Saturday, December 31, 2016

ANDROID PT - DIVA / 10 - Access Control Issues 2 - Intent Filter Vulnerability (2)


ACCESS CONTROL ISSUES 2 - INTENT FILTER VULNERABILITY (2)


- Layout for this exercise:

- Connecting from Santoku to the Nexus 5 with ADB:

- Launching the application:

- Clicking the tab for challenge 10:

- The application asks the user to register at a website in order to obtain a PIN; a valid PIN logs the user in and reveals the API credentials of a third-party application:

- With a wrong PIN, access is denied:

- The goal of this challenge is to access the third-party API credentials from outside the application, without any PIN.

- In AndroidManifest.xml, the activity for this challenge declares an intent filter with the action jakhar.aseem.diva.action.VIEW_CREDS2. An activity with an intent filter is exported by default, so any other application on the device can start it:

- Starting the activity through its intent filter with the Activity Manager does not help on its own, because the activity simply prompts the user to register:

- Drozer, however, is far more capable here. Setting up the Drozer server on the Nexus 5:

- Launching the Drozer client on Santoku Linux:

- Running the info option lists the activity APICreds2Activity:

- Opening the Java source code of the activity APICreds2Activity:

- Note that a boolean is compared with the value "true", and only when it is true is the user asked to register at a website.

- Opening AccessControl2Activity.java for this challenge:

- So, as noted, a boolean is set according to whether the PIN entered by the user is valid, and that boolean is what the credentials activity checks.

- In the application's code, a string named check_pin is defined; it is the key under which the boolean is passed in the intent:

- Now, from Drozer, the value of check_pin is changed from "true" to "false" and the intent filter is started with the Activity Manager, bypassing the access control check:

- The bypass succeeds: the API credentials are displayed without any PIN, valid or invalid, having been entered:
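The root cause is that the authorization verdict travels inside the intent, where any caller can set it, and that the activity holding the credentials is reachable from other apps through its intent filter. The following is an added illustration written for this post, not DIVA's own source (which appears above only as screenshots): the weak pattern the walkthrough describes is shown first for contrast, then a hardened form in which the credentials activity is not exported and takes the PIN decision itself from app-private state. The class names `WeakCaller` and `ApiCredsActivity`, the extra name `pin_attempt`, the preference keys, and the layout and string resource ids are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.Bundle;
import android.widget.TextView;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Weak pattern (as described in the walkthrough): the caller validates the PIN and hands
// the verdict to the target as a boolean extra keyed by the check_pin string resource.
// Because the target is reachable through its intent filter, any app can set that extra.
class WeakCaller extends Activity {
    void openCreds(boolean pinWasValid) {
        Intent i = new Intent("jakhar.aseem.diva.action.VIEW_CREDS2");
        i.putExtra(getString(R.string.check_pin), pinWasValid); // the verdict travels in the intent
        startActivity(i);
    }
}

// Hardened target. Manifest (assumed): <activity android:name=".ApiCredsActivity"
// android:exported="false"/> with no <intent-filter>, so only this package can start it.
// The caller may pass a PIN attempt, never a verdict; the decision is taken here.
public class ApiCredsActivity extends Activity {
    static final String EXTRA_PIN_ATTEMPT = "pin_attempt"; // assumed extra name
    private static final int PBKDF2_ITERATIONS = 10_000;
    private static final int MAX_FAILURES = 5;              // a short PIN needs throttling

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_api_creds);        // assumed layout id
        SharedPreferences prefs = getSharedPreferences("auth", MODE_PRIVATE);
        TextView out = (TextView) findViewById(R.id.creds_view); // assumed view id
        String attempt = getIntent().getStringExtra(EXTRA_PIN_ATTEMPT);

        int failures = prefs.getInt("failures", 0);
        // Nothing the caller put in the intent decides this branch: only stored state and the attempt.
        if (failures >= MAX_FAILURES || !pinMatches(prefs, attempt)) {
            prefs.edit().putInt("failures", failures + 1).apply();
            out.setText(R.string.register_prompt);          // assumed string id
            return;
        }
        prefs.edit().putInt("failures", 0).apply();
        out.setText(loadCredentials());
    }

    // Called once at registration: store a random salt and a PBKDF2 hash, never the PIN itself.
    static void enrollPin(SharedPreferences prefs, String pin) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        prefs.edit()
             .putString("pin_salt", toHex(salt))
             .putString("pin_hash", toHex(derive(pin, salt)))
             .apply();
    }

    private static boolean pinMatches(SharedPreferences prefs, String attempt) {
        String saltHex = prefs.getString("pin_salt", null);
        String hashHex = prefs.getString("pin_hash", null);
        if (attempt == null || saltHex == null || hashHex == null) return false;
        byte[] expected = fromHex(hashHex);
        byte[] actual = derive(attempt, fromHex(saltHex));
        return MessageDigest.isEqual(expected, actual);     // constant-time comparison
    }

    private static byte[] derive(String pin, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(pin.toCharArray(), salt, PBKDF2_ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private String loadCredentials() {
        // Assumption: the credentials live in app-private storage rather than hard-coded in the APK.
        return getSharedPreferences("creds", MODE_PRIVATE).getString("api_key", "");
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static byte[] fromHex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
}
```

With this shape, the Drozer step shown above has nothing to work with: there is no exported component to start, and even a caller inside the package cannot influence the outcome other than by supplying a correct PIN, which the lockout counter limits to a handful of tries. If the activity genuinely must be started by another app, the alternative to `android:exported="false"` is to guard it with a signature-level permission rather than to trust anything in the intent.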