in-mem process patching

July 25, 2012

in-mem process patching using zSimulator.

I won’t go into details at this time, but this is just a small showcase of what can be done using zSimulator. Hopefully more to follow soon.

Categories: Uncategorized

Unlocking the Sony Tablet S bootloader

July 24, 2012

English: An illustration of Sony S1 (codename) Honeycomb Tablet. (Photo credit: Wikipedia)

So, I’ve got myself a new Sony Tablet S. Cool device. However, a locked bootloader? Are you kidding me? Are we back to the 80's all over again?

Therefore, I think it is sufficient to say this should be a nice project, hopefully with interesting & helpful results. I reckon this bootloader issue is the only thing standing between this tablet and XDA popularity…

If anyone has any information regarding partition tables or, even better, some RE of the bootloader, please share here. Once I have something to show off, I will post it here.

Good luck to us all. Ad astra per alas porci.

Categories: Android

Twitter diff – bash script

February 4, 2012

Recently I’ve been planning a small Twitter contest, but I had to find out which new followers have joined and who have left. So, I came up with this little script (which initially was meant to be a one-liner… yeah, right). I hope it will assist others as well.

#!/bin/bash
#
# twitter_diff.sh by z4ziggy
#
# handy yet dangerous utility - followers with weird chars in their names can
# cause unpredicted results but i'm too lazy to fix this. so be warned.
#
# change username to match desired twitter account to retrieve, or use 1st
# command line parameter as username.
#
username=z4ziggy

[ $# == 1 ] && username=$1

echo "[+] fetching followers for $username"
wget --quiet -O - http://api.twitter.com/1/followers/ids/$username.xml | grep "<id>" | sort > new.$username.xml
if [ -f $username.xml ]; then
        diff=$(diff -u0 $username.xml new.$username.xml)
        for id in $diff; do
                [ "${id:0:2}" != "+<" -a "${id:0:2}" != "-<" ] && continue

                user=$(echo ${id:1} | sed 's/<[^>]*>//g')
                wget http://api.twitter.com/1/users/show/$user.xml -O /tmp/$user.xml >/dev/null 2>&1
                f_sname=$(grep "<screen_name>" /tmp/$user.xml | sed 's/<[^>]*>//g;s/^[ ]*//')
                f_name=$(grep "<name>" /tmp/$user.xml | sed 's/<[^>]*>//g;s/^[ ]*//')
                f_count=$(grep "<followers_count>" /tmp/$user.xml | sed 's/<[^>]*>//g;s/^[ ]*//')

                [ "${id:0:2}" == "+<" ] && echo "[+] $f_sname ($f_name) joined (has $f_count followers) - http://twitter.com/#!/$f_sname"
                [ "${id:0:2}" == "-<" ] && echo "[-] $f_sname ($f_name) left (has $f_count followers) - http://twitter.com/#!/$f_sname"
        done
fi
mv new.$username.xml $username.xml
echo "[+] done"
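The script above builds the joined/left lists by word-splitting `diff -u0` output, which is the source of the "weird chars" caveat in its header. The following is an added example (not the original script) that computes the same two lists from two snapshot files of `<id>…</id>` lines with `comm`, after reducing each file to numeric ids only, so unexpected content in a snapshot can never become a shell word or a file name; the snapshot file format and the sample ids are assumed/constructed.

```shell
#!/bin/sh
# Added example, not the original twitter_diff.sh. Assumes two snapshot
# files in the original script's format: one <id>N</id> element per line.
export LC_ALL=C   # sort and comm must agree on collation

# Keep only the numeric id of well-formed <id>N</id> lines; anything else
# (odd characters, unexpected elements) is dropped instead of being
# expanded later as a shell word or used in a path.
extract_ids() {
    sed -n 's/^[[:space:]]*<id>\([0-9]\{1,\}\)<\/id>[[:space:]]*$/\1/p' "$1" | sort -u
}

# ids present in the new snapshot ($2) but not in the old one ($1): joined
joined_ids() {
    o=$(mktemp) && n=$(mktemp) || return 1
    extract_ids "$1" > "$o"; extract_ids "$2" > "$n"
    comm -13 "$o" "$n"
    rm -f "$o" "$n"
}

# ids present in the old snapshot ($1) but not in the new one ($2): left
left_ids() {
    o=$(mktemp) && n=$(mktemp) || return 1
    extract_ids "$1" > "$o"; extract_ids "$2" > "$n"
    comm -23 "$o" "$n"
    rm -f "$o" "$n"
}

# Constructed sample snapshots for a stand-alone run; the last line of the
# new snapshot is deliberately malformed and must be ignored.
old=$(mktemp); new=$(mktemp)
printf '  <id>1001</id>\n  <id>1002</id>\n  <id>1003</id>\n' > "$old"
printf '  <id>1002</id>\n  <id>1003</id>\n  <id>2000</id>\n  <id>not a number</id>\n' > "$new"
echo "[+] joined:"; joined_ids "$old" "$new"
echo "[-] left:";   left_ids "$old" "$new"
rm -f "$old" "$new"
```

Each printed id can then be looked up individually, as the original script does, with the id quoted wherever it is interpolated.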


Categories: linux

Disable gnome-shell hotspot

May 4, 2011

I hate the new hot spot on gnome-shell, and as always with gnome, there is no option to disable it. Here is a quick & ugly patch to accomplish that:

--- /usr/share/gnome-shell/js/ui/panel.org.js	2011-05-04 15:03:01.982247999 +0300
+++ /usr/share/gnome-shell/js/ui/panel.js	2011-05-04 15:03:13.175520693 +0300
@@ -761,7 +761,7 @@
     },
 
     _onCornerEntered : function() {
-        if (!this._entered) {
+        if (this._entered) {
             this._entered = true;
             if (!Main.overview.animationInProgress) {
                 this._activationTime = Date.now() / 1000;
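Review bot: inverting `if (!this._entered)` to `if (this._entered)` disables the hot corner only as a side effect: the body, which sets `this._entered = true;` and then starts the overview activation, now runs solely when the flag is already true, and nothing in the visible lines shows where `_entered` is reset, so whether the corner stays inert depends on code outside this hunk. A `return;` as the first statement of `_onCornerEntered` would state the intent directly and not rely on the flag's lifecycle. The post should also mention that editing /usr/share/gnome-shell/js/ui/panel.js in place is undone by the next gnome-shell package update.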
Categories: Uncategorized

Reminisce: The early days.

February 23, 2011

The following took place more than 10 years ago, so I guess no sensitive information is at risk.

Lesson one:

Your security is as strong as your weakest link.

It was my first week working for a big international bank. But instead of working, I got tons of bloated-out-of-proportion dossiers which, if I had stacked them one on top of the other, would have been more than 1 meter tall. I didn’t believe they actually expected me to read all this how-to-deal-with-our-systems boring stuff page by page, but a quick check with my new co-workers revealed they all actually had read it all (and I guess some of them could even cite large parts…). Well, it wasn’t for me. However, I was not granted permission to the system until I had finished reading and mastering all the regulations described in those manuals. So I figured two weeks should be a good time to do nothing. Great.

Alas. I was bored.


I stared at my Windows unlock dialog. CTRL-ALT-DEL. No username yet. So my best bet was either to grab someone else’s user/pass, or to stick to what I know: Administrator always exists. I had a good hand, the dealer was on my side. I bypassed the lame Windows security and logged on (it doesn’t matter how; there are SO many ways of doing so). The day after, I decided to come clean with my new boss (a stupid British executive), which proved to be a bad idea (at first): he yelled at me, didn’t even bother to notice the lack of security or the easiness of the break, but only got upset about “how dare I do something like that which page 63 of dossier 121 clearly states is forbidden!” (or something similar). He concluded that I should never ever try anything like that in the future, that I should finish reading my manuals, and we’d see how we continue from there. He also stated that this is a serious business, and that he would keep this incident to himself for the time being since I’m new.

Needless to say, when I got back home that day, I felt lousy. I felt like I had just lost this job. But on the other hand, I was thankful to my new boss for not advertising my ‘bad’ doings, so I still had a little hope. My bad.

Come the day after. I got to work at about 9:00, flipping pages in the manuals, trying to win back my boss’s trust. It was about 12:00 when I was asked to go to the management building. My boss gave me a ‘bye bye’ look as I was walking out of the department. I knew my days at that place were over.

An hour later, I was a new man. The manager who had been informed of my ‘break-in’ (yeah, my boss’s word turned out to be worthless) was one of the vice-presidents of the company. He showed great interest in my findings, asked me to explain to the IT administrators how this should be prevented, and asked me to continue doing so, as long as I informed him personally (a couple of months later he got his password mailed to him, after I found the Administrator password encrypted in some VBS file on the LAN, which allowed me to run L0phtCrack for a weekend. He was pleased :-) ), and so I did. He also asked me if there was anything I would like to have while working. I had only two requests: to work at my own (crazy) hours, and a new boss. I got both.

Categories: Uncategorized

Some notes about Android Security

February 6, 2011

Android Security (Image from http://www.mushive.com)

I had the time to take a long look at Android security. I found some Android anti-virus programs which aren’t much different from their Windows counterparts: they work by scanning APKs for known files using a signature database. This can easily be bypassed using encryption, polymorphic code, and similar methods. Needless to say, none of them will detect a new Android exploit/virus trying to take over the system.

Regarding Android exploits, I found out Google has fixed version 2.2.1, so running in-app exploits doesn’t work anymore (I thought it was the use of /dev/ptmx which enables applications to connect to a shell, but apparently it’s not, since no fix relating to this has been issued, yet using /dev/ptmx doesn’t work on 2.2.1 as it does on 2.2). Running exploits through the ADB shell, one can still obtain root (even with the new ADB binary found on 2.3), although many known exploits don’t work any more (rage, exploiting hotplug). I also found one troubling Linux exploit from exploit-db.com which powers off my Android device. Although at the moment this attack is only a denial-of-service, one might ‘upgrade’ it for privilege escalation. To summarize the ADB Android exploit status:

2.2 – adb shell exploitable, in-app exploitable
2.2.1 – adb shell exploitable, in-app not exploitable
2.3 – adb shell semi-exploitable, in-app not exploitable

So we can see the progress Google has made, but it’s not perfect yet.
Also, Google is pushing a silent update to prevent in-app exploits in the current version (someone told me it’s not even for 2.2.1, which points to 2.2 as the candidate). I guess we’ll know shortly.

Some important links to watch:

http://c-skills.blogspot.com/
http://imthezuk.blogspot.com/
http://www.accessroot.com/
http://strazzere.com/blog/
http://dtors.org/
http://jon.oberheide.org/blog/
http://thomascannon.net/projects/android-reversing/
http://blog.stalkr.net/

Categories: Android

Android Security – http://androidsec.net

January 29, 2011

Finally I have put most of the info in the public domain: the Immunizer is done, and I feel I’ve taken the right approach (not releasing the sources ASAP but waiting instead).
I also published the quick fix info for ROM modders on the XDA forums, so all customized ROMs should be immunized without the need for Immunizer.

Although Immunizer is a free app, installing it from the Market costs $1. I am still debating with myself whether to use PayPal instead; the problem with PayPal is that it’s not as simple for the end user. Any suggestions are welcome.

http://androidsec.net/

Categories: Uncategorized