Abusing Android ClipData

Overview This is going to be a quick and dirty post on some insecurities in using Android's ClipboardManager when making security-critical decisions. The Clipboard Framework When you use Android's Clipboard Framework, you put data into a clip object and then put that clip object on the system-wide clipboard.…

Writing a Simple Mach-O Parser with Python ctypes

Overview When trying to understand the file format of a given executable type, there is no better way to do so than to write a parser for it. In this post we will walk through how to build a simple parser for the Mach-O file format using Python and ctypes. There…

Inspecting Heap Objects with LLDB

When a new object is created in Objective-C, a chunk of space is allocated on the heap for the object structure, and a pointer to that structure is saved on the stack. NSObject *myobj1 = [[NSObject alloc] init]; Even though things seem to change slightly from version to version, the structure of an…

ZipInputStream Armageddon

Overview For those who are not aware of the ZipInputStream Armageddon, it is happening right now ... and yes, it is just as bad as the movie. THIS: http://blog.quarkslab.com/remote-code-execution-as-system-user-on-android-5-samsung-devices-abusing-wificredservice-hotspot-20.html IS: https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/ A: http://rotlogix.com/2015/08/22/…

Mercury Browser for Android RCE Redux

Overview In my previous post about this browser, I already covered how you can abuse the insecure parsing of the Intent URI scheme to invoke the private WiFi Manager feature. I also described how you can exploit a path traversal vulnerability in the custom web server used by the…

Same Sh*t Different Android Browser

Overview I have been researching Android web browsers quite a bit over the last year and have made some interesting discoveries. One of those discoveries has been the complete lack of understanding of how to securely implement the use of the Intent URI scheme. Vulnerabilities that stem from insecurely parsing…