Damn Insecure and Vulnerable Application – Part VI

In this post I would continue to solve the challenges that is in the vulnerable application “diva”. In the end of the post you may find a document related to deploying / using of Jadx.

Till now we have discussed about the following things:

  • Android Platform
  • Android Architecture
  • Android Application Architecture
  • Android device virtualisation
  • Connecting to the android device using android debug bridge
  • Using shell commands on the device
  • Installing android application using adb
  • Knowing about the process which is executed when we click to launch the application
  • Getting the logs of the android application
  • Checking for sensitive data in the log
  • Hardcoding issues of developer
  • Insecure data storage in xml file
  • Insecure data storage in SQLite database file
  • Insecure data storage in randomly generated temporary file
  • Insecure data storage in hidden text file
  • Input Validation Issues which leads to SQL injections
  • Input Validation Issues which leads to Local File Inclusion
  • Access control issues can lead to sensitive data exposure
  • Access control issues can help in bypassing of some security / conditions in the code

If you don’t know about the above points, then I would recommend you read the following posts:

  1. Android Platform Architecture
  2. Android Application and it’s Architecture (PPT)
  3. Damn Insecure and Vulnerable Application – Part I
  4. Damn Insecure and Vulnerable Application – Part II
  5. Damn Insecure and Vulnerable Application – Part III
  6. Damn Insecure and Vulnerable Application – Part IV
  7. Damn Insecure and Vulnerable Application – Part V

As we have completed the first eight challenges, so now, let’s move on to the 11th challenge which is “Access Control Issues Part 3”.

Challenge 11

Objective: This is a private notes application. You can create a PIN once and access your notes after entering the correct pin. Now, try to access the private notes from outside the app without knowing the PIN.

Hint: Components of an app can be accessed from other apps or users if they are not properly protected and some may also accept external inputs. Components such as activities, services, content providers are prone to this.

Fig 1 : DIVA Challenge 11

We can see that the above screen is presented when we click for Challenge 11 and it asks to create a 4 digit PIN. Let’s create the PIN.

Fig 2 : DIVA Challenge 11 – PIN created

When you have entered the PIN and clicked the button, you would notice a new button “GO TO PRIVATE NOTES” has popped up. So, let’s click on it.

Fig 3 : DIVA Challenge 11 – Access Notes

After clicking the button, we would see the above screen, that would require a PIN. If we enter the Pin which we had created then,

Fig 4 : DIVA Challenge 11 – Access Notes

We would find the below screen, which contains the private notes. Our goal is to call / find out the notes without requiring the PIN.

Fig 5 : DIVA Challenge 11 – PrivateNotes

As mentioned in the hint, we need to check for improperly protected activities, services and content providers. So, let’s find out the way to access the content of the notes.

Since we have check activities, Let’s try out the exploitations regarding content provider.

Note:- Content provider has a URI scheme to get called by some other application. If the those are not protected then anybody can get the information (in the application), just by calling content provider.

By knowing the above fact, let’s try to find the content URI in the DIVA application. The below code would the desired output easily:-

strings diva-beta.apk | grep “content://”
Fig 6 : DIVA Challenge 11 – Strings

Now to get the information related to the above content provider, we can use the following command:-

adb shell content query --uri content://jakhar.aseem.diva.provider.notesprovider/notes
Fig 7 : DIVA Challenge 11 – ADB Content Query

Yupieeee!!!!!! Mission accomplished!!!!!

Moving on with the next challenge.

Challenge 12

Objective: Find out what is hardcoded and where.

Hint: Developers sometimes will hardcode sensitive information for ease.

Fig 8 : DIVA Challenge 12

In this challenge we need to find the vendor key from the code. So, let’s have a look on the code.

Fig 9 : DIVA Challenge 12 – Jadx

In the above screen, we may see that, an object is been created using the user created class “DivaJni”. Let’s see what is in that class.

Fig 10 : DIVA Challenge 12 – Jadx

In the above figure we can find that, a library is getting called. Now let’s find the library, we might get something from it.

If we start looking into the lib folder ( which was created by apktool kit), then we may find the file with name “libdivajni.so”. If we get all the strings from that file then, we might find something like the below figure.

Fig 11 : DIVA Challenge 12 – Strings

Except the highlighted part, every other word is related to programming. So let’s try to enter the highlighted word in the text field provided by the diva application.

Fig 12 : DIVA Challenge 12

Yooooooo!!!! Access granted !!!!!

Challenge completed….

Let’s get going.

Challenge 13

Objective: This is a Missile Launch App. Spread love not War! DOS the Damm thing! Your objective here is NOT find the code then launch the missiles, rather it is to crash the app (and then find the root cause the crash).

Hint: Improper or no input validation issue arise when the input is not filtered or validated before using it. When developing components that take input from outside, always validate it. This is a classic memory corruption vulnerability.

Fig 13 : DIVA Challenge 13

In this challenge we need to crash the application. The one way to crash the application is buffer overflow attack. Let’s try that.

Before try that attack, lets simply start the adb logcat.

Fig 14 : DIVA Challenge 13 – Logcat

And then try to find the buffer length by entering in the text field provided.

At first I entered one “a”

Fig 15 : DIVA Challenge 13

Then I tried to enter 7 “a”s (No luck)

Then I tried with 30 “a”s. (No luck)

Now I entered, 40 “a’”s.

Fig 16 : DIVA Challenge 13

Yup it worked. Now let’s look into the logs, which might let us find the root cause.

Fig 17 : DIVA Challenge 13 – Logcat

The first highlighted part gives that Fatal error / signal was generated due to with the state of Activity was changed (which can be seen in the second highlighted part). This led to the crash / forced stop of the application.

Mission Accomplished !!!!!

This ends my 6 part post series. I hope you all liked it. 😊

Doc related to Deploying or using of Jadx