From c6570f7c0dc0fc0fabcfb395df1e86f84988a5dc Mon Sep 17 00:00:00 2001 From: StingraySA Date: Thu, 17 Sep 2020 08:36:15 +0200 Subject: [PATCH 1/2] Android Firebase Scanner --- agent/src/android/scanner.ts | 15 ++++++++++++ agent/src/rpc/android.ts | 4 +++ objection/commands/android/scanner.py | 35 +++++++++++++++++++++++++++ objection/console/commands.py | 10 ++++++++ 4 files changed, 64 insertions(+) create mode 100644 agent/src/android/scanner.ts create mode 100644 objection/commands/android/scanner.py diff --git a/agent/src/android/scanner.ts b/agent/src/android/scanner.ts new file mode 100644 index 00000000..d0a87b8d --- /dev/null +++ b/agent/src/android/scanner.ts @@ -0,0 +1,15 @@ +import { wrapJavaPerform, getApplicationContext } from "./lib/libjava"; + +export namespace scanner { + export const getfbdatabase = (): Promise => { + return wrapJavaPerform(() => { + // -- Sample Java + // + // String dburl = (String)getString(R.string.firebase_database_url); + const context = getApplicationContext(); + const myid = context.getResources().getIdentifier("firebase_database_url", "string", context.getPackageName()); + const dburl = context.getString(myid); + return dburl; + }); + } +} \ No newline at end of file diff --git a/agent/src/rpc/android.ts b/agent/src/rpc/android.ts index 7560e75f..fc19bc63 100644 --- a/agent/src/rpc/android.ts +++ b/agent/src/rpc/android.ts @@ -10,6 +10,7 @@ import { sslpinning } from "../android/pinning"; import { root } from "../android/root"; import { androidshell } from "../android/shell"; import { userinterface } from "../android/userinterface"; +import { scanner } from "../android/scanner"; export const android = { // android clipboard @@ -67,6 +68,9 @@ export const android = { androidRootDetectionDisable: () => root.disable(), androidRootDetectionEnable: () => root.enable(), + // android scanner declarations + androidGetFbDatabase: () => scanner.getfbdatabase(), + // android user interface androidUiScreenshot: () => userinterface.screenshot(), androidUiSetFlagSecure: (v: boolean): Promise => userinterface.setFlagSecure(v), diff --git a/objection/commands/android/scanner.py b/objection/commands/android/scanner.py new file mode 100644 index 00000000..9114ee08 --- /dev/null +++ b/objection/commands/android/scanner.py @@ -0,0 +1,35 @@ +import click +import requests + +from objection.state.connection import state_connection + +def firebase(args: list) -> None: + """ + Search for a Firebase Database and check if it's leaking data. + + :param args: + :return: + """ + api = state_connection.get_api() + try: + fbdb = api.android_get_fb_database() + click.secho('Scanning FireBase DB: {0}'.format(fbdb), fg='green') + click.secho('Note: If the DB is exposed, it may take a while to download', fg='red') + response = requests.get(fbdb + '/.json') + if response.status_code == 401: + click.secho('Firebase DB is not leaking data', fg='green') + elif response.status_code == 200: + click.secho('Firebase DB is leaking data!', fg='red') + if len(response.text) < 1000: + click.secho('Size: {:,.0f}'.format(len(response.text)) + "B", fg='red') + elif len(response.text) >= 1000 and len(response.text) < 1000000: + click.secho('Size: {:,.0f}'.format(len(response.text)/float(1<<10)) + "KB", fg='red') + elif len(response.text) >= 1000000: + click.secho('Size: {:,.0f}'.format(len(response.text)/float(1<<20)) + "MB", fg='red') + else: + click.secho('Something weird happened. Please report the issue.', fg='red') + except: + click.secho('Application doesn''t make use of FireBase', fg='red') + + #Now we've got the FireBase URL, lets request some data + diff --git a/objection/console/commands.py b/objection/console/commands.py index 35e2ebb6..6b80abfc 100644 --- a/objection/console/commands.py +++ b/objection/console/commands.py @@ -18,6 +18,7 @@ from ..commands.android import keystore from ..commands.android import pinning as android_pinning from ..commands.android import root +from ..commands.android import scanner as android_scanner from ..commands.ios import binary from ..commands.ios import bundles from ..commands.ios import cookies @@ -277,6 +278,15 @@ 'meta': 'Execute a shell command', 'exec': command.execute }, + 'scanner': { + 'meta': 'Command used to invoke the scanner', + 'commands': { + 'firebase': { + 'meta': 'Scan for leaking firebase DBs', + 'exec': android_scanner.firebase + }, + }, + }, 'hooking': { 'meta': 'Commands used for hooking methods in Android', 'commands': { From 8bd0cf03c44bc74b3d7e0e75bf5d3524d0e86313 Mon Sep 17 00:00:00 2001 From: StingraySA Date: Thu, 17 Sep 2020 14:01:02 +0200 Subject: [PATCH 2/2] Android FCM Scanner --- agent/src/android/scanner.ts | 29 ++++++++++++++++ agent/src/rpc/android.ts | 1 + objection/commands/android/scanner.py | 49 ++++++++++++++++++++++++++- objection/console/commands.py | 4 +++ 4 files changed, 82 insertions(+), 1 deletion(-) diff --git a/agent/src/android/scanner.ts b/agent/src/android/scanner.ts index d0a87b8d..aa614ddb 100644 --- a/agent/src/android/scanner.ts +++ b/agent/src/android/scanner.ts @@ -1,4 +1,6 @@ +import { getNSMainBundle } from "../ios/lib/helpers"; import { wrapJavaPerform, getApplicationContext } from "./lib/libjava"; +import { ArrayList } from "./lib/types"; export namespace scanner { export const getfbdatabase = (): Promise => { @@ -12,4 +14,31 @@ export namespace scanner { return dburl; }); } + export const getapikeys = (): Promise => { + return wrapJavaPerform(() => { + const keynames = [ + "google_maps_geocoder_key", + "notification_server_key", + "server_key", + "com.google.android.geo.API_KEY", + "com.google.android.maps.v2.API_KEY", + "googlePlacesWebApi", + "google_crash_reporting_api_key", + "google_api_key" + ]; + const context = getApplicationContext(); + var keys : string[] = new Array; + var count = 0; + for (var i = 0; i < keynames.length; i++) { + try { + var key = context.getResources().getIdentifier(keynames[i], "string", context.getPackageName()); + keys[count] = context.getString(key); + count++; + } catch (error) { + + } + } + return keys; + }); + } } \ No newline at end of file diff --git a/agent/src/rpc/android.ts b/agent/src/rpc/android.ts index fc19bc63..828f783d 100644 --- a/agent/src/rpc/android.ts +++ b/agent/src/rpc/android.ts @@ -70,6 +70,7 @@ export const android = { // android scanner declarations androidGetFbDatabase: () => scanner.getfbdatabase(), + androidGetApiKeys: () => scanner.getapikeys(), // android user interface androidUiScreenshot: () => userinterface.screenshot(), diff --git a/objection/commands/android/scanner.py b/objection/commands/android/scanner.py index 9114ee08..9337a9bb 100644 --- a/objection/commands/android/scanner.py +++ b/objection/commands/android/scanner.py @@ -1,5 +1,6 @@ import click import requests +import re from objection.state.connection import state_connection @@ -31,5 +32,51 @@ def firebase(args: list) -> None: except: click.secho('Application doesn''t make use of FireBase', fg='red') - #Now we've got the FireBase URL, lets request some data +def apikeys(args: list) -> None: + """ + Search for Firebase Cloud Messaging API Keys. + Ref: https://abss.me/posts/fcm-takeover/ + + :param args: + :return: + """ + api = state_connection.get_api() + output = [] + output = api.android_get_api_keys() + # Firebase Cloud Messaging Web API Key + pattern = r'AIzaSy[0-9A-Za-z_-]{33}' + # Firebase Cloud Messaging Server Key + pattern2 = r'AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}' + + data = '{"registration_ids":["ABC"]}' + + for x in output: + if re.search(pattern2, x): + # Now lets create the request to validate the keys + # If the keys validate, they are server keys and can be used to + # send messages + headers = { + 'Authorization': 'key={0}'.format(x), + 'Content-Type': 'application/json', + } + response = requests.post('https://fcm.googleapis.com/fcm/send', headers=headers, data=data) + if response.status_code == 200: + click.secho('FCM Server Key: {0}'.format(x) + ' - [VALID]', fg='green') + elif response.status_code == 401: + click.secho('FCM Server Key: {0}'.format(x) + ' - [INVALID]', fg='red') + if re.search(pattern, x): + # Now lets create the request to validate the keys + # If the keys validate, they are server keys and can be used to + # send messages + headers = { + 'Authorization': 'key={0}'.format(x), + 'Content-Type': 'application/json', + } + response = requests.post('https://fcm.googleapis.com/fcm/send', headers=headers, data=data) + if response.status_code == 200: + click.secho('Legacy FCM Server Key: {0}'.format(x) + ' - [VALID]', fg='green') + elif response.status_code == 401: + click.secho('Web API Key: {0}'.format(x) + ' - [Nothing to do here]', fg='red') + + diff --git a/objection/console/commands.py b/objection/console/commands.py index 6b80abfc..8ed15572 100644 --- a/objection/console/commands.py +++ b/objection/console/commands.py @@ -285,6 +285,10 @@ 'meta': 'Scan for leaking firebase DBs', 'exec': android_scanner.firebase }, + 'apikeys' : { + 'meta': 'Scan for Firebase Cloud Messaging Keys', + 'exec': android_scanner.apikeys + } }, }, 'hooking': {