2023-10-06 13:39:08 +00:00
# Kakaotalk 10.3.7 Analysis
- [Setup](#setup)
- [Recon](#recon)
- [Findings](#findings)
## Setup
See [here](SETUP.md).
## Recon
See [here](RECON.md).
## Findings
### TO-DOs
- Find a proxy Activity to start `MyProfileSettingsActivity` -> steal token
- Find a `setResult()` call to access `content://com.kakao.talk.FileProvider`
- Test Secret Chat interception with `mitmproxy` script
  * Use value from `pt` field to compute the nonce
  * Does a warning pop up?
  * What about the master secret?
- Test CFB bit flipping
- Create a `Plus Friend` or `Kakao Business` page or an `Open Chat Room` to deliver malicious JS
- Connect with Sergey Toshin
- Check out https://github.com/oversecured/ovaa
- I can load URLs in `CommerceShopperWebViewActivity` and `KGPopupActivity` -> check for vulns
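The "Test CFB bit flipping" item above refers to the malleability of CFB mode: because `P_i = C_i XOR E_k(C_{i-1})`, XORing a byte of ciphertext block `i` with `old ^ new` changes exactly that byte of plaintext block `i`, at the cost of garbling block `i+1`, while every later block decrypts cleanly. The script below is an added example for this README, not code from the repository or from KakaoTalk; the key, IV and message are constructed, and the block function is a SHA-256 keyed PRF standing in for AES (an assumption that does not change the result, since CFB only ever calls the cipher's forward direction).

```python
import hashlib

BLOCK = 16  # CFB-128: one full cipher block per segment


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block function (assumption: SHA-256 keyed PRF, not AES).

    CFB only uses the encrypt direction of the block cipher, so any
    16-byte keyed PRF reproduces the mode's structure and its malleability.
    """
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # C_i = P_i XOR E_k(C_{i-1}), with C_0 = IV
    out = bytearray()
    prev = iv
    for i in range(0, len(pt), BLOCK):
        chunk = pt[i:i + BLOCK]
        c = xor(chunk, block_encrypt(key, prev))
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # P_i = C_i XOR E_k(C_{i-1}): the keystream for block i depends only on
    # the previous *ciphertext* block, which is what makes bit flipping work.
    out = bytearray()
    prev = iv
    for i in range(0, len(ct), BLOCK):
        chunk = ct[i:i + BLOCK]
        out += xor(chunk, block_encrypt(key, prev))
        prev = chunk
    return bytes(out)


def flip_byte(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Edit ciphertext so plaintext byte `offset` decrypts to `new` instead
    of `old` (the attacker must know or guess the original byte there).
    Side effect: the block after the edited one decrypts to garbage."""
    tampered = bytearray(ct)
    tampered[offset] ^= old[0] ^ new[0]
    return bytes(tampered)


def demo() -> dict:
    # Constructed sample: key, IV and message are made up for this example.
    key = b"k" * 16
    iv = b"\x00" * 16
    pt = b"AMOUNT=0100;TO=alice;NOTE=hello from bob........"  # 3 blocks
    ct = cfb_encrypt(key, iv, pt)
    # Flip the leading digit of AMOUNT (plaintext offset 7) from '0' to '9'.
    tampered = flip_byte(ct, 7, b"0", b"9")
    dec = cfb_decrypt(key, iv, tampered)
    return {
        "original": pt,
        "tampered": dec,
        "block0_modified": dec[:16] == b"AMOUNT=9100;TO=a",  # targeted edit
        "block1_garbled": dec[16:32] != pt[16:32],           # collateral damage
        "block2_intact": dec[32:] == pt[32:],                # later blocks resync
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

When running the real test against Secret Chat, the thing to check is exactly what the "Does a warning pop up?" item asks: a message that carries a MAC over the ciphertext (or uses an AEAD mode) will be rejected after the flip, whereas plain CFB with no integrity check will show the edited first block and a garbled second block to the recipient.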