Monday, December 19, 2016

ANDROID PT / Path Traversal Vulnerability


- Layout for this exercise:

- Connecting from Santoku to Nexus 5:

- The goal of this exercise is to perform a Path Traversal attack, aiming to access files and directories that are stored outside the root folder. 

- By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using complete file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files.

- This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.

- For instance, let's try to read the content of a file, a secret KEY, stored on the SD card of the mobile device:

- For this exercise, a vulnerable application will be used, exploiting one of its Content Providers. The adobe.apk corresponds to a reported vulnerability in a past version of Acrobat Reader, already patched at the time of writing.

- The attack is based on the fact that the application is allowed to read files from external storage, according to the permissions granted to it, as will be seen later.

- Installing the application into the mobile device. 

- Now, let's make sure that Drozer is running on the mobile device:

- Also, let's forward port TCP 31415 so that a connection is established with Drozer between Santoku and Nexus 5:

- Launching Drozer:

- Searching for any package related to Adobe:

- Finding the attack surface for the application, there is a vulnerable Content Provider:

- There is just one Content Provider, so it must be the vulnerable one:

- However, querying the Content Provider directly is unsuccessful:

- Getting some information about the package, an interesting fact is found: the READ_EXTERNAL_STORAGE permission is associated with the package:

- Reading from the Content Provider using the application's own path does not return any result, because that path is not the complete path from the root of the file system:

- However, adding enough backtracking directory traversals (../../) to climb to the root of the file system, the read succeeds and the KEY is discovered:

- Let's take into account that the Drozer agent does not hold the READ_EXTERNAL_STORAGE permission:

- So, it is important to notice that the attack has been successful because of the vulnerability in the Adobe Reader application, which holds the READ_EXTERNAL_STORAGE permission, as seen before. In other words, Adobe Reader can read files from the SD card, but Drozer cannot: the exported Content Provider lends the caller a permission it does not have.
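The root cause shown above is a Content Provider that resolves a caller-supplied path without checking that it stays under the directory it is meant to serve. The following Java class is an added example, not Adobe's code: the provider name and its base directory are hypothetical, and it shows the vulnerable pattern next to a canonicalisation check that rejects paths escaping the provider root.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

// Hypothetical provider used for illustration only (not the Adobe Reader code).
public class DocumentProvider extends ContentProvider {
    // The only directory this provider is meant to serve: the app's private files dir.
    private File baseDir() { return getContext().getFilesDir(); }

    // VULNERABLE pattern: the caller-controlled URI path is joined to the base directory as-is,
    // so enough "../" segments climb out of baseDir() and the file is read with the app's own permissions.
    public ParcelFileDescriptor openFileUnsafe(Uri uri) throws FileNotFoundException {
        File f = new File(baseDir(), uri.getPath());
        return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // HARDENED: canonicalise the requested path and refuse anything outside baseDir().
    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) throw new FileNotFoundException("provider is read-only");
        File target = resolveInside(baseDir(), uri.getPath());
        return ParcelFileDescriptor.open(target, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // Canonicalisation collapses "..", ".", duplicate separators and symlinks before the containment check.
    static File resolveInside(File base, String requested) throws FileNotFoundException {
        try {
            String root = base.getCanonicalPath() + File.separator;
            File candidate = new File(base, requested == null ? "" : requested).getCanonicalFile();
            // Trailing separator prevents "/data/files" from matching "/data/files-other".
            if (!candidate.getPath().startsWith(root)) {
                throw new FileNotFoundException("requested path escapes the provider root");
            }
            return candidate;
        } catch (IOException e) {
            throw new FileNotFoundException("cannot resolve requested path");
        }
    }

    // Remaining ContentProvider callbacks are not used by this file-serving provider.
    @Override public boolean onCreate() { return true; }
    @Override public Cursor query(Uri u, String[] p, String s, String[] a, String o) { return null; }
    @Override public String getType(Uri u) { return "application/octet-stream"; }
    @Override public Uri insert(Uri u, ContentValues v) { return null; }
    @Override public int delete(Uri u, String s, String[] a) { return 0; }
    @Override public int update(Uri u, ContentValues v, String s, String[] a) { return 0; }
}
```

Declaring the provider with android:exported="false" in the manifest, or guarding it with a signature-level permission, additionally limits which callers can reach it at all.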