Mirror of https://github.com/HackTricks-wiki/hacktricks.git (synced 2025-10-10 18:36:50 +00:00)

Commit 789a16d994 (parent f4aa73ba57): Translated ['src/generic-hacking/esim-javacard-exploitation.md'] to sw
@@ -77,6 +77,7 @@
# 🧙♂️ Generic Hacking

- [Brute Force - CheatSheet](generic-hacking/brute-force.md)
- [Esim Javacard Exploitation](generic-hacking/esim-javacard-exploitation.md)
- [Exfiltration](generic-hacking/exfiltration.md)
- [Reverse Shells (Linux, Windows, MSFVenom)](generic-hacking/reverse-shells/README.md)
- [MSFVenom - CheatSheet](generic-hacking/reverse-shells/msfvenom.md)
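Review bot: the new sidebar entry `Esim Javacard Exploitation` does not match the H1 of the page it links to, `# eSIM / Java Card VM Exploitation`, and breaks the product-name capitalisation used elsewhere in the tree (eSIM, Java Card). Suggest `- [eSIM / Java Card VM Exploitation](generic-hacking/esim-javacard-exploitation.md)`, or at minimum `eSIM Java Card Exploitation`, so the sidebar and the page title agree. Alphabetical placement between `Brute Force` and `Exfiltration` is correct.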
src/generic-hacking/esim-javacard-exploitation.md (new file, 88 lines)
@@ -0,0 +1,88 @@
# eSIM / Java Card VM Exploitation

{{#include ../banners/hacktricks-training.md}}

## Overview
Embedded SIMs (eSIMs) are implemented as **Embedded UICC (eUICC)** smart cards that run a **Java Card Virtual Machine (JC VM)** on top of a secure element.
Because profiles and applets can be provisioned *over-the-air* (OTA) through Remote SIM Provisioning (RSP), any memory-safety flaw inside the JC VM immediately becomes a remote code-execution primitive **inside the phone's most privileged element**.

This page summarises the full compromise of a Kigen eUICC (Infineon SLC37 ESA1M2, ARM SC300) caused by missing type-safety checks in the `getfield` and `putfield` bytecodes. The same technique can be reused against other vendors that lack on-card byte-code verification.

## Attack Surface
1. **Remote Application Management (RAM)**
   eSIM profiles can embed arbitrary Java Card applets. Provisioning is done with standard APDUs that can be carried over SMS-PP (Short Message Service Point-to-Point) or HTTPS. If an attacker has (or obtains) the profile's **RAM keys**, they can `INSTALL`/`LOAD` a malicious applet remotely.
2. **Java Card byte-code execution**
   Once installed, the applet executes inside the VM. The absence of run-time checks allows memory corruption.

## The Type-Confusion Primitive
`getfield` / `putfield` are supposed to operate only on **object references**. In the Kigen eUICC these instructions never verify whether the operand on the stack is an *object* or an *array reference*. Because the `array.length` word lives at the same offset as the first instance field of an ordinary object, an attacker can:

1. Create a byte array `byte[] buf = new byte[0x100];`
2. Cast it to `Object o = (Object)buf;`
3. Use `putfield` to modify *any* 16-bit value inside the adjacent object (including VTABLE / pointer-translation entries).
4. Use `getfield` to read *arbitrary memory* once internal pointers have been hijacked.
```java
// Pseudo-bytecode sequence executed by the malicious applet
// buf = newarray byte 0x100
// o = (Object) buf                        // illegal but not verified
// putfield <victimObject+offset>, 0xCAFE  // arbitrary write
// ... set up read-what-where gadgets ...
```
The primitive yields **unbounded read/write** across the eUICC address space - enough to dump the ECC private keys that authenticate the card to the GSMA ecosystem.

## End-to-End Exploitation Flow
1. **Fingerprint the firmware** – Use the undocumented `GET DATA` tag `DF1F`:
```
80 CA DF 1F 00   // → "ECu10.13" (vulnerable)
```
2. **Install the malicious applet OTA** – Use the publicly known keys of the TS.48 Generic Test Profile and push SMS-PP fragments carrying the CAP file (`LOAD`) followed by `INSTALL`:
```
// simplified APDU chain
80 E6 02 00 <data>   // LOAD (block n)
80 E6 0C 00 <data>   // INSTALL for load
```
3. **Trigger the type confusion** – When the applet is selected it performs the write-what-where to hijack the pointer table and leaks memory through ordinary APDU responses.
4. **Extract the GSMA certificate keys** – The EC private keys are copied into the applet's RAM and returned in chunks.
5. **Impersonate the eUICC** – The stolen key pair + certificates let the attacker authenticate to *any* RSP server as a legitimate card (EID binding may still be required for some operators).
6. **Download and modify profiles** – The plaintext profiles contain highly sensitive fields such as `OPc`, `AMF`, OTA keys and even additional applets. The attacker can:
   * Clone the profile onto a second eUICC (voice/SMS hijacking);
   * Patch the Java Card applets (e.g. inject STK spyware) before re-uploading;
   * Extract operator secrets for bulk use.

## Cloning / Hijacking Demo
Installing the same profile on **PHONE A** and **PHONE B** causes the Mobile Switching Centre to route incoming traffic to whichever device registered most recently. A single capture of a Gmail 2FA SMS is enough to bypass MFA for the victim.

## Automated Testing & Exploitation Toolkit
The researchers released an internal tool with a `bsc` (*Basic Security Check*) command that immediately reveals whether the Java Card VM is vulnerable:
```
scard> bsc
- castcheck        [arbitrary int/obj casts]
- ptrgranularity   [pointer granularity/tr table presence]
- locvaraccess     [local variable access]
- stkframeaccess   [stack frame access]
- instfieldaccess  [instance field access]
- objarrconfusion  [object/array size field confusion]
```
Modules shipped with the framework:
* `introspector` – full VM and memory introspector (~1.7 MB Java)
* `security-test` – generic verification applet (~150 KB)
* `exploit` – 100 % reliable Kigen eUICC compromise (~72 KB)

## Mitigations
1. **On-card byte-code verification** – enforce full control-flow and data-type tracking rather than only the top of the stack.
2. **Hide the array header** – keep `length` outside the field area shared with ordinary objects.
3. **Update RAM key policies** – never ship profiles with public keys; disable `INSTALL` in test profiles (addressed in GSMA TS.48 v7).
4. **RSP server-side heuristics** – rate-limit profile downloads per EID, check for geographic anomalies, validate certificate validity.

## Quick Checklist for Pentesters
* Query `GET DATA DF1F` – the vulnerable firmware string `ECu10.13` indicates Kigen.
* Check whether the RAM keys are known -> attempt OTA `INSTALL`/`LOAD`.
* After installing the applet, brute-force the simple cast primitive (`objarrconfusion`).
* Try to read the Security Domain's private keys – success = full compromise.

## References
- [Security Explorations – eSIM security](https://security-explorations.com/esim-security.html)
- [GSMA TS.48 Generic Test Profile v7.0](https://www.gsma.com/get-involved/working-groups/gsma_resources/ts-48-v7-0-generic-euicc-test-profile-for-device-testing/)
- [Java Card VM Specification 3.1](https://docs.oracle.com/en/java/javacard/3.1/jc-vm-spec/F12650_05.pdf)

{{#include ../banners/hacktricks-training.md}}
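Review bot: the comments in the "Install the malicious applet OTA" APDU chain mislabel the GlobalPlatform commands. `80 E6 02 00 <data>` is INSTALL [for load] (INS `E6`, P1 `02`), not `LOAD (block n)`, and `80 E6 0C 00 <data>` is INSTALL [for install and make selectable] (P1 `0C`), not "INSTALL for load"; the CAP file blocks themselves travel in LOAD commands, which use INS `E8` with P1 `00` for intermediate blocks and `80` for the last block and P2 as the block number. Suggest rewriting the block as `80 E6 02 00 <data> // INSTALL [for load]`, `80 E8 00 <n> <data> // LOAD (block n)`, `80 E6 0C 00 <data> // INSTALL [for install & make selectable]`, which also makes the chain match the step text's "CAP file (`LOAD`) followed by `INSTALL`". Secondary point, same hunk: the type-confusion list says `putfield` writes into "the adjacent object" while the pseudo-bytecode targets `<victimObject+offset>`; the prose should state which object the confused `length` word is used to overwrite so the reader can follow the write-what-where set-up.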