Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!


Shmoocon 2011: Defeating mTANs for profit

Defeating mTANs for profit

Axelle Apvrille and Kyle Yang


Zeus In The MObile –> ZITMO

Malware for Symbian OS > 9.0

Intercepts mTANs (one-time passwords sent over SMS)

Targeting Spanish online banks

Propagated on PC by Zeus botnet

First case seen of organized criminals exploiting mobile TANs


Zeus (AKA Zbot)

It’s a crimeware kit and not a single botnet (there are several)

Designed to steal banking credentials

Zitmo in a nutshell

Once Zeus has infected a PC and the user initiates a transaction, Zeus detects the mobile number and attempts to propagate to the mobile device by sending the end-user an SMS prompting them to download a new “certificate”. Once this is installed the attacker can transfer money at any time, as the attacker has both the online login information (stolen by Zeus through keylogging) and the mTAN for the transaction (stolen through Zitmo). The end-user never receives the mTAN SMS because Zitmo intercepts it.

This means attackers can do the transfer at any point they wish without any user interaction.

Analysis of the Zitmo malware showed that the program shares a lot of similarities with Russian software called SMS Monitor, which offers many of the same functions but is marketed as a parental-control and security-audit tool.

However, some of the SMS Monitor code was published in Russian magazines. Maybe the code was stolen?

Reverse Engineering Zitmo

Three actors –> Victim, Administrator (bad guy) and Others (e.g. bank, friends, …)

2 separate processes –> INIT and SMS Processing Engine

Daemon listens for incoming SMS messages and checks whether they need to be processed (commands, mTANs, etc.) or forwarded to the phone’s inbox.

Due to the way Symbian works it’s not possible to hook directly into the “Listen to all SMS” function (already in use by the phone). However, it is possible to hook into “Listen to all SMS containing the following”. By setting that condition to IfNotNULL, they bypass the restriction and effectively listen to ALL SMS messages.

Zitmo doesn’t block all SMS messages, but checks every incoming message for appropriate actions. Blocking all SMS messages would make the user suspicious.

Zitmo Commands

  • ON / OFF (disable Zitmo)
  • SET ADMIN xx
  • ADD SENDER xx, xx / ALL
  • REM SENDER xx, xx / ALL
  • BLOCK ON / OFF (block incoming calls)

Spoof administrator

Protocol flaw: Anybody can claim to be the administrator!

How to 0wn the adm1n:

  1. Method 1: Send SET ADMIN command by SMS to the phone
  2. Method 2: Craft a new settings file

By using remote debugging on Symbian it’s easy to step through the process used to handle commands as they come in from the lab administrator phone.
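The command grammar listed above, turned into a detector: an added example (not from the talk or from Fortinet) that matches SMS bodies against Zitmo's control commands and, modelling the protocol flaw, rates any command from a number other than the currently accepted admin as high severity. The message layout and all phone numbers are constructed.

```python
import re
from collections import namedtuple

# Command grammar taken from the command list in these notes (ON/OFF, SET ADMIN,
# ADD/REM SENDER, BLOCK ON/OFF). Message layout and phone numbers are constructed.
COMMAND_RE = re.compile(
    r"^\s*(?:(?P<onoff>ON|OFF)"
    r"|SET\s+ADMIN\s+(?P<admin>\+?\d{6,15})"
    r"|(?P<senderop>ADD|REM)\s+SENDER\s+(?:ALL|\+?\d{6,15}(?:\s*,\s*\+?\d{6,15})*)"
    r"|BLOCK\s+(?P<block>ON|OFF))\s*$",
    re.IGNORECASE,
)

Finding = namedtuple("Finding", "sender command arg severity")

def classify_sms(sender, text, current_admin):
    """Return a Finding if the SMS body matches Zitmo's control grammar, else None."""
    m = COMMAND_RE.match(text)
    if m is None:
        return None
    # Protocol flaw from the talk: the bot never verifies who sent a command, so a
    # command (above all SET ADMIN) from anyone but the current admin is the signal.
    sev = "medium" if sender == current_admin else "high"
    if m.group("admin"):
        return Finding(sender, "SET ADMIN", m.group("admin"), sev)
    if m.group("senderop"):
        command = m.group("senderop").upper() + " SENDER"
    elif m.group("block"):
        command = "BLOCK " + m.group("block").upper()
    else:
        command = m.group("onoff").upper()
    return Finding(sender, command, None, sev)

def scan_inbox(messages, current_admin=None):
    """Scan (sender, body) pairs in arrival order, tracking the admin the bot would accept."""
    findings = []
    for sender, body in messages:
        f = classify_sms(sender, body, current_admin)
        if f is not None:
            findings.append(f)
            if f.command == "SET ADMIN":
                current_admin = f.arg  # model the bot: whoever asks becomes admin
    return findings

# Constructed sample inbox: ordinary texts mixed with command-shaped messages.
SAMPLE_INBOX = [
    ("+34600000001", "see you at 8"),
    ("+44700000002", "SET ADMIN +44700000002"),
    ("+44700000002", "ADD SENDER +34900000010, +34900000011"),
    ("+34600000001", "your code is 123456"),
    ("+44700000099", "BLOCK ON"),
]
```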

Zitmo’s Hidden debug window

Zitmo was secretly writing to a hidden debug window

By setting a breakpoint on the hide function and altering it to visible, it was possible to view the hidden debug window and watch status information change when receiving commands.


Very difficult to spot due to the lack of symptoms

One possible detection trigger is that the application was delivered as a .sis/.sisx application and not as a certificate (as advertised)

It also shows in the installed applications list

Zitmo is signed by Symbian, therefore accepted by the phone –> Express Signed

This is not uncommon, however, as multiple pieces of malware have been signed by abusing this process


  • Shmoocon Schedule –> HERE
  • Talk Synopsis –> HERE
  • Zeus In The Mobile (Zitmo): Online Banking’s Two Factor Authentication Defeated – Fortinet Blog
  • Fortinet

Shmoocon 2011: Attacking 3G and 4G mobile telecommunications networks

Attacking 3G and 4G mobile telecommunications networks

Enno Rey, Rene Graf & Daniel Mende


No demos today due to shipping materials and the like. TSA don’t like big electronic devices being shipped after all.

Still, that doesn’t mean there was no practical research.



In the mobile telco world everything is standardized by 3GPP

  • 3GPP: collaboration between groups of telco standards orgs
  • 3GPP: standard structured as/bundled in releases
    • 1992: Phase 1
    • 2000: Release 99 (incl first spec of 3G UMTS)
    • 2008: Release 8

2 elements: 1 facing the internet and the other facing the mobile network

4G Network

4G networks change the names and functions of some devices.

Transport Layer: UDP or SCTP (mostly)

There could be some TCP elements, but none that have been seen in this research.

Generic Packet Tunneling: GTP

All types of signaling:

  • S1AP
  • X2AP
  • GTP-C

Authentication: DIAMETER


  • L2TP
  • DSMIPv6

SCTP Overview

Stream Control Transmission Protocol

General purpose layer 4 protocol

Specified by the IETF

Uses elements from TCP and UDP to cover all required functionality of both.

SCTP – 4 way handshake


Several different RFCs covering SCTP (starting with RFC2960).

Current tools don’t work very well due to SCTP rewrites in RFC5206 and RFC4960

  • NMAP SCTP doesn’t work “in a satisfactory manner”
  • SCTPscan no longer works

Attacks from within the mobile telco networks

  • Attacks from the backhaul networks
  • Attacks from the Core network
  • Attacks from Management networks

Backhaul networks

Mobile backhaul

Carries data from the RAN to the management network and back

4G specific requirement laid out by 3GPP


  • eNodeB
  • MME
  • SGW

Can be implemented with different technologies

Originally ATM (in the early years of GSM), PDH/SDH, IP/MPLS, “Hybrid Approach” offloading to DSL, Carrier Ethernet

4G assumes gigabit connections between elements to provide sufficient bandwidth (mainly Ethernet based)

How to get into backhaul

Physical intrusion to some cage located “in the somewhere”

Get Access to the network segment

  • Microwave
  • DSL
  • Carrier Ethernet

4G Aggregates “dumb” BTS and BSC/RNC functions on the one device –> eNB is not dumb anymore!

Once you’re in, what to do!

Attacking components

  • 3G: SGSN, RNC, NodeB
  • 4G: MME, eNB, SAE.GW
  • Routers/Switches


  • Pretty much everything is unencrypted
  • 3GPP insists on using IPsec Gateways
    • Which operators implement this?
  • Some countries argue against this standard

ARP spoofing still works smoothly

  • Apparently not on the security radar!

4G ALL-IP approach comes in handy

Let’s get practical

These notes are from lab testing (i.e. no firewalls, IPsec, etc…)

Real world attacks may be different due to this!

“Standard attack approach” did not yield anything interesting

SCTP Scanning via nmap or SCTPscan showed nothing

Using custom SCTP scanning tool showed some open ports

  • some of those “obscure signaling protocols”

Fuzzing the protocols

After starting the fuzzing, things got really slow.

When checking, the server was sending SCTP ABORT, leading us to believe something had crashed!

The main function of the device was no longer available

It recovered after a few minutes

Changed scripts and continued to fuzz

Final result…. system went down!

Business impact?


The first field of the protocol was causing the device to crash!

Targeted code was running in the kernel

All that glitters is not gold however!

This isn’t old code! It’s newly developed for 4G! Make your own conclusions…


Continued testing is planned to really find the impact of this and other issues.


Attacks from the internet

Public space might mean the terminal (not covered) or the internet

Some interfaces must be made available to entities outside the network

  • e.g. S8 on PDN-GW for roaming
  • 3G: SGSNs must be able to connect to GGSNs of other countries
  • Standards say: Use NDS (IPsec or equiv. security) for these cases
  • So GTP should never be visible from the internet

Reality check!


Used to carry IP-based data traffic between network elements. There are also some other elements.

Variants: GTP-C, GTP-U, and GTP’


Tunnel Endpoint IDentifier

Not very random

Not protected

Reality is that scanning for GTP in the wild does find results.

GTP Echo mechanism (port 2123) can be used to discover real GTP speakers on the internet waiting for communications

GTP-scan.py will be released soon to show this!
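The GTP-C echo exchange from the monitoring side, as an added example (not GTP-scan.py or any other tool from the talk): a parser for the GTPv1-C and GTPv2-C fixed header and a check that flags GTP-C arriving on port 2123 from a host outside the operator's known peer list, which, per the standards quoted above, should never happen. The trusted-peer set and the packet bytes are constructed.

```python
import struct
from typing import Dict, Optional

# Message types shared by GTPv1-C (3GPP TS 29.060) and GTPv2-C (TS 29.274).
ECHO_REQUEST, ECHO_RESPONSE = 1, 2
GTP_C_PORT = 2123

def parse_gtp(data: bytes) -> Dict[str, object]:
    """Parse the fixed header of a GTPv1 or GTPv2 control-plane message.

    Returns version, message type, payload length, TEID (None when absent)
    and sequence number; raises ValueError on truncated or unknown input.
    """
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length = struct.unpack("!BBH", data[:4])
    version = flags >> 5
    if version == 1:
        teid = struct.unpack("!I", data[4:8])[0]
        seq = None
        if flags & 0x07:  # E, S or PN set: 4 optional bytes follow the 8-byte header
            if len(data) < 12:
                raise ValueError("short GTPv1 optional header")
            if flags & 0x02:  # S flag: sequence number is the first two of them
                seq = struct.unpack("!H", data[8:10])[0]
        return {"version": 1, "type": msg_type, "length": length, "teid": teid, "seq": seq}
    if version == 2:
        teid, off = None, 4
        if flags & 0x08:  # T flag: TEID present (echo messages carry none)
            if len(data) < 12:
                raise ValueError("short GTPv2 header")
            teid, off = struct.unpack("!I", data[4:8])[0], 8
        seq = int.from_bytes(data[off:off + 3], "big")
        return {"version": 2, "type": msg_type, "length": length, "teid": teid, "seq": seq}
    raise ValueError("unsupported GTP version %d" % version)

def assess(src_ip: str, dst_port: int, data: bytes, trusted_peers) -> Optional[str]:
    """Flag GTP-C that the standards say should only come from known peers over NDS/IPsec."""
    if dst_port != GTP_C_PORT:
        return None
    hdr = parse_gtp(data)
    if src_ip in trusted_peers:
        return None
    names = {ECHO_REQUEST: "echo request", ECHO_RESPONSE: "echo response"}
    what = names.get(hdr["type"], "message type %d" % hdr["type"])
    return "GTPv%d %s from untrusted peer %s" % (hdr["version"], what, src_ip)

# Constructed samples: a GTPv1-C echo request (S flag, TEID 0, seq 1) and a GTPv2-C one.
ECHO_REQ_V1 = bytes.fromhex("32010004" "00000000" "0001" "00" "00")
ECHO_REQ_V2 = bytes.fromhex("40010004" "000001" "00")
```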

Many of the systems listening on GTP ports are also listening on other ports (21, 22, 23, 80) !

Various countries, many in Europe.

Whois information points to major mobile operators in these countries.

So why would they do this?

Sometimes having a working network is more important than following the standards to the letter!


From what the research shows, it looks like many attacks are being aimed at these networks.

Walled telco gardens are disappearing

All IP in the future

Terminals are getting more and more powerful

Misconception that people don’t understand these complex IP landscapes


Shmoocon 2011: Printers gone wild!

Printers Gone Wild!

Ben Smith

Printers are everywhere… they are ubiquitous!

Everybody seems to ignore them. They get plugged in, and just work!

HP Basics

Listens on tcp/9100

Admin page on 80/443

Many have hard disks!

HP printers have 3 passwords

  • Web admin
  • Telnet (same as the web admin)
  • PJLPassword

PJLPassword can be used to lockout the console, make disks read-only etc…

PJLPassword is weak… no brute-force protections

PJL is unauthenticated and widely supported; it is going away, but will be here for a while.

SNMP can be disabled through the Web Admin; however, with specially encoded requests the printers will still answer SNMP queries over port 9100

Google search “PJL DMINFO ASCIIHEX” for more info


PJL (Printer Job Language)

Sets up printer for jobs

Created by HP, used in many other devices

Really old!

Fun PJL commands

  • FSUPLOAD (not an upload)
  • FSDOWNLOAD (not a download)

There’s been lots of research before (Hijetter etc…)
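An added example for the two points above, the unthrottled PJL password and the file-system commands (this is not printFS or any code from the talk): a small parser for the PJL command lines in a captured port-9100 stream and an audit that reports file-system operations, password changes and the number of distinct JOB PASSWORD values tried, which on a 1..65535 space is the guessing pattern to watch for. The sample stream is constructed; the guess threshold is an assumption.

```python
import re
from collections import Counter

UEL = b"\x1b%-12345X"  # Universal Exit Language sequence that brackets each PJL job
PJL_LINE = re.compile(r"@PJL\s+(?P<cmd>[A-Z]+)(?P<rest>[^\r\n]*)")
NAME_ARG = re.compile(r'NAME\s*=\s*"([^"]*)"')
PASSWORD_ARG = re.compile(r"PASSWORD\s*=\s*(\d+)")

# The file-system commands mentioned in the talk plus the rest of the FS family.
FS_COMMANDS = {"FSUPLOAD", "FSDOWNLOAD", "FSDELETE", "FSINIT", "FSMKDIR", "FSAPPEND"}

def parse_pjl(stream: bytes):
    """Yield (command, argument text) for every @PJL line in a captured port-9100 stream."""
    for segment in stream.split(UEL):
        text = segment.decode("latin-1")  # PJL is ASCII; binary payload bytes survive 1:1
        for m in PJL_LINE.finditer(text):
            yield m.group("cmd"), m.group("rest").strip()

def audit_pjl(stream: bytes, guess_threshold: int = 3):
    """Summarise the security-relevant PJL activity in one stream."""
    fs_ops, pw_changes, job_passwords = [], [], Counter()
    for cmd, rest in parse_pjl(stream):
        if cmd in FS_COMMANDS:
            name = NAME_ARG.search(rest)
            fs_ops.append((cmd, name.group(1) if name else ""))
        elif cmd in ("DEFAULT", "JOB"):
            pw = PASSWORD_ARG.search(rest)
            if pw and cmd == "DEFAULT":
                pw_changes.append(int(pw.group(1)))   # someone (re)set the PJL password
            elif pw:
                job_passwords[int(pw.group(1))] += 1   # a password presented with a job
    return {
        "filesystem_ops": fs_ops,
        "password_changes": pw_changes,
        "distinct_job_passwords": len(job_passwords),
        # Many distinct JOB PASSWORD values in one stream is the unthrottled guessing the
        # talk describes: the space is only 1..65535 and nothing limits the attempts.
        "likely_brute_force": len(job_passwords) >= guess_threshold,
    }

# Constructed sample: three password guesses, a file read and write, then a password change.
SAMPLE_STREAM = (
    UEL + b"@PJL JOB PASSWORD = 1\r\n" + UEL
    + UEL + b"@PJL JOB PASSWORD = 2\r\n" + UEL
    + UEL + b"@PJL JOB PASSWORD = 3\r\n"
    b'@PJL FSUPLOAD NAME="0:\\pjl\\cfg.txt" OFFSET=0 SIZE=512\r\n'
    b'@PJL FSDOWNLOAD FORMAT:BINARY NAME="0:\\x\\data.bin" SIZE=4\r\nABCD' + UEL
    + UEL + b"@PJL DEFAULT PASSWORD = 4321\r\n" + UEL
)
```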

Bringing that into the modern environment with printFS


Python tool for covert file systems using HP printers

Distributes files over multiple printers

Uses the printer RAM disks or physical disks

Works on any supported printer via network or the internet!

All stored files are compressed/encrypted and saved using random filenames

All files are stored twice with different names and keys to improve redundancy (files in RAM disk are lost on restart)

Supports a panic mode (panic) that remotely reboots every device in the file table to destroy the data


multithreaded scanner

Scans printers to see if necessary commands are supported to use printFS

Scans are randomized in the order that functions are run and the timing between them

Test upload files are random data and given random names

Entire scan peppered with random sleeps


Main support lib

Used by all tools

Implements most of the documented PJL commands


A support tool for doing nasty funny things

User interface to the PJL password cracker

Mass control panel lock/unlock

Mass RamDisk/Disk Lock/Unlock

Pass printing (toner is cheap!)


Support class for printjack

Brute-forces all possible password combinations in about 2 hours (single thread)

So now it’s threaded to check multiple printers… all communicate together until one valid password is found (password reuse)

Other fun stuff to do to PJL

  • Mass reboot loop
  • Mass connect to port 9100 and remain connected (blocking)
  • Animated LCD messages
  • SE LCD messages (please call xxxxx)
  • Mass disk lock
  • Mass printing
  • Mass control panel locking


Can only upload files from the directory you are running printFS from

Known issue where some printers won’t respond to pfsScanner if they’re offline

To ensure that printers can still print when being scanned, dynamic class is used (generating huge traffic)

Code Release

Remote-exploit.org will receive it within the next week


  • Shmoocon Schedule –> HERE
  • Talk synopsis –> HERE
  • HP PML faq –> HERE

Shmoocon 2011: TEAM JOCH vs. Android: The Ultimate Showdown

TEAM JOCH vs. Android: The Ultimate Showdown

Jon Oberheide and Zach Lanier

Android Security Overview

Base platform :

  • ARM Core
  • Linux Kernel 2.6.3x
  • Native Libraries
  • Dalvik VM
  • ….

TrustZone Security Foundation by ARM

  • ARM11 TrustZone –> Unused!
  • ARM11 Jazelle JVM –> Unused!
  • ARMv6 eXecute-Never (XN)? –> Unused!

Mobile ASLR sucks!

Exploiting like it’s 1990

  • Executable stack/heap
  • Non-randomization of mmap/brk

Permissions based models

Applications explicitly request pre-defined permissions. All or nothing (ACCEPT or don’t install)

App Sandboxing

Standard uid/gid: a unique account is generated per app to prevent apps overwriting each other’s files

Application signing


Kernel Security

Linux kernel = Swiss cheese

Jailbreaks, aka local privesc


Dalvik VM != sandbox

  • Not limited to execute dex bytecode
  • Can pop out of VM to execute native code
  • Any 3rd party app can root your phone by exploiting a kernel vuln

Native code packaged within APKs

  • No code signing

How to build a mobile botnet

  • Build some fun looking game/app
    • including RootStrap functionality
    • Periodically phone home to check for new payloads
  • As soon as a new kernel vuln is discovered, push out exploit payload
  • Rootkit a bunch of phones

PoC –> Eclipse Preview

200+ downloads in under 24 hours

Not very good reviews… 1*

Google pulled the software from the store

Google used the REMOVE_ASSET function to uninstall the app from the phones

Google can not only remove software, but use INSTALL_ASSET to install things!

Platform Security

There’s a lot of “platform goo” in the middle between applications and kernels

What to attack?

  • Not kernel, not apps!
  • How about the permissions framework

Permissions approval process is designed to warn users of what an application needs to access

  • Browse
  • Install
  • Approve?
  • Installed!

Google is a sneaky panda!

You don’t actually download/install the app through the market

When you click install in market, Google sends the INSTALL_ASSET command to your phone to begin the install using the GTalkService persistent data connection used to connect your phone to Google.

This is one of the few closed-source parts in Android.

Connections are SSL… but SSL isn’t everything.

If you can pop the GTalkService Servers at Google, you could push out apps to every Android phone!

Gap in responsibility

Market app performs the perceived install process and acceptance of permissions

The GTalkService then takes it from there

The communications use Google’s Protobuf format which has been at least partially documented by the Android Market API project on googlecode.

Elements of an install request

Needs to be populated with

  • Misc fields
  • App ID
    • Can be derived from dissecting market requests
  • Auth Token
    • Turns out this can be stolen from the Android AccountManager

Bypassing permissions approval

  • Steal the “android” service token used by the market from the AccountManager
  • Construct ProtoBuf request to market servers
  • Bypass the permissions approval process by directly requesting the software from the GTalkService using INSTALL_ASSET

When people viewed the install page in the market, the user wasn’t prompted and in the background other applications were installed

Platform Security Write-up

Vulnerability Status

  • Donut: Fixed
  • Froyo: Fixed
  • Eclair: no confirmation yet, may be vulnerable

Solution adds a process where the marketplace flags an app as accepted which the GTalkService checks before installing.

Platform complexity leads to vulns

  • Round-about marketplace and GTalkService procedure
  • “server-initiated” flag fix worth investigation
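A constructed model of the gap in responsibility described above and of the fix (an added example; not Google's code, and the class names, tokens and app ids are invented): the Market front-end records the user's acceptance, a separate push channel performs INSTALL_ASSET. In the described behaviour the push handler trusts any request carrying a valid account token; with the fix it also requires an acceptance record for that account and app.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed model of the flow in these notes: the Market app handles the permission
# prompt, a separate push channel (GTalkService in the talk) performs INSTALL_ASSET.
# Class names, tokens and app ids are invented for this example.

@dataclass
class Phone:
    account_token: str                      # the token a local app could read via AccountManager
    installed: Set[str] = field(default_factory=set)

@dataclass
class MarketBackend:
    tokens: Dict[str, str]                  # token -> account name
    accepted: Set[Tuple[str, str]] = field(default_factory=set)  # (account, app_id)
    require_acceptance: bool = False        # False: the behaviour described, True: the fix

    def accept_permissions(self, token: str, app_id: str) -> None:
        """Market front-end: the user saw the permission list and pressed Install."""
        self.accepted.add((self.tokens[token], app_id))

    def install_asset(self, phone: Phone, token: str, app_id: str) -> bool:
        """Push channel: the server-initiated INSTALL_ASSET handler."""
        account = self.tokens.get(token)
        if account is None or account != self.tokens.get(phone.account_token):
            return False                    # authentication: token must belong to this phone
        if self.require_acceptance and (account, app_id) not in self.accepted:
            return False                    # authorization (the fix): no consent recorded
        phone.installed.add(app_id)
        return True

def silent_install_possible(require_acceptance: bool) -> bool:
    """True if an app on the phone can get another app installed without any prompt."""
    phone = Phone(account_token="tok-alice")
    backend = MarketBackend(tokens={"tok-alice": "alice"}, require_acceptance=require_acceptance)
    # A local app reads the token (the talk: it can be taken from AccountManager)
    # and sends an install request straight to the push channel, skipping the prompt.
    return backend.install_asset(phone, phone.account_token, "com.example.payload")
```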

Application Security

Broad Observations

The web pushed a lot of content to the browser

Now instead of data, functionality is being pushed to the web.

Mobile brought about an app for everything. Most could be achieved through the browser

XKCD viewer??


Carriers: “We trust you because you’re on our network”

Client-side data trust issues… admin=1 is live again!



Whitebox source-code review

  • Sometimes it’s trivial to get app source code


  • Acquiring Application binaries
  • Reverse Engineering (Disass/Decomp)
  • Network Analysis (Fuzzing, Protocol Analysis)
  • MITM

Testing Tools and Techniques

  • DextoJar
  • JDgui / JAD
  • Undex
  • APKtool (wrapper around smaller tools)

Case Studies


Originally written in Java, like most Android apps

Source available under Apache 2.0 license

FourSquare API supports Basic Auth and OAuth

  • OAuth Includes signatures for transactions to prevent replay attacks etc…
  • So naturally FourSquare used Basic Auth over HTTP

FourSquared app does have OAuth support, but it’s not actually used

Fixed since, as FourSquare API now forces HTTPS (at least it’s one step in the right direction)

Storage Application

Simple crash in storage quota viewer

  • Divide by zero error leads to DoS
  • Attacker must successfully intercept and modify the server response

More of an annoyance than a real problem… app crashes!

This app also supported some DRM protections however

  • App supports sharing video, audio, image content
  • This is set by an XML manifest that says what is and isn’t possible
  • DRM enforced on the handheld….
  • intercept, change read only to share and DRM bypassed

App Framework

Runs on multiple platforms

Custom permissions restrict us from sending messages (intents) to the runtime

This app implements a custom intent service which can be spoken to as long as you have the right key!

But other malicious apps can clobber widget content! (CWE-276: Incorrect Default Permissions)

The configuration and data store on the filesystem are world writable, allowing the app content to be clobbered (modify widget, anybody?)

Lookout mobile

Lookout mobile security app

> 4 million users

Performs scanning, backup, lost device recovery.

Installs with world writeable configuration file (/data/data/com.lookout)

Has a code execution flaw due to its call to liblookout.so from a shared location.

By overwriting the lib (or changing the read path in the world writeable config) you can get code exec

Security app != Secure phone
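An added example for the world-writable configuration and the library-loaded-from-a-writable-location findings above (not from the talk, and not Lookout's code): an audit that walks an app's private data directory and reports anything another uid could clobber, run here against a constructed stand-in for /data/data/&lt;pkg&gt; rather than a real device.

```python
import os
import stat
import tempfile
from typing import List, Tuple

def audit_app_dir(app_dir: str) -> List[Tuple[str, str, str]]:
    """Walk an app's private data directory and report what another uid could clobber.

    Returns (relative path, octal mode, reason) tuples, sorted by path.
    """
    findings = []
    for root, dirs, files in os.walk(app_dir):
        parent_writable = stat.S_IMODE(os.lstat(root).st_mode) & stat.S_IWOTH
        for name in dirs + files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, app_dir)
            if stat.S_ISDIR(st.st_mode) and mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable dir"))  # entries can be swapped
            elif stat.S_ISREG(st.st_mode):
                if mode & stat.S_IWOTH:
                    findings.append((rel, oct(mode), "world-writable file"))  # contents replaceable
                if name.endswith(".so") and (mode & stat.S_IWOTH or parent_writable):
                    # A library loaded from here is code execution for whoever can write it.
                    findings.append((rel, oct(mode), "native lib in writable location"))
    return sorted(findings)

def build_sample_tree() -> str:
    """Constructed stand-in for /data/data/<pkg>: a bad config, a bad lib dir, one good file."""
    base = tempfile.mkdtemp(prefix="appdata-")
    os.makedirs(os.path.join(base, "shared_prefs"))
    os.makedirs(os.path.join(base, "lib"))
    with open(os.path.join(base, "shared_prefs", "config.xml"), "w") as f:
        f.write("<map><string name='libpath'>/sdcard/lib.so</string></map>")
    with open(os.path.join(base, "lib", "libsample.so"), "wb") as f:
        f.write(b"\x7fELF")
    with open(os.path.join(base, "private.db"), "wb") as f:
        f.write(b"ok")
    os.chmod(os.path.join(base, "shared_prefs"), 0o755)
    os.chmod(os.path.join(base, "shared_prefs", "config.xml"), 0o666)  # the CWE-276 mistake
    os.chmod(os.path.join(base, "lib"), 0o777)                           # anyone can drop a .so here
    os.chmod(os.path.join(base, "lib", "libsample.so"), 0o644)
    os.chmod(os.path.join(base, "private.db"), 0o600)
    return base
```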


  • No real guidance, standards, best practices
  • Bone-headed unix mistakes from 1995 are appearing in mobile now


  • Shmoocon Schedule –> HERE
  • Talk Synopsis –> HERE
  • Market API –> HERE