Hello all and welcome to the new video of Android Security and Exploitation by Pentester Academy. My name is Aditya and I'm your course instructor for this entire training series. So in the previous video, we had a look at how you can use Drozer to exploit some of the content providers of a vulnerable application. But oftentimes content providers are not exactly vulnerable to the type of vulnerability we saw in the previous video. So there could be different kinds of vulnerabilities in the content providers. That's what we are going to have a look at in this particular video. This is a vulnerability in Adobe Reader, where instead of querying a particular content provider, you can use the vulnerable content provider to perform a Path Traversal attack and read arbitrary files from the file system. Now, one of the interesting exploitation scenarios for this particular vulnerability would be to use the Adobe Reader vulnerability in order to read files from the SD card, which is the external storage. Now the thing to note here is Adobe Reader has the external storage read permission whereas Drozer does not. Now if we can read files from the SD card using Drozer and exploit the content provider of Adobe, then that means Adobe is vulnerable. Now this vulnerability was discovered by Sebastian, and you can also have a look at the blog post to read more about the vulnerability.

So let's jump into the vulnerability. So, I have my Genymotion running over here and this is my Santoku VM... So let me just start up a terminal over here. Right now no devices are connected; connect it to this device. It's now enlisted in my adb devices. So let me just start up Drozer. The first thing I want to do is to find out the package name for Adobe Reader. So I can just do run app.package.list. I can look for Adobe. Here is the package name for Adobe, that's com.adobe.reader. I can now figure out the attack surface and look into what all different components are vulnerable. So you can simply do run app.package.attacksurface and pass in the package name of the application. It says one content provider is exported over here. This means that there is a vulnerable content provider which is exported and we can use it to perform any kind of exploitation of the application. Now if I look at what all different content providers are there using app.provider.finduri, I'll get that particular one content provider. So this is the content provider; basically both of them are the same thing. So I've got one content provider. Now if I proceed in the normal way, like try to query this, I might not get the desired result. So if I try to query using this content provider, I get an unknown error.

Now, this is because this particular content provider is not able to be queried, or it's not like it's attached to some database which can fetch you some information. In this particular scenario, we'll use app.provider.read and try to read from arbitrary files. Before we actually do that, let's first confirm that we have a file on the SD card which we are going to read. So I'll go to mnt/sdcard and I have a secret.txt over here which simply says "this is a secret". Also, let's have a look at the permissions of both, Drozer, which has the package name com.mwr.dz, with -a. So Drozer has the permission android.permission.INTERNET, which means it just has the internet permission and it can't read files from the SD card because it does not have the permission, whereas at the same time if we try to get info about Adobe Reader, we see that it has a read external storage permission. This means Adobe Reader can read files from the SD card whereas Drozer can't. Quite simple. Let's just try to exploit it using the Path Traversal vulnerability. So instead of query, we'll use read. Put in the provider name. Now here, just after the content provider, we have to put in the path of the application. If we try to put in the path mnt/sdcard/secret.txt, it doesn't bring up the expected result.

This is because this particular path is not the correct path, because the com.adobe.reader file provider, the content provider, might be reading from one particular location, and if we try to go into mnt/sdcard, it'll try to go from that particular location instead of from the root of the file system. So all we have to do here is just put in a few directory traversals so that we reach the top of the file system, and from there we go into mnt/sdcard. Then try to read the secret.txt. Awesome. Now, in this way we're able to read the secret.txt which is located in sdcard, and even if Drozer does not have the permission, it can exploit the permissions of Adobe. So this is another kind of exploitation scenario of content providers, and this is something which you might see in a lot of different applications as well. So whenever you look for vulnerabilities in content providers, make sure apart from just checking for query, you also check for the read-based content provider vulnerability. So that's all for this video. If you have any feedback or queries, feel free to reach out to me at adi@attify.com. If you want to do the certifications, you can do it at securitytube-training.com. Thank you.