Saturday, December 31, 2016

ANDROID PT - DIVA / 10 - Access Control Issues 2 - Intent Filter Vulnerability (2)

ACCESS CONTROL ISSUES 2 - INTENT FILTER VULNERABILITY (2)

- Layout for this exercise:

- Connecting from Santoku to Nexus 5 with ADB:

- Launching the application:

- Clicking the tab for challenge 10:

- The application asks the user to register at a website in order to get a PIN that is valid to log in and see some API credentials belonging to a third-party application:

- Using a false PIN, access is denied:

- The goal of this challenge is to access the third-party API credentials from outside the application, without using any PIN.

- Looking at the AndroidManifest.xml, inside the activity for this challenge the intent filter jakhar.aseem.diva.action.VIEW_CREDS2 is defined:

- We could try using the Activity Manager to start the intent filter, but it does not work because it just prompts the user to register:

- However, using Drozer will be a lot more powerful. Setting up the Drozer server on the Nexus 5:

- Launching the Drozer client on Linux Santoku:

- Running the info option, the activity APICreds2Activity is detected:

- Opening the Java source code of the activity APICreds2Activity:

- Notice that a boolean is compared to the value "true", and the user is then asked to register at a website.

- Opening the AccessControl2Activity.java for this challenge:

- So, as mentioned, a boolean is defined to validate the PIN entered by the user.

- Going to the code of the application, a string called check_pin is defined:

- Now, from Drozer the value of check_pin is changed from "true" to "false", and the intent filter is started with Activity Manager in order to bypass the access control protection:

- The result is successful: the API credentials are now displayed without entering any PIN, valid or invalid:

ANDROID PT - DIVA / 9 - Access Control Issues 1 - Intent Filter Vulnerability (1)

ACCESS CONTROL ISSUES 1 - INTENT FILTER VULNERABILITY (1)

- Layout for this exercise:

- Connecting from Santoku to Nexus 5 with ADB:

- Launching the application:

- Clicking the tab for challenge 9:

- The application allows the user to see the API credentials:

- However, the goal of this challenge is to access the API credentials from outside the application, taking advantage of the incorrect validation used in this activity.

- Let's have a look at the Java source code of the activity for this challenge, AccessControl1Activity:

- jakhar.aseem.diva.action.VIEW_CREDS is the intent filter responsible for allowing the credentials to be displayed by the application:

- Opening the Java source code for APICredsActivity.java:

- Also, the AndroidManifest.xml indicates the presence of the mentioned intent filter:
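
As an added audit check, not part of the original post or of DIVA itself: the activities behind jakhar.aseem.diva.action.VIEW_CREDS and VIEW_CREDS2 can be started by Activity Manager or Drozer because an activity that declares an <intent-filter> is exported unless the manifest says android:exported="false". The script below parses a manifest and lists every activity reachable from other apps, which is the line a reviewer should check before relying on any in-app PIN. The sample manifest is constructed for the demo, and the android:exported="false" on APICreds2Activity is hypothetical, showing the fix rather than the real DIVA manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest modelled on the DIVA activities discussed above.
# The android:exported="false" on APICreds2Activity is hypothetical: it shows
# the fix; the real DIVA manifest leaves both activities reachable.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
  <application>
    <activity android:name=".APICredsActivity">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.VIEW_CREDS"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".APICreds2Activity" android:exported="false">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.VIEW_CREDS2"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def exported_activities(manifest_xml: str) -> dict:
    """Map each activity other apps can start to the actions it accepts.
    Reachable means android:exported="true", or an <intent-filter> with no
    android:exported attribute at all (the default before Android 12)."""
    root = ET.fromstring(manifest_xml)
    reachable = {}
    for act in root.iter("activity"):
        name = act.get(f"{{{ANDROID_NS}}}name")
        flag = act.get(f"{{{ANDROID_NS}}}exported")
        has_filter = act.find("intent-filter") is not None
        if flag == "true" or (flag is None and has_filter):
            # Collect the actions an external caller could use, as `am start` does.
            reachable[name] = [a.get(f"{{{ANDROID_NS}}}name")
                               for a in act.iter("action")]
    return reachable


if __name__ == "__main__":
    for name, actions in exported_activities(SAMPLE_MANIFEST).items():
        print(f"{name} is exported; actions: {', '.join(actions) or '(none)'}")
```

Apps targeting Android 12 or later must set android:exported explicitly on components with intent filters, so the missing-attribute case only arises with older targets such as DIVA.
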




- Now, using the Activity Manager tool we can start the intent filter jakhar.aseem.diva.action.VIEW_CREDS from Santoku Linux, without using the DIVA application interface on the Nexus 5 device:

- The result is the application starting by itself and showing the API credentials:

- By the way, as an aside to the previous exercise, Activity Manager can also be used for other tasks, for instance to open a web browser remotely on the mobile device:

ANDROID PT - DIVA / 8 - Input Validation Issues 2 - File Protocol

INPUT VALIDATION ISSUES 2 - FILE PROTOCOL

- Layout for this exercise:

- Connecting from Santoku to Nexus 5 with ADB:

- Launching the application:

- Clicking the tab for challenge 8:

- The application asks for a URL, for instance https://dgmsp.blogspot.com:

- The browser opens the website of this blog, as expected:

- However, this behaviour can be abused to exploit the browser with a protocol other than HTTP, for instance the file protocol, to read the contents of the internal file system, or even data on external storage.

- From a previous exercise, we have some credentials stored at this path:

- Using the file protocol, the uinfo file can be accessed:

- Entering the file path as input, the content of the uinfo file is displayed:

- In the same way, this input validation vulnerability can be used to access data on external storage. For instance, let's say there is a Key file on the SD card:

- Entering the path to the external storage or SD card, the content of the Key file is displayed: