Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

UIAutomator2 lets anyone on the network control/view your device! #134

Closed
n0kovo opened this issue Dec 8, 2020 · 18 comments
Closed

UIAutomator2 lets anyone on the network control/view your device! #134

n0kovo opened this issue Dec 8, 2020 · 18 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@n0kovo
Copy link
Contributor

n0kovo commented Dec 8, 2020

I discovered something very concerning just now.

When using uiautomator2, which is what GramAddict is based around, it silently installs the application ATX-Agent on your device, which opens a webserver on TCP port 7912, that lets anyone on the network, with ZERO form of authentication, execute code, install apps, exfiltrate private data etc. on your device and view the screen remotely.

As soon as you're running GramAddict, this webserver is started. This is a HUGE security concern, and should be addressed immediately!

Try it yourself:

  1. Find the Wi-Fi IP address of your device:
    adb shell ip route | awk '{print $9}'
    (NOTE: It is trivial for anyone on the same network to discover your device and the running webserver)

  2. Run GramAddict as ususal.

  3. Using another device on the same network, go to http://[PHONE IP]:7912 in your browser.

This is what you're presented with:
image

image

(censored for my privacy)
image

(Not showing the API page, as it exposes too much personal info. You can view its endpoints and capabilities at the ATX Agent page linked above)

This is extremely worrying!

@philip-ulrich
Copy link
Contributor

Thanks for the heads up on this. In theory this shouldn’t be a problem if you are on your home network, but I do understand the concern. We are looking into this further

@philip-ulrich philip-ulrich changed the title Running GramAddict lets anyone on the network control/view your device! UIAutomator2 lets anyone on the network control/view your device! Dec 8, 2020
@philip-ulrich
Copy link
Contributor

We’ve spoken internally about this. Short term we’re going to add back the ability to use the stock uiautomator (which is slow and terrible) and issue a warning. This should be added back in the next release: v1.2.0.

Long term, we’re going to look into forking uiautomator2 and the agent to add the ability to set a random password via ADB

@n0kovo
Copy link
Contributor Author

n0kovo commented Dec 8, 2020

Problem is, the webserver seems to keep running after quitting GramAddict. If you don't notice that and stop ATX-Agent manually, your device is fully exposed on any network you join subsequently (at least I think this is the case. I will do some more testing ASAP).

Also, you don't always have control over who is connected to your primary network. It could be guests, roommates, or of course, hackers.

As a person working with information security, I am puzzled as to why openatx wouldn't have implemented some sort of authorization. It seems insane to expose your device to the whole network. And the silent installation of ATX-Agent (or any software on the device in use, for that matter) without the user's knowledge, is super sketchy too.

@n0kovo
Copy link
Contributor Author

n0kovo commented Dec 8, 2020

Whoops, didn't see your last reply there. Sounds like a great approach. Thanks for taking this seriously.

@philip-ulrich
Copy link
Contributor

philip-ulrich commented Dec 8, 2020

The agent stops automatically after a few minutes of inactivity. The readme (once you translate it) says security is something on their todo laughably.

Admittedly we didn’t look into the project too much. Insomniac was already using it when we forked and it just worked really well. We have plans in place to address this quickly. Thanks for reporting - we’ll keep this issue open until it’s addressed.

@n0kovo
Copy link
Contributor Author

n0kovo commented Dec 8, 2020

It seems that, on my device at least, the agent keeps running for at least half an hour (haven't tested longer). Even when force killing the app, it restarts and the webserver is still listening.

@philip-ulrich
Copy link
Contributor

I saw the timeout mentioned somewhere in the docs. I don’t have the time to search it out again right now, but I recall it being configurable.

There are two levels of stopping the agent - one is the agent and the other is the server. If you stop both via the android app the server should go away. I think we can do both of those via adb and just force quit it after we finish. It gets auto restarted by the uiautomator2 framework on the next run. If we can, I’ll make sure that gets added to the next update as well.

@philip-ulrich
Copy link
Contributor

So there is a lot to this issue and it's not all going to be fixed with 1.2.0. We'll keep it open for the meanwhile though.

The easy fix would be to firewall the app. The problem though is that the thing running the webserver is actually a subprocess of the minicab app and doesn't appear to show up in the non-rooted firewalls. I think this is at least partially why your killing of the processes didn't remove the server. Best way we found to kill that server is to do adb shell pkill atx-agent and this killed the server. This is now done after instagram is closed (which is the last action of the script before it pauses on repeat or ends). We are still evaluating ways to more properly solve this, but UIA2 is needed for now. The org behind UIA2 is aware it's a security issue, but I'll open an issue to see if we can ask them to resolve it properly. Otherwise - we'll likely have to create a fork of their code which is a whole 'nother issue.

This leads to the conversation of UIA1. UIA1 sucks - bad. Quite a lot of what we've written has been written specific to UIA2 and in general UIA2 works 100x better than UIA1. In fact, when trying to port some of the things specific to UIA2, we end up with more issues in UIA1. In trying to get UIA1 working, it also seems like instagram is able to detect it somehow and tweak their layout to make it break. It sounds fishy, but that's at least part of why #141 exists. We won't be able to likely get v1 of UIA working stable in a reasonable time so we'll likely be releasing 1.2.0 with a half-baked UIA1 implementation while we try to work out the bugs over time. Our main UIA guy has been out and I'm hitting brick walls trying to fix it.

TL;DR: We've made some progress on this, but it's not done and likely won't be done for 1.2.0.

This was referenced Dec 14, 2020
@philip-ulrich philip-ulrich added enhancement New feature or request help wanted Extra attention is needed labels Dec 14, 2020
@n0kovo
Copy link
Contributor Author

n0kovo commented Feb 2, 2021

Any news on this?

I know it would require a huge rewrite, but if fixing openatx/uiautomator2 is not viable, maybe appium could be an alternative.

@itsallmathematics
Copy link

I saw the help-wanted tag on this. I'm new to GramAddict and don't know the codebase super well (nor have I programmed with UIAnimator2 before), but would be happy to help any way that I could. I mostly do software security development work & research.

@n0kovo
Copy link
Contributor Author

n0kovo commented Feb 19, 2021

@itsallmathematics Awesome! I think creating a fork of UiAutomator2 to implement some kind of authentication would be a great strategy in many ways.

@Prisscillia
Copy link

Prisscillia commented Feb 19, 2021

@itsallmathematics @NarkoPolo Just a heads up I was planning on forking this repo and reading through the code base in an attempt at the same thing. Hopefully we can get this fixed together

@Prisscillia
Copy link

https://vuldb.com/?id.170126

"A vulnerability was found in GramAddict up to 1.2.3. It has been rated as critical. Affected by this issue is an unknown code block of the component UIAutomator2/ATX-Agent. Impacted is confidentiality, integrity, and availability."
...
...
...

"There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product."

@itsallmathematics
Copy link

itsallmathematics commented Feb 20, 2021

@itsallmathematics Awesome! I think creating a fork of UiAutomator2 to implement some kind of authentication would be a great strategy in many ways.

also @Prisscillia , so I took a look at https://github.com/openatx/uiautomator2/search?q=atx-agent and it looks like ATX-Agent is in its own repo: https://github.com/openatx/atx-agent . It's implemented in Golang. I don't see anything auth-related in there currently. I also cannot read Chinese which seems to be the docs language. However, I used e.g. https://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=https%3A%2F%2Fgithub.com%2Fopenatx%2Fatx-agent%2F to get a better understanding.

Yes, they mention security issues twice on there actually under "todo." So, looks like we'll need to modify UIAutomator2 to point to the forked ATX-Agent since it seems to use a hardcoded URL to retrieve it IIUC, add an auth layer for when the client connects, so GramAddict can set it as needed. Oh btw, I think vulndb picked it up because I see it has a CVE now.

@philip-ulrich
Copy link
Contributor

Hello! I’ve had other things hit a higher level of priority in my personal so I haven’t had much time to put into this aside from our quick “fix” of killing the agent when not in use.

Honestly forking and maintaining a fork of UIA2 will probably be a lot of work. If something like appium will fit our needs, then it’d prob be worth the effort to port over. We just can’t go back to UIA1... it’s trash.

Everything we need the library to do, is basically in the device facade file so if someone can match everything we are doing to an appium call... and appium works well.. then it could be a good move. It does seem to be a pretty active project (and not Chinese 😂) so that’s a ++

@philip-ulrich
Copy link
Contributor

Btw, if any of you want to become official contributors... we need some folks. 🙂 Happy to discuss further. [email protected]

@mastrolube
Copy link
Contributor

@NarkoPolo openatx/atx-agent#82 I also checked and it's fixed with v1.23.1.
Thanks @philip-ulrich

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request help wanted Extra attention is needed
Projects
None yet
Development

No branches or pull requests

5 participants