BootStomp – Find Android Bootloader Vulnerabilities


BootStomp is a Python-based tool, with Docker support that helps you find two different classes of Android bootloader vulnerabilities and bugs. It looks for memory corruption and state storage vulnerabilities.

BootStomp - Find Bootloader Vulnerabilities


Note that BootStomp works with boot-loaders compiled for ARM architectures (32 and 64 bits both) and that results might slightly vary depending on angr and Z3’s versions. This is because of the time angr takes to analyze basic blocks and to Z3’s expression concretization results.

How does BootStomp find Android Bootloader Vulnerabilities?

BootStomp implements a multi-tag taint analysis resulting from a novel combination of static analyses and dynamic symbolic execution, designed to locate problematic areas where input from an attacker in control of the OS can compromise the bootloader’s execution or its security features.

Using the tool the team found six previously-unknown vulnerabilities (of which five have been confirmed by the respective vendors), as well as rediscovered one that had been previously reported. Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks.

The vulnerabilities impact the Trusted Boot or Verified Boot mechanisms implemented by vendors to establish a Chain of Trust (CoT). The team using BootStomp discovered vulnerabilities in the bootloaders used by Huawei, Qualcomm, MediaTek, and NVIDIA.

The team analyzed bootloader implementations in many platforms, including Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), Sony Xperia XA (MediaTek chipset), Nexus 9 (NVIDIA Tegra chipset), and two versions of the LK-based bootloader (Qualcomm).


How to use BootStomp

The easiest way to use BootStomp is to run it in a docker container. The folder docker contains an appropriate Dockerfile, these are the commands to use it:

For Android related security you can also check out:

Androguard – Reverse Engineering & Malware Analysis For Android

You can download BootStomp here:

BootStomp-master.zip

Or read more here.

Posted in: Hacking Tools

,


Latest Posts:


Axiom - Pen-Testing Server For Collecting Bug Bounties Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.
Second Order - Subdomain Takeover Scanner Tool Second Order – Subdomain Takeover Scanner Tool
Second Order Subdomain Takeover Scanner Tool scans web apps for second-order subdomain takeover by crawling the application and collecting URLs (and other data)
Binwalk - Firmware Security Analysis & Extraction Tool Binwalk – Firmware Security Analysis & Extraction Tool
Binwalk is a fast and easy to use Python-based firmware security analysis tool that allows for firmware analysis, reverse engineering & extracting of firmware.
zBang - Privileged Account Threat Detection Tool zBang – Privileged Account Threat Detection Tool
zBang is a risk assessment tool for Privileged Account Threat Detection on a scanned network, organizations & red teams can use it to identify attack vectors


Comments are closed.