Hacking iOS Game Center and Passbook with Proxies
Louisville Metro Infosec Conference: October 3, 2013

Who am I?
• Karl Fosaaen
  ‒ Senior Security Consultant at NetSPI
  ‒ Twitter: @kfosaaen

Presentation Overview
• Intercepting iOS Traffic
  ‒ Why and How
  ‒ Tools
  ‒ Certificates
  ‒ Identifying Pinning
• Attack Examples
  ‒ GameCenter Scores
  ‒ GameCenter Hashes
  ‒ Passbook files
• Conclusions

Intercepting traffic: Why
• iOS traffic can be interesting
  ‒ Most apps use web service calls
  ‒ Most apps are web browsers
• Traffic tampering
  ‒ Can you name your own price?
  ‒ Submit a higher score?
• Server responses can be interesting
  ‒ Modify what the server says to trick your app
  ‒ Intercepting files (i.e. Passbook passes)

Intercepting traffic: How
• Use an intercepting proxy
  ‒ Set it up to capture your traffic
  ‒ Store and forward allows for tampering
• SSL interception
  ‒ Requires a trusted certificate
  ‒ Some apps don't trust the iOS trust store
    • This is a good thing, just a pain for interception
• Traffic sniffing
  ‒ Some apps send requests in the clear
  ‒ Packet sniffing can be useful

Intercepting traffic: Tools
• Burp
• iOS simulator
• Other proxies

Intercepting Traffic: Certs
• Exporting the Burp Root CA
  ‒ Save the root cert as PortSwiggerCA.crt
  ‒ Send the cert to yourself via email and add it to your iOS device
  ‒ Instructions from PortSwigger: http://portswigger.net/burp/help/proxy_options_installingCAcert.html#iphone
• Certificate installed on iPhone

Intercepting Traffic: Burp
• Burp set up
• iOS proxy set up
• Intercepted iOS traffic
  ‒ HTTPS request to Google from iPhone

Intercepting Traffic: Burp
• A quick warning…
  ‒ Watch your credentials
    • Exchange ActiveSync sends encoded passwords
    • Your login creds for other apps and sites will get stored in your proxy
  ‒ Mostly watch the
    data getting stored in your proxy
    • You never know when you will need to send your Burp session to someone else

Intercepting Traffic: Certs
• Identifying pinned apps
  ‒ Able to intercept normal browser SSL traffic
  ‒ Can't get app-specific data
  ‒ Pinning might be in use
• The app may also be looking for specific cert parameters
  ‒ This is not pinning
  ‒ It's cert checking

Attack Examples
• GameCenter High Scores
• GameCenter Email Hashes
• Passbook files
  ‒ Boarding Passes
  ‒ Coupons
  ‒ Gift Cards

Attack Examples: GameCenter
• Attacking High Scores
  ‒ GameCenter scores update with HTTPS POST requests
  ‒ No input validation on "score-value" parameter
    • Max score of 9,223,372,036,844,775,807

Attack Examples: GameCenter
• Attack Process
  ‒ Set up intercepting proxy
  ‒ Play a game
    • Beat the first level, or
    • Trigger a score update
  ‒ Intercept the score update
    • Look for "submitScores" page
  ‒ Replace score value with 9,223,372,036,844,775,807

Attack Examples: GameCenter
• Bad News
  ‒ This was fixed in iOS 7
  ‒ There's a token now

Attack Examples: GameCenter
Capturing GameCenter Email Hashes

Attack Examples: GameCenter
• Capturing Email Hashes
  ‒ SHA1 email hashes can be leaked by requesting player information
  ‒ This can be done for current friends and accounts of "friends of friends"
  ‒ What can we do with these?
  ‒ Why would anyone want those?

Attack Examples: GameCenter
• Capturing Email Hashes
  ‒ Step One: Add a bunch of friends
    • Current recommendations, leaderboards, friends of your friends

Attack Examples: GameCenter
• Capturing Email Hashes
  ‒ Step Two: Get a list of all of their friends
    • So "friends of friends"
    • Use Burp for this

Attack Examples: GameCenter
• Capturing Email Hashes
  ‒ Results!
Attack Examples: GameCenter
• Capturing Email Hashes
  ‒ Step Three: Friend request all of them

Attack Examples: GameCenter
• Capturing Email Hashes
  ‒ RETURN to Step One multiple times
  ‒ Step Four: Query the email hashes for all of your friends and all of their friends too
    • This will be done with Intruder in Burp
    • Much like step three – send the request on the next slide to Intruder

Attack Examples: GameCenter
• Next Steps
  ‒ So you have some hashes, so what…
    • You have their handle, first and last names too
  ‒ What's your email address?
    • Common email user names
      • First.last
      • FirstinitialLast
      • Handle/username
      • NameBirthYear (or other "significant" number)
  ‒ Who's your email provider?
    • Gmail, Yahoo, Hotmail, AOL

Attack Examples: GameCenter
• Cracking Email Hashes
  ‒ PowerShell script to guess email user names
    • [email protected]
    • [email protected]
    • [email protected]
    • [email protected]
    • [email protected]
    • [email protected]
  ‒ Append the top 500 email domains to the end and SHA1 the whole thing

Attack Examples: GameCenter
• Cracking Email Hashes
  ‒ PowerShell script to SHA1 hash the guessed emails
    • This was basic, but worked well
  ‒ Use the email guesses as a dictionary for Hashcat
    • The rule set can be customized to make cracking easier

Attack Examples: GameCenter
• Final Numbers:
  ‒ 222 friends added* (as of 9/9/13)
    *Records collection stopped after 45 friends
  ‒ 1,635 records gathered
    • 1,534 after Unicode removal
  ‒ 300 email hashes cracked (19.5%)
• Records Example: 591542B50A99EAA8E41136305075F9FF708F1992 bubblefishgumpop Deb Morgan

Attack Examples: Passbook
Passbook

Attack Examples: Passbook
• Multiple apps are now available with Passbook
• Mostly used to store loyalty cards, coupons, and boarding passes
  ‒ Gift cards are now getting adopted
• Can actually be pretty convenient to use

Attack Examples: Passbook
• Common Application Issues:
  ‒ Failure to securely deliver .pkpass files
    • No HTTPS or certificate pinning
  ‒ Failure to validate
    pass information on backend systems
    • Do you really have $1,000 on that gift card?

Attack Examples: Passbook
• Passes are sent as .pkpass files
  ‒ .pkpass is just a renamed .zip file
  ‒ Required contents:
    • manifest.json
    • pass.json
    • signature
      • A signature file for integrity
      • Prevents file replacement and a re-zip

Attack Examples: Passbook
• Creating your own
  ‒ Join the Apple Developer Program ($99)
  ‒ Modify the pass.json to match your needs
    • The teamIdentifier and passTypeIdentifier fields need to be modified to match your Apple cert
    • Modify the pass details that you want to
  ‒ Use the signpass application (from Apple) to generate the new .pkpass file
  ‒ Can be done in Windows
    • Apple Developer cert is still needed

Attack Examples: Passbook
• Deployment
  ‒ Can be done via email or web server

Attack Examples: Passbook
• Attack overview
  ‒ Set up your intercepting proxy
  ‒ Request a Passbook pass from the app
    • Look for the "Add to Passbook" button
  ‒ Intercept the request for the pass
    • Usually to a third-party site
  ‒ Request and save the pass in your browser
  ‒ Modify your pass
  ‒ Re-sign and use your new and improved pass

Attack Examples: Passbook
• Avoiding issues with cert-pinned apps
  ‒ Open the app without the proxy enabled
  ‒ Get up to the page where you request the pass
  ‒ Switch over to your preferences
    • Turn on the proxy
  ‒ Request the pass

Attack Examples: Passbook
Example Time!
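The two Passbook issues above (a re-zipped pass whose files no longer match manifest.json, and a backend that trusts whatever value the pass carries) can both be caught server-side. The following is an added example, not code from the talk or from Apple: the team ID, pass type ID, the simplified top-level "balance" field and the placeholder signature are all constructed, and checking the PKCS#7 signature against Apple's chain is left to openssl.

```python
import hashlib
import io
import json
import zipfile

REQUIRED = {"manifest.json", "pass.json", "signature"}
# Hypothetical issuer identity and server-side record store (constructed values).
EXPECTED_TEAM = "ABCDE12345"
EXPECTED_PASS_TYPE = "pass.com.example.giftcard"
BACKEND_BALANCES = {"GC-0001": 25}

def build_pkpass(pass_fields, tamper=False):
    """Constructed sample: zip pass.json + manifest.json + a placeholder signature."""
    files = {"pass.json": json.dumps(pass_fields).encode()}
    manifest = {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}
    if tamper:  # edit pass.json after the manifest was computed, as a naive re-zip does
        files["pass.json"] = json.dumps({**pass_fields, "balance": 1000}).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("signature", b"PKCS7-PLACEHOLDER")  # real passes carry a detached PKCS#7 blob
    return buf.getvalue()

def check_pkpass(blob):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        missing = REQUIRED - names
        if missing:
            return [f"missing required file(s): {sorted(missing)}"]
        manifest = json.loads(z.read("manifest.json"))
        # manifest.json maps each bundled file to the SHA1 of its contents
        for name in names - {"manifest.json", "signature"}:
            if manifest.get(name) != hashlib.sha1(z.read(name)).hexdigest():
                findings.append(f"manifest hash mismatch for {name}")
        # The signature covers manifest.json; verify it against the Apple WWDR chain
        # with openssl before trusting anything below.
        pass_json = json.loads(z.read("pass.json"))
    # A pass re-signed with someone else's developer cert carries their identifiers
    if pass_json.get("teamIdentifier") != EXPECTED_TEAM or \
       pass_json.get("passTypeIdentifier") != EXPECTED_PASS_TYPE:
        findings.append("pass was signed for a different team/pass type")
    # Never trust the value printed on the pass; look the record up by serialNumber
    real = BACKEND_BALANCES.get(pass_json.get("serialNumber"))
    if real is None:
        findings.append("unknown serialNumber")
    elif pass_json.get("balance") != real:
        findings.append(f"pass claims balance {pass_json.get('balance')}, backend has {real}")
    return findings
```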
Attack Examples: Passbook
• Delta Boarding Passes
  ‒ One of many Passbook apps, but it's the one that I use the most
  ‒ Main Delta app does not do certificate pinning
  ‒ Request for Passbook pass
  ‒ Extracted pkpass file
  ‒ Extracted Sky Priority pkpass file
  ‒ Modify the pass.json file
  ‒ And include the footer images in the directory
  ‒ Run the signpass utility and email yourself the pass
• Original/Modified Delta Boarding Pass

Conclusions
• Fixes
  ‒ Certificate pinning
  ‒ Better input validation
  ‒ Limiting data leakage from apps
• Questions?

Hacking iOS Game Center and Passbook
• Karl Fosaaen
  ‒ Security Consultant at NetSPI
  ‒ Twitter: @kfosaaen
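The "Better input validation" fix from the conclusions, applied to the GameCenter score-update problem: a submitScores-style handler that bounds "score-value" to what the game can actually produce and ties each update to a one-time token. This is an added example, not Apple's code; the page does not describe Apple's iOS 7 token, so the HMAC-plus-nonce scheme, the server key and the game ceiling here are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical server key and per-game score ceilings (constructed values).
SERVER_KEY = b"constructed-server-secret"
GAME_MAX_SCORE = {"com.example.puzzler": 100_000}
_used_nonces = set()  # in production this lives in a shared store with expiry

def _mac(player_id, game_id, nonce):
    msg = f"{player_id}|{game_id}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_score_token(player_id, game_id):
    """Server hands the client a one-time token before it may post a score update."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_mac(player_id, game_id, nonce)}"

def validate_score_submission(form):
    """Return (accepted, reason) for the parameters of a score-update POST."""
    game_id = form.get("game-id")
    ceiling = GAME_MAX_SCORE.get(game_id)
    if ceiling is None:
        return False, "unknown game"
    raw = form.get("score-value", "")
    if not raw.isdigit():  # rejects "", "-1", "1e9" and anything non-numeric
        return False, "score-value is not a non-negative integer"
    score = int(raw)
    if score > ceiling:  # an int64-sized value is not a plausible game score
        return False, f"score {score} exceeds game ceiling {ceiling}"
    nonce, _, mac = form.get("token", "").partition(".")
    expected = _mac(form.get("player-id"), game_id, nonce)
    if not (nonce and hmac.compare_digest(mac, expected)):
        return False, "bad token"  # forged, or issued to a different player/game
    if nonce in _used_nonces:
        return False, "token replayed"
    _used_nonces.add(nonce)  # each token authorises exactly one update
    return True, "accepted"
```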