Nopcon '16 Android Kernel Vulnerabilities
AbdSec
Inspecting CVE-2016-0801, Broadcom WiFi Driver RCE Critical Bug
1.
Hacking with style

2.
Who am I?
‘94 ‘97 ‘03 ‘14 ‘16 ‘12

3.
Is it?!

4.
11 days later..

5.
Which Root?
White, White, Local Root, Remote Root, Remote Root {XDA} {Finch} {Zerodium}

6.
How to Root? Finch Style
• Qualcomm CVE-2015-0570
• Broadcom CVE-2016-0801 *
• MediaTek CVE-2016-2453
Needed:
• Find the execution path
• Prepare PoC

7.
CVE-2016-0801 Execution Path
• char devname[100];
• wl_validate_wps_ie()
• wl_cfg80211_add_set_beacon()
• struct wl_cfg80211_ops = {
    .set_beacon = wl_cfg80211_add_set_beacon,
    .add_beacon = wl_cfg80211_add_set_beacon,

8.
PoC
• Probe Response Packet (CVE-2016-0801)

9.
PoC
• Probe Response Packet (CVE-2016-0801)

10.
CVE-2016-0801 Result
• Nexus 5, Samsung S5, Note5, … ???
• DO NOT forget to check IF-ELSE blocks!
• wl_cfg80211.c line #7728:
    #if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 4, 0))
        .set_beacon = wl_cfg80211_add_set_beacon,
        .add_beacon = wl_cfg80211_add_set_beacon,
    #else
        .change_beacon = wl_cfg80211_change_beacon,
        .start_ap = wl_cfg80211_start_ap,
        .stop_ap = wl_cfg80211_stop_ap,
    #endif

11.
drivers/net/wireless/bcmdhd/wl_cfg80211.c
• wl_cfg80211_change_beacon() (CVE-2016-0801)

12.
Others: Qualcomm Adreno GPU MSM Driver Heap Overflow
• No CVE assigned
• (mis)security
    t = min_t(int, group->reg_count, count);
    buf = kmalloc(t * sizeof(unsigned int), GFP_KERNEL);
• Bug added June 2014, bug patched July 2015 (!)
• Samsung S5 Avea inTouch

13.
Others: Qualcomm MSM Debugfs Arbitrary Write
• CVE-2016-2443
• /sys/kernel/debug/mddi/reg -rw-r--r-- root root
• Root ≠ Root
• SELinux context

14.
Nopcon Specials
• Ebook about KASLR (Turkish)
• WPS Probe Response Packet Generator (Github) (CVE-2016-0801 - PoC)
• Links? Follow @abd_sec

15.
Thanks! --------- Questions? @abd_sec @kyabd
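As an added illustration of the devname[100] path in the slides above (example code written for this page, not the bcmdhd driver's wl_validate_wps_ie()), a bounds-checked walk over WPS attributes that refuses a Device Name longer than the fixed buffer. The TLV layout (2-byte type, 2-byte length, big-endian) and attribute ID 0x1011 follow the WPS specification; the IE bytes are constructed and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define WPS_ATTR_DEVICE_NAME 0x1011  /* WPS Device Name attribute ID (big-endian TLV) */
#define DEVNAME_SZ 100               /* same fixed size as the slide's devname[100] */

/* Hypothetical helper (not the driver's wl_validate_wps_ie()): walks WPS attributes
 * (type:2 | length:2 | value, big-endian) and copies the Device Name into the fixed
 * buffer. Returns false if the IE is truncated or the name does not fit with its NUL. */
static bool wps_copy_device_name(const uint8_t *ie, size_t ie_len, char devname[DEVNAME_SZ])
{
    size_t off = 0;
    while (ie_len - off >= 4) {
        uint16_t type = (uint16_t)((ie[off] << 8) | ie[off + 1]);
        uint16_t len  = (uint16_t)((ie[off + 2] << 8) | ie[off + 3]);
        off += 4;
        if (len > ie_len - off)           /* attribute overruns the IE */
            return false;
        if (type == WPS_ATTR_DEVICE_NAME) {
            if (len >= DEVNAME_SZ)        /* the bound a fixed buffer needs: room for the NUL */
                return false;
            memcpy(devname, ie + off, len);
            devname[len] = '\0';
            return true;
        }
        off += len;
    }
    return false;                         /* no Device Name attribute present */
}

/* Constructed sample IE: a Version attribute (0x104A) followed by a 6-byte Device Name. */
static const uint8_t sample_ie[] = {
    0x10, 0x4A, 0x00, 0x01, 0x10,
    0x10, 0x11, 0x00, 0x06, 'n', 'o', 'p', 'c', 'o', 'n',
};

static bool parse_sample(char devname[DEVNAME_SZ])
{
    return wps_copy_device_name(sample_ie, sizeof sample_ie, devname);
}
/* Constructed sample: a Device Name advertising 200 bytes, more than devname[100] holds. */
static bool parse_oversized(void)
{
    uint8_t ie[4 + 200] = { 0x10, 0x11, 0x00, 200 };
    char devname[DEVNAME_SZ];
    memset(ie + 4, 'A', 200);
    return wps_copy_device_name(ie, sizeof ie, devname);
}
```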
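As an added userspace model of the two lines quoted on this slide (example code for this page, not the MSM driver's own), showing why a clamp done with min_t(int, …) does not bound a caller-supplied count, beside a hardened form. It assumes a 32-bit kernel build, so the kernel's size_t is modelled as uint32_t; the reg_count and count values are constructed.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit kernel, so the kernel's size_t is modelled as uint32_t. */
typedef uint32_t ksize_t;

/* Same shape as the kernel's min_t(): both operands are cast to `type` before the compare. */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

/* The slide's form: the clamp is done in signed int, so a count at or above 2^31
 * turns negative, wins the comparison, and the byte size derived from it wraps in
 * 32 bits instead of being limited to reg_count elements. */
static ksize_t vuln_alloc_size(unsigned int reg_count, unsigned int count)
{
    int t = min_t(int, reg_count, count);
    return (ksize_t)((ksize_t)t * sizeof(unsigned int));
}

/* Hardened form: clamp as unsigned (the result can never exceed reg_count) and refuse
 * an element count whose byte size would not fit a 32-bit size_t, as an
 * overflow-checked multiply in a kcalloc()-style helper would. */
static bool safe_alloc_size(unsigned int reg_count, unsigned int count, ksize_t *bytes)
{
    unsigned int t = min_t(unsigned int, reg_count, count);
    if (t > UINT32_MAX / sizeof(unsigned int))
        return false;
    *bytes = (ksize_t)(t * sizeof(unsigned int));
    return true;
}

int main(void)
{
    unsigned int reg_count = 16;        /* constructed: 16 registers in the group */
    unsigned int count = 0xC0000000u;   /* constructed: caller-supplied count above INT_MAX */
    ksize_t bytes = 0;

    printf("min_t(int):          kmalloc(%" PRIu32 ")\n", vuln_alloc_size(reg_count, count));
    if (safe_alloc_size(reg_count, count, &bytes))
        printf("min_t(unsigned int): kmalloc(%" PRIu32 ")\n", bytes);
    return 0;
}
```

With the constructed inputs the signed clamp yields a zero-byte request while the unsigned clamp yields the intended 64 bytes for 16 registers.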