Saturday, December 24, 2016
ANDROID PT / Backup Vulnerability
BACKUP VULNERABILITY
- Layout for this exercise:
- Connecting Santoku to Nexus 5:
- Backup and restoration processes in some Android applications are vulnerable because the backup contents can be altered and later restored without root privileges.
- Some of these vulnerabilities were discovered and investigated by Chris John Riley and Aditya Gupta.
- In this exercise the Android Backup Extractor (abe) will be used:
https://sourceforge.net/projects/adbextractor/
- Once downloaded to Santoku, let's unzip abe:
- To test the backup vulnerability, the application box.apk will be used:
- Installing box.apk to the mobile device:
- In Settings, a passcode is set:
- From now on, a passcode is needed to access the application after 1 minute of timeout:
- Detecting the name of the package used by the application:
- ADB backs up the application box.apk, creating the new file box.ab; the extension .ab means "android backup":
- The user is prompted to perform the backup at the mobile device:
- The backup process is successful:
- hexdump shows the hexadecimal content of box.ab, checking that it is actually an Android backup:
- It is important to notice that an Android Backup (*.ab) file is actually a compressed tar file, which the Android Backup Extractor can unpack and repack, so unpacking box.ab to box.tar:
- Extracting box.tar with tar, all of its files are displayed:
- Listing the files of box.tar to a file box.list:
- Now, the whole package com.box.android is available to be analyzed:
- Going deeper into the folder structure, down to sp (shared preferences):
- Looking up into apps:
- A hardcoded encrypted pin is found at the file myPreference.xml:
- Opening myPreference.xml, the line with the encrypted pin is detected:
- With the purpose of altering the application, the line corresponding to the encrypted pin is just removed:
- Now, to rebuild the backup once it has been altered, the pax command is used:
- Redirecting the list of files of box.list (altered) to a new file box1.tar:
- The Android Backup Extractor now does the reverse of the earlier process, packing instead of unpacking, and creates the file box1.ab from the altered box1.tar:
- hexdump shows the hexadecimal content of box1.ab, checking that it is actually an Android backup:
- Restoring the backup with ADB:
- The user is prompted to perform the restoration (notice that neither passcode nor pin is requested):
- The restoration of data is eventually successful:
- We can also verify that the alteration is effective by checking that the Settings configuration now says Require passcode = Never, although we previously set a required passcode:
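As an added example (not code from the original post or from abe), the .ab layout that the hexdump and the unpack step rely on, handled directly in Python: a four-line header (magic, format version, compressed flag, encryption) followed by a zlib-compressed tar stream, plus an audit that lists the sensitive-looking shared-preference keys an app exposes through its backup. The sample backup and its myPreference.xml are constructed here; encrypted backups are rejected because they need the backup password.

```python
import io
import re
import tarfile
import zlib
import xml.etree.ElementTree as ET

MAGIC = b"ANDROID BACKUP\n"
SENSITIVE = re.compile(r"pin|pass|token|secret", re.I)
# Constructed sample: one shared-preferences file holding an encrypted PIN.
SAMPLE_PREFS = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="encryptedPin">c2FtcGxlLWNpcGhlcnRleHQ=</string>
    <boolean name="requirePasscode" value="true" />
</map>
"""

def build_ab(entries):
    """Build an unencrypted, zlib-compressed .ab (format v1) from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    # Header lines: magic, format version, compressed flag, encryption algorithm.
    return MAGIC + b"1\n1\nnone\n" + zlib.compress(buf.getvalue())

def parse_ab(blob):
    """Split an .ab file into (version, TarFile): 4-line header, then a compressed tar."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an Android backup")
    version, compressed, encryption, payload = blob[len(MAGIC):].split(b"\n", 3)
    if encryption != b"none":
        raise ValueError("encrypted backup; the backup password is required")
    tar_bytes = zlib.decompress(payload) if compressed == b"1" else payload
    return int(version), tarfile.open(fileobj=io.BytesIO(tar_bytes))

def audit_shared_prefs(blob):
    """Return {pref_file: [keys]} for sensitive-looking keys in the 'sp' XML files."""
    _, tar = parse_ab(blob)
    findings = {}
    for member in tar.getmembers():
        if "/sp/" not in member.name or not member.name.endswith(".xml"):
            continue
        root = ET.fromstring(tar.extractfile(member).read())
        keys = [e.get("name") for e in root if SENSITIVE.search(e.get("name", ""))]
        if keys:
            findings[member.name] = keys
    return findings
SAMPLE_AB = build_ab({"apps/com.box.android/sp/myPreference.xml": SAMPLE_PREFS})
```

The finding an app owner acts on is that such keys are reachable through adb backup at all: setting android:allowBackup="false" in the manifest keeps the app's data out of the backup entirely.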
Friday, December 23, 2016
ANDROID PT / Hooking with AndBug
HOOKING WITH ANDBUG
- Layout for this exercise:
- Connecting Santoku to Nexus 5:
0 - INSECURE BANK
- To illustrate the exercises of this post, the InsecureBank application, written by Dinesh Shetty, will be used.
- InsecureBank is an intentionally vulnerable application used to gain training on different Android platform attacks.
- In this exercise we'll see insecure logging and how to hook the application on the go with the tool AndBug.
- Installing the application from Santoku to Nexus 5, using ADB:
- InsecureBank.apk works in a client/server model: the server runs on Santoku on port 8888 and the client on the mobile device.
- Starting the server on Santoku with the script app.py, located inside the folder AndroLabServer:
- Starting the application at the mobile device:
- Configuring the preferences:
- Serveip is Santoku's IP:
- Listening port for the server is 8080:
1 - INSECURE LOGGING
- Once the application is running, let's detect its PID:
- Logging the application with ADB logcat:
- Introducing the default credentials and signing in:
username: dinesh
password: dines@123$
- logcat immediately reports the login attempt:
- Then, performing a transaction of 1 million dollars from Account 1111 to Account 2222:
- Again, logcat immediately reports the transaction:
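To turn the logcat observation into a repeatable check, here is an added example (not part of the original post) that parses logcat threadtime lines, keeps only the app's PID and flags messages carrying credentials or transfer details. The log lines, the PID 2241 and the message wording are constructed; the real app's log format is not known from the post.

```python
import re

# Constructed logcat lines (threadtime format): the app under test (PID 2241)
# logs the login attempt and a transfer; PID 1337 is unrelated system noise.
SAMPLE_LOGCAT = """\
12-23 10:15:01.100  2241  2241 D InsecureBank: Login attempt username=dinesh password=dines@123$
12-23 10:15:01.250  1337  1340 I ActivityManager: Displayed com.example.bankapp/.LoginActivity
12-23 10:15:07.900  2241  2260 D InsecureBank: dotransfer from=1111 to=2222 amount=1000000
12-23 10:15:08.010  2241  2260 I System.out: transfer ok
"""

THREADTIME = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s(?P<msg>.*)$")

# What must never reach the device log: secrets and transaction details.
LEAK_PATTERNS = {
    "credential": re.compile(r"\b(password|passwd|pwd|pin|token)\s*[=:]", re.I),
    "transaction": re.compile(r"\b(from|to)\s*=\s*\d{4,}\b.*\bamount\s*=", re.I),
}

def find_leaks(logcat_text, pid):
    """Return (timestamp, tag, kind) for every line of `pid` matching a leak pattern."""
    findings = []
    for line in logcat_text.splitlines():
        m = THREADTIME.match(line)
        if not m or int(m["pid"]) != pid:
            continue
        for kind, pattern in LEAK_PATTERNS.items():
            if pattern.search(m["msg"]):
                findings.append((m["ts"], m["tag"], kind))
    return findings
```

Any hit here is a release blocker: logcat is readable by other apps on older Android versions and by anyone with adb access, so the fix is to remove the log statements, not to obfuscate them.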
2 - HOOKING WITH ANDBUG
- Hooking an application is a very useful technique to analyze and understand on the go how applications work.
- AndBug is a wrapper around the Java Debug Wire Protocol (JDWP), which is the protocol used for communication between a debugger and the Java virtual machine (VM) it debugs, called the target VM.
- AndBug allows analyzing the methods and the arguments passed to them while the application is running, by setting trace and hook points on those methods.
- AndBug can be found here:
https://github.com/swdunlop/AndBug
- Once AndBug is downloaded and installed on Santoku (Linux):
- Running setup.py to install it:
- Looking up the PID of the application insecurebank.apk:
- Using the andbug command on the PID, and loading the classes of the application's package:
- Checking which methods are used by the .RestClient class:
- Setting up a hook for the .dotransfer method:
- Performing a transaction with the mobile application:
- When the .dotransfer method is called and its arguments are passed, AndBug remotely displays all the details about the transaction:
Thursday, December 22, 2016
ANDROID PT / Client Side Injection
CLIENT SIDE INJECTION
- Layout for this exercise:
- Connecting Santoku to Nexus 5:
- The goal of this exercise is to inject a crafted SQL query to a database, so that the application yields the contents of the database due to the lack of proper input sanitization.
- Android mobile devices use SQLite as the framework for local database storage, so let's install the application sqliteapp.apk on the mobile device:
- Clicking the icon of the application:
- The user is prompted to register:
- Registering a user:
- The valid user logs in and his private details are displayed:
- With the purpose of bypassing the authentication process, let's decompile the application with jadx and see how the source code is written:
- Running jadx over the application:
- A new directory is created:
- Going to the manifest to see which package is associated with the application:
- Moving through the directory tree to the innermost folder of the package, the Java source code is found:
- Opening the database connector, there is a SQL instruction that takes the credentials (username and password) from the user_records database:
- Now, taking advantage of the lack of input validation and sanitization, let's try an "always true" SQL query.
- This SQL injection is based on the well-known fact that OR yields TRUE whenever one of the operands is 1:
0 OR 0 = 0
0 OR 1 = 1
1 OR 0 = 1
1 OR 1 = 1
- For instance: Joey1'or'1'='1'--
- The SQL injection is successful, because all the details about the user are displayed:
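As an added example (not code from the app or from the post), the post's payload run against a constructed user_records table in SQLite: the concatenated query, written in the form assumed for the decompiled connector, returns every row, while the parameterised version returns none. Table layout, rows and column names are assumptions.

```python
import sqlite3

PAYLOAD = "Joey1'or'1'='1'--"   # the "always true" input from the post

def make_db():
    """Constructed in-memory stand-in for the app's user_records table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_records (username TEXT, password TEXT, details TEXT)")
    db.executemany("INSERT INTO user_records VALUES (?, ?, ?)", [
        ("Joey", "s3cret", "Joey's private details"),
        ("Alice", "hunter2", "Alice's private details"),
    ])
    return db

def build_vulnerable_query(username, password):
    """String concatenation (assumed form of the decompiled connector's SQL)."""
    return ("SELECT username, details FROM user_records WHERE username='"
            + username + "' AND password='" + password + "'")

def login_vulnerable(db, username, password):
    # With PAYLOAD the WHERE clause degenerates to  username='Joey1' or '1'='1'
    # and "--" comments out the password check, so every row matches.
    return db.execute(build_vulnerable_query(username, password)).fetchall()

def login_fixed(db, username, password):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    return db.execute(
        "SELECT username, details FROM user_records WHERE username=? AND password=?",
        (username, password)).fetchall()
```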