ACCESS CONTROL ISSUES 2 - INTENT FILTER VULNERABILITY (2)
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN3ysPFDiLz71tKNKtTbQ-gbYIMOvFyzCKI9CWL78TjPKjXRWYpCIlFmXgXhGx2AJ03-cD6Vx-LMBzN8gZzBhlbR1mLbvF3IFft3RoDMDfuNW6_eUA1t68o-9wqG_cxHU7to9FSgnsuPpq/s1600/screenshot.1.jpg)
- Connecting from Santoku to Nexus 5 with ADB:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYPhk653C14QA8vth06HWnXBRzLa4itaCupLrevAArhsXls8xlPnBjqnB7G9OexQ9Gw-iTW0IdEsuYLhnHoyJgNyT3ta6dIQkIP20bRiI7-iGSeLanLEgnTEoAxE4-6vAsDxFRU1Bfsk6C/s1600/screenshot.2.jpg)
- Launching the application:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz26LudzftvVhlVECnYZvnq2eZHOOhCD0Ku501fUdU0VM2la60N2SRK0UcblEUUP2u7NKDULpBFOE4H4eZbq09qhg1-k-HFMB1AvTWLoaymRoY21KQJ5kMcplr3hUecqXdIup0YuKXvHjT/s400/screenshot.3.jpg)
- Clicking the tab for challenge 10:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuG28dY5Q6-qWmz9bUvXQQGoEZZU3Eyw1zxPT_ZPN_PXxxypAC9Qwk3PL4xj0SCU6pIziwSz5oId2KqZxOHx8yUEaWv2bL1MOQPfMfc8AL-xL6SoCVnfuVtzkqUhxFt25uLeuSM0VOb4rr/s400/screenshot.4.jpg)
- The application asks the user to register at a website in order to get a PIN, which is valid to log in and view some API credentials belonging to a third-party application:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxSftDcoAHMRpszWEAtZwsqRjQaRD6eDSufAYIxBkKzBBn1JUMajEL0fdVWOFefpLi9T7fwzY63KGU5LuHLUqH8l93Ak6GBs9EW15fem0QmyqXychAZuBHHleQYoBlbdLMzewo2tJvrn_b/s1600/screenshot.5.jpg)
- Using a wrong PIN, access is denied:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrZ0dQJtuv3lCcTPKjnb5tPtJJNINqwtC1s-nuaWJsJ10UGMmhX5gRqQhXDmg6PXqonfiJiXOob50WF5p_pToHeVSIGXceRQKaDHFzJNxmp_yH83xcRMVOcd7Ew32-TBhtW97-lyEEuL9a/s1600/screenshot.6.jpg)
- The goal of this challenge is to access the third-party API credentials from outside the application, without using any PIN.
- Looking at the AndroidManifest.xml, the activity for this challenge declares the intent filter action jakhar.aseem.diva.action.VIEW_CREDS2:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8E70N-zxvsKnhuOjFR4yV02xWPqI-VTQ3mqZascYmrsfEr0t-LQXWLUJoNGQDdFJKwFQCiGAY7e0jn2PPc1PzVkgcf5unGi7TW0rxNbWuUn4bmWoHe-E415Ih6cQfd2DlV0rvkWIb4rxB/s1600/screenshot.9.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnF0LFdWvOJd4YvlJrI8NXZ9VgOTszxUWrmKlPrvU9YzK94esaOCXmPn966811xtU_YxMEas_DZKSOxMyeU895FeB-pX2p70lC-oUblkbero4nFIfyh-xgbWYZWgdZ-SbZZh7nGmD9Umz0/s1600/screenshot.8.jpg)
- We could try to start the activity through that intent filter with the Activity Manager, but it does not work because the activity just prompts the user to register:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRrNUtTxOm0C7c6gztqEMgoK7Oh2_JuNejlqZxyUre_LwROrJ5A1DMVZLQhsgsmjnoTd1A6TXi5ci-dz685W-yRPeg7cg5nQqK5boY_IDyx4mwtEgaD7VQN-uejjw20lE9PKT-o1z9IA5U/s1600/screenshot.10.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNf3kMEUgTlW2jH9vSX1_7ZmyULnYhmetk3DpxvSCxBUZLq6n55ZEsH1a00xxfXx5D-jA-pmxjaSOgnZ0ijYdkXPSQTOuWelAO8PNM_XU7EfP7vKEWr1vfQEwgPJrtCOwsmXtO04P_Ne_p/s1600/screenshot.11.jpg)
- However, Drozer is a lot more powerful. Setting up the Drozer server on the Nexus 5:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9Ri-ilFUe5yIqx8OBqMaW-VOsM84Mw2J5iZ0pckf429hubF4t05lTzOsesuTgjUE9Le-tkQMq67IUnqOLGsFx2pP1jF_E-6NMNXOqSwwLbNK0qZJ8mkv_QSk66nS4Uz8nurGEnZjjm7oB/s640/screenshot.14.jpg)
- Launching the Drozer client on Santoku Linux:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8VxFDNDBI0sr84ctgqvd6lEtPo3b06Q5syZIctJQNm-pKgVMckxt4FyGBY8zkQoEJTB2D3aBQtMBgL39XyBCtCWw6SRpBa0o7fyiEU0aTdSfHk4TEZX0pA-XmR8mqWvFlVY8pUGjdlauR/s1600/screenshot.13.jpg)
- Running Drozer's info option, the activity APICreds2Activity is detected:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-oyAR_0MUQd1OUpyocHG16aha1hyphenhyphen5EnS0fOmk7mGqCGgMXKDthseSLuHixhiQ7Q_44nKP9p_C8b4XCzTaUmoDMgMVJDS9IEhJpItvKg_gAf0GgEvvj-IPw3LBv_W7ODRz17VlE4YXHYlR/s1600/screenshot.15.jpg)
- Opening the Java source code of the activity APICreds2Activity:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQmzH7aOygeKxti9RugSYWDRRp9VoxA-VUZ_R4mWUVjoG-RZvx8nyJ18sSbglM8akGc9mW1etZDIk4DcbKjl-PxeGwCGbEUQKyh7luYufat5Zh7jzYhGQQZGBLChTXyG3b4Mvcjf-3Vn1I/s1600/screenshot.16.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWrNS0dsQSIO956pkISEp9vPPB-cH1HoFS_ezNtKByTY_XKZRAPeeVSinesbWtOQfbmC715FtyW5q62AoASXwQW-P6Bmd4YJgZUiRg-tAV0Dk-iCZ8mfwM6fPZYW4JBaHEUpooYnJq6Pzc/s1600/screenshot.22.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvsV3s9syqkSQJG0OAd3YeqvzFogod2dh3NvflTGj6IMYJ4H4I3UND28B41cGxSdpE8wgpxWabUj9t9yNAi0glVIh-3xIMFfncswkK-xtuuUbE3NBkAvmQoKOC2CjpzwcReKn5ZlJUo1nw/s1600/screenshot.21.jpg)
- Notice that a boolean is compared to the value "true" and, if it matches, the user is asked to register at a website.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQurFQT95_XAmMdckD25-vnN1M5JcW9SXvbFI8-qCjCcNw-PBY3kasANcOR_r-XaiD-Pw41gyDx5h5EFMmndzwb8ztMUby1xegyLUSXPKOeeTidnHXleHrgzpm0ZPIPe9m-Rv7A9e1uG-t/s1600/screenshot.23.jpg)
- Opening AccessControl2Activity.java for this challenge:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnHA02ZfuOKYoApgeKx_cpCHxY2ezru37BAsgKDE-BhQ41bTOrJMUZ3T-mLoyr1wOgkUwTgBuN6caqIdSSarZhfpYtGxesDilHc4K6Pt6oUN5kpMrTgN4ukXlXXKgjmjk1R_B_mg8o5gbu/s1600/screenshot.18.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-NJtnGO6DNcI6DTK9b7OBZ0NLMc3G63PYgQ5p2VVIHDt8k16641Wpcm-NQKuI2_-SYIXlptLwPIpDcun8IVZoNr24rAcaay4L7OR_GvnMSw72ebAWjOWR7FRwuTteTWTFZwRD8gCnG3JZ/s1600/screenshot.19.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipdAx142L9pxDNv7OC6Yv0fjsJbChc-G6TE7XF7w5vUfy837fBeX1Sot5jCQ7I2MtPhoOOP0efCLZ3WEuT414BxLJrl2nn8QTSY_iXR_jUqmQ5CvHNGTj46S06pzBAUPYFeRhvT0knNRE1/s1600/screenshot.20.jpg)
- So, as mentioned, a boolean controls whether the PIN entered by the user is validated.
- Going through the application's code, a string called check_pin is defined:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaHfvMtO13PzfmzSVoAxOnjxLTjxVmCIFAt9XCYVghiZsSR2XXb15ckZcPxD3P6GB-bfFXEt47GKBmIr5L0IwYU4jGIdjo4Z1lqW972WNrt0yPGy1nBmyQilgLOoNiGxwAEwbJ6-UMdPnm/s1600/screenshot.24.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSMUWliePQjjoCIslc5_7mz1qYOnPAYkNDvA-Aq8xiWmNF5q6L8EyoYIshD5qJ8GtEulOgw_pkxP1HI8RpUMAVVfZ4JJ3_RdNskbcuiL2YCG1baWnb5VINm4aCTGLIodkc8UAHkPjWf8uF/s1600/screenshot.26.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilLp2MK2sriuVp1GjU8xqt5QCwJAN7jbkDVjTBr1C38HRasmZS1lZpeVl2Gc1CpKZUADfivUM4HIc4e437trM62zXeOOEpWgMtlgaZZ3iEP9Q3bZ-KvS1uXv4QYsCJk49LFGgQYWdqHZj1/s1600/screenshot.25.jpg)
- Now, from Drozer, the value of check_pin is changed from "true" to "false" and the intent is started with the Activity Manager in order to bypass the access control protection:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4SkKUb4Ed1vPkOe4s4PTWkNlPORSzc-rW2I0TyNrJqPNef1eo8PVL94q52iqtQx6bHOnkPmIe1qyjEQ9n9yGO3fuhiOVNDXvXEGss4DZ4tTQVRsXr3Z8djcBwh38FJ8j4S2i5Pt3O1KQ6/s1600/screenshot.27.jpg)
- The attack is successful: the API credentials are now displayed without entering any PIN, valid or not:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiehB77uf_h6OwZ4q4KONy0ic99RWFdUfEY8V1npu_VC8UOcGPKq1LcunmAdKIgGZH0XamIMz52krJdKKp1vgHxpcvHCbp3Bh1lpUEZBB2LkRxdf4txNW5FwySKcMt-GjUPAliAPbo0Zfcz/s1600/screenshot.28.jpg)
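The root cause in this challenge is that an exported activity lets its caller decide, through a boolean intent extra, whether the PIN check runs at all. The Java below is an added example written for this write-up, not DIVA's own code: a minimal activity with the same flaw next to a hardened version that keeps the decision inside the app and is not exported. Class, method, extra and preference names are assumed for illustration; the `check_pin` key mirrors the string the write-up found in the app.

```java
// Added example (not DIVA's code). Names are hypothetical; the "check_pin" extra
// key mirrors the string resource found in the write-up.
package example.accesscontrol;

import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.widget.TextView;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CredsActivityExamples {

    static final String EXTRA_CHECK_PIN = "check_pin";

    /**
     * VULNERABLE: reachable from any app through its intent filter, and the
     * caller-supplied extra decides whether access control is applied at all.
     * Manifest (vulnerable):
     *   <activity android:name=".VulnerableCredsActivity">
     *     <intent-filter><action android:name="example.action.VIEW_CREDS" />
     *                    <category android:name="android.intent.category.DEFAULT" />
     *     </intent-filter>
     *   </activity>
     */
    public static class VulnerableCredsActivity extends Activity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            TextView out = new TextView(this);
            setContentView(out);
            // An external caller can pass check_pin=false and skip the prompt:
            // the authorization decision is read from attacker-controlled input.
            boolean checkPin = getIntent().getBooleanExtra(EXTRA_CHECK_PIN, true);
            out.setText(checkPin ? "Register at the website to get a PIN"
                                 : loadCredentials());
        }
    }

    /**
     * HARDENED: not exported, no intent filter, and the gate is derived from
     * app-owned state that the PIN-entry screen sets only after verifying the PIN.
     * Manifest (hardened):
     *   <activity android:name=".HardenedCredsActivity" android:exported="false" />
     */
    public static class HardenedCredsActivity extends Activity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            TextView out = new TextView(this);
            setContentView(out);
            // Nothing in the incoming Intent is consulted for authorization.
            if (!PinSession.isVerified(this)) {
                out.setText("Register at the website to get a PIN");
                finish();
                return;
            }
            out.setText(loadCredentials());
        }
    }

    /** App-private record of whether the user has passed the PIN check. */
    static final class PinSession {
        private static final String PREFS = "pin_session";
        private static final String KEY_VERIFIED = "verified";

        // Called by the PIN-entry activity after pinMatches(...) returns true.
        static void markVerified(Context ctx) {
            ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
               .edit().putBoolean(KEY_VERIFIED, true).apply();
        }

        static boolean isVerified(Context ctx) {
            return ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
                      .getBoolean(KEY_VERIFIED, false);
        }
    }

    /** Constant-time comparison so response timing does not leak PIN prefixes. */
    static boolean pinMatches(String entered, String expected) {
        byte[] a = entered.getBytes(StandardCharsets.UTF_8);
        byte[] b = expected.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // Placeholder for reading the stored third-party credentials (constructed value).
    static String loadCredentials() {
        return "API key: <placeholder-loaded-from-app-storage>";
    }
}
```

Two separate fixes are shown, and both matter: `android:exported="false"` (with the intent filter removed) closes the external entry point that Drozer and the Activity Manager used, while deriving the gate from app-owned state rather than from the Intent means that even an in-app caller cannot turn the check off. The same review applies to every exported component, not only activities: any extra, URI or action that an external caller controls must never be what decides whether protected data is shown.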