Fuzzing Samsung Kies

Android fuzzing is always fun: it seems that whenever we fuzz an Android app, it crashes within seconds.

Samsung Kies was no different. With the help of the talented Juan Yacubian (who built the Kies module in no time) we launched beSTORM against Kies and saw it crash in a record 23 seconds (just over 1,100 attack combinations).

Next on the agenda: install gdb for Android and build the proper payload.

Samsung Kies Crash


S. Korea Cyber Attack Crashes Navigation Devices. Time to fuzz your GPS?

South Korea suffered a major cyber attack yesterday. The origin of the attack seems to be China at the moment, but that is far from definite.

By pure coincidence, I happened to be in one of the (several) cyber security operations centers and had a chance to see events unfold in real time. Several banks were hit (including the very large Shinhan Bank), as were a few broadcasting channels.

The damage is hard to assess, since it is now to everyone’s advantage to blame the cyber attack for anything from a system crash to the coffee machine running out of capsules. Budget and political moves will dominate most of the data released in the next few days.
It’s clear, however, that the damage is substantial. I reached out to a few friends in technical positions at various MSPs and most had a sleepless night. They’ve been hit hard.

The most interesting part of this incident, in my opinion, was a report of car GPS units crashing while the attack was taking place. I haven’t seen a news report about that yet, and I couldn’t personally verify it (as I mentioned, I was stationary at the time, watching a frantic cyber-security team get a handle on a difficult situation), but it is making the rounds in security forums, and a couple of friends confirmed to me that their car navigation systems crashed and had to be restarted at exactly the time the attack was taking place.

The most likely explanation is that the broadcasting companies, which send TPEG data to the GPS devices (almost every car in Korea has a GPS device, and almost all of them get real-time updates via TPEG), sent malformed data that caused the devices to crash. This data could have been a side effect of the networks crashing, or it could have been a sophisticated proof-of-concept by the attacker to see whether they could create a disruption. Traffic in Seoul is bad even on a normal day; without GPS devices it can be a nightmare.

Which brings up an interesting point about fuzzing network devices. TPEG fuzzers have been available for a while now (beSTORM has a TPEG module, and you can easily write your own TPEG fuzzer). The difficult part is getting the GPS device to talk to the fuzzing generator; this is something the GPS developer can do (but probably won’t), but a government entity could also do the necessary configuration, given the proper resources or simply by forcing the vendors to cooperate.

The attacker’s choice to bring down the broadcasting networks might be deliberate: besides knocking TV and radio off the air (an obvious advantage in a pre-attack strike), the broadcasting networks feed many devices that rely on their data. Forcing them to send malformed data that crashes a variety of devices can have interesting implications. If I were a little more naive, I would predict that this will push governments around the world to focus more on fuzzing to discover these kinds of vulnerabilities before they see their adversaries exploit them. But in the world we live in, they will instead throw around the phrase “APT” and buy more “APT detection products” (an oxymoron if I’ve ever heard one). Thank god for APT, the greatest job-saving invention since bloodletting.

A detailed analysis of the attack is here:

Malformed input?

Came back to the computer after some time away to find the sun shining full on the desk and part of the screen. And, of course, the screen had blanked from lack of input during that time.

So I pull the drapes forward to shade the screen, and the screen pops back up, even though I haven’t touched the keyboard or the mouse.

Considering this, I realize that a) it’s an optical mouse, and b) it was on the part of the desk that was in the sun, and is now shaded since I pulled the drapes.

So, being a security geek, I start to wonder:

a) how did the system interpret that light?
b) how hard would it be to get a laser to create specific “actions” on the computer? (And is the optical sensor’s range wide enough that you could do it with an IR laser, so the user doesn’t realize what you are doing?)

Windows Device Driver Fuzzing

We recently received a request to adapt the beSTORM fuzzing framework to fuzz a series of Windows device drivers. It appears that there is little documentation and practically no commercial tooling for properly fuzzing Windows drivers.

Adding support for device driver fuzzing required us to add a few functions to our existing File Utils library. This library lets you create and read files, either to use the information inside them to fuzz something else or to hand a file to the software you intend to test.

With a device driver you do essentially the same thing, but instead of opening an ordinary file you open the driver’s device object through its symbolic link, usually of the form “\\.\AAA”, where AAA is the name that tells Windows which device to open. To provide this inside beSTORM we introduced the Win32CreateFile wrapper function, which takes the device name and returns a HANDLE; the same HANDLE is later passed to the Win32CloseHandle wrapper function to close it.

The next step in fuzzing a Windows device driver is to send it data and, in some cases, read data back. This is done through our Win32DeviceIoControl wrapper function, which receives the HANDLE from Win32CreateFile and is passed an InBuffer as well as an IoControlCode value. In driver source this value is normally produced by the CTL_CODE macro from the Windows driver headers, which packs four fields into one DWORD: (DeviceType << 16) | (Access << 14) | (Function << 2) | Method. Computing it by hand is tedious and error-prone, so we provide a wrapper function called Win32CtlCode that does the packing inside the module you create, taking the four fields as separate parameters.

Here is a complete “block” that uses all these wrapper functions and targets a vulnerable IOCTL handler in DVWDDriver, a driver that was built with vulnerabilities inside it as an educational tool.

<!-- Element nesting (the closing tags) is reconstructed; the post as published rendered without them. -->
<SC Name="Sequence">
  <!-- Step 1: open the device object \\.\DVWD with read/write access -->
  <SP Name="Win32CreateFile" Procedure="Win32CreateFile" Library="File Utils.dll">
    <S Name="Filename">
      <EV Name="Filename value" ASCIIValue="\\.\DVWD" Description="CreateFile Filename" />
    </S>
    <S Name="DesiredAccess">
      <C Name="DesiredAccess value" Value="C0 00 00 00" Comment="GENERIC_READ | GENERIC_WRITE" />
    </S>
    <S Name="ShareMode">
      <C Name="ShareMode value" Value="00 00 00 07" Comment="FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE" />
    </S>
    <S Name="CreationDisposition">
      <C Name="CreationDisposition value" Value="00 00 00 03" Comment="OPEN_EXISTING" />
    </S>
  </SP>
  <!-- Step 2: send the fuzzed InBuffer to the driver with the IOCTL code built by Win32CtlCode -->
  <SP Name="Win32DeviceIoControl" Procedure="Win32DeviceIoControl" Library="File Utils.dll">
    <S Name="HANDLE">
      <PC Name="HANDLE" ConditionedName="Win32CreateFile" Parameter="HANDLE" />
    </S>
    <S Name="InBuffer">
      <B Name="InBuffer value" />
    </S>
    <SP Name="IoControlCode" Procedure="Win32CtlCode" Library="File Utils.dll">
      <S Name="DeviceType">
        <C Name="DeviceType value" Value="00 00 00 22" Comment="FILE_DEVICE_UNKNOWN" />
      </S>
      <S Name="Function">
        <C Name="Function value" Value="00 00 08 01" />
      </S>
      <S Name="Method">
        <C Name="Method value" Value="00 00 00 03" Comment="METHOD_NEITHER" />
      </S>
      <S Name="Access">
        <C Name="Access value" Value="00 00 00 03" Comment="FILE_READ_DATA | FILE_WRITE_DATA" />
      </S>
    </SP>
  </SP>
  <!-- Step 3: release the handle opened in step 1 -->
  <SP Name="Win32CloseHandle" Procedure="Win32CloseHandle" Library="File Utils.dll">
    <S Name="HANDLE">
      <PC Name="HANDLE" ConditionedName="Win32CreateFile" Parameter="HANDLE" />
    </S>
  </SP>
</SC>
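Outside of beSTORM, the same three calls (open the \\.\ device, compute the IOCTL code, call DeviceIoControl with a mutated input buffer) can be driven from a short C program. The following is an added example written for this post, not beSTORM’s or DVWDDriver’s code: it packs the four CTL_CODE fields exactly as winioctl.h does, generates test cases that are reproducible from their case number alone, and, when built on Windows, opens \\.\DVWD and fires them at the driver. The device name and the field values (FILE_DEVICE_UNKNOWN, function 0x801, METHOD_NEITHER, read/write access) are taken from the module above; the test-case generator, its boundary values, the 4096-byte buffers and the iteration count are this example’s own assumptions.

```c
/* ioctl_fuzz.c - minimal Windows driver IOCTL fuzzing harness (added example,
 * not beSTORM code). Builds anywhere; the DeviceIoControl loop is Windows-only.
 * Windows: cl ioctl_fuzz.c      Elsewhere it only prints the computed code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* CTL_CODE(DeviceType, Function, Method, Access) as defined in winioctl.h:
 * (DeviceType << 16) | (Access << 14) | (Function << 2) | Method */
uint32_t ctl_code(uint32_t device_type, uint32_t function,
                  uint32_t method, uint32_t access)
{
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

/* Inverse of ctl_code, handy for labelling a crash dump or a debugger break. */
struct ioctl_fields { uint32_t device_type, function, method, access; };

struct ioctl_fields decode_ctl_code(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* xorshift32: tiny deterministic PRNG, seeded per case, no global state. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Fill buf with test case n and return its length (0..cap). A kernel crash is
 * reported by case number, so every case must be rebuildable from n alone. */
size_t build_case(uint32_t n, uint8_t *buf, size_t cap)
{
    /* Boundary values (example's own choice) spliced over DWORD-aligned slots:
     * size/count fields inside the request are where integer overflows live. */
    static const uint32_t boundary[] = {
        0x00000000u, 0xFFFFFFFFu, 0x7FFFFFFFu, 0x80000000u, 0x41414141u
    };
    uint32_t s = n * 2654435761u + 0x9E3779B9u;  /* per-case seed */
    if (s == 0) s = 1;                           /* xorshift must not start at 0 */

    /* Every fourth case is a tiny buffer (0..7 bytes) to exercise length checks;
     * the others spread over the whole range up to cap. */
    size_t len = (n % 4 == 0) ? xorshift32(&s) % 8 : xorshift32(&s) % (cap + 1);
    if (len > cap) len = cap;

    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)xorshift32(&s);

    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t r = xorshift32(&s);
        if ((r & 3) == 0) {
            uint32_t v = boundary[(r >> 2) % (sizeof boundary / sizeof boundary[0])];
            memcpy(buf + i, &v, 4);
        }
    }
    return len;
}

#ifdef _WIN32
/* Open the device through its \\.\ symbolic link and hammer one IOCTL.
 * Run with a kernel debugger attached: a handler bug is a bugcheck, and the
 * last "case N" line on stdout identifies the input that triggered it. */
int fuzz_ioctl(const char *device, uint32_t code, uint32_t iterations)
{
    HANDLE h = CreateFileA(device, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                           NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "CreateFile(%s) failed: %lu\n", device, GetLastError());
        return 1;
    }
    uint8_t in[4096], out[4096];
    for (uint32_t n = 0; n < iterations; n++) {
        size_t len = build_case(n, in, sizeof in);
        DWORD returned = 0;
        printf("case %u len %u\n", (unsigned)n, (unsigned)len);
        fflush(stdout);   /* must reach the log before a possible BSOD */
        /* A FALSE return just means the handler rejected the input; ignore it. */
        DeviceIoControl(h, code, in, (DWORD)len, out, (DWORD)sizeof out, &returned, NULL);
    }
    CloseHandle(h);
    return 0;
}
#endif

int main(void)
{
    /* FILE_DEVICE_UNKNOWN, function 0x801, METHOD_NEITHER, read|write: 0x0022E007 */
    uint32_t code = ctl_code(0x22, 0x801, 3, 3);
    printf("IOCTL code: 0x%08X\n", (unsigned)code);
#ifdef _WIN32
    return fuzz_ioctl("\\\\.\\DVWD", code, 100000);
#else
    puts("Not on Windows: DeviceIoControl loop skipped.");
    return 0;
#endif
}
```

Two practical notes. First, METHOD_NEITHER (the 3 in the Method field) means the I/O manager hands the driver the raw user-mode input pointer and length without buffering or validating them, so the handler has to do its own probing; the zero-length and tiny cases in the generator are the ones that usually catch a missing check. Second, DeviceIoControl returning FALSE is the normal outcome for rejected input and is not a finding; the finding is the machine dropping into the kernel debugger, which is why each case number is flushed to stdout before the call.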