
Charlie — A Tale of Android 0day Hunting

BSides Nairobi · 2022 · 51:15 · 146 views · Published 2022-12
About this talk
Charles (Charlie) walks through the practical process of hunting for Android zero-day vulnerabilities: the memory-corruption fundamentals you need first, setting up a lab from publicly available resources (kernel source, security bulletins, fuzzer reports, patch diffing), and a live demonstration of privilege escalation to root on a Pixel 2 emulator through a use-after-free in Android's binder IPC. The talk argues that Android is a better research target than iOS (documentation, community, cheap hardware) and explains why zero-days matter to researchers and bounty hunters. The Q&A covers n-days, how the use-after-free is turned into a cred overwrite via addr_limit, kernel bug portability across vendors, and recovering from compromise.
Transcript (en)

So the next speaker is going to get a bit technical, and one thing that I would like to mention about the next speaker is that I've had the privilege of working with him, especially in developing CTF challenges within our CTF platform. In my opinion he is one of the best individuals when it comes to mobile exploitation, browser exploitation as well, and reverse engineering. I won't say too much about him because I know some of you may be familiar with him, so I'd like to invite Charles, who will be taking us through A Tale of Android 0day Hunting.

So I'm looking forward to that. In the next few minutes you're going to have a brain-fry or a chat, but I promise you're going to learn a lot. My talk for the time being is a tale of finding Android zero days. We'll get to see what zero days are, why they are cool, and all sorts of things you can do with them. So who am I? My name is Charles, but many people call me Charlie for some reason. I have been in the cyber security industry for the last couple of years doing research on various things here and there. I used to be an independent researcher

until recently, when a company called Silencets hooked me up, so I'm working there as an offensive security consultant during the day, and during the night I'm doing vulnerability research. I do many things: you'll find me in web, mobile, and just trying to earn a living. I love Android and ARM assembly, those are my favorites, and I use Parrot OS, everybody should use it. So why would you hunt for Android zero days? Well, for one, there are the bounty rewards from Zerodium: you can see that an Android FCP goes for 200 plus million Kenyan shillings. You spend maybe a year plus getting one, and once it's done it opens doors. Then, coming to

businesses and researchers: for iOS research you have to do reverse engineering with no resources, just doing black-box stuff, and it's quite frustrating. Then we have rich-people problems in iOS: when you're doing research on iOS you must have the latest M1 and the latest iPhone, which is quite expensive and not convenient at all. Android, on the other hand, is well documented, heavily documented, with a supportive community, so you get to ask people questions and someone will answer quickly, whereas for iOS you'll barely get an answer. So let's get to the basics: what do you need to get started in hunting for these things we call zero days?

Before I get to the basics: zero days are vulnerabilities that haven't been exploited before. So, by a show of hands, how many people are comfortable with any programming language? C? Any C? Damn. I had two paths for this: if the higher percentage of you had good, or even just some, experience in such programming languages, we would have gone very technical, but since most of you don't have sufficient background in that, we are going to be overly abstracted. I'm going to make this as friendly as possible; the brain-fry has been done away

with. So for the basics, to begin doing stuff you need to be comfortable with basic memory corruption bugs. These include buffer overflows; if you've been playing CTFs you definitely know about these. I don't include stack overflows and that kind of stuff, but it's very rare to get such bugs in real exploitation, we'll see about that later. Then you need a couple of languages: you need to be good in C, C is a programming language, a little bit of C++, a bit of Java, and probably English; it's optional, you can do some other languages. And also you need to have a good PC with 8 GB plus of RAM, and 50 GB of hard disk is sufficient; if

you have a bigger hard disk, even better. Then you need a good internet connection and patience; it takes quite a huge amount of time to get things set up when doing this sort of stuff. So let's be specific: where do you begin? You have the basic memory corruption exploitation skills, you have all those C and C++ and whatever skills, but you don't know where to get started. For me personally I had quite a hard time; I tried DMing people who could critique me, the ones who are quite good at this, and that's where the patience comes in. So you read a lot of reports, you understand nothing from Project Zero, you do a lot of CTFs, and you question your

sanity: I mean, I'm good at memory corruption bugs, why am I not seeing stuff? In hunting for zero days I also Google a lot of stupid questions, but you'll eventually get what you want. Then you need to set up your lab: this is how you install the build tools, Android Studio, getting the kernel source and all that stuff, and I think you're good to go. So I want to focus on using publicly available resources, because we said there are the rich iOS people problems and all that stuff. So you have, what do you call these Android things, there is syzbot or something:

it usually fuzzes the kernel on a daily basis and submits reports, so if you subscribe to the mailing list you will be up to date with anything happening around the corner. You see some fix that has been pushed, you look at it, and you might find a zero day. And then you read the security bulletins; these are usually released with every update of the Android device, you just go through them, and if you see a CVE or something you just focus on that, because it might have a pointer to the patch they just pushed. And then you read changelogs: if you've been using GitHub and Git and all those VCS tools, you know what

changelogs are, they tell you the changes that have been made in the update or something, and that's where diffing comes in: you compare the old version of Android with the one that has currently been released. Then we have Twitter; people tweet a lot about these issues and you can definitely learn from that. And then you should stalk other researchers, I mean I stalk a certain researcher because she's good at what she does, you should definitely do that. So basically my hunting methodology, what I usually do: I read the reports from the likes of Project Zero, but we have others also releasing stuff, so I just go through that and then read the root

cause analysis. I don't want to get quite jargony and technical, I'm going to use common English: so I read reports, then after that I do something called patch diffing, it's like when they push an update I just pull it to my machine and do a diff to see the difference between the old release and that release. And then I also browse the kernel source, you know, there is this site called Bootlin where you can go to any kernel you can think of and try to see stuff that was exploited before and try to understand what it's doing, and if you don't, you

move to the next image and keep trying until you get something. After that I try to create my own version of the exploit, however horrible it is; I mean, it's a learning process. So before we dive in, I want to take you through the Android privilege escalation model. Once again I'm not going to be technical, because if I get technical most of you will sleep and it's not good. So at the lowest level we can see the CPUs, we all know our devices have CPUs, the processing units and stuff, and then in the middle we have the kernel space, so this is where the kernel exists, and

I've been mentioning the word kernel a lot. The kernel is the core of an operating system; without the kernel the operating system is useless, so it's sort of the brains of the operating system. And it has something called a task scheduler. The task scheduler you can see looks like that of Linux, well that's because Android is basically Linux, it's just that it has been heavily patched, and that patching means it has been extremely modified so it looks like something else, but at the lower end it's just Linux. So after the task scheduler we have something called multithreading, okay, so

multithreading in layman's English is just multitasking. You can see those Android icons with some Linux stuff inside, so assume those are individual tasks: maybe the first one paints the screen, the second one does something else to your phone, the third one does other stuff. And then, from the left, you can see an L, and those are called lightweight processes. So from the task scheduler we have many processes; these only exist in the kernel space, but we also have separation between the kernel space and the user space. Well, in plain English we have different layers of permission in

Android devices. In the kernel space we have extreme privileges: you can do anything you want when you're in the kernel space. In the user space you can just open WhatsApp, go to Facebook, like on Instagram and stuff, but in the kernel space you can do anything you feel like, you can read WhatsApp messages even if they have been secured with a password. So you have a lot of privileges inside there. And then outside we have what we call lightweight processes, they're kind of babies of these tasks, and just to simplify this, we have separation between stuff, and then you have something

interesting called a cred. Well, if you're comfortable with C it's a data structure; if you do not know what C is, think of it as this tag: my tag says I'm a speaker, yours probably says you are an attendee, so the privilege of being a speaker is that I can hold the mic and you can't, unless you're asking a question. The cred is what tells the kernel the privilege that something has. It would be very irregular if you had WhatsApp powering off the device; it's reasonable if the power button powers off the device. So that's the separation we have. This cred structure is very important because it's

what we are going to target to elevate our privileges from being an attendee to being a speaker, right? Conventionally, people used to use those memory corruption bugs I was talking about, the stack overflows, the buffer overflows; it was very simple, you just control, we have something called a pointer that points to the next instruction: you click on WhatsApp, it says open the home page, and when you click on something else it says do that, it tells the CPU to do that. So you would just corrupt that and you could definitely do anything. But Android kernel developers are getting serious day in, day out, so they made that

pointer difficult. At the moment the only sort of thing you can do is data-only attacks. So what do you corrupt? Assuming the cred says you are an attendee, you overwrite it to say speaker, and then when the kernel comes and checks it says, oh, you are a speaker, you should be here, and that's how you elevate your privilege. It's quite simple, right? Yeah, it's very simple. Now I'm going to use a very simple analogy. Assume we have a farmer, alright, they plant flowers and wheat. They have several sections of land, they come and plant flowers in the first

section, then the second section, another section. When the time for harvesting comes they have plenty of harvest, so they harvest everything and think, oh, I'm going to plant again, but this time I got an excess, I reaped a lot of stuff, my granaries are full, so I'm just going to plant in a couple of sections. When you get rich you become ignorant, you gain weight, it's one of the things that accompanies becoming rich, you can see here. So when they are planting they forget to plant in this section, but they do not notice that they haven't done that. Then they break up with their girlfriend, and

the plants continue to grow, with nothing in this section, but in their minds they planted something. When they break up with the girlfriend, the girlfriend wants to kill them, but they only go out in cars and there is no way to reach them. But the girlfriend has access to the farm, you know, when you're living together you have access to the house, the title deeds that are not hidden and such stuff. So they come and plant weed in this farm. Assuming the farmer had planted wheat, they come and plant weed; weed looks very much like wheat. So when the farmer comes back they just harvest

everything; they do not realize they have harvested a combination of wheat and weed. So when they keep stuffing their granaries and start eating it day in, day out, they eventually get high, because weed gets people high. That's the same thing we are going to use to elevate our privileges in the exploit that I'm going to showcase. Well, the kernel writes data to memory normally and then it reads from memory normally without having any issues, but this specific bug is usually called a use-after-free, because the crops, the farm, are planted then harvested: you can call planting an allocation and

harvesting you can call freeing the land, and then planting again is allocation of some freed land, and the angry ex we can just call a primitive, so that's sort of an exploit. And I want to talk about harvest again: we now have the use-after-free, we're thinking this land has wheat, but in the real sense it didn't have wheat, it had nothing, but the exploit creator planted weed and they harvested weed. So it's the same thing we use in Android when you have such a type of bug: you have clean data, it's clean, and then dirty data in memory, and then the green dots. Thank you, thank you. So we were

talking about clean and dirty data. We have clean data in memory, you free that data and now the memory is empty, you have allocation of some data but forget about some sections that were freed a while back, and then the section looks like this: it has some freed section that you don't see, that the kernel doesn't even know about. So the attacker plants, remember the cred thing I was talking about, we just plant it here, so when the kernel reads it, it will be like, oh, this guy is not an attendee, he's a speaker, somebody treats this as the speaker, and you get your privileges elevated. The same thing happens as with

the farmer getting high. So let's now go to the demo. I do not want to go through the exploit because it's quite lengthy, but you have the basic understanding of what's happening. I just compiled the kernel a few minutes ago, I don't even know if it's going to work, but just to share some evidence, you can see it's clean, it just finished building a few seconds ago. Wow, oh yeah, it did. So if this doesn't work for some reason I have a backup kernel that I built a while back, so we will be using it. I bought a Pixel device specifically for this demo, only to find out that it has a lot of

bootloader issues, so we're going to use an emulator instead. I really wanted to show you guys how iOS is weak, it's for the weak, because everything, I mean like hacking an iOS device, is quite easy compared to doing the same stuff on Android, because we have excessive mitigations on Android. I'm not going to take you through them, I'm just going to showcase the demo, and probably we'll have another session where I go through the exploit step by step, showcase what it does and all that stuff. So I'm just going to start it up, it's going to take a few seconds, and as it does that we can probably be doing something useful, so

I hope I'm still audible. Awesome. So actually, instead of typing, I'm going to paste it, and then do some navigation. I mean, this is the Android emulator stuff, and then we list what we have here; also we have the demo directory, this is where my exploit is, I'm going to showcase it in a few minutes. And then we have all these: when you start pulling the kernel source you see all this stuff and it's quite heavy, so the final build exists in this out directory. I'm just going to copy all this because it is very hard to type, so out, the latest, copy that, and

then paste it. Okay, so let's do this one, we're focusing, I'm just going to paste it again. Why is it doing that? I don't know, it was working yesterday.

So as I do this, actually you can be shooting questions if you have any. Ah, there we go, now we have the phone screen. You can close this log. So this is the Pixel 2 device, it's made by Google and heavily patched, and I'm going to open another terminal, you know, that we'll be using to shoot the exploit. So okay, you can see it's a real device, you know, it's not fake. So it's not working, okay, I promise it was moving yesterday, it really was. Oh yeah, it's moving, I'm probably having something crashing for some reason. Let's try to see the settings and actually verify it's a Pixel device, so

scroll down to About Phone, tap it twice, and you can see the model and that it's running on a Pixel 2 and all that stuff. So now let's fire up another terminal, and we will be using something called ADB, the Android Debug Bridge; it's used for communication between the host machine and the Android phone. So let me just navigate to where I have the exploits, in our trees... oh yeah, you can be shooting questions if you have any, so long as they are not personal. And then releases, so you have all these files: we have the .cpp and the rest, and those are

the files I used to create the exploit, and you have the badbinder binary; I just named it badbinder because that was the name it was tagged with. Now I'm going to push these, push them to a directory called /data/local/tmp, this is our globally readable directory. Oh yeah, you can see it's already pushed, and then I'm just going to shoot up a shell on that device, but I do not have a lot of privileges on my shell when I ask who am I, so let's see.

You guys are not seeing it? Let me try to zoom it out.

Okay, so is that readable? Okay, can you guys see that? Yes, you can see it. Okay, let me just do it my way. Now if you can't see that, you have an issue. So I'm just going to ask who am I, and we can see that I'm just shell. Well, if I'm running the command from the device I would be maybe the mobile user or some application, but we want to be root. Having root means we have complete access to the phone, we can navigate to some private places where the phone stores its data, we can go read messages, we can

read emails, you can definitely do everything you want with the phone when we are root, but when we are another user we have all those limits. So I'm just going to navigate to the directory that I pushed the exploit to, I think it was in /data/local/tmp, alright, so let's see, then I pray to the demo gods. Now you have this exploit, badbinder, and I'm just going to run it now. Just let me take the ID: you can see I have the user shell with the uid 2000 and all that; when I am root I should have a uid of 0, and let's not talk about those, but

just know they should be zero, so

it's not going to work. Alright, let's try again, but right now you can see it's doing some stuff. Okay, let me just use another kernel, that one seems to be not working for some reason. So I'll just disconnect for a sec, you don't want to see my secret folders, so just a second, be patient. Oh, you can be asking questions.

Great presentation, and I heard you explaining the zero days, you explained them so well, and from the presentation I'm seeing n-days; do you mind explaining what n-days are? Oh, so zero days are previously unexploited devices, not devices, exploits; as for n-days, they are zero days, so when a zero day passes one day, two days, it becomes a one-day, two-day, three-day, so we just call them n-days. I hope that answers your question. Awesome.

Great session again, and would you just tell us a little about the Bad Binder exploit? I think they missed some of the best parts. Come again? Could you tell us more about the Bad Binder exploit? Alright, so Bad Binder is basically a use-after-free. Should I get technical? Alright, so let's do this. The Bad Binder bug is basically a use-after-free in the binder. So when you have an application like WhatsApp, you want to save a number, for example: let's assume somebody texts you on WhatsApp and you want to save their number from WhatsApp, so you just click on the number and

then it automatically takes you to the contacts application. Well, ideally WhatsApp should not be able to communicate with the contacts application, they should have a layer of separation, but you have something called binder. The binder is an IPC mechanism, inter-process communication, so it facilitates that transfer of the number from WhatsApp to the contacts application. So that's the binder. Now the Bad Binder bug is a zero day that was found by syzbot, which I was talking about a while back, so the root cause analysis follows: it's a use-after-free, right? You remember when I showed you the farmer

planting and all that; it's a use-after-free in the binder. The binder has something called a wait queue, and when the wait queue is freed, the binder thread forgets that the wait queue has been allocated and has been freed, so when the process tends to exit, we have the memory not in use but it's trying to be used again, right? So that's what Bad Binder is. Have I answered the question? Did I answer the question? I suppose so. Let me just bring it up again and let's do the demo, the gods are on our side. So I'm just going to start it up again, and

then, but before you go, let me just present this question. Yeah, question. So when you're talking about the Android kernel there, is Bad Binder a universal exploit or something? So Bad Binder, okay, we have different kernels branching from Android, each manufacturer, Samsung, HTC, Huawei, has a version of the Android OS modified a little bit, but the core concepts remain the same, they barely change the kernel. So when you find a kernel bug in Android it's almost universal, it requires little or no device customization, so if it works on a Google Pixel 2 that means, if a patch hasn't been released, it should also work on

your Nokia, your Infinix and your Itel, so it should be sort of cutting across all the devices. Have I answered the question? Awesome. So let me just push the exploit again and spin up the shell, so it will be shell, and then we move back to /data/local/tmp, and now let's check the ID so that you don't say I messed up things when I stopped sharing. We can see here I'm shell, and then we attempt to run a command, like maybe a privileged one, okay, let me just try... oh, so you can see it's saying permission denied, that means we don't

have access to that. But let's run the exploit, badbinder, and we can see it doing stuff, and we have a root shell now. If I take the ID, I am root, so I have complete control of the device. Maybe I can just scroll up a little bit to see what the exploit did. Well, we can see the introduction; I did make it when I was half asleep, but it's just a rewrite of something that had been exploited before, so they did it and I took the latest kernel and created a patch. Actually I'm going to release all this stuff via GitHub after BSides, so you should be

able to see it after this. So you can see it's opening the binder, doing something called setting up a pipe, well I don't like it, we will be doing this in a technical session; I'll explain all these: why it's reading some 4 GB stuff, why it's spraying the pipe, you saw something freed and freed again and then linking it, and it's linking some stuff, opening binder, yeah, and finally it checks the uid, so when the uid is zero that means we are root, and we can see that it says rooting successful. Now this bug needs one more bug to be a one-click or zero-click,

so a zero click is where you send somebody a link and when they click it they're actually compromised, like you have complete control of their device. But it's quite vague; creating such an exploit can take actually a year also, so when people come to my DM telling me to hack their boyfriend, I feel like killing them, because the level of headache required to make such a thing is just insane, and we just saw the amount of failure you get creating such. So if you want to make huge money, just start doing your research, but it's quite bad because each and every day they're introducing new stuff to make it more

hard. So we have my socials, I didn't want to list all of this, this is my global username, the "cha" stuff, so if you have anything you'd like, just reach out, my DMs are always open. And now you know how to hack this; actually this is what Pegasus and such groups, those big big APTs, use, such kinds of exploits. Do you have any questions or something? Yeah, sure.

Could you maybe explain how you use the use-after-free bug to achieve privilege escalation? Sure, so at a high level of abstraction, remember that cred structure I was speaking about: I just forced it into the memory space that had been freed, so when the kernel was reading through, it thought there is some authentic data in that space, it read it, it made it the cred, and then the cred tells you that the existing space should be in the kernel space, so it's a basic elevation from the user space to the kernel space, and that's how you gain root. There are so many technicalities behind that, but that's the high level of

abstraction. Have I answered your question? Any other questions, insults, sentiments, comments?

So you talked earlier about, in the binder there is a queue, right? So you pretty much add the cred for, I guess, the process that you're trying to... I don't know, is it about leaking a cred or is it about adding a cred to the queue? So the cred already exists and it says I have very little privileges, like I should only do stuff in the user space. Now the use-after-free has a specific structure called task_struct; the task_struct has information about the cred and it has something called addr_limit. The addr_limit tells the kernel the space that I should operate within, so ideally I

should be operating within the user space. Now the first time I use the use-after-free is to increase the addr_limit, so that means I should be able to write and read from the kernel; from there I use the use-after-free again to write to the cred structure that is already in the kernel, alright, so now the kernel believes I am root, it should be a process running with elevated privileges. Now, does that answer the question? Also, for those who are wondering what those are, honestly, I'm also wondering what those are, so we are together. Any other questions? I had a question: how does the ADB push work, like how is

the file transferred from the local machine to the device? Well, ADB is specifically designed for that, so if you've been doing Android development you've been using ADB a lot; it's a protocol designed like that: we have TCP for the internet, we have HTTPS for the web, we now have ADB, this is specifically for communicating with Android, making a communication between Android devices and the host machine. And my experience in finding zero days, I really don't think I should talk about that, it's PII data and we just had a session on that, so let's just keep it black box, yeah. Any other questions?

I had a question, I don't know what your thoughts are with regards to using machine learning, specifically deep learning, in hunting, because it might be very difficult to just try to hunt blind when you don't know what you're really looking for. Just to answer that, it's almost close to impossible to use machine learning to find zero days, because most of them are something you don't know what it is, but you know it's there, so most of them are usually found by fuzzers, like, you know, just on a normal use case you have WhatsApp, you're supposed to send text, let me try sending other stuff, like irregular characters, and it just crashes

because it doesn't know how to handle it. So you just try that, and by chance if you make it crash you analyze what made it crash, and then you see if you can use that to your own advantage. Now the fuzzers are smart by just generating random data that doesn't even make sense, pushing it to the kernel, trying to see how it's processing it, and if we have a crash it tries to create something called a reproducer, so if you run the reproducer you should be able to crash the kernel the way it was supposed to. So that's where the human intervention comes in: you do the root cause analysis to try to see if this is

what happened, you hear from the fuzzers and all that, and try to see if you can make an exploit from the same. So using machine learning is quite hard, unless they implement it in the fuzzers; using it on the exploitation side is feasible. Any other questions? I'm going to take one last question, but I see three hands, so, questions or comments, I'll make them brief: I will take all three questions and then you'll answer them at once so that you don't... The question is on the build that you achieved: on the practicality aspect, will it be the same in the cloud, will it be easy to use, because it will give you a lot of privileges already.

Hi, okay, and now for example if it's pretty successful, how does the Android device respond, and maybe how does someone recover from the exploit?

Hello, I know you're doing research in Android security, so my question: once, back in campus, when I was in second year, one of my friends sent me a link, I was seeking an attachment, and he sent me a link to apply for an attachment. Through that link, when I clicked it, all my contacts were sent a message that I'm currently involved in an accident, "please send 400 to this number, the other number the police are going to use", so those who were uncertain about the message just sent the money to the other guy. Then recently, last week, I also saw that incident again. Have you come across that incident in your research, and what are the measures that can be put in place to avoid it?

So I'm trying to remember all those questions at once. The first question was about the build: you asked if I used a Google Pixel build, yes, it's because I was creating the specific kernel for a Pixel device, so that's why I used the specific build for that device. But there is one shared common kernel, it's known as the common kernel, it's shared across all the other third-party vendors that are not Google, so if you reverse the same in them and create builds for the same, it should work efficiently on all of them, be it the Itel, as I said, the Infinix

and all that. So the other question was... the other question was, it was about, oh, he's sending contacts; there was another question about, oh yeah, the question was what happens after the exploit. So there have been cases where this kind of exploit is not usually used on common people in Kenya, because they are expensive and they're used on specifically targeted people like maybe presidents, huge journalists, so the chances of you and me being exploited are almost close to zero, because we barely have... yeah. But how you would recover from that: immediately you notice something suspicious of such a high level, you should contact people like

Citizen Lab, or maybe actually you should use some of the tools used by such vendors; you have, I don't know, something or other, I just installed Kaspersky and purchased the license, you should be able to foresee these things before they happen, and I know you people have an issue with paying for antivirus, yeah, please. The last question was about a link you visit and then the contacts receiving messages. For that, actually, I used to make such when I was in high school, I used to be a bad guy, but then I met Jesus and now I do good stuff. So what essentially happens, I actually have

done root cause analysis of such, I'll send you the link, I usually analyze such malicious stuff, links and all that, I'll send it to you for you to understand what happened. So what basically happens is the link comes with an application, maybe you might install it, and they might wipe your device screen; another variant would produce noises and they are very persistent, you try to reduce the volume, it's just like a morning alarm, it's unbearable; other variants would do the, if you have credit, send messages to all your contacts; the first one that I made used to steal credit, so you just click the link and then if you have

credit it just used to steal it, the bundles, yeah, you know, your government, so it doesn't concern me, so it just steals them both, yeah, just say thank you for all that. So what essentially happens when you click the link: there is some way to install the application, you might install it yourself without knowing, or the final way of doing it is, okay, you might have an authentic-looking form that asks for your phone number, so when you enter the phone number they'll start sending you premium messages, and in the morning you wake up to a number of... it has touched 50 people or whatever

or something, so it's usually like that. I don't know if I have answered your question, but I'll surely send those resources afterwards. I'm finished, so I guess that's the end, we shall meet again. I probably should be releasing, God willing, by then I will be having stuff on iOS, so yeah, excuse me, have fun and do research.
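The use-after-free mechanism the talk describes (free the object, refill the same-size slot with attacker-chosen bytes, let privileged code read through the pointer it never dropped), as an added example that is not from the talk or the speaker's exploit. It is a userland C simulation: the slab allocator is a constructed toy that only reproduces the "last freed slot is the next one handed out" behaviour, the cred layout and the SHELL_UID value are hypothetical, and it models neither the binder wait-queue bug itself nor the addr_limit stage the speaker mentions in the Q&A. What it shows is why a dangling reference to a freed, attacker-refillable object is enough to flip a privilege check, and the fix of dropping the reference when the object is freed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-size slab with a LIFO free list (constructed for this example,
 * not the kernel's allocator). The property the attack needs: a just-freed
 * slot is handed straight back to the next same-size allocation. */
#define SLOT_SIZE 32
#define NSLOTS    8

struct slab {
    uint8_t mem[NSLOTS][SLOT_SIZE];
    int     free_list[NSLOTS];   /* indices of free slots; top = last freed */
    int     nfree;
};

static void slab_init(struct slab *s)
{
    s->nfree = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        s->free_list[s->nfree++] = i;     /* slot 0 ends up on top */
}

static void *slab_alloc(struct slab *s)
{
    if (s->nfree == 0)
        return NULL;
    int i = s->free_list[--s->nfree];
    memset(s->mem[i], 0, SLOT_SIZE);      /* fresh object starts zeroed */
    return s->mem[i];
}

static void slab_free(struct slab *s, void *p)
{
    int i = (int)(((uint8_t *)p - &s->mem[0][0]) / SLOT_SIZE);
    s->free_list[s->nfree++] = i;         /* on top: reused by next alloc */
}

/* Hypothetical stand-in for the kernel cred structure: only uid/gid. */
struct cred {
    uint32_t uid;
    uint32_t gid;
    uint8_t  pad[SLOT_SIZE - 2 * sizeof(uint32_t)];
};

struct task {
    struct cred *cred;   /* the "tag" the kernel consults for privilege */
};

#define SHELL_UID 2000   /* unprivileged uid, as the ADB shell in the demo */

/* The privileged check: root is uid 0; no cred means no privilege. */
static bool privileged_op_allowed(const struct task *t)
{
    return t->cred != NULL && t->cred->uid == 0;
}

/* Vulnerable: frees the cred ("harvest") but keeps the dangling pointer. */
static void release_cred_buggy(struct slab *s, struct task *t)
{
    slab_free(s, t->cred);
    /* BUG: t->cred still points at the freed slot */
}

/* Fixed: the reference is dropped together with the object. */
static void release_cred_fixed(struct slab *s, struct task *t)
{
    slab_free(s, t->cred);
    t->cred = NULL;
}

/* Attacker "plants weed": a same-size allocation filled with chosen bytes. */
static void attacker_reclaim_slot(struct slab *s, const uint8_t payload[SLOT_SIZE])
{
    void *p = slab_alloc(s);   /* receives the slot that was just freed */
    memcpy(p, payload, SLOT_SIZE);
}

/* Runs the scenario; returns whether the shell-uid task ends up passing
 * the root check after the attacker refills the freed slot. */
static bool run_scenario(bool use_fix)
{
    struct slab s;
    struct task t;
    slab_init(&s);

    t.cred = slab_alloc(&s);
    t.cred->uid = SHELL_UID;
    t.cred->gid = SHELL_UID;

    if (use_fix)
        release_cred_fixed(&s, &t);
    else
        release_cred_buggy(&s, &t);

    uint8_t payload[SLOT_SIZE] = {0};    /* attacker-chosen: uid = gid = 0 */
    attacker_reclaim_slot(&s, payload);

    return privileged_op_allowed(&t);    /* reads through whatever pointer the task kept */
}

bool uaf_gives_root(void)   { return run_scenario(false); }  /* true */
bool fixed_gives_root(void) { return run_scenario(true);  }  /* false */

int main(void)
{
    printf("vulnerable: root check passes? %s\n", uaf_gives_root() ? "yes" : "no");
    printf("fixed:      root check passes? %s\n", fixed_gives_root() ? "yes" : "no");
    return 0;
}
```

The attacker never writes to the cred object through a bug; they only allocate something of the same size after it was freed and choose its contents. That is why the speaker's "data-only" framing matters: no control-flow pointer is touched, the privilege check still runs as written, it just runs over bytes the attacker planted. A real kernel adds mitigations this toy ignores (the speaker alludes to them), but the dangling reference is the defect the fix removes.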