Week 9 Flashcards
Exploiting Insecure Content Providers
Android's content providers have historically been insecure and often hold sensitive data (credentials, messages, keys).
Before Android 4.2 (API level 17) content providers were exported by default, so any other app on the device could query them.
Addressed in API level 17, but still relevant if android:minSdkVersion or android:targetSdkVersion is 16 or lower: the provider is then still exported unless android:exported="false" is set explicitly.
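As an added example (not from the original flashcards, drozer or the Sieve app), the script below applies the default-export rule from this card to a manifest and reports, for every provider, whether it ends up exported. The two manifests inside it are constructed for the example and the provider names are placeholders.

```python
"""Added example: compute the effective android:exported value of every
<provider> in an AndroidManifest.xml, using the rule that made pre-API 17
apps vulnerable.

Rule (Android <provider> documentation): when android:exported is absent, the
provider is exported if minSdkVersion or targetSdkVersion is 16 or lower, and
not exported when both are 17 or higher. An explicit attribute always wins.
The two manifests below are constructed for this example, not Sieve's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed: an old-style manifest with no android:exported on one provider.
LEGACY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.legacy">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <application>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.legacy.DBContentProvider"/>
    <provider android:name=".LockedProvider"
              android:authorities="com.example.legacy.LockedProvider"
              android:exported="false"/>
  </application>
</manifest>"""

# Constructed: same providers, but the app targets API 17 and later.
MODERN_MANIFEST = LEGACY_MANIFEST.replace(
    'android:minSdkVersion="8" android:targetSdkVersion="16"',
    'android:minSdkVersion="17" android:targetSdkVersion="19"')


def _attr(elem, name, default=None):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def effective_exported(manifest_xml):
    """Return {provider name: (exported?, reason)} for every <provider>."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        min_sdk, target_sdk = 1, 1          # no <uses-sdk>: oldest platform
    else:
        min_sdk = int(_attr(uses_sdk, "minSdkVersion", 1))
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion", min_sdk))
    legacy_default = min_sdk <= 16 or target_sdk <= 16

    results = {}
    for prov in root.iter("provider"):
        name = _attr(prov, "name")
        explicit = _attr(prov, "exported")
        if explicit is not None:
            results[name] = (explicit.lower() == "true",
                             "explicit android:exported=%s" % explicit)
        elif legacy_default:
            results[name] = (True, "no android:exported and min/targetSdkVersion <= 16: "
                                   "exported by default")
        else:
            results[name] = (False, "no android:exported and both SDK versions >= 17: "
                                    "not exported by default")
    return results


if __name__ == "__main__":
    for label, manifest in (("legacy", LEGACY_MANIFEST), ("modern", MODERN_MANIFEST)):
        for name, (exported, reason) in effective_exported(manifest).items():
            print("%-7s %-20s exported=%-5s %s" % (label, name, exported, reason))
```

Point it at a real manifest pulled from an APK (decoded with apktool, since the binary manifest must be converted to text first) to get the same triage that app.provider.info gives on a device, but from the package alone.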
Unprotected Content Providers
Content providers are often insecure because developers assume they are private to their own app.
Use dz> run app.provider.info -a com.mwr.example.sieve to gather information about the exported content providers in the Sieve app.
Add -u (--unexported) to include content providers that are NOT exported in the listing.
Identifying Content URIs
Use app.provider.finduri module in Drozer to find content URIs.
Output from the module reveals the content URIs in the Sieve app, including unexpected paths such as /Passwords.
Querying Unprotected Content Providers
Querying the /Passwords path in DBContentProvider exposes sensitive data (stored credentials).
Use dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords to retrieve it.
An attacker can also insert or update entries in another app's content provider if it allows writes.
Android 4.1.1 (Jelly Bean) and later include a script at /system/bin/content for interacting with content providers from a shell:
content query --uri content://com.mwr.example.sieve.DBContentProvider/Passwords
Inserting Entries in Unprotected Content Providers
To insert new entries into a content provider, drozer's app.provider.insert module can be used, e.g.:
dz> run app.provider.insert content://com.mwr.example.sieve.DBContentProvider/Passwords --integer _id 3 --string service Facebook --string username tyrone --string password zA76WR9mURDNNEw4T --string email tyrone@gmail.com
SQL Injection in Content Providers
Content providers are often backed by SQLite databases; when the caller-supplied projection or selection strings are concatenated into the SQL, they are susceptible to SQL injection.
The scanner.provider.injection module in drozer can automatically detect SQL injection vulnerabilities in content providers.
Demonstrating a SQL injection attack via the projection parameter:
Method call:
query(Uri.parse("content://settings/system"), new String[] {"* from sqlite_master--"}, null, null, null);
Resulting SQL query: select * from sqlite_master--* from system
Everything after -- is a comment, so what actually runs is select * from sqlite_master, which returns the database schema.
Web Interface Mapping - sqlmap
Content providers can also be mapped to a web interface using drozer's auxiliary.webcontentresolver module, so that web SQL injection tools such as sqlmap can be pointed at them.
dz> run auxiliary.webcontentresolver -p 9999
Then request /query?uri=content://… on the chosen port (9999 here).
SQLi Syntax
The dashes (--) in the SQL injection example start a SQL comment, so the rest of the original query is ignored while the injected fragment still forms a valid query.
Injecting a single quote into the projection parameter instead breaks the query structure and makes SQLite throw a syntax error; that error is the signal that the input is being concatenated into the query.
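As an added example covering both the projection injection shown above and the single-quote probe on this card (not code from the original flashcards, drozer or Android), the following simulates a SQLite-backed provider: build_query() mimics how SQLiteQueryBuilder concatenates projection and selection into the statement, the database and its tables are constructed, probe_injection() does what scanner.provider.injection does in principle, and hardened_query() shows the projection-map defence.

```python
"""Added example: projection-parameter SQL injection against a content
provider backed by SQLite, the single-quote probe used to detect it, and a
projection-map defence. Everything here is constructed for the example: the
in-memory database stands in for the provider's backing store, and
build_query() mimics how SQLiteQueryBuilder pastes caller-controlled
projection and selection strings into the statement.
"""
import sqlite3

SCHEMA = """
CREATE TABLE system (_id INTEGER PRIMARY KEY, name TEXT, value TEXT);
INSERT INTO system (name, value) VALUES ('volume_ring', '5');
CREATE TABLE secret (_id INTEGER PRIMARY KEY, token TEXT);
INSERT INTO secret (token) VALUES ('constructed-secret-token');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query(table, projection, selection=None):
    """Like SQLiteQueryBuilder.buildQueryString: columns joined with commas and
    inserted verbatim, selection appended after WHERE with no escaping."""
    cols = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM %s" % (cols, table)
    if selection:
        sql += " WHERE %s" % selection
    return sql


def vulnerable_query(conn, projection, selection=None):
    """What an unprotected provider's query() effectively executes."""
    sql = build_query("system", projection, selection)
    return sql, conn.execute(sql).fetchall()


def dump_schema(conn):
    """The injection from the flashcard: '* FROM sqlite_master--' as the only
    projection column. The -- comment swallows ' FROM system', so SQLite runs
    SELECT * FROM sqlite_master and returns the whole schema."""
    return vulnerable_query(conn, ["* FROM sqlite_master--"])


def probe_injection(conn):
    """Mimics drozer's scanner.provider.injection: inject a lone single quote
    into the projection and the selection and report which one produces a
    SQL syntax error (a sign the input is concatenated into the statement)."""
    findings = {}
    for param, projection, selection in (("projection", ["'"], None),
                                         ("selection", None, "'")):
        try:
            vulnerable_query(conn, projection, selection)
        except sqlite3.OperationalError as exc:
            findings[param] = str(exc)
    return findings


# Defence: a projection map (SQLiteQueryBuilder.setProjectionMap on Android)
# only lets known column names through; selection uses ? placeholders with
# bound arguments (setStrict(true) on Android additionally validates it).
ALLOWED_COLUMNS = {"_id": "_id", "name": "name", "value": "value"}


def hardened_query(conn, projection, selection=None, selection_args=()):
    cols = []
    for col in projection or list(ALLOWED_COLUMNS):
        if col not in ALLOWED_COLUMNS:
            raise ValueError("Invalid column %r" % col)
        cols.append(ALLOWED_COLUMNS[col])
    sql = "SELECT %s FROM system" % ", ".join(cols)
    if selection:
        sql += " WHERE %s" % selection
    return sql, conn.execute(sql, selection_args).fetchall()


if __name__ == "__main__":
    db = open_db()
    sql, rows = dump_schema(db)
    print(sql)
    for row in rows:
        print("  ", row[0], row[1])
    print("probe:", probe_injection(db))
    print(hardened_query(db, ["name", "value"], "name = ?", ("volume_ring",)))
    try:
        hardened_query(db, ["* FROM sqlite_master--"])
    except ValueError as exc:
        print("hardened provider rejected injection:", exc)
```

The probe deliberately uses a bare single quote rather than a full payload: on a device the same signal shows up as a SQLiteException in the provider's error text, which is what the drozer scanner looks for before anyone writes an exploit.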
Attacking Insecure Services
Started services can be interacted with using the app.service.start module in drozer.
Bound services allow applications to interconnect directly via remote procedure calls (RPCs).
The onBind() method is essential for this; it can be implemented by extending the Binder class, using a Messenger, or using AIDL for IPC.
Security issues may arise depending on the code within the onStartCommand() and onBind() methods.
Parameters (extras) sent with intents to started services might cause unintended actions under certain conditions.
Services, even if not exported, can be started and stopped from a privileged context (e.g. root) using the startservice and stopservice commands of the Android am (Activity Manager) utility.
Unprotected Started Services
If a service is exported (explicitly via android:exported="true", or implicitly because it declares an intent filter), other apps on the device can send it intents.
Started services implement onStartCommand(), which receives the intents sent to them.
Parameters (extras) sent with those intents might cause unintended actions under certain conditions.
Use the app.service.start module in drozer to interact with started services.
Services, like other Android app components, can be started and stopped from a privileged context even if they are not exported.
Achieve this using the startservice and stopservice commands of the Android am (Activity Manager) utility.
Unprotected Bound Services
Bound services allow applications to interconnect directly via remote procedure calls (RPCs).
The onBind() method is essential: it returns the IBinder that clients use for the RPC mechanism.
Implementation options include extending the Binder class, using a Messenger, or using AIDL for IPC.
Extending the Binder class gives the caller access to public methods in the service class, but only works within the same application and process.
Using a Messenger facilitates inter-application messaging (via a Handler) but does not support direct method calls.
Using AIDL enables method calls between applications across the sandbox boundary using IPC.
Custom objects can be transmitted if both client and service have the class code and the class implements the Parcelable protocol.