From 929677876e963c044015d9cfadce3237233162e7 Mon Sep 17 00:00:00 2001
From: stulle123
Date: Fri, 6 Oct 2023 15:39:08 +0200
Subject: [PATCH] Update write-up

---
 README.md | 206 ++++-----------------------------------
 RECON.md | 8 +-
 SETUP.md | 197 +++++++++++++++++++++++++++++++++++++
 recon/webview/WEBVIEW.md | 1 -
 4 files changed, 219 insertions(+), 193 deletions(-)
 create mode 100644 SETUP.md

diff --git a/README.md b/README.md
index 9f9f48f..31a5762 100644
--- a/README.md
+++ b/README.md
@@ -1,197 +1,29 @@ -# Kakaotalk 10.3.3 Analysis +# Kakaotalk 10.3.7 Analysis - [Setup](#setup) - - [SSH](#ssh) - - [Setup Burp Suite](#configure-emulator-to-work-with-burp-suite) - - [Setup Frida](#setup-frida-to-disable-certificate-pinning) - - [Kakaotalk Login](#kakaotalk-account-setup) - - [Tools to try](#tools-to-play-with) -- [Misc Commands](#misc-commands) -- [Resources](#resources) +- [Recon](#recon) +- [Findings](#findings) ## Setup -Prepare your `~/.bashrc` or `~/.zshrc`: +See [here](SETUP.md). -```bash -JAVA=/usr/local/opt/openjdk/bin -export PATH=$JAVA:$PATH -export ANDROID_HOME=/usr/local/share/android-commandlinetools -export PATH=$PATH:$ANDROID_HOME/emulator -``` +## Recon -Install Android Emulator on a MAC M1: +See [here](RECON.md). -```bash -# Install Homebrew -/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" -# Install Java -brew install openjdk -# Install Android SDK -brew install --cask android-commandlinetools -sdkmanager "emulator" -sdkmanager "platforms;android-30" -sdkmanager "system-images;android-30;google_apis;arm64-v8a" -# Install Platform Tools -brew install android-platform-tools -# Create AVD Image (without Google Play Store) -avdmanager create avd -n kakao -k "system-images;android-30;google_apis;arm64-v8a" -# Start the emulator once and shut it down (this will create the 'config.ini' file) -emulator @kakao -# Configure AVD Image -sed -i -r 's/hw.keyboard = no/hw.keyboard = yes/' ~/.android/avd/kakao.avd/config.ini -sed -i -r 's/hw.mainKeys = yes/hw.mainKeys = no/' ~/.android/avd/kakao.avd/config.ini -``` +## Findings -Install required tools: +### TO-DOs -- Get latest [jadx](https://github.com/skylot/jadx) (or install via `brew`) -- Get [Burp Suite](https://portswigger.net/burp/communitydownload) -- `$ brew install apktool jadx nuclei sqlite db-browser-for-sqlite` -- `$ pip3 install --upgrade frida-tools mitmproxy` -- Install [Kakaotalk for 
Windows](https://app-pc.kakaocdn.net/talk/win32/KakaoTalk_Setup.exe) via [wine and brew](https://wiki.winehq.org/MacOS) - -### SSH - -```bash -# Download Termux from https://github.com/termux/termux-app and install it, e.g.: -adb install termux-app_v0.118.0+github-debug_arm64-v8a.apk -# Install openssh in Termux -pkg upgrade -pkg install openssh -# Set a password for the SSH login in Termux -passwd -# Start SSH in Termux -sshd -# On your host set up redirection through the emulator console -cat ~/.emulator_console_auth_token -telnet localhost 5554 -auth -redir add tcp:4444:8022 -exit -# SSH into the emulator (no need to specify a user name) -ssh -p 4444 localhost -``` - -### Configure Emulator to work with Burp Suite - -- Export Burp's CA certificate in `DER` format -- Next, follow these steps: -```bash -# Convert DER to PEM -openssl x509 -inform DER -in burp_ca_cert.der -out burp_ca_cert.pem -# Get subject_hash_old -openssl x509 -inform PEM -subject_hash_old -in burp_ca_cert.pem | head -1 -# Rename burp_ca_cert.pem to .0 -mv burp_ca_cert.pem 9a5ba57.0 -# Start emulator and copy certificate -emulator @kakao -writable-system -http-proxy 127.0.0.1:8080 -adb root -adb remount -adb push 9a5ba57.0 /system/etc/security/cacerts/ -adb shell "chmod 644 /system/etc/security/cacerts/9a5ba57.0" -adb reboot -``` -**Note**, that you have to start the emulator with `-writable-system`. 
Otherwise, Burp's certificate doesn't show up in Androids's trusted CA store (`Settings` -> `Security` -> `Encryption and credentials` -> `Trusted credentials`) πŸ™ˆ - -### Setup Frida to disable Certificate Pinning - -```bash -# Install Frida -pip3 install frida-tools -# Download frida-server from https://github.com/frida/frida/releases -# **The version of frida-tools and frida-server must match** -wget https://github.com/frida/frida/releases/download/16.0.15/frida-server-16.0.15-android-arm64.xz -O frida-server.xz -unxz frida-server.xz -adb root -adb push frida-server /data/local/tmp/ -adb shell "chmod 755 /data/local/tmp/frida-server" -# Start frida-server (this might hang, but frida-server is started anyways) -adb shell "/data/local/tmp/frida-server &" -# Quick test -frida-ps -U -# Export Burp's CA certificate in DER format and copy to emulator -adb push burp_ca_cert.der /data/local/tmp/cert-der.crt -# Disable Certificate Pinning -frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -U -f com.kakao.talk -``` - -### KakaoTalk Account Setup - -- Grab a trash email account (e.g., from https://ulm-dsl.de/) -- Grab a trash phone number to receive SMS messages (e.g., https://onlinesim.io) - - One phone number per account only -- Open a new Incognito window, go to https://accounts.kakao.com and create an account: -``` -rogerthat -erich.hiller@ulm-dsl.de -kBB5mmmE - -affirmative -artur.ruff@ulm-dsl.de -fMcz2Jtr -``` -- In the KakaoTalk app, login with your email address: - - When prompted add your phone number. You'll receive a SMS with a pin number. - - You may have to send a SMS including a base64 string (e.g., `KakaoTalk HgAAABIwAGgAQGQAAAAAAjEABwAAADE1Mjc2MAAA`) to a KakaoTalk phone number (you won't receive any SMS response back). After that, you need to tap/click the `Check verification` button in the app and the registration process should be completed. 
- -image - -### Tools to play with - -- https://github.com/Ch0pin/medusa -- https://github.com/quark-engine/quark-engine -- Frida scripts - - https://github.com/WithSecureLabs/android-keystore-audit - - https://codeshare.frida.re/@fadeevab/intercept-android-apk-crypto-operations/ - - https://codeshare.frida.re/@dzonerzy/aesinfo/ -- https://github.com/sensepost/objection - - Run: `$ objection -g com.kakao.talk explore` - - `com.kakao.talk on (Android: 9) [usb] # android hooking watch class com.kakao.talk.secret.LocoCipherHelper` (for me this only worked for SDK 28) -- https://github.com/MobSF/Mobile-Security-Framework-MobSF -- https://github.com/JakeWharton/pidcat - - Hint: if only color codes are printed, try this [fix](https://github.com/JakeWharton/pidcat/issues/182) -- Nuclei - - Download Android templates: `git clone https://github.com/optiv/mobile-nuclei-templates` - - Run: `$ echo kakaotalk_apktool_decoded_folder | nuclei -t ~/mobile-nuclei-templates/Android -o nuclei_android_results.txt` - -## Misc Commands - -```bash -# Start KakaoTalk -adb shell am start com.kakao.talk -# Stop KakaoTalk -adb shell am force-stop com.kakao.talk -# Start Termux -adb shell am start com.termux/.HomeActivity -# Launch Settings -adb shell am start -a android.settings.SETTINGS -# List 3rd-party Packages -adb shell pm list packages -f -3 -# Get Activities of an app -PACKAGE=com.termux -adb shell dumpsys package | grep -Eo $(printf "^[[:space:]]+[0-9a-f]+[[:space:]]+%s/[^[:space:]]+" "${PACKAGE}") | grep -oE "[^[:space:]]+$" -# Show current activity -adb shell dumpsys window windows | grep -E 'mCurrentFocus|mFocusedApp|mInputMethodTarget|mSurface' -# Show file system access -adb shell 'am start kakaotalk://main && ps -A | grep -m 1 "kakao" | tr -s " " | cut -d " " -f2 | xargs strace -f -p 2>&1 | grep -i /data' -``` - -Sign an app: -```bash -# Decompile -apktool d -rf my-app.apk -# Generate signing key -keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg 
RSA -keysize 2048 -validity 10000 -# Build APK -apktool b -f -d com.myapp -# Sign APK -jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore com.myapp/dist/com.myapp.apk alias_name -``` - -## Resources - -Third-party Kakaotalk clients: - -- https://github.com/KiwiTalk/KiwiTalk -- https://github.com/jhleekr/kakao.py \ No newline at end of file +- Find a proxy Activity to start `MyProfileSettingsActivity` -> steal token +- Find a `setResult()` call to access `content://com.kakao.talk.FileProvider` +- Test Secret Chat interception with `mitmproxy` script + * Use value from `pt` field to compute the nonce + * Does a warning pop up? + * What about the master secret? +- Test CFB bit flipping +- Create a `Plus Friend` or `Kakao Business` page or an `Open Chat Room` to deliver malicious JS +- Connect with Sergey Toshin +- Check out https://github.com/oversecured/ovaa +- I can load URLs in `CommerceShopperWebViewActivity` and `KGPopupActivity` -> check for vulns \ No newline at end of file diff --git a/RECON.md b/RECON.md index a9584ca..ef02934 100644 --- a/RECON.md +++ b/RECON.md @@ -21,7 +21,7 @@ - [Native Libs](#native-libs) - [Open-Source Libs](#open-source-libs) - [Crypto](#crypto) - - [E2E](#e2e) + - [Secret Chat](#secret-chat) ## Related Work @@ -230,9 +230,7 @@ Many many (exported) `BROWSABLE` Activities. ## WebViews -Cookies are encrypted with the hard-coded passphrase `KaKAOtalkForever`. - -**TO-DO**: Check for interesting [WebViews](./recon/nuclei_android_results.txt). +See [here](./recon/webview/WEBVIEW.md). ## Firebase @@ -455,7 +453,7 @@ Version: 3 ******************************************* ``` -### E2E +### Secret Chat E2E is opt-in only. Most people probably don’t use Secret Chat since `In a secret chatrooom, features including free calling, polls, events and chatroom album are currently not available`. diff --git a/SETUP.md b/SETUP.md new file mode 100644 index 0000000..1d8540f --- /dev/null +++ b/SETUP.md 
@@ -0,0 +1,197 @@ +# Setup + +- [Install Tools](#install-tools) + - [SSH](#ssh) + - [Setup Burp Suite](#configure-emulator-to-work-with-burp-suite) + - [Setup Frida](#setup-frida-to-disable-certificate-pinning) + - [Kakaotalk Login](#kakaotalk-account-setup) + - [Tools to try](#tools-to-play-with) +- [Misc Commands](#misc-commands) +- [Resources](#resources) + +## Install Tools + +Prepare your `~/.bashrc` or `~/.zshrc`: + +```bash +JAVA=/usr/local/opt/openjdk/bin +export PATH=$JAVA:$PATH +export ANDROID_HOME=/usr/local/share/android-commandlinetools +export PATH=$PATH:$ANDROID_HOME/emulator +``` + +Install Android Emulator on a MAC M1: + +```bash +# Install Homebrew +/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" +# Install Java +brew install openjdk +# Install Android SDK +brew install --cask android-commandlinetools +sdkmanager "emulator" +sdkmanager "platforms;android-30" +sdkmanager "system-images;android-30;google_apis;arm64-v8a" +# Install Platform Tools +brew install android-platform-tools +# Create AVD Image (without Google Play Store) +avdmanager create avd -n kakao -k "system-images;android-30;google_apis;arm64-v8a" +# Start the emulator once and shut it down (this will create the 'config.ini' file) +emulator @kakao +# Configure AVD Image +sed -i -r 's/hw.keyboard = no/hw.keyboard = yes/' ~/.android/avd/kakao.avd/config.ini +sed -i -r 's/hw.mainKeys = yes/hw.mainKeys = no/' ~/.android/avd/kakao.avd/config.ini +``` + +Install required tools: + +- Get latest [jadx](https://github.com/skylot/jadx) (or install via `brew`) +- Get [Burp Suite](https://portswigger.net/burp/communitydownload) +- `$ brew install apktool jadx nuclei sqlite db-browser-for-sqlite` +- `$ pip3 install --upgrade frida-tools mitmproxy` +- Install [Kakaotalk for Windows](https://app-pc.kakaocdn.net/talk/win32/KakaoTalk_Setup.exe) via [wine and brew](https://wiki.winehq.org/MacOS) + +### SSH + +```bash +# Download Termux from 
https://github.com/termux/termux-app and install it, e.g.: +adb install termux-app_v0.118.0+github-debug_arm64-v8a.apk +# Install openssh in Termux +pkg upgrade +pkg install openssh +# Set a password for the SSH login in Termux +passwd +# Start SSH in Termux +sshd +# On your host set up redirection through the emulator console +cat ~/.emulator_console_auth_token +telnet localhost 5554 +auth +redir add tcp:4444:8022 +exit +# SSH into the emulator (no need to specify a user name) +ssh -p 4444 localhost +``` + +### Configure Emulator to work with Burp Suite + +- Export Burp's CA certificate in `DER` format +- Next, follow these steps: +```bash +# Convert DER to PEM +openssl x509 -inform DER -in burp_ca_cert.der -out burp_ca_cert.pem +# Get subject_hash_old +openssl x509 -inform PEM -subject_hash_old -in burp_ca_cert.pem | head -1 +# Rename burp_ca_cert.pem to .0 +mv burp_ca_cert.pem 9a5ba57.0 +# Start emulator and copy certificate +emulator @kakao -writable-system -http-proxy 127.0.0.1:8080 +adb root +adb remount +adb push 9a5ba57.0 /system/etc/security/cacerts/ +adb shell "chmod 644 /system/etc/security/cacerts/9a5ba57.0" +adb reboot +``` +**Note**, that you have to start the emulator with `-writable-system`. 
Otherwise, Burp's certificate doesn't show up in Androids's trusted CA store (`Settings` -> `Security` -> `Encryption and credentials` -> `Trusted credentials`) πŸ™ˆ + +### Setup Frida to disable Certificate Pinning + +```bash +# Install Frida +pip3 install frida-tools +# Download frida-server from https://github.com/frida/frida/releases +# **The version of frida-tools and frida-server must match** +wget https://github.com/frida/frida/releases/download/16.0.15/frida-server-16.0.15-android-arm64.xz -O frida-server.xz +unxz frida-server.xz +adb root +adb push frida-server /data/local/tmp/ +adb shell "chmod 755 /data/local/tmp/frida-server" +# Start frida-server (this might hang, but frida-server is started anyways) +adb shell "/data/local/tmp/frida-server &" +# Quick test +frida-ps -U +# Export Burp's CA certificate in DER format and copy to emulator +adb push burp_ca_cert.der /data/local/tmp/cert-der.crt +# Disable Certificate Pinning +frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -U -f com.kakao.talk +``` + +### KakaoTalk Account Setup + +- Grab a trash email account (e.g., from https://ulm-dsl.de/) +- Grab a trash phone number to receive SMS messages (e.g., https://onlinesim.io) + - One phone number per account only +- Open a new Incognito window, go to https://accounts.kakao.com and create an account: +``` +rogerthat +erich.hiller@ulm-dsl.de +kBB5mmmE + +affirmative +artur.ruff@ulm-dsl.de +fMcz2Jtr +``` +- In the KakaoTalk app, login with your email address: + - When prompted add your phone number. You'll receive a SMS with a pin number. + - You may have to send a SMS including a base64 string (e.g., `KakaoTalk HgAAABIwAGgAQGQAAAAAAjEABwAAADE1Mjc2MAAA`) to a KakaoTalk phone number (you won't receive any SMS response back). After that, you need to tap/click the `Check verification` button in the app and the registration process should be completed. 
+ +image + +### Tools to play with + +- https://github.com/Ch0pin/medusa +- https://github.com/quark-engine/quark-engine +- Frida scripts + - https://github.com/WithSecureLabs/android-keystore-audit + - https://codeshare.frida.re/@fadeevab/intercept-android-apk-crypto-operations/ + - https://codeshare.frida.re/@dzonerzy/aesinfo/ +- https://github.com/sensepost/objection + - Run: `$ objection -g com.kakao.talk explore` + - `com.kakao.talk on (Android: 9) [usb] # android hooking watch class com.kakao.talk.secret.LocoCipherHelper` (for me this only worked for SDK 28) +- https://github.com/MobSF/Mobile-Security-Framework-MobSF +- https://github.com/JakeWharton/pidcat + - Hint: if only color codes are printed, try this [fix](https://github.com/JakeWharton/pidcat/issues/182) +- Nuclei + - Download Android templates: `git clone https://github.com/optiv/mobile-nuclei-templates` + - Run: `$ echo kakaotalk_apktool_decoded_folder | nuclei -t ~/mobile-nuclei-templates/Android -o nuclei_android_results.txt` + +## Misc Commands + +```bash +# Start KakaoTalk +adb shell am start com.kakao.talk +# Stop KakaoTalk +adb shell am force-stop com.kakao.talk +# Start Termux +adb shell am start com.termux/.HomeActivity +# Launch Settings +adb shell am start -a android.settings.SETTINGS +# List 3rd-party Packages +adb shell pm list packages -f -3 +# Get Activities of an app +PACKAGE=com.termux +adb shell dumpsys package | grep -Eo $(printf "^[[:space:]]+[0-9a-f]+[[:space:]]+%s/[^[:space:]]+" "${PACKAGE}") | grep -oE "[^[:space:]]+$" +# Show current activity +adb shell dumpsys window windows | grep -E 'mCurrentFocus|mFocusedApp|mInputMethodTarget|mSurface' +# Show file system access +adb shell 'am start kakaotalk://main && ps -A | grep -m 1 "kakao" | tr -s " " | cut -d " " -f2 | xargs strace -f -p 2>&1 | grep -i /data' +``` + +Sign an app: +```bash +# Decompile +apktool d -rf my-app.apk +# Generate signing key +keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg 
RSA -keysize 2048 -validity 10000 +# Build APK +apktool b -f -d com.myapp +# Sign APK +jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore com.myapp/dist/com.myapp.apk alias_name +``` + +## Resources + +Third-party Kakaotalk clients: + +- https://github.com/KiwiTalk/KiwiTalk +- https://github.com/jhleekr/kakao.py \ No newline at end of file diff --git a/recon/webview/WEBVIEW.md b/recon/webview/WEBVIEW.md index c174be3..448f331 100644 --- a/recon/webview/WEBVIEW.md +++ b/recon/webview/WEBVIEW.md @@ -76,7 +76,6 @@ curl -i -s -k -X $'POST' \ --data-binary $'client_id=24b2ff717557a8090279253242652f80&code=pYn2ksN-KH8bIaCHp3OwiM98G5xgdzkEvIgA4HDBhUT-uVcrTXzHiEgp1vA1HrERSESLXQoqJY8AAAGI3iGODg&grant_type=authorization_code&android_key_hash=S2FrYW9JIE1hc3RlciBLZXkg&redirect_uri=kakao24b2ff717557a8090279253242652f80%3A%2F%2Foauth' \ $'https://kauth.kakao.com/oauth/token' ``` -- I can MITM TLS connections. There's just a security warning in KakaoTalk's UI that the user can accept (no need to put a Burp CA cert into Android trusted CA store). - I can start arbitrary components via the `intent:` scheme in `CommerceBuyActivity` (`kakaotalk://buy`) - I can exfiltrate files by sending Intents with `content://` URLs to `MyProfileSettingsActivity`: ```javascript