[00:00:00] Hello all, and welcome to the new video of the Android Security and Exploitation training series by Pentester Academy. My name is Aditya and I'm your course instructor for this entire training series. You can check out the course at PentesterAcademy.com, and you can also have a look at the certifications at securitytube-training.com.

[00:00:18] So in the previous videos we had a look at some of the vulnerabilities in the different content providers, and also different flaws with the permissions in content providers and these kinds of things. Now, in this case we are going to have a look at an application called Dropbox, which most of you might be familiar with. So in this particular application there was a vulnerability in a content provider, and you could have simply identified the vulnerability just by having a look at the AndroidManifest.xml file. The vulnerability was that even though the content providers were not directly exported, the additional parameters that were set up for protecting the content providers were not secure enough. There's something called path permission, which we'll have a look at later on. So that wasn't properly set. This vulnerability was discovered by Intrepidus Group. They also made a POC application which we'll have a look at in this particular video.
[00:01:18] The first thing we will do is have a look at the dropbox.apk, which is in downloads/training/vulnapps, and here we have dropbox.apk. Let's first of all decompile the dropbox.apk and have a look at its AndroidManifest.xml file. So vi dropbox/AndroidManifest.xml. This is how the AndroidManifest looks, and if you look for provider, you'll see that there is a content provider declared over here. It has the Android authorities, the name of the content provider, and it also has a particular flag called grant-uri-permission.

[00:02:11] Now if you go to the Android documentation and search for "Android grant uri permission", you'll see that it specifies which particular data subsets are allowed to access the content provider. It also has some more attributes like pathPrefix, and if you look at pathPrefix, it says "a path identifying the data subsets that the permission can be granted for". And if you look in the Dropbox manifest file, it has the path prefix set to "/". What this means is they are declaring the content provider and they are trying to protect it using grant-uri-permission and pathPrefix by specifically allowing permissions, but the thing that went wrong was the path prefix being declared as "/". So what slash means is they have granted access to their provider to the entire file system of Android with the "/".
[00:03:19] So anything that this provider interacts with is now accessible to all the applications, or even the entire Android file system in general. What can be done with this? Let's have a look at adb shell and let's go to the Dropbox data directory. Here I'll go to databases, and there's a database called prefs.db. Look in prefs.db. There is an android_metadata table. If you do android_metadata... let's turn on the headers. Once you change the mode to line, select * from android_metadata. Okay, so right now there's nothing. Also there's something called Android account prefs. Let's see what's in there. So this has the entire access key and these kinds of things. There's an email and the other authentication token and these kinds of things.

[00:04:43] If you somehow get access to this particular table and maybe upload this prefs.db to some particular public folder, we'll be able to access it from another system, or an attacker will be able to access it. That means its entire security has been compromised. That's what we are going to do with this particular Dropbox vulnerability. So we have a DropboxVuln application which came along with the POC created by the Intrepidus Group. If you look in the code for this application... in the activity, it simply takes the prefs.db and puts it inside the files to be uploaded. So it takes the prefs.db and tells that this particular file has to be uploaded to the public folder.
[00:05:42] So whenever this DropboxVuln starts, it will add this particular file to the Dropbox queue, and whenever Dropbox starts, it will start uploading this particular prefs.db to its public folder. So let's try to see it in action over here. If I go to Dropbox, in the public folder, it's currently empty. If I try to run DropboxVuln, it simply says Hello world, but now if I go back to Dropbox and open up the public folder, you can see that a file is getting uploaded over here. Once it gets done we will be able to access it from anywhere. So prefs.db got uploaded and it's in the public folder, so it can be accessed from different locations. And this particular SQLite database contains all the different account tokens and the other sensitive information of the user.

[00:06:35] So this is how you can find different kinds of vulnerabilities in content providers, and this was one such particular case study which might be useful for you. That's all for the content provider based vulnerability. I hope you liked the video, and if you have any feedback or queries, feel free to reach out to me at adi@attify.com, or you can also tweet to me @adi1391. Thank you.