ACCESS CONTROL ISSUES 2 - INTENT FILTER VULNERABILITY (2)
- Layout for this exercise:
- Connecting from Santoku to Nexus 5 with ADB:
- Launching the application:
- Clicking the tab for challenge 10:
- The application asks the user to register at a website in order to obtain a PIN, which is required to log in and view the API credentials of a third-party application:
- Using a wrong PIN, access is denied:
- The goal of this challenge is to access the third-party API credentials from outside the application, without using any PIN.
- Looking at the AndroidManifest.xml, the activity for this challenge defines the intent filter jakhar.aseem.diva.action.VIEW_CREDS2:
- We could try starting the activity through its intent filter with the Activity Manager, but on its own that does not work, because the activity just prompts the user to register:
- However, Drozer is a lot more powerful here. Setting up the Drozer server on the Nexus 5:
- Launching the Drozer client on Santoku Linux:
- Running the info option, the activity APICreds2Activity is detected:
- Opening the Java source code of the activity APICreds2Activity:
- It is noticeable that a boolean is compared to the value "true", and when it matches the user is asked to register at a website instead of being shown the credentials.
- Opening the AccessControl2Activity.java for this challenge:
- So, as mentioned, a boolean is defined to indicate whether the PIN entered by the user must be validated.
- Looking further into the application's code, a string called check_pin is defined; it is the name of the extra that carries this boolean:
- Now, from Drozer the value of the check_pin extra is changed from "true" to "false" and the intent filter is started, as with the Activity Manager before, in order to bypass the access control protection:
- The result is successful: the API credentials are now displayed to the user without entering any PIN at all, valid or invalid:
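- The root cause is that an exported activity takes an authorization decision from data supplied by whoever starts it. The following Java snippet is an added illustration and is not DIVA's own source: it shows the vulnerable pattern described above next to a hardened version that ignores the extra and consults state the app itself wrote after a real PIN check. Only the activity name APICreds2Activity and the extra name check_pin come from the write-up; the package, preference file, key and helper names are assumptions.

```java
// Added example (not DIVA's code). Package, preference names and helpers are assumed.
package com.example.accesscontrol;

import android.app.Activity;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.Bundle;
import android.widget.TextView;

public class APICreds2Activity extends Activity {

    static final String EXTRA_CHECK_PIN = "check_pin";  // extra name seen in the write-up
    static final String PREFS = "creds_prefs";          // assumed preference file
    static final String KEY_REGISTERED = "registered";  // assumed key, written only after a valid PIN

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        TextView out = new TextView(this);
        setContentView(out);
        // The hardened decision is used; the vulnerable one is kept for comparison only.
        out.setText(hardened() ? credentials() : "Please register to obtain a PIN");
    }

    // VULNERABLE: the caller of the Intent controls 'check_pin'. Because the activity
    // is reachable through an intent filter, any app (or a Drozer / adb user) can start
    // it with check_pin=false and the PIN prompt is skipped entirely.
    boolean vulnerable(Intent i) {
        boolean mustCheckPin = i.getBooleanExtra(EXTRA_CHECK_PIN, true);
        return !mustCheckPin;  // "no check needed" is believed without any proof
    }

    // HARDENED: never derive an authorization decision from Intent data an external
    // caller can set. Read state that only this app writes (MODE_PRIVATE) and that is
    // set only after the registration flow actually validated the PIN. The Intent
    // extras are not consulted at all.
    boolean hardened() {
        SharedPreferences p = getSharedPreferences(PREFS, MODE_PRIVATE);
        return p.getBoolean(KEY_REGISTERED, false);
    }

    // Called by the (assumed) registration flow once the PIN has been verified.
    static void markRegistered(SharedPreferences p) {
        p.edit().putBoolean(KEY_REGISTERED, true).apply();
    }

    private String credentials() {
        // Placeholder; the real app would load the third-party API credentials here.
        return "<third-party API credentials>";
    }
}
```

- The code fix is only half of the mitigation: if the activity is used solely from inside the app, it should also be declared with android:exported="false" and without an intent filter in the AndroidManifest.xml, so it cannot be started from outside at all. A check such as Drozer's activity info listing, run against the hardened build, should then no longer show APICreds2Activity as an exported component.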