• Another Samsung Galaxy S3 vulnerability hits. Malicious Service Loading can hard reset the device with no user interaction.

    posted by Keito
    2012-09-25 21:12:40
  • How to root & install CyanogenMod on a Samsung Galaxy S2

    posted by Keito
    2012-09-25 20:05:13
    Here's a quick breakdown of the process. (For a more in-depth guide, please check out this page.)

    1/ Find correct insecure kernel for our current ROM firmware version
    2/ Use ODIN and insecure kernel to root phone
    3/ Download CyanogenMod (and optional extra google apps) and place on SD Card
    4/ Backup current ROM
    5/ Install CyanogenMod

    Right, so let's get down to it!...

    1/ Find correct insecure kernel for our current ROM firmware version

    Finding the correct insecure kernel is easy: go to Settings -> About phone -> Kernel version and note the string shown there.

    Example (yours will almost certainly be different):

    The part that matters most is the build tag at the end of the firmware identifier (KG1 in this example). Then find the file with the matching tag under the download section of this thread.

    Example (yours will almost certainly be different):

    The XX and OXA identifiers are not that important. Usually a "KG1" kernel is a "KG1" kernel, and that is that. Occasionally (it is pretty rare) there will be several kernels with the same tag, taken from different firmwares, that do actually differ; when that happens the differences are usually very minor and you should expect them to still be fully compatible. The "XX" and "OXA" identifiers are there so that very advanced users can deduce which full firmware the insecure kernel file was taken from.

    Don't worry too much, just find the matching download and use it.

    2/ Use ODIN and insecure kernel to root phone

    - Download ODIN then install it.

    - (USB) Disconnect your phone from your computer if it is connected.
    - Start ODIN.
    - Click the PDA button and select CF-Root-xxx-vX.X.tar (the file that matched your kernel version in step 1).
    - Put your phone in download mode: power down the handset, then press and hold Power + Volume Down + Home together until the download mode screen shows.
    - (USB) Connect the phone to your computer and wait for ODIN to show the port as added.
    - Make sure Re-Partition is NOT checked (it is only for full firmware flashes with a PIT file, and a wrong choice there can wipe the device).
    - Click the START button.
    - Wait for the phone to reboot.
    - Done (the flash itself shouldn't take more than ~30 secs).
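As an added example (not code from Keito's post, Chainfire's thread or the CyanogenMod project), here is the matching and checking from steps 1 and 2 done on the PC before anything is handed to ODIN: parse the build tag out of the kernel-version string, pick the CF-Root file whose tag (and, where possible, PDA region code) matches, and verify the archive's MD5 so that the kernel you flash, which is the component that switches off Android's security boundary, is the one the thread actually posted and not a corrupted or swapped download. The kernel string, changelist number and file names are constructed for the example; the CF-Root file-name pattern is an assumption built from the XX/OXA/KG1 identifiers quoted above, and reading the string over adb requires USB debugging on the phone.

```python
"""Pre-flash checks for steps 1/2: match the CF-Root kernel to the phone's
firmware tag and verify the archive's MD5 before ODIN touches it.

Added example; the file-name pattern and the sample strings are assumptions
(constructed for this example), not taken from Chainfire's thread.
"""
import hashlib
import re
import subprocess

# Stock Samsung kernel strings look like "2.6.35.7-I9100XWKG1-CL385906 ...":
# Linux version, model (I9100) + PDA region code (XW) + build tag (KG1),
# then Samsung's changelist number. The tag is what has to match.
_KERNEL_RE = re.compile(
    r"(?P<linux>\d+\.\d+\.\d+(?:\.\d+)?)-"
    r"(?P<model>[A-Z]\d{4}[A-Z]?)(?P<region>[A-Z]{2})(?P<tag>[A-Z]{2}[0-9A-Z])"
    r"-CL(?P<cl>\d+)"
)

# Assumed CF-Root naming: CF-Root-SGS2_<PDA>_<CSC>_<TAG>-v<ver>-CWM<n>.<ext>
_CFROOT_RE = re.compile(
    r"^CF-Root-SGS2_(?P<region>[A-Z]{2})_(?P<csc>[A-Z]{3})_(?P<tag>[A-Z]{2}[0-9A-Z])"
    r"-v(?P<ver>\d+(?:\.\d+)*)-CWM\d+\.(?:tar|tar\.md5|zip)$"
)

# An Odin .tar.md5 is the tar archive with an "md5sum  filename" line appended.
_TAR_MD5_RE = re.compile(
    rb"(?P<body>.*)(?P<hash>[0-9a-fA-F]{32})  (?P<name>[^\n]*)\n\Z", re.DOTALL
)


def parse_kernel_version(text):
    """Return the firmware fields from a Settings/About or /proc/version string."""
    m = _KERNEL_RE.search(text)
    if not m:
        raise ValueError("no Samsung firmware identifier in %r" % text)
    return m.groupdict()


def read_kernel_version_via_adb():
    """The same string as Settings -> About phone, read over USB debugging."""
    out = subprocess.check_output(["adb", "shell", "cat", "/proc/version"])
    return out.decode("ascii", "replace")


def pick_cf_root(kernel_fields, filenames):
    """Pick the CF-Root file with the same build tag, preferring the same PDA code.

    Returns (chosen, candidates); candidates lists every same-tag file so the
    rare case of several different kernels sharing a tag is visible to you.
    """
    tag, region = kernel_fields["tag"], kernel_fields["region"]
    candidates = []
    for name in filenames:
        m = _CFROOT_RE.match(name)
        if m and m.group("tag") == tag:
            candidates.append(name)
    if not candidates:
        return None, []
    same_region = [n for n in candidates
                   if _CFROOT_RE.match(n).group("region") == region]
    return (same_region or candidates)[0], candidates


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def verify_published_md5(data, expected_hex):
    """Plain .tar: compare against the MD5 posted alongside the download."""
    return md5_hex(data) == expected_hex.strip().lower()


def verify_tar_md5(blob):
    """Self-checking .tar.md5: hash everything before the appended md5 line."""
    m = _TAR_MD5_RE.match(blob)
    if not m:
        raise ValueError("no appended md5 line: not an Odin .tar.md5 image")
    return md5_hex(m.group("body")) == m.group("hash").decode().lower()


# Constructed sample input standing in for the Settings -> About phone string
# and for a directory of downloaded CF-Root files.
SAMPLE_KERNEL = "2.6.35.7-I9100XWKG1-CL385906 se.infra@SEP-46 #2"
SAMPLE_DOWNLOADS = [
    "CF-Root-SGS2_XX_OXA_KG1-v4.1-CWM4.tar",
    "CF-Root-SGS2_XW_OXA_KG1-v4.1-CWM4.tar",
    "CF-Root-SGS2_XX_OXA_KH3-v4.1-CWM4.tar",
    "README.txt",
]


def choose_for_sample():
    """Run the matching rule over the constructed sample; used by __main__."""
    fields = parse_kernel_version(SAMPLE_KERNEL)
    return pick_cf_root(fields, SAMPLE_DOWNLOADS)


if __name__ == "__main__":
    chosen, candidates = choose_for_sample()
    print("flash:", chosen)
    if len(candidates) > 1:
        print("note: several kernels carry this tag, check the thread:", candidates)
```

Run it with the phone on USB debugging and swap `SAMPLE_KERNEL` for `read_kernel_version_via_adb()`; when `candidates` holds more than one file, that is exactly the "several kernels with the same name" case the text describes, so compare the region codes against the thread before flashing. Verify the archive with `verify_tar_md5` for a `.tar.md5` image or `verify_published_md5` against the digest posted in the thread; a mismatch means you have a corrupted or substituted kernel and should not flash it.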

    3/ Download CyanogenMod (and optional extra google apps) and place on SD Card

    - Download your preferred version of CyanogenMod.
    - Optional: Download the Google Apps for the device. (select the one that matches your CM version!).
    - Place the CyanogenMod file on the root of the SD card.
    - Optional: Place the Google Apps .zip on the root of the SD card also.

    4/ Backup current ROM

    Now that you're rooted, it's a good idea to back up the current ROM (apps, settings, etc.) before installing any custom ROM; the backup is taken from the ClockworkMod recovery that CF-Root installed. If you want to carry your apps and settings over to the new ROM, use Titanium Backup (not covered in this guide).

    - Boot into recovery mode: power down the handset, then press and hold Power + Volume Up + Home together until the recovery screen shows.
    - Once the device boots into recovery mode, use the side volume buttons to move around and the power button to select.
    - Select backup and restore.
    - Select backup (this may take some time).
    - Once the backup has finished, select +++++Go Back+++++

    Now you can always boot into recovery and restore the current ROM, should anything go awry with the CyanogenMod install.

    5/ Install CyanogenMod

    - Select the option to Wipe data/factory reset.
    - Select the option to Wipe cache partition.
    - Select Install zip from sdcard.
    - Select Choose zip from sdcard.
    - Select the CyanogenMod zip and confirm the install.
    - Optional: Install the Google Apps by repeating the three "Install zip from sdcard" steps above and choosing the Google Apps zip instead.
    - Once the installation has finished, select +++++Go Back+++++ to get back to the main menu, and select the Reboot system now option.

    CONGRATULATIONS!!!! The Samsung Galaxy S II should now boot into CyanogenMod.

    PS: Massive thanks to Steve Kondik and the CyanogenMod team for a great ROM, and humongous thanks to Chainfire for his guides/downloads/work.
  • Security researchers hack Android remotely over NFC to gain full control and steal all data from a Samsung Galaxy S3

    posted by Keito
    2012-09-20 21:43:37
    'Mobile Pwn2Own at EuSecWest 2012

    Today MWR Labs demonstrated an Android vulnerability at the EuSecWest Conference in Amsterdam. The demonstration of the 0day exploit took place at the Mobile Pwn2Own competition. The exploit was developed in a team effort between our South African and UK offices. The vulnerability was found and the exploit was developed by Tyrone and Jacques in South Africa and Jon and Nils in the UK.

    ### Impact

    MWR showed an exploit against a previously undiscovered vulnerability on a Samsung Galaxy S3 phone running Android 4.0.4. Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation.

    The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments.

    ### The Vulnerabilities

    The first vulnerability was a memory corruption that allowed us to gain limited control over the phone. We triggered this vulnerability 185 times in our exploit code in order to overcome some of the limitations placed on us by the vulnerability.

    We used the second vulnerability to escalate our privileges on the device and undermine the application sandbox model. We used this to install a customised version of Mercury, our Android assessment framework. We could then use Mercury’s capabilities to exfiltrate user data from the device to a remote listener, including dumping SMS and contact databases, or initiating a call to a premium rate number.

    ### Challenges & Shortcomings

    Android 4.0.4 has many of the exploit mitigation features that are common to desktop Linux distributions, including Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP). Shortcomings in these protections allowed us to leverage the control we had of the device to trigger the second vulnerability. Crucially, the ASLR implementation is incomplete in Android 4.0.4, and does not cover Bionic (Android’s linker) and /system/bin/app_process, which is responsible for starting applications on the device. Other protections which would make exploitation harder were also found to be absent.

    A more in depth technical blog post will be released once the vulnerability has been patched by the vendor, detailing the process of finding and exploiting this bug.'
  • Researcher wows Black Hat with NFC-based smartphone hacking demo

    posted by Keito
    2012-07-27 18:48:18
    "At the Black Hat Conference in Las Vegas Wednesday, Accuvant Labs researcher Charlie Miller showed how he figured out a way to break into both the Google/Samsung Nexus S and Nokia N9 by means of the Near Field Communication (NFC) capability in the smartphones.

    NFC is still new but it’s starting to become adopted for use in smartphone-based purchasing in particular. The experimentation that Miller did, which he demonstrated at the event, showed it’s possible to set up NFC-based radio communication to share content with the smartphones to play tricks, such as writing an exploit to crash phones and even in certain circumstances read files on the phone and more.

    “I can read all the files,” said Miller about how he managed to break into the Nokia N9 when his home-made NFC-based device is in very close proximity to the targeted smartphone. “I can make phone calls, too.” Vulnerabilities he identified in the Android-powered Nexus S were located in the browser surface, he said. NFC works at near-contact range, and it could not be used to attack from any distance.

    Miller said his efforts involved nine months of experimentation with NFC “fuzzing” techniques, and help from a cast of friends and fellow researchers. He said he plans to make his home-grown NFC fuzzing tool available to help with testing of NFC implementations “since there really aren’t any today.”