after restart, it detected the HTML/Crypted.Gen malware in the Chrome extension that was already installed. I extracted the script from the extension to my desktop and it continued to pop up infection warnings on the file. Now that I had a reliable reproduction case, I could start working on narrowing down what triggered the alert.

I loaded up the file in my trusty analysis tool, Notepad. Starting from the original file, I deleted large swaths of code until it was no longer detected as a virus, then restored those pieces and deleted smalled chunks. Eventually I reduced it down to a couple of lines, which were then reduced down to a few strings of characters. At the end, a file with only a few hundred characters would trigger the signature:

.fromCharCode
.charCodeAt
for
eval
0,0,0,0,0,0
Math.min

Aside: my original set of pattern strings included “nodeValue” rather than “eval”. The patterns are all case-insensitive and don’t ensure matches happen on JS token boundaries. When I went character-by-character to simplify the triggers further, I discovered that it was the ‘eVal’ in ‘nodeValue’ causing issues.

When I create a file with those six strings in it on a website, Avira will attempt to block the download. This appeared to be the most specific components of the signature. Putting those keywords into Google, I found a few references to the malware it detected. The malicious script seems to construct an iframe from an array of characters, then inserts it into the document to download malware from a third-party site.

Unfortunately, these keywords also end up in the compiled Javascript of nearly every Google Web Toolkit application, giving Avira anti-virus users false-positives when viewing many of these applications.

I posted a report to the GWT contributor Google Group with my findings. I had expected that since I posted the offending signature in the message, Avira would warn me that the web page I was reading was malicious. It didn’t.

I ran the message page through the same process that I used to figure out what triggered the signature, this time looking for the smallest piece of text that disables detection of the virus. It turns out that this text is the phrase google. So, the heuristic looks for the presence of the six character strings above, but also the absence of the word Google.

It’s a little disappointing to see how poorly this anti-virus product implements heuristic detection of this particular scripting pattern. It was trivial for me to figure out the pattern. I could have worked around any number of ways- by adding whitespace to the array of zeros, using Math['min'], or String['from' + 'CharCode'], all of which breaks this pattern recognition. Having the phrase ‘google’ disable detection of the virus made my job even easier. It’s possible that there are a set of other safewords that do the same thing. If I were writing malware or viruses, I’d definitely spend time altering it to work around this sort of heuristic.

Considering that the risk of false positives is so high (and users might be trained to ignore other, potentially valid virus warnings), I’d say that users are worse off with this virus definition than they are without.

You can find me on twitter as @mmastrac

Posted in Uncategorized | 28 Comments »

A decade and three blogging platforms later

March 14th, 2010

Looking back through the archive.org history of grack.com, I realized that I’ve used three off-the-shelf products to blog over the last decade: CityDesk, Typo (a Ruby blog engine) and WordPress.

My favorite of the three was CityDesk. It was a very simple CMS with a decent custom scripting engine. Its big disadvantages were 1) that its data was stored in a Microsoft Access database 2) its data was basically a big binary blob that didn’t work well at all with source control, 3) I couldn’t push stuff into it from the command-line (ie: various testing snippets that I like to save) and 4) the scripting language was too limited at times to do what I wanted.

Typo was a great engine, but terribly slow on my webhost, 1&1. A few years in I managed to accidentally delete the .htaccess file that configured the Ruby magic and couldn’t get it working again.

WordPress is both fast and stable, but I find that it’s near-impossible to customize it as I like, not being terribly experienced with PHP.

I’ll probably be migrating off WordPress to something a little more custom in the next few weeks. I’d like to go through my entire blog history (from 1998 to present) and put it into a single, source-controlled repository that I can use going forward.

I reserve the right to remove some of the more embarrassing posts from the Internet entirely, however. :)

Tags:
Posted in Uncategorized | No Comments »

« Older Entries