2015-09-19

Author:@蒸米@Spark

Email:zhengmin1989@gmail.com

0x00 Introduction

Before we start, let’s look at what some security leaders in China have said about the HT (Hacking Team) leak:

@tombkeeper: The exposure of Stuxnet made the public realize: “this is really happening”. Furthermore, the Snowden affair told us: “there are more of such events”. What’s more, the HT leak told us: “This can even be a business.”

@赵武在路上: Back in 2011, HBGary was hacked. Many people didn’t realize what the incident represented, since it concerned national security. Until recently, the public was still confused about Hacking Team being hacked. The leaked data includes the client list and 0day exploits, but I pay more attention to the code of RCS. In the old days, the industry was filled with a lot of unprofessional demos with little engineering in them. A new age has opened, especially for the underground network industry chains.

It can be said that the HT leak is another “Snowden affair” in terms of influence. This time, HT was not simply exposed to the public; the exposure came with 415G of leaked data in total, including a Flash 0day exploit, a Windows font 0day exploit, an iOS enterprise backdoor app, an Android SELinux exploit, a WP8 trojan and so on. They are nuclear-level exploits and tools. So let’s get down to business.



0x01 Overview

The dump takes 415.77G, which means you need a lot of time to download the data. The good news is that someone has already uploaded the entire image to the Internet. If you are interested, please visit: http://HT.transparencytoolkit.org/. It is said that the data consists largely of emails, which is what makes the volume that large. But don’t worry, there is also a refined version which is only 1.3GB. Before getting the full version, we are going to analyze this refined version first. You can get it from: https://mega.co.nz/#F!5YVWRDBb!nsghWe6lN4DSRedB2FsVUQ

The data looks like this:



HACKING TEAM PASSWORDS AND TWEETS.pdf contains the accounts and passwords of Christian Pozzi and screenshots of his Twitter. It is likely that he is the one whose computer was hacked, which led to the dump of the git server connected to HT’s intranet, the Knowledge Base and the data on HT’s email server.



The data in Hacking Team Saudi Arabia Training.pdf may not be complete. Its outline mainly introduces how to install and use the RCS (Remote Control System). There is no doubt that RCS is the best product HT has: they have successfully made it applicable to all platforms (including Windows Phone). Here is a screenshot of their system:

You cannot imagine how detailed every piece of monitoring information is. We don’t know exactly how many people are under their surveillance.

The public keys of the members of the git server, and the projects each is responsible for, are saved in gitosis-admin-master.zip. By viewing “gitosis.conf”, we can tell who is responsible for which project. For instance, Placidi is primarily on Android-related projects; Naga, Daniele, Zeno, Diego and Ivan are responsible for the fuzzers; Matteo, Zeno and Daniele mainly focus on antivirus (AV) detection.

In the following chapters we explain the details according to the category each project belongs to.

0x02 Android

1 core-Android-audiocapture-master.zip mainly uses the hooking framework created by Collin Mulliner to conduct voice and call monitoring. The final build of the program is saved in the “pack” folder, while Collin Mulliner’s PPTs are saved in the “references” folder. The whole project is a modification of https://github.com/crmulliner/ADBI. Note that the intercepted audio is not in WAV format and has to be decoded by the tools in the “decoder” folder. It seems that the app not only monitors telephone calls, but also intercepts the audio of WeChat, WhatsApp and Skype.

2 core-Android-market-master.zip is a project used to upload a spy tool to Google Play. Although Google Play has deployed a detection system, it fails to identify this kind of malware used for APT attacks. The account and password of the HT developers are also saved in \core-Android-market-master\doc\readme.txt, but when I tried to sign in, I found the password had been changed a few hours earlier.

3 gitosis-admin-master.zip is actually the source code of HT’s Android RCS system. Other than some gradle files used for compilation, all of the source code is stored in the “\core-android-master\RCSAndroid” directory. This RCS app can perform basic information monitoring and collect information from popular social media apps.

In terms of application hardening, the RCS app uses DexGuard for obfuscation and virtual machine detection. According to its log, this project seems to use a lot of 0day tricks to obfuscate the application, which deserves further research. Then comes the highlight: the root exploit. The main code is in the directory \core-android-master\RCSAndroid\jni, where you can see the file “exploit_list.c”, which can use various exploits to get root privilege:

In addition, core-android-master\RCSAndroid\jni\selinux_exploit contains the exploit used to bypass SELinux enforcing mode.

4 core-Android-native-master.zip contains more specific root projects and descriptions. In the “legacy_native” folder: Suidext contains all of the shells, and Local2root contains the root exploits used for versions <= 4.1. In the “selinux_native” folder: “Put_user_exploit” contains the exploit for put_user calls, “Kernel_waiter_exploit” includes the exploit of towelroot, and Suidext has a new shell. All exploits compiled through “build.sh” are in the “bin” directory (these exploits can kill SELinux on Android 5.0). Please refer to the file README.txt in the reference directory to view other files. The language used is Italian; please use Google to translate it.

0x03 iOS & Mac OS

1 The main code of RCS is in the “core” folder of core-IOS-master.zip. It mainly uses dylib injection to monitor user input, GPS and screen information.

The IOS-newsstand-app is the source code of another iOS application. The code is possibly used to replace the iOS IME and then log keystrokes, which can attack devices that are not jailbroken. The “Keybreak” folder, which includes the source code of a lockdownd remote exploit, is used to crack the lock screen password. The “IOS-install-Win32” and “IOS-install-OSX” folders contain the tools used to install apps on an iPad from Windows and Mac OS. Besides, HT also owns an iOS enterprise account used to publish enpublic apps: UID=DE9J4B8GTF, CN=iPhone Distribution: HT srl, OU=DE9J4B8GTF, O=HT srl, C=IT. I’ve talked about the dangers of enpublic apps in my previous articles and papers.
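As an added defensive example (not part of the original post or of the leaked code), the following Python flags an app whose signing identity carries the Team ID of the enterprise distribution certificate quoted above. It parses a subject DN string like the one above and the `TeamIdentifier=` / `Authority=` lines of the kind `codesign -dvvv` prints; the codesign output embedded below is constructed, not a real capture, and its bundle identifier and path are placeholders.

```python
import re

# Team identifier from the enterprise distribution certificate quoted in this article.
KNOWN_BAD_TEAM_IDS = {"DE9J4B8GTF"}


def parse_dn(dn):
    """Parse 'UID=x, CN=y, OU=z, O=w, C=v' into a dict keyed by upper-cased attribute.
    Values may contain ':' (as in 'iPhone Distribution: HT srl') but not commas."""
    fields = {}
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def team_id_from_dn(dn):
    """Apple places the Team ID in the OU (and UID) of distribution certificates."""
    fields = parse_dn(dn)
    return fields.get("OU") or fields.get("UID")


def scan_codesign_output(text):
    """Return (team_id, [authorities]) from 'codesign -dvvv'-style output lines."""
    team, authorities = None, []
    for line in text.splitlines():
        m = re.match(r"\s*TeamIdentifier=(\S+)", line)
        if m:
            team = m.group(1)
        m = re.match(r"\s*Authority=(.+)", line)
        if m:
            authorities.append(m.group(1).strip())
    return team, authorities


def is_flagged(team_id):
    """True when the signing Team ID is on the denylist."""
    return team_id in KNOWN_BAD_TEAM_IDS


# Constructed sample (not a real capture); the DN is the one quoted in the article.
SAMPLE_DN = "UID=DE9J4B8GTF, CN=iPhone Distribution: HT srl, OU=DE9J4B8GTF, O=HT srl, C=IT"
SAMPLE_CODESIGN = """Executable=/private/var/containers/Bundle/Application/PLACEHOLDER/Example.app/Example
Identifier=com.example.placeholder
Authority=iPhone Distribution: HT srl
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=DE9J4B8GTF
"""

if __name__ == "__main__":
    team, auths = scan_codesign_output(SAMPLE_CODESIGN)
    print("codesign team:", team, "flagged:", is_flagged(team), "leaf:", auths[0])
    print("DN team:", team_id_from_dn(SAMPLE_DN), "flagged:", is_flagged(team_id_from_dn(SAMPLE_DN)))
```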

2 In vector-IPA-master.zip there should be the source code of another iOS Trojan. This Trojan is an application, not an underlying network agent, which can be used to monitor or control the system’s network traffic.

3 The source code of the Mac OS RCS is saved in the core-MacOS-master\core folder of core-macos-master.zip. This is in fact a Mac OS Trojan similar to the Windows Trojan.

0x04 Windows Phone & Symbian & BlackBerry

1 core-winphone-master.zip is the RCS Trojan for Windows Phone. The implementation of “Activation Track” on WP devices leverages a 0day exploit in the system which allows a third-party application to run as trusted code on the system. This RCS can also retrieve information such as the contact list, calendar, call history, location, SMS and sensor status. The Program ID is 11B69356-6C6D-475D-8655-D29B240D96C8.

2 core-blackberry-master.zip and core-symbian-master.zip are the RCS systems for BlackBerry and Symbian respectively.

0x05 Fuzzer

1 The source code of the fuzzer for Windows is saved in fuzzer-windows-master.zip, which includes the fuzzing systems targeting IE and fonts.

2 The source code of the fuzzer for Android is saved in fuzzer-android-master.zip, which includes the fuzzing systems targeting JPG, SMS and system calls. Trinity is mainly used to perform system call fuzzing, such as on the ioctl() system call used by binder.

0x06 AV Detection

test-av-master.zip is the first-generation product and test-av2-master.zip the second generation. HT names them AVMonitor. The system is used to guarantee that their products can bypass AV detection. The AV products they use and their serial numbers are saved in test-av2-master.zip\test-av2-master\doc\AVTEST.

The test-av2-master\doc\whiteboard folder even includes the whiteboard they used in a meeting.

0x07 Exploit & 0day

vector-exploit-master.zip is another highlight. First, you will find two exploits for Flash: one is a Flash 0day, ActionScript ByteArray Buffer Use After Free; the other is CVE-2015-0349, which Nicolas Joly used in the Pwn2Own 2015 competition. In order to bypass the sandbox mechanisms of IE and Chrome and fully control the user’s system, Hacking Team also leverages a Windows kernel driver, the Adobe Font Driver (atmfd.dll), with a font 0day exploit that can be used to escalate privilege and bypass the sandbox. This 0day exists in Windows XP through 8.1; both x86 and x64 platforms are affected. Qihoo 360 has released an analysis report about this exploit. If you are interested, please go to http://drops.wooyun.org/papers/6968.

Apart from the two Flash exploits and the font 0day, there is an Android browser exploit in the directory vector-exploit-master\src\ht-webkit-Android4-src. This exploit can install an APK on the targeted device after the user browses a web page through the Android browser. It affects Android 4.0-4.3. As can be seen from its source code, the exploitation process is extremely complex: at least four stages are needed, and techniques such as information leaks and heap spraying are employed as well. PS: in vector-exploit-master\src\ht-webkit-Android4-src\docs, there is a photo taken during the meeting about this exploit.

0x08 What Else

1 The GeoTrust certificate of HT is saved in GeoTrust-master Signing Keys.zip.

2 There are lots of audio recordings at http://ht.transparencytoolkit.org/audio/.

3 HT leaves a SQL backdoor in their products for querying: http://ht.transparencytoolkit.org/rcs-dev%5cshare/HOME/ALoR/htdocs/conf.php

4 Many legitimate keys for VMProtect Professional are leaked.

5 We provide a Flash 0day test page at http://zhengmin1989.com/HT/index.htm. If your browser pops up a calculator, it means your Flash has this 0day vulnerability. Please update it quickly.

6 You can get another font 0day demo from http://zhengmin1989.com/HT/32bitwin81.zip. We tested it successfully on Win 8.

7 You can get all the email records from this website: https://wikileaks.org/hackingteam/emails/.

8 You can get the customer list from: https://ht.transparencytoolkit.org/Amministrazione/01%20-%20CLIENTI/5%20-%20Analisi%20Fatturato/2015/02%20-%20Client%20Overview%202015/Client%20Overview_list_20150603.xlsx

The post An Overview of Hacking Team’s Leaked Data appeared first on HaCoder.