2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article looks at how to analyse vulnerabilities in an e-wallet app. It is written clearly, suits beginners well, and is worth reading; interested readers can follow along with the editor. I hope you get something out of it!
Razer Pay is widely used in Singapore and Malaysia. In this writeup, the author, through APK reverse analysis and Frida debugging, found a vulnerability in how the Razer Pay e-wallet generates the user signature (Signature). It allows other users' chat records to be read, their bound bank accounts to be deleted and their sensitive personal information to be stolen. The vulnerability eventually earned a bounty of nearly $6000 from Razer. Below is the author's approach to finding it, offered for learning and reference only.
Vulnerability background
Razer Inc., a gaming-peripherals company founded in Singapore and nicknamed the "Green Light Factory", has expanded into consumer electronics in recent years. Razer is headquartered in both Singapore and San Diego, USA. It listed on the Hong Kong Stock Exchange in November 2017; its products are aimed at gamers, and most are named after predators. The Razer Pay e-wallet was launched in 2018, and in May 2020 the company began producing surgical masks.
In the request anti-tampering mechanism of the Razer Pay e-wallet, besides auth_token, a signature parameter is used to sign and verify each user's requests. Every GET and POST request to the server carries an encoded signature parameter value together with the user id, as shown below:
As a result, any attempt to tamper with and replay request parameters fails. APK reverse analysis, however, showed a flaw in how the Razer Pay e-wallet generates the user signature (Signature). Combined with Frida analysis, a fresh, valid user signature can be generated automatically, which leads to many IDOR problems.
When I captured the Razer Pay app's network requests with Burp, I found that many parameters could not be tampered with because of the user signature (Signature) protecting each request. So I immediately thought of registering a second Razer Pay user for a paired test, but when I swapped the session payload between the same request from the two users, the request was rejected. The reason is that the session request is protected by the user signature (Signature).
I decided to analyse how the user signature (Signature) is generated. Decompiling with apktool and Jadx-GUI gave me a code-level view of how the app works, and I found a method called "MD5Encode", whose name indicates the MD5 hash algorithm. After combining a few parameter payloads I tried to generate a user signature (Signature), but however I tried I could not produce the correct one. I guessed that the parameter order was wrong, or that a non-standard MD5 variant was in use.
Delete other users' bound bank accounts
Not giving up, I copied out all the code related to signature generation and tried to reproduce it with the IntelliJ IDEA IDE and its debugger. Eventually, in the call to the "MD5Encode" method, I assembled the parameters in the correct order; because of code obfuscation some fine-tuning was still needed, but it was not too difficult. Finally, I inserted the correct parameter values into the previously captured request body and used that code to generate the correct user signature (Signature) string!
(Editor's note: in generating the multiple user signatures below, the user's own token is used as one of the parameters and passed through the MD5Encode method, so different user signatures corresponding to multiple user ids can be produced; in other words, every user signature (Signature) that the Razer server assigns to other users can be generated successfully.)
So my first thought was to test for an insecure direct object reference (IDOR). I chose a fairly sensitive API endpoint, /deleteBankAccount, which deletes the bank account bound to a user, and in a two-account test scenario I was able to delete the bound bank account of another Razer Pay user!
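The root cause described above is that the signature proves only that the caller holds some valid token, not that the caller is authorised for the user or account named in the request. The following Python model is an added example written for this article; it is not Razer Pay code, and the parameter order and canonical form it hashes are assumptions, since the real ones are obfuscated in the APK. It shows a /deleteBankAccount handler that trusts the signed userId beside a hardened handler that derives authorisation from the authenticated session:

```python
import hashlib
import hmac

# Constructed model of the request-signing scheme the writeup describes: the
# app hashes the request parameters together with the user's own auth token.
# The real parameter order and encoding are not given in the article, so this
# canonical form is an assumption for the example.
def canonical(params: dict, token: str) -> str:
    return "&".join(f"{k}={v}" for k, v in params.items()) + f"&token={token}"

def app_signature(params: dict, token: str) -> str:
    """What the (modelled) MD5Encode step produces on the client."""
    return hashlib.md5(canonical(params, token).encode()).hexdigest()

# Constructed server-side state: session table and bank-account ownership.
SESSIONS = {"tok-alice": "1001", "tok-bob": "1002"}       # token -> user id
BANK_ACCOUNTS = {"acct-77": "1001", "acct-88": "1002"}   # account -> owner id

def verify_request(params, signature, token):
    """Shared preamble: resolve the session and check the signature.
    Returns (session user id, None) or (None, error string)."""
    user_id = SESSIONS.get(token)
    if user_id is None:
        return None, "unauthenticated"
    if not hmac.compare_digest(app_signature(params, token), signature):
        return None, "bad signature"
    return user_id, None

def delete_bank_account_vulnerable(params, signature, token, accounts):
    """Trusts the userId carried in the request once the signature checks out.
    The signature only proves the caller holds *a* valid token, so any token
    holder can sign a request naming another user: the IDOR in the article."""
    _, err = verify_request(params, signature, token)
    if err:
        return err
    acct = params.get("accountId")
    if accounts.get(acct) == params.get("userId"):  # claimed identity is trusted
        del accounts[acct]
        return "deleted"
    return "not found"

def delete_bank_account_hardened(params, signature, token, accounts):
    """Authorisation comes from the authenticated session, not the request body:
    the claimed userId must match the session and the account must belong to it."""
    user_id, err = verify_request(params, signature, token)
    if err:
        return err
    acct = params.get("accountId")
    if params.get("userId") != user_id or accounts.get(acct) != user_id:
        return "forbidden"
    del accounts[acct]
    return "deleted"

def cross_user_attempt(handler):
    """Alice's session submits a request naming Bob's account.
    Returns (handler result, whether Bob's account still exists)."""
    accounts = dict(BANK_ACCOUNTS)
    params = {"userId": "1002", "accountId": "acct-88"}
    sig = app_signature(params, "tok-alice")  # Alice knows her own token, so she can sign anything
    result = handler(params, sig, "tok-alice", accounts)
    return result, "acct-88" in accounts

if __name__ == "__main__":
    print("vulnerable:", cross_user_attempt(delete_bank_account_vulnerable))  # ('deleted', False)
    print("hardened:  ", cross_user_attempt(delete_bank_account_hardened))    # ('forbidden', True)
```

The hardened handler still verifies the signature (it remains useful against casual tampering), but the decision about which account may be deleted is made from the session table alone, which is the check the vulnerable version lacked.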
Join chat groups created by other users
At this point I was sure that other Signature-protected API endpoints also had IDOR issues, so I ran a round of tests with the method above, but found nothing. The other API endpoints use different code-obfuscation methods, which cost me a lot of time in study and analysis. With no clue left, I turned to Frida. Frida is a very convenient debugging tool: I can simply use it to hook methods I have identified, and, combined with the MD5Encode method above, once the right e-wallet code package is located those methods can be used to generate new, correct user signatures (Signature).
For example, the following frida.js script generates a new user signature that lets the current user join a chat group created by another user:
// frida.js - recalculate the signature for adding a user to another user's chat group
console.log("Starting...");
Java.perform(function () {
    var MD5 = Java.use('com.mol.molwallet.view.MD5');
    MD5.MD5Encode.implementation = function (arg) {
        console.log("Hooking class MD5 - method MD5Encode");
        // Extra step: calculate the new signature
        var new_signature = this.MD5Encode("groupId=1x9&userIds=95xxx7&token=b6fxxxd3-2xxc-4xxf-bxx7-7fxxxxa6");
        console.log("[+] signature=" + new_signature);
        // Call the method with the original argument so the app doesn't crash
        var ret_value = this.MD5Encode(arg); // original value
        console.log("original ARG: " + arg);
        return ret_value;
    };
});
However, running Frida requires root-level access. Fortunately, I found another server-side vulnerability that allowed an attacker to perform operations from a rooted mobile device. Here are the commands to start the Frida server on the mobile device:
$ adb shell
$ su
# /data/local/tmp/frida-server &
Then, in another terminal window, run:
$ frida -U -l frida.js com.mol.molwallet
Then I open the Razer Pay app on the device; any call to the hooked "MD5Encode" method executes the frida.js script above, and I end up with a valid, correct user signature (Signature) for the specific request. The test case here is that I generate a user signature for myself and use it as the credential to join chat groups created by other users. The impact is that you can join a group without anyone knowing, read other people's chats, or claim red packets (monetary gifts) sent by others.
Other security problems caused by the vulnerability
Using the method above, I tested all other Signature-affected API endpoints and found that the amount of the red packets shared in group chats could be read from them, and that other users' transfer records and personal information could be viewed and modified.
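Every endpoint listed above shares the same pattern: the signature verifies, yet the acting user is not the owner of the resource the request names. On the server side that pattern is visible in access logs, since the session user is known from auth_token independently of the userId or groupId the client sent. The following detector is an added example, not Razer Pay code; the log format, the endpoint names other than /deleteBankAccount, and the group-ownership table are constructed for the illustration:

```python
import re
from collections import Counter

# Constructed sample of an API gateway access log. The format is an assumption
# for this example. Fields: timestamp, session user id (resolved server-side
# from auth_token), endpoint, request parameters, signature check result.
SAMPLE_LOG = """\
2020-05-31T10:00:01Z session_uid=1001 path=/deleteBankAccount params="userId=1001&accountId=acct-77" sig=ok
2020-05-31T10:00:05Z session_uid=1001 path=/deleteBankAccount params="userId=1002&accountId=acct-88" sig=ok
2020-05-31T10:00:09Z session_uid=1001 path=/addGroupMember params="groupId=g-1&userIds=1001" sig=ok
2020-05-31T10:00:12Z session_uid=1001 path=/addGroupMember params="groupId=g-2&userIds=1001" sig=ok
2020-05-31T10:00:15Z session_uid=1003 path=/transferHistory params="userId=1002" sig=ok
2020-05-31T10:00:20Z session_uid=1003 path=/transferHistory params="userId=1003" sig=fail
2020-05-31T10:00:25Z session_uid=1001 path=/deleteBankAccount params="userId=1004&accountId=acct-99" sig=ok
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) session_uid=(?P<uid>\d+) path=(?P<path>\S+) '
    r'params="(?P<params>[^"]*)" sig=(?P<sig>\w+)$'
)

# Endpoints whose request parameter names the user the action applies to
# (constructed; /transferHistory is assumed, /deleteBankAccount is from the article).
SUBJECT_PARAM = {"/deleteBankAccount": "userId", "/transferHistory": "userId"}
# Constructed group ownership table, as the server would hold it.
GROUP_OWNERS = {"g-1": "1002", "g-2": "1001"}

def parse_params(qs: str) -> dict:
    return dict(kv.split("=", 1) for kv in qs.split("&") if "=" in kv)

def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_params(rec["params"])
    return rec

def detect_idor(log_text: str):
    """Return (ts, session_uid, path, reason) for every request whose signature
    verified but whose session user is not the subject or owner of the resource.
    Requests the signature check already rejected are out of scope here."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["sig"] != "ok":
            continue
        uid, path, p = rec["uid"], rec["path"], rec["params"]
        if path in SUBJECT_PARAM:
            subject = p.get(SUBJECT_PARAM[path])
            if subject is not None and subject != uid:
                findings.append((rec["ts"], uid, path,
                                 f"session user {uid} acted on user {subject}"))
        elif path == "/addGroupMember":
            owner = GROUP_OWNERS.get(p.get("groupId"))
            if owner != uid:
                findings.append((rec["ts"], uid, path,
                                 f"session user {uid} modified group owned by {owner}"))
    return findings

def actors_by_count(findings) -> Counter:
    """Which session users generated the mismatches; a useful triage pivot."""
    return Counter(uid for _, uid, _, _ in findings)

if __name__ == "__main__":
    hits = detect_idor(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(actors_by_count(hits))
```

The same comparison that drives this detector is the check the server should have been making inline: when it is only done after the fact in a log pipeline, the deletion has already happened, so the detection is a compensating control rather than a fix.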
© 2024 shulou.com SLNews company. All rights reserved.