Monday, December 19, 2016
PATH TRAVERSAL VULNERABILITY
- Layout for this exercise:
- Connecting from Santoku to Nexus 5:
- The goal of this exercise is to perform a Path Traversal attack, aiming to access files and directories that are stored outside the root folder.
- By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using complete file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files.
- This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.
- For instance, let's try to read the content of a file, a secret KEY, stored at the SD Card of the mobile device:
- For this exercise, a vulnerable application will be used, by exploiting one of its Content Providers. The adobe.apk is referred to a reported vulnerability about a past Acrobat Reader version, at this moment already patched.
- The attack is based int the fact that the application allows to read files from External Storage, according to the established permissions, as it will be seen later.
- Installing the application into the mobile device.
- Now, let's make sure that Drozer is running at the mobile device:
- Also, let's forward port TCP 31415 so that a connection is established with Drozer between Santoku and Nexus 5:
- Launching Drozer:
- Searching for any package related with Adobe:
- Finding the attack surface for the application, there is a vulnerable Content Provider:
- There is just one Content Provider, so for sure it is the vulnerable one:
- However, querying directly into the Content Provider, the result is unsuccessful:
- Getting some information about the package, an interesting fact is found, because there is a READ_EXTERNAL_STORAGE permission associated to the package:
- Reading the Content Provider using the direct path of the application does not yield any result. The reason is because that path is not the complete path from the root of the file system:
- However, adding some backtrack directory traversals (../../), once the root of the file system is reached, the reading process is successful and the KEY is discovered:
- Let's take into account that Drozer applications does not hold the permission READ_EXTERNAL_STORAGE:
- So, it is important to notice that the attack has been successful due to the vulnerability of the Adobe Reader application, having available the permission READ_EXTERNAL_STORAGE, as seen before. In other words, the Adobe Reader cad read files from the SD card, but Drozer cannot.
Sunday, December 18, 2016
CONTENT PROVIDERS VULNERABILITIES
- Layout for this exercise:
- Connecting from Linux Santoku to the mobile device Nexus 5:
0 - CONTENT PROVIDERS
- The purpose of a Content Provider is to manage access to a central repository of data. An application may have implemented many providers.
- For instance, Content Providers may be used to store data in the databases of the application, and also to query, retrieve or share that information afterwards.
- Content Providers may allow attackers potential leakage of information if proper security controls are not enforced in the application.
1 - PREPARING THE APPLICATION AND WRITING A NOTE EXAMPLE
- For the purpose of illustrating some vulnerabilities associated with Content Providers, in this exercise it will be used the application Catch Notes. It was a very popular application used to take and save notes. Catch Notes was available for Android devices up to recently , until the service was discontinued:
- Installing the application into the mobile device:
- Now, Catch is available at Nexus 5:
- Clicking the application icon:
- Adding a note:
- A private text is written and saved:
- The goal of this exercise will be to reveal the content of the previous note from outside the Nexus 5 mobile device, using Santoku Linux as the attacking platform, and exploiting the application in three different ways.
2 - EXPLOITING WITH DROZER
- Drozer is a security and attack framework for Android, by MWR InfoSecurity:
- In this exercise Drozer will be used to reveal the content of the note, previously entered by the user.
- The main feature of this framework is that using Drozer there is no need of rooting to perform a successful attack.
- Drozer works into a client-server mode, so it must be installed both at the Android device (server) and Santoku (client).
- Downloading the application to Santoku:
- Downloading the Agent.apk to Nexus 5:
- Installing Drozer at Nexus 5:
- Drozer is now running at Nexus 5, working as a service at port 31415:
- From Santoku, port 31415 must be forwarded so that communication with Nexus 5 is enabled over TCP:
- Launching Drozer, a list of available commands is displayed:
- Starting the Drozer console:
- Running the list of all applications installed at the mobile device, the package corresponding to the Catch application is found, with name com.threebanana.notes:
- The app.package.attacksurface option shows some of the possible vector attacks present at the application, two of them related with Content Providers:
- Running the app.provider.finduri the /notes folder is found under .provider.Notepad:
- Querying what is inside the /notes folder, the text entered by the user is found:
- Let's notice that no special permission or privilege has been used to reach the text, meaning that it is actually a vulnerability because there is some leaking data as a result of using Drozer over a Content Provider.
3 - EXPLOITING WITH ADB (ANDROID DEBUG BRIDGE)
- Also, the application can be exploited using directly the ADB debugger for looking up into the internal databases.
- However, in this case the key difference to perform this attack, in comparison with the Drozer's one, is the need of being root. It means that only with root privileges (or the user himself) will be possible to access the inner of the package:
- Searching with ADB into the data directory, inside the package of the applications there is a folder called databases:
- Listing the contents, a note_pad.db is found:
- Opening the note_pad.db Sqlite3 database:
- There are four tables, one of them named notes:
- Selecting all the content from notes, the text is revealed again:
4 - EXPLOITING WITH APKTOOL
- Another way of exploiting the application stems of the analysis of the .apk binary.
- Pulling the .apk binary to Santoku:
- Let's decompile the application with Apktool and see its internal structure:
- As a result of the decompilation, a new folder is created:
- Listing the content of the new folder:
- Grepping with -iRn options (-i=ignoring case sensitive, -R=recursive, -n=numbering the lines) all starting with 'content://' a long list of all Contents Providers used by the application is displayed. However, the Content Provider of interest for us is that including the folder /notes:
- Again, querying what is inside /notes:
- The output shows the text entered by the user: