How to find Android 0day in no time

[co4ie]

Today we are releasing WebContentResolver, an Android assessment tool which allows you to find Content-Provider vulnerabilities in no time. A Content-Provider is one of Androids IPC endpoints; it is commonly used to implement data storage in applications and to offer access to this data to other applications on the device. The Android browser bookmarks or Android contacts list are just two examples for Content-Providers implemented on every Android. Unfortunately these Content-Providers are often riddled with vulnerabilities which allow third party applications or compromised applications to gain access to sensitive data. Regularly we find vulnerabilities, such as directory traversal or SQL injection in providers installed as part of the Android system or by third party applications. As these issues are similar to issues that are commonly found in web applications it would be desirable to test Content-Providers in the same way web applications are tested. This will allow us to leverage the current skill set of web application tester and the currently available tool set for web application testing. This is exactly what WebContentResolver does. This blog post will walk you through an example on how to use WebContentResolver. For this example we use the new Google Galaxy Nexus phone with Android 4.0.

We start by installing the WebContentResolver.apk to the phone or emulator which we like to test. This will create an icon in the Launcher menu, which we start now.

This will start at a local web server listening on port 8080. We can forward this port to a desktop computer using the following command (For this USB debugging needs to be enabled):

./adb forward tcp:8080 tcp:8080

Once this is done we can access the web server from our desktop using the following URL: http://localhost:8080/

This will give us a very brief overview of the implemented methods. First of all we are interested in what content providers are available. We achieve this by browsing to http://localhost:8080/list . The overview we get includes the providers, names and permissions in the following format:

package:	com.android.providers.drm
authority:	drm
exported:	true
readPerm:	null
writePerm:	null
---------------------------------------------

package:	com.android.providers.media
authority:	media
exported:	true
readPerm:	null
writePerm:	null
---------------------------------------------

package:	com.android.providers.settings
authority:	settings
exported:	true
readPerm:	null
writePerm:	android.permission.WRITE_SETTINGS
---------------------------------------------

package:	com.android.providers.telephony
authority:	telephony
exported:	true
readPerm:	null
writePerm:	null

We can now move on to query one of the providers. In our example we choose the settings provider. Pointing the browser at http://localhost:8080/query?a=settings&path0=system will give us the content of the settings table in the Settings provider. Going to http://localhost:8080/query will give us a brief overview of the functionality of the query method.

Going to http://localhost:8080/query?a=settings&path0=system&selName=_id&selId=5 will show us a single row in the table:

Query successful:
Column count: 3
Row count: 1
|	_id	|	name		|	value	
|	5	|	volume_alarm	|	6

And http://localhost:8080/query?a=settings&path0=system&selName=_id&selId=5 will demonstrate the first vulnerability:

Exception: 
android.database.sqlite.SQLiteException: unrecognized token: "')": , while compiling: SELECT * FROM system WHERE (_id=5')
unrecognized token: "')": , while compiling: SELECT * FROM system WHERE (_id=5')

You can now choose to use your favourite web app testing tool, such as sqlmap to assess the provider further and to exploit the vulnerability.

Disclaimer: The use of tools like WebContentResolver will never replace proper audits and reviews of applications.

Sursa