-
Recovering dProtect's Obfuscated Strings Using Katalina in an Android App
TL;DR: Strings obfuscated by dProtect in an Android app can be recovered by emulating the Dalvik bytecode that decrypts them with Katalina, rather than re-implementing the decryption routine by hand.
-
Poking around with FRIDA's Java enumerateClassLoaders
TL;DR: On Android, classes loaded through a non-default ClassLoader are invisible to Frida's Java.use() because it resolves classes through the default loader. Java.enumerateClassLoaders() lists every loader the process has created; select the right one, assign it to Java.classFactory.loader, and the classes loaded by it become hookable.
-
Solving iOS UnCrackable 1 Crackme Without Using an iOS Device
TL;DR: The iOS UnCrackable Level 1 crackme can be solved without an iOS device by emulating the relevant code with angr's execution engine.
-
RageAgainstTheCage - Revisiting Android adb setuid Exhaustion Attack
TL;DR: The adb setuid exhaustion attack (aka RageAgainstTheCage) affected Android 1.6 to 2.2. During adb initialisation, the daemon drops its root privileges with setuid(), but never checks the syscall's return value. The attack exploits this with a race: an unprivileged process forks until it reaches the shell user's RLIMIT_NPROC, then kills adb; when adb restarts, its setuid() call fails because the process limit has been hit, and adb keeps running as root.
-
Differentiate an ELF executable from a shared library
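The distinction comes down to two fields: e_type in the ELF header (ET_EXEC for a fixed-address executable, ET_DYN for anything position-independent) and, among ET_DYN images, whether a PT_INTERP program header asks for a dynamic loader, which shared libraries never do. The classifier below is an added example written for this page, not code from the original post; it parses 32- and 64-bit headers in either byte order with nothing but struct, and builds a few constructed minimal ELF64 images to exercise itself offline (the make_elf64 helper is an assumption of this example, not a real toolchain output).

```python
import struct
import sys

# ELF constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1
ET_EXEC, ET_DYN = 2, 3
PT_INTERP = 3


def parse_elf(data: bytes):
    """Return (e_type, [p_type, ...]) from an ELF image (32- or 64-bit, either byte order)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == ELFDATA2LSB else ">"
    if ei_class == ELFCLASS64:
        # e_ident, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
        # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
        hdr = struct.unpack(end + "16sHHIQQQIHHHHHH", data[:64])
    elif ei_class == ELFCLASS32:
        hdr = struct.unpack(end + "16sHHIIIIIHHHHHH", data[:52])
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    # p_type is the first 32-bit field of both Elf32_Phdr and Elf64_Phdr
    ptypes = [struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
              for i in range(e_phnum)]
    return e_type, ptypes


def classify(data: bytes) -> str:
    """'executable', 'PIE executable' or 'shared library' from e_type plus PT_INTERP."""
    e_type, ptypes = parse_elf(data)
    if e_type == ET_EXEC:
        return "executable"            # fixed load address, never a library
    if e_type == ET_DYN:
        # PIE executables and shared libraries are both ET_DYN; asking for a program
        # interpreter (PT_INTERP) is what marks a PIE. Caveat: a static-pie binary has no
        # PT_INTERP and is reported as a library by this check.
        return "PIE executable" if PT_INTERP in ptypes else "shared library"
    return "other (e_type=%d)" % e_type


def make_elf64(e_type: int, ptypes) -> bytes:
    """Constructed minimal little-endian ELF64 image: just a header and program headers."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + bytes(9)
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 0x3E, 1, 0x401000,
                      64, 0, 0, 64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0x1000) for t in ptypes)
    return hdr + phdrs


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # classify a real file, e.g. /bin/ls or libc.so.6
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], "->", classify(f.read()))
    else:
        for name, sample in [("ET_EXEC", make_elf64(ET_EXEC, [1])),
                             ("ET_DYN + PT_INTERP", make_elf64(ET_DYN, [6, PT_INTERP, 1])),
                             ("ET_DYN only", make_elf64(ET_DYN, [1, 2]))]:
            print(name, "->", classify(sample))
```

The same two facts are what `readelf -h` (Type) and `readelf -l | grep INTERP` show; on a modern distribution most executables are PIE, so e_type alone is no longer enough.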
-
Bypassing Android FLAG_SECURE using FRIDA
Since Android 5.0, the MediaProjection API has allowed third-party applications to capture and share the screen. FLAG_SECURE is the window flag that excludes a window's content from such captures and from screenshots. I won't go into how the API works or its security implications; this article by Nightwatch Cybersecurity summarises them succinctly.
-
Frida, Magisk and SELinux
While using Frida 12.x with Magisk v16.3+, I came across the problem that Frida is not able to spawn applications on Android. In logcat one can see the SELinux error:
-
Bypassing anti-debugger check in iOS Applications
-
Working of LD_PRELOAD for Android Applications and its anti-RE Technique
Have you ever checked the parent process of an Android application launched with the wrap.<process> system property set to an LD_PRELOAD value? It's not Zygote!
-
Intercepting HTTPS Traffic of Android Nougat Applications
TL;DR: To intercept the HTTPS traffic of an application targeting Android 7.0 (API 24) or later, add a res/xml/network_security_config.xml that trusts user-installed CA certificates and reference it from the manifest's application element, since Nougat stops trusting user CAs by default for such apps.
-
Bypassing SSL Pinning in Android Applications
It is common practice for Android and iOS developers to implement SSL pinning to make reverse engineering of their apps harder. OWASP defines SSL pinning as the process of associating a host (here, the app) with its expected X.509 certificate or public key. For an application that communicates over HTTPS with pinning, a man-in-the-middle attack that captures traffic in clear text with a proxy tool becomes non-trivial, because the proxy's certificate is not the pinned one. For further reading, OWASP's article on certificate and public key pinning is a good place to start.
-
Linux Thread is a Standard Process
Wikipedia defines a thread as "the smallest sequence of programmed instructions that can be managed independently by a scheduler", and goes on to say that the implementation of threads and processes differs between operating systems, but that in most cases a thread is a component of a process. A process can have multiple threads sharing its address space. I won't go into the nitty-gritty of threads here; there are many good resources on the Internet covering them. Instead I want to focus on one important aspect of threads specific to the Linux kernel: the kernel has no separate thread object. A thread is a task created with clone() that shares its address space, file descriptors and signal handlers with its creator and belongs to the same thread group, and the scheduler treats it exactly like any other process.
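The following is an added example, not code from the original post, that makes the "thread is a process" point observable from user space: it starts one thread and compares what getpid() and gettid() report in the main thread and in the new thread, then looks the thread up under /proc while it is still alive. It assumes a Linux host with /proc mounted and Python 3.8 or later (threading.get_native_id() is the gettid() wrapper); without /proc the lookups simply return nothing.

```python
import os
import threading


def read_tgid(tid: int):
    """Tgid (thread group id) from /proc/<tid>/status; None where /proc is unavailable.
    /proc/<tid>/ resolves for any task id, not only for thread group leaders."""
    try:
        with open("/proc/%d/status" % tid) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def inspect_thread_identity() -> dict:
    """Start one thread and record how the kernel identifies it next to the main thread."""
    info = {"pid": os.getpid(), "main_tid": threading.get_native_id()}  # get_native_id() == gettid()
    ready, release = threading.Event(), threading.Event()

    def worker():
        info["thread_tid"] = threading.get_native_id()   # the thread's own task id
        info["thread_pid"] = os.getpid()                  # getpid() reports the thread group leader
        info["thread_tgid"] = read_tgid(info["thread_tid"])
        ready.set()
        release.wait()                                    # stay alive while the caller lists tasks

    t = threading.Thread(target=worker)
    t.start()
    ready.wait()
    try:
        info["tasks"] = sorted(int(x) for x in os.listdir("/proc/self/task"))
    except OSError:
        info["tasks"] = []
    release.set()
    t.join()
    return info


if __name__ == "__main__":
    for k, v in inspect_thread_identity().items():
        print("%-12s %s" % (k, v))
```

The output shows the main thread's task id equal to the PID, the worker with its own task id that is nevertheless not a PID of its own (its Tgid is the main PID), and both ids listed under /proc/self/task; `ps -eLf` shows the same tasks as separate scheduler entities.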
-
Security Implications of Zygote Process Creation Model in Android
In the previous post I discussed the Zygote process creation model in Android and why a mobile device needs a process creation model different from a plain Linux fork-and-exec. Before getting into the technical specifics, it is worth refreshing the concepts of Linux process creation and ASLR.
-
Android Zygote
In this post I will discuss a very interesting piece of the Android operating system. If you have worked with Android, you may have run the ps command and noticed that all applications have the same parent PID (PPID). Android takes an unconventional approach to spawning processes, which keeps application startup snappy: every application is forked from a single pre-initialised process called Zygote. In the screenshot below, all applications have a PPID of 1914, which is the PID of Zygote. In the rest of the post I will talk about why Zygote is needed, how it comes into existence, and some general observations about it.
-
TLS Sequence Numbers
When talking about SSL/TLS, most of the discussion centres on cipher suites, the message types or other cryptographic aspects. But the protocol embeds many subtle details that are usually skipped. One of them is sequence numbers. As in TCP, SSL/TLS maintains a sequence number for records, but unlike TCP it is never transmitted: each side keeps a 64-bit count per direction and feeds it into the record MAC (TLS 1.2 and earlier) or the AEAD nonce (TLS 1.3), so a replayed, dropped or reordered record fails verification. One only learns this by reading the RFCs.
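To show the mechanism concretely, here is an added example (not from the original post) that computes the TLS 1.2 record MAC input exactly as RFC 5246 section 6.2.3.1 lays it out and the TLS 1.3 per-record nonce of RFC 8446 section 5.3, then plays a replayed record against a receiver that keeps its own count. The MAC key and record contents are constructed values; only the HMAC layer is shown, without the cipher that would wrap it.

```python
import hashlib
import hmac
import struct

TLS12 = b"\x03\x03"


def tls12_mac(mac_key: bytes, seq: int, content_type: int, fragment: bytes) -> bytes:
    """TLS 1.2 record MAC: HMAC over seq_num || type || version || length || fragment.
    The 64-bit seq_num is never on the wire; sender and receiver each count records."""
    header = struct.pack(">QB2sH", seq, content_type, TLS12, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def tls13_nonce(write_iv: bytes, seq: int) -> bytes:
    """TLS 1.3 AEAD nonce: the sequence number left-padded to the IV length, XORed with the IV."""
    padded = seq.to_bytes(len(write_iv), "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))


class Receiver:
    """Receiving side of the TLS 1.2 MAC check; its expected sequence number is its own state."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.expected_seq = 0

    def accept(self, content_type: int, fragment: bytes, mac: bytes) -> bool:
        expected = tls12_mac(self.mac_key, self.expected_seq, content_type, fragment)
        ok = hmac.compare_digest(expected, mac)
        if ok:
            self.expected_seq += 1     # only a verified record advances the count
        return ok


def replay_demo():
    """Deliver one application_data record, then deliver the identical bytes again."""
    key = b"\x11" * 32                      # constructed MAC key
    record = (23, b"GET / HTTP/1.1\r\n")    # content type application_data(23) + fragment
    mac = tls12_mac(key, 0, *record)        # sender's first record has seq 0
    rx = Receiver(key)
    first = rx.accept(*record, mac)         # in order: accepted
    replay = rx.accept(*record, mac)        # receiver now expects seq 1: rejected
    return first, replay


if __name__ == "__main__":
    print("in-order accepted, replay accepted:", replay_demo())
    print("TLS 1.3 nonce for seq 1 with a zero IV:", tls13_nonce(bytes(12), 1).hex())
```

Nothing in the replayed bytes changed; the only thing that moved was the receiver's counter, which is the whole point of binding the sequence number into the MAC (or the nonce).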
-
iOS Solid State NAND Storage
There is not much literature on what the NAND storage of Apple's iDevices looks like. While reading "Hacking and Securing iOS Applications" by Jonathan Zdziarski, I came across the layout of the NAND storage up to iOS 5. As a note of caution, it is quite possible that this structure has changed in subsequent iOS versions.
-
Detecting Microsoft HTTP.sys Vulnerability
On the 14 April 2015 Patch Tuesday, Microsoft released a patch for a remote code execution vulnerability in HTTP.sys, the kernel-mode HTTP driver of Windows. The vulnerability affected Windows 7, 8 and 8.1 and Windows Server 2008 R2, 2012 and 2012 R2. Microsoft's bulletin MS15-034 described the vulnerability only briefly and left the details to be recovered by reverse engineering the patch, so it was a race against time: defenders patching their servers and attackers diffing the patch to zero in on the exact bug. The vulnerability was assigned CVE-2015-1635. In this post we will look at what HTTP.sys is and how to detect the vulnerability; the fix, naturally, is to apply Microsoft's patch.
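The widely used check sends a request whose Range header ends at 2^64-1: an unpatched HTTP.sys processes the range and answers 416 Requested Range Not Satisfiable, while the patched driver rejects the header with 400 Bad Request. Below is an added example, not code from the original post, that builds that probe, classifies a reply from its status line and Server header, and includes an optional live probe; the sample responses are constructed for the offline demo and the path defaults are assumptions. Stick to the 0- form of the range: the same header with other lower bounds is the denial-of-service trigger and can blue-screen an unpatched host.

```python
import socket
import sys

HUGE_RANGE = "bytes=0-18446744073709551615"   # 0 .. 2**64-1


def build_probe(host: str, path: str = "/") -> bytes:
    """Probe request for MS15-034: a Range header whose upper bound is 2**64-1."""
    return ("GET %s HTTP/1.1\r\nHost: %s\r\nRange: %s\r\nConnection: close\r\n\r\n"
            % (path, host, HUGE_RANGE)).encode()


def classify_response(raw: bytes) -> str:
    """Heuristic verdict from the status line and Server header of the probe's response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    server = headers.get("server", "")
    if "microsoft" not in server.lower():   # a 416 from Apache or nginx is just a normal 416
        return "inconclusive: no IIS/HTTP.sys banner (%r)" % server
    if code == 416:   # unpatched HTTP.sys processes the oversized range and reports it unsatisfiable
        return "vulnerable: unpatched HTTP.sys accepted the oversized Range header"
    if code == 400:   # patched HTTP.sys rejects the header before handling the range
        return "patched: HTTP.sys rejected the oversized Range header"
    return "inconclusive: HTTP %d" % code


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send the probe to a live host and classify the reply (not used by the offline demo)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host, path))
        data = b""
        while len(data) < 8192:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify_response(data)


# Constructed responses shaped like those from unpatched, patched and non-IIS servers.
SAMPLES = {
    "unpatched IIS": b"HTTP/1.1 416 Requested Range Not Satisfiable\r\nContent-Type: text/html\r\n"
                     b"Server: Microsoft-IIS/8.5\r\nContent-Range: bytes */694\r\n\r\n",
    "patched IIS": b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html; charset=us-ascii\r\n"
                   b"Server: Microsoft-HTTPAPI/2.0\r\n\r\n<h1>Bad Request</h1>"
                   b"<p>The request has an invalid header name.</p>",
    "Apache": b"HTTP/1.1 416 Range Not Satisfiable\r\nServer: Apache/2.4.7\r\n\r\n",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for name, raw in SAMPLES.items():
            print("%-14s %s" % (name, classify_response(raw)))
```

The probe path should point at a static resource served by HTTP.sys itself (the IIS default page is the usual choice); a dynamic handler may answer before the kernel driver ever looks at the range.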
-
How Cuckoo Filters Can Improve Existing Approximate Matching Techniques
If you have used VirusTotal, the Additional Information tab shows a field called ssdeep. It is intriguing what this field represents next to the SHA1, SHA256 and MD5 hashes. ssdeep is an approximate matching algorithm (AMA), also called a fuzzy hash: unlike a cryptographic hash, it lets you measure how similar two inputs are. NIST defines approximate matching as:
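Several AMAs store the features they extract from a file (hashes of content-defined chunks) in a probabilistic set and score similarity as the fraction of one file's features found in the other's set; the proposal discussed on this page is to back that set with a cuckoo filter instead of a Bloom filter, which keeps lookups fast while also allowing deletion. The implementation below is an added example written for this page, not the authors' code: a partial-key cuckoo filter with insert, lookup and delete, plus a similarity score over constructed feature sets (the feature strings are placeholders for real chunk hashes).

```python
import hashlib
import random


class CuckooFilter:
    """Partial-key cuckoo filter (Fan et al., 2014): each item is kept as a short fingerprint in
    one of two candidate buckets, and the second bucket is derived from the first and the
    fingerprint alone, so entries can be relocated and deleted without the original key."""

    def __init__(self, num_buckets=4096, bucket_size=4, fp_bytes=2, max_kicks=500):
        if num_buckets & (num_buckets - 1):
            raise ValueError("num_buckets must be a power of two so the XOR index stays in range")
        self.num_buckets, self.bucket_size = num_buckets, bucket_size
        self.fp_bytes, self.max_kicks = fp_bytes, max_kicks
        self.buckets = [[] for _ in range(num_buckets)]
        self.victim = None   # (bucket, fingerprint) left over from a failed insert, as in the reference design
        self.count = 0

    def _fp_and_index(self, item: bytes):
        h = hashlib.sha1(item).digest()
        fp = int.from_bytes(h[8:8 + self.fp_bytes], "big") or 1   # 0 is reserved as "empty"
        i1 = int.from_bytes(h[:8], "big") % self.num_buckets
        return fp, i1

    def _alt_index(self, i: int, fp: int) -> int:
        h = hashlib.sha1(fp.to_bytes(self.fp_bytes, "big")).digest()
        return i ^ (int.from_bytes(h[:8], "big") % self.num_buckets)   # alt(alt(i)) == i

    def insert(self, item: bytes) -> bool:
        if self.victim is not None:
            return False
        fp, i1 = self._fp_and_index(item)
        i2 = self._alt_index(i1, fp)
        for i in (i1, i2):
            if len(self.buckets[i]) < self.bucket_size:
                self.buckets[i].append(fp)
                self.count += 1
                return True
        i = random.choice((i1, i2))
        for _ in range(self.max_kicks):     # cuckoo relocation: evict a resident, move it to its alternate bucket
            j = random.randrange(self.bucket_size)
            fp, self.buckets[i][j] = self.buckets[i][j], fp
            i = self._alt_index(i, fp)
            if len(self.buckets[i]) < self.bucket_size:
                self.buckets[i].append(fp)
                self.count += 1
                return True
        self.victim = (i, fp)               # table too full; keep the displaced fingerprint findable
        self.count += 1
        return False

    def contains(self, item: bytes) -> bool:
        fp, i1 = self._fp_and_index(item)
        i2 = self._alt_index(i1, fp)
        if self.victim is not None and self.victim[1] == fp and self.victim[0] in (i1, i2):
            return True
        return fp in self.buckets[i1] or fp in self.buckets[i2]

    def delete(self, item: bytes) -> bool:
        fp, i1 = self._fp_and_index(item)
        for i in (i1, self._alt_index(i1, fp)):
            if fp in self.buckets[i]:
                self.buckets[i].remove(fp)
                self.count -= 1
                return True
        return False


def similarity(filter_a: CuckooFilter, features_b) -> float:
    """AMA-style score: fraction of B's features found in the filter built from A."""
    return sum(filter_a.contains(f) for f in features_b) / len(features_b) if features_b else 0.0


def build_demo():
    """Constructed feature sets standing in for chunk hashes; file B shares half of A's chunks."""
    file_a = [("chunk-%d" % i).encode() for i in range(300)]
    file_b = file_a[:150] + [("other-%d" % i).encode() for i in range(150)]
    cf = CuckooFilter()
    inserted = all(cf.insert(f) for f in file_a)
    return cf, file_a, file_b, inserted


def false_positive_rate(cf: CuckooFilter, n: int = 10000) -> float:
    return sum(cf.contains(("absent-%d" % i).encode()) for i in range(n)) / n


if __name__ == "__main__":
    cf, a, b, ok = build_demo()
    print("inserted all:", ok, "entries:", cf.count)
    print("similarity(A, B): %.3f" % similarity(cf, b))
    print("false positive rate: %.5f" % false_positive_rate(cf))
```

With 16-bit fingerprints and four-slot buckets the false positive rate stays well below a percent at this load, and the delete path is what a Bloom filter cannot offer: removing a file's features from a shared filter no longer means rebuilding it.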
-
How to Detect a Drupal Installation
On 15 October 2014 the Drupal project disclosed a highly critical vulnerability in Drupal core, SA-CORE-2014-005 (CVE-2014-3704), fixed in Drupal 7.32. Drupal is one of the most widely used content management systems (CMS), alongside WordPress and Joomla. A CMS manages the content and files that make up a website.
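A Drupal install leaks its identity in several independent places: the X-Generator header and the matching meta tag, the fixed Expires header value of 19 November 1978 that Drupal 7 sends, the /misc/drupal.js script, and CHANGELOG.txt, which also gives the exact version. Hardened sites strip some of these, so a check should collect them all. The fingerprinter below is an added example written for this page, not the original post's code; it runs over constructed responses for a hypothetical site (no network access), and the version comparison encodes the SA-CORE-2014-005 range of 7.x before 7.32.

```python
import re
from typing import Optional

# Constructed responses for a hypothetical site, keyed by path -> (status, headers, body).
SAMPLE_SITE = {
    "/": (200,
          {"X-Generator": "Drupal 7 (http://drupal.org)",
           "Expires": "Sun, 19 Nov 1978 05:00:00 GMT"},
          '<html><head><meta name="Generator" content="Drupal 7 (http://drupal.org)" />'
          '<script src="/misc/drupal.js?v=7.31"></script></head><body></body></html>'),
    "/CHANGELOG.txt": (200, {}, "Drupal 7.31, 2014-08-06\n-----------------------\n- Fixed security issues.\n"),
    "/misc/drupal.js": (200, {}, "var Drupal = Drupal || { 'settings': {}, 'behaviors': {}, 'locale': {} };"),
}


def fingerprint(site: dict) -> dict:
    """Collect independent Drupal indicators; any single one can be stripped by a hardened install."""
    evidence, version = [], None
    status, headers, body = site.get("/", (0, {}, ""))
    hdrs = {k.lower(): v for k, v in headers.items()}
    if hdrs.get("x-generator", "").startswith("Drupal"):
        evidence.append("X-Generator: " + hdrs["x-generator"])
    if hdrs.get("expires") == "Sun, 19 Nov 1978 05:00:00 GMT":   # Drupal's fixed Expires value
        evidence.append("Expires header with Drupal's 1978 timestamp")
    m = re.search(r'<meta name="Generator" content="(Drupal[^"]*)"', body, re.I)
    if m:
        evidence.append("meta generator: " + m.group(1))
    if "misc/drupal.js" in body:
        evidence.append("front page references /misc/drupal.js")
    status, _, body = site.get("/misc/drupal.js", (0, {}, ""))
    if status == 200 and "Drupal" in body:
        evidence.append("/misc/drupal.js is served")
    status, _, body = site.get("/CHANGELOG.txt", (0, {}, ""))
    m = re.match(r"Drupal (\d+\.\d+)", body)
    if status == 200 and m:
        version = m.group(1)
        evidence.append("CHANGELOG.txt: Drupal " + version)
    return {"is_drupal": bool(evidence), "version": version, "evidence": evidence}


def affected_by_sa_core_2014_005(version: Optional[str]) -> Optional[bool]:
    """SA-CORE-2014-005 (CVE-2014-3704) affects Drupal 7.x before 7.32; None if the version is unknown."""
    if version is None:
        return None
    major, minor = (int(x) for x in version.split(".")[:2])
    return major == 7 and minor < 32


if __name__ == "__main__":
    result = fingerprint(SAMPLE_SITE)
    for line in result["evidence"]:
        print(" -", line)
    print("Drupal:", result["is_drupal"], "version:", result["version"],
          "affected by SA-CORE-2014-005:", affected_by_sa_core_2014_005(result["version"]))
```

To run it against a real host, fetch the three paths with any HTTP client and feed the (status, headers, body) tuples into the same dict; a site that answers for none of them is reported as not Drupal rather than guessed at.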
-
What is POODLE and How to Detect It
SSL was again at the centre of attention recently. After a series of vulnerabilities, Heartbleed and the OpenSSL CCS injection to name a few, another one rocked one of the most important communication protocols on the Internet. POODLE (Padding Oracle On Downgraded Legacy Encryption) affects the SSLv3 protocol (RFC 6101) and was assigned CVE-2014-3566. SSL 3.0 is an old protocol, released by Netscape in 1996 and since succeeded by TLS 1.0, 1.1 and 1.2. It is obsolete today and only supported because many legacy systems still use it; some old embedded devices, for example, are not straightforward to update. After POODLE, it is strongly recommended to disable SSL 3.0 for any kind of communication. With IE 6 gone, all modern browsers support TLS 1.0, so deprecating the old protocol is both safe and logical.
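Detection reduces to one question: will the server complete a handshake whose record and ClientHello versions are both 3.0, and if so with a CBC suite (the padding oracle does not apply to RC4)? The code below is an added example, not from the original post: it assembles a minimal SSLv3 ClientHello by hand, parses the ServerHello or alert that comes back, and includes an optional live probe. The ServerHello used by the offline demo is constructed, and the cipher suite selection is an assumption of the example.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"
# Cipher suite codes from the SSL/TLS registry; only the CBC ones expose POODLE's padding oracle.
CBC_SUITES = {0x000A: "RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "RSA_WITH_AES_128_CBC_SHA",
              0x0035: "RSA_WITH_AES_256_CBC_SHA"}
RC4_SUITES = {0x0004: "RSA_WITH_RC4_128_MD5", 0x0005: "RSA_WITH_RC4_128_SHA"}


def build_sslv3_client_hello(suites) -> bytes:
    """Handshake record carrying a ClientHello whose record and hello versions are both 3.0."""
    body = SSL3 + os.urandom(32) + b"\x00"                   # client_version, random, empty session id
    cs = b"".join(struct.pack(">H", s) for s in suites)
    body += struct.pack(">H", len(cs)) + cs + b"\x01\x00"    # cipher_suites, compression_methods = {null}
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello(1)
    return b"\x16" + SSL3 + struct.pack(">H", len(hs)) + hs  # ContentType handshake(22)


def make_server_hello(version: bytes, suite: int) -> bytes:
    """Constructed ServerHello record, used here to exercise the parser offline."""
    body = version + bytes(32) + b"\x00" + struct.pack(">H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack(">H", len(hs)) + hs


def parse_server_response(data: bytes) -> dict:
    """Interpret the first record the server sends back: an alert, or a ServerHello."""
    if len(data) < 5:
        return {"sslv3": False, "error": "no response"}
    ctype, length = data[0], struct.unpack(">H", data[3:5])[0]
    payload = data[5:5 + length]
    if ctype == 0x15:                                      # alert: (level, description)
        return {"sslv3": False, "alert": (payload[0], payload[1])}
    if ctype != 0x16 or payload[0] != 0x02:
        return {"sslv3": False, "error": "unexpected record"}
    hello = payload[4:]                                    # skip handshake type + 24-bit length
    version = hello[0:2]
    sid_len = hello[34]                                    # after 2-byte version + 32-byte random
    suite = struct.unpack(">H", hello[35 + sid_len:37 + sid_len])[0]
    return {"sslv3": version == SSL3, "cipher_suite": suite, "cbc": suite in CBC_SUITES}


def poodle_verdict(resp: dict) -> str:
    if not resp.get("sslv3"):
        return "not vulnerable: server will not negotiate SSLv3"
    if resp["cbc"]:
        return "vulnerable: SSLv3 negotiated with CBC suite 0x%04x" % resp["cipher_suite"]
    return "SSLv3 negotiated with non-CBC suite 0x%04x: not POODLE, but disable SSLv3 anyway" % resp["cipher_suite"]


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check (not used offline): offer only SSLv3 with CBC and RC4 suites and read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello(list(CBC_SUITES) + list(RC4_SUITES)))
        data = s.recv(4096)
    return poodle_verdict(parse_server_response(data))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for label, rec in [("SSLv3 + AES-CBC", make_server_hello(SSL3, 0x002F)),
                           ("SSLv3 + RC4", make_server_hello(SSL3, 0x0005)),
                           ("protocol_version alert", b"\x15" + SSL3 + b"\x00\x02\x02\x46")]:
            print("%-22s %s" % (label, poodle_verdict(parse_server_response(rec))))
```

A fatal protocol_version (or handshake_failure) alert is the answer you want to see. Note that the real attack also needs a client willing to retry with a lower version after a failed TLS handshake; the TLS_FALLBACK_SCSV signalling suite of RFC 7507 lets a server refuse such downgrades even while SSLv3 is still enabled.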