Vulnerable Android App
Okay, so this was a little journey to create the most vulnerable Android app for a competition by Jack Mannino (first prize was Motorola XOOM).
I must say, I've created lots of vulnerable programs in the past as PoCs/research, but they usually had just one or two security bugs, so it was easy to tell whether a bug was the intended one for the research or an accidental one.
In this app there are so many bugs, and we also decided to write it as badly as possible, with as many bad coding habits as we could come up with (like tons of variables used for the same string, or not used at all, etc.), which made it almost impossible to debug and add features to.
What I think we should have done was to create a working application first, and then add the vulnerabilities and make the code as bad as possible.
The app requests more permissions than it uses. Exploiting it will not give root, but it will give very high capabilities: the app's own broad set of granted permissions, which another app would not have requested (and been granted) at installation.
Also, this app can be exploited remotely.
The MoshZuk application (download link below) contains the following vulnerabilities:
- Stack Overflow
- Heap Overflow
- SQL Injection
- Command Injection
- Format Strings
- Double Free
- Directory Traversal
- Race Condition
- Hardcoded Passwords
- Bad code habits
- Overblown permissions
- Bad file permissions
For example, unchecked permissions (or an unchecked sender) may chain into directory traversal, a race condition, a heap (or stack) overflow, or command injection.
Initially only the APK will be released, so you can test it out and use it to find the vulnerabilities in it. After a while we will release some demos and exploitation methods. I hope we will be able to maintain it, adding more vulnerabilities and more ways to exploit it, remotely and locally (possibly via intents, to make it easier).
The app sends messages from one GTalk client to another (you must have two email accounts). A GTalk message is sent to the user, who can respond with a message following the MoshZuk protocol.
What is it for? Sending yourself quick notes that you can read later, either in the log file or in your GTalk history.
Incoming messages follow a protocol whose fields are delimited by ":"; any other message gets a "Not supported in protocol" reply. [HINT: only two ":" are needed per message.]
I could tell you more about it, but I'd prefer that you reverse it and enjoy it more!
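To make the two points above concrete (a colon-delimited note protocol, and an unchecked sender or path field chaining into directory traversal), here is an added example that is not MoshZuk's code and does not reproduce its real protocol. It assumes a hypothetical `note:<filename>:<text>` message shape (two colons, as the hint suggests), a hypothetical trusted-sender list and a constructed temporary notes directory. The vulnerable resolver shows why a raw filename field escapes the notes directory; the hardened handler checks the sender, splits on exactly two colons, and only writes to a path that resolves inside the notes directory.

```python
import os
import tempfile

# Constructed sandbox directory standing in for the app's private notes directory.
NOTES_DIR = tempfile.mkdtemp(prefix="moshzuk_demo_")
# Assumption: only the owner's own account may send notes (the "unchecked sender" fix).
TRUSTED_SENDERS = {"owner@example.com"}


def parse_message(body):
    """Split a 'command:name:text' message on exactly two colons.

    Anything that does not yield three fields is treated the way the post
    describes: it is not supported by the protocol.  Colons inside the text
    field are preserved because split() stops after two separators.
    """
    parts = body.split(":", 2)
    if len(parts) != 3:
        return None
    return tuple(parts)


def resolve_vulnerable(name):
    """What a naive handler does: use the name field as a path as-is.

    os.path.join() discards NOTES_DIR when name is absolute, and '..'
    segments walk out of it, so the caller can pick any file (directory
    traversal).  This function only computes the path; it never writes.
    """
    return os.path.normpath(os.path.join(NOTES_DIR, name))


def resolve_hardened(name):
    """Return the real path for name only if it stays inside NOTES_DIR, else None."""
    root = os.path.realpath(NOTES_DIR)
    candidate = os.path.realpath(os.path.join(NOTES_DIR, name))
    # Reject the directory itself and anything whose common prefix is not the root.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def handle_message(sender, body):
    """Hardened handler: sender allow-list, strict protocol parse, contained path."""
    if sender not in TRUSTED_SENDERS:
        return "Untrusted sender"
    parsed = parse_message(body)
    if parsed is None or parsed[0] != "note":
        return "Not supported in protocol"
    _, name, text = parsed
    path = resolve_hardened(name)
    if path is None:
        return "Rejected path"
    # Append-only write of the note text; no shell is involved, so the text
    # field cannot become a command (the command-injection class on the list).
    with open(path, "a", encoding="utf-8") as f:
        f.write(text + "\n")
    return "ok"


def read_note(name):
    """Read a note back through the same containment check, or None if absent."""
    path = resolve_hardened(name)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as f:
        return f.read()


if __name__ == "__main__":
    print(handle_message("owner@example.com", "note:todo.txt:buy milk"))
    print(handle_message("owner@example.com", "note:../escape.txt:x"))
    print(handle_message("stranger@example.com", "note:todo.txt:x"))
    print(read_note("todo.txt"))
```

The containment check uses `os.path.realpath` on both sides so symlinks inside the notes directory cannot be used to point outside it, which a plain string-prefix comparison on the unresolved path would miss.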
Check logcat for details on debug info!
The MoshZuk APK download is here; I will release the code later on!
The application was developed by Moshe Vered and Itzhak 'Zuk' Avraham. Feel free to hack it as much as possible, and don't forget to write your exploits in the comment section :)