NewLC - Explore and Hack the Server Heap in Symbian - Comments

No privilege escalation

puterman — Thu, 03 May 2007 20:44:33 +0200

Of course, plugins are DLL:s, and as such have to have at least the same capabilities as the app that uses them, so no privilege escalation.

http://ptrmobile.blogspot.com/

Hacking

puterman — Thu, 03 May 2007 15:05:26 +0200

The word "hacking" seems to have very negative connotations to lots of people. It can be used for different things, eg. to get the system to do stuff that it wasn't supposed to do. Using undocumented/unsupported features might be poor development practice, but it really depends on what you're doing and what the user base wants.

Whether techniques that can be used for creating malware should be published is an interesting topic, which has been discussed to an absurt extent among security people during the last couple of decades. If you believe that you've found an exploitable security hole, I believe it's a good idea to inform the vendor before going public, but I do believe in publishing the information. I don't believe it's a good idea to put the lid on everything that might be used for malevolent purposes, because most system level knowledge lives in a grey zone.

/puterman

http://ptrmobile.blogspot.com/

Hacking

tote — Thu, 03 May 2007 12:03:59 +0200

That's right! That's what I concluded, too: it's for hacking! May I dare to ask: is it the right forum to discuss about hacking? Although personally I'm also interested in the technical challenges of making use of a component's unpublished services, internal data structures, etc., BUT:
- I will never make use of it, just keep it in mind as examples, patterns to be avoided in my programs ==> i.e. learn from bad examples,
- I will never publish it to others so that everybody can exploit it.

Tote
---
GÃ¡bor TÃ¶rÃ¶k
Software architect, Agil Eight
http://www.agileight.com

Conclusion!

puterman — Thu, 03 May 2007 11:20:44 +0200

Hacking can be done for different reasons, the most common one being curiosity, I believe. In this particular case, the point of accessing the heap is that you can change the behaviour of the hacked program, as you have both read and write access to the heap. As for loading plugins, I don't remember the details of how capabilities and plugins interact, but I'd guess you could use it for privilege escalation, ie. use API:s that requires capabilities that you don't have, but that the server has (only applicable to SymbianOS >=9, of course).

http://ptrmobile.blogspot.com/

Conclusion?

tote — Fri, 27 Apr 2007 16:06:19 +0200

Hi there,

I AM looking at Symbian OS v9 SDK, indeed. THeapWalk class is not available at all. I don't dare to ask where did you get the source of THeapWalk class from. :-|

However, the main question still remains: why is it worth for anyone to hack the host process' heap?

Tote

GÃ¡bor TÃ¶rÃ¶k
Software architect, Agil Eight
http://www.agileight.com

A simulation of THeapWalk for Symbian 9

oasisfeng — Fri, 27 Apr 2007 14:46:45 +0200

Hi, Tote

Maybe you are looking into the SDK of Symbian 9. THeapWalk is a public API in pre-Symbian 9 SDKs. And even though this API is stripped away since version 9, you can still get a simulation of THeapWalk from my blog: (As I mentioned in the footer of the tutorial)

http://blog.oasisfeng.com/2007/02/23/theapwalk-for-symbian9/

(This blog post is written in Chinese, however the code snippet is still English.

I think the potential malware plug-in is not just a problem of Symbian, it also exists in most common OSes including Linux and Windows. So that'll be necessary if you want to build up a secure plug-in interface.

Still not convinced

tote — Fri, 27 Apr 2007 14:33:35 +0200

Hi again,

Although I had concerns if your solution really worked, I now accept that it does. Why not?

However, my main concern was more general than solely limited to Font & Bitmap server's plug-in API (since the title of your article is more general than that). First off, I still can't see how anyone can implement their own solution when THeapWalk class is not available in the public SDK. For example, how could you do it?

Then based on what you wrote each developer of such a program that exposes public plug-in API should consider that the client of their API is a potential malware wanting to hack the main process' heap. And for that reason, they must apply strict policy on how those plug-ins can attach to the process. For example, by requiring that plug-ins hold ProtServ capability - or even more.

Tote
----
GÃ¡bor TÃ¶rÃ¶k
Software architect, Agil Eight
http://www.agileight.com

Approved solution

oasisfeng — Fri, 27 Apr 2007 14:17:56 +0200

Hi, Tote

This is an approved solution, and I've been using it in my freeware project "FontRouter" for quite a long time. It's available even in Symbian 9 which is considered to be the most secure Symbian OS ever.

Surely all server side ECOM plug-in in Symbian 9 need the "PROTSERV" capability, but this capability does no classification on access level to the server resources. As we all know, the common heap is open to all the threads within a process, so there's no more control that could be applied to a plug-in other than "PROTSERV" as a whole. Of course, "PROTSERV" capability is one of the must-sign capabilities, so official signing process is needed if you want to publish a server-side plug-in.

About your final question, I'm sure my freeware project "FontRouter" is a good example. It handles all the system font request, and forward it to more than one pre-defined fonts for different charsets, as you configurated. It's a perfect solution for reading an information mixed up with more than one languages on Symbian. (:

FontRouter is only available to Chinese users at present, and I'm now working on expanding it to an international version. I'm sure you can meet it soon.

Does it really work?

tote — Fri, 27 Apr 2007 12:10:33 +0200

Hi,

First, I wonder how this solution work when most developers have no access to THeapWalk class.

Second, if I were the designer of a program offering a plug-in API (i.e. one that accepts plug-ins), I would make it so that some (not necessarily strong) capabilities would be required for plug-ins in order for them to attach to my process. Any capabilities would do, but of course, the more sensitive the data they can access the stronger capabilities would be required. And the stronger capability is required the more likely that your program will have to be officially undergo some testing. And even if your plug-in undergoes testing and does damage later on, you're still accountable. Of course, I'm not sure (as I can't be) if Font & Bitmap server has been designed this way, but I would be surprised if not.

So finally my question is if it's worth analyzing a process' heap? What can you do once you have the information you were looking for?

Tote
---
GÃ¡bor TÃ¶rÃ¶k
Software architect, Agil Eight
http://www.agileight.com

Attachment

oasisfeng — Fri, 27 Apr 2007 05:33:57 +0200

Sorry, attachment link is missing:
http://www.newlc.com/files/HeapSearch.txt

Explore and Hack the Server Heap in Symbian

oasisfeng — Thu, 26 Apr 2007 19:00:47 +0200

One of the most important design in Symbian is the well-known server/client framework. As the server and client are in different process spaces, hacking the server is generally difficult to achieve by means of normal application. This tutorial reveals a new way to hack the server heap and make a patch as you want.