No Needs to Find Android 0-day

Last week, I was preparing a presentation for smart phone security training,  I found out a statistics of android OS usage. The newest ratio was published in Android Developers webpage(http://developer.android.com)

As you can see, the most popular version is Gingerbread(2.3.3-2.3.7). Over 50% users still using Gingerbread, even Jelly Bean has been released. (Gingerbread released December 2010). It means, if a hacker try to attack an android smart phone, there is no reason for insist 0-day of Jelly Bean, because he can reuse the vulnerability of old android that was already exposed.

This is the vulnerability list of android publicly posted, some of them can using for remote code execution and privilege escalation. The vulnerability can be a trigger to gain an access right from remote and that can use to obtain root.

Smart malware producers already knew it, they aimed to attack most popular versions like Gingerbread and ICS. According to a survey, 28% of malwares were targeted to Gingerbread.

IT Threat Evolution: Q3 2012, SECURELIST

Even though a critical vulnerability were reported and patched it, an user would be exposed if they are not applying it.

To apply patch on Android has several barriers, 1) An user usually want to be stable, 2) Complicated patch circumstance.

Smartphone has many new features and it’s becoming an innovative stuff. But essentially it’s a phone, so some of ordinary users are expecting stable voice call and unchanged interface as a traditional feature phone. They would never apply patch before facing a big problem or someone asking to apply it.

And, as we know that, Google has released Android, then Smartphone manufacturers like Samsung, HTC update and modify the original source to develop their own device. This environment make confusions like “who is in charge of developing a patch”, “How distribute and apply patch for users”. To fast patch, the clear controller is needed. They have to analyze the vulnerability, develop the patch, distribute and inform it. But, Android platform has many stakeholders than iOS (iOS is only controlled by Apple), therefore they need a time and procedure to check the responsibility like kernel bug or application bug, effecting to all version or only special device and so on. Furthermore, restart smart phone to apply patch is a another hurdle. A phone should waiting a call 24 hours, so restart and shutdown are not a good condition. Some people who are not interested in IT device and security wouldn’t restart their own Smartphone for patching.

When we make the mobile security strategy for company or users, we have to consider it, every device is not a full patched android. And Android platform and Smartphone manufacturers need to improve their patching environment.

Reference for Fuzzing

Recently, I have read some documents and books about fuzzing. Many hackers and security testers have been using a fuzzer to find 0-day bugs. Many vulnerabilities on several platforms like windows, mac, ios and android were discovered and caught by fuzzing, also various good fuzzer platforms, such as sulley were developed and opened for us.

Developing a simple fuzzer is not a hard matter, many sources can help to making generate test data, input the data through target’s interface and monitoring crashes. But making it smart is up to you.

I introduce some reference for fuzzing, and I will update frequently for us.

[Books]

1. Gray Hat Python: Python Programming for Hackers and Reverse Engineers by Justin Seitz(http://amzn.com/1593271921)
– I use Python for fuzzing. This book includes developing debugger and fuzzer using Python. It has the powerful example to build a fuzzer, and the usage of sulley framework.

2. Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton, Adam Greene and Pedram Amini(http://amzn.com/0321446119)
– It can help to understand basic of fuzzing and how working various type of fuzzer(file, web, network and others) and the usage, I recommend it for fuzzer starter.

3. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities by Mark Dowd, John McDonald and Justin Schuh(http://amzn.com/0321444426)
– When you start fuzzing, previously you have to understand vulnerabilities and security architecture. This book can help to learn various vulnerabilities and you can use it for making exploit.

4. iOS Hacker’s Handbook by Charlie Miller, Dion Blazakis, Dino Dai Zovi and Stefan Esser(http://amzn.com/1118204123)
– Some chapters in the book mentioned iPhone fuzzing, and it can help to understand fuzzing on smart devices. An author of this book, Charlie Miller, he did various fuzzing case and presented it at the many seminar like Blackhat.

[Article]

1. Windows Kernel Font Fuzzing and Exploitation, Lee Ling Chuan & Chan Lee Yee, PacSec 2012
– Slide : http://www.f13-labs.net/pacsec2012/PacSec2012_Lee_Chan.pdf
 Video : http://www.youtube.com/watch?v=veHPuaiXBI0
# Slide and video are not matched, but both deal with Kernel Font fuzzing