SSL Pinning Bypass Trick PT1(Copying Burp certificate to CA Directory)

By -

 Hi everyone as you are aware I update this blog when I get stuck in some situation and after multiple attempts if I bypass that situation I write a blog about it.

So today we will be discussing multiple issues which I faced while bypassing SSL pinning in one Application. lets call it 1APP

So 1APP is configured in a way that normal installing burpsuite certificate in Andriod was not working. Running the application with normal burp certificate it was giving error like "java.security.cert.certpathvalidatorexception" webhook etc.

After decompiling the app using online tools or you can use APKTOOL. In "resources\res\xml" directory I checked for "network_security_config.xml" after reviewing the XML file it was clear application is only trusting those certificate which are installed in CA directory of Device.

So it was cleared that we have to copy our certificate to Android CA directory. After alot of searching I came across an awesome article where he explained it very nicely (article Link: https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/)

I will write the article  details here also, incase in future the above article is not available

=================================

Export and convert the Burp CA The first step is to get the Burp CA in the right format. Using Burp Suite, export the CA Certificate in DER format. I saved it as cacert.der



Save the certificate with any name e.g cacert.der

Next we would need openssl for that you can use Kali Linux or if you are using windows you have to install GIT and GIT BASH. 

Android wants the certificate to be in PEM format, and to have the filename equal to the subject_hash_old value appended with .0.

Note: if you are using OpenSSL <1.0, it’s actually just the subject_hash, not the “old” one

Use openssl to convert DER to PEM, then output the subject_hash_old and rename the file:

Run below commands using kali linux or git bash. if you are using kali make sure to copy the cacert.der to kali linux

openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1
mv cacert.pem <hash>.0

The 1st command will change the DER file to PEM file.

second command will give you the hash value (Alpha-number value)

note down the hash value and run the 3rd command make sure to replace <hash> with your hash value

For example, with my certificate:


Next we have to move this <hash>.0 file to Android device. Make sure you know how to connect to your device using ADB Shell. After connecting the device run below command

adb push <cert>.0 /sdcard/

make sure you change <cert> value to the hash value which we noted before

it will copy the certificate to /sdcard/ directory of your device. Next we need to copy this file from sdcard to "/system/etc/security/cacerts/" of android but for that we need to have write access on cacerts directory. which can be achieve using 2 methods. the 1st method worked on my genymotion device but wasnt working on real tablet. so i will share both methods here

1. Method:

adb root
adb remount
mv /sdcard/<cert>.0 /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/<cert>.0
reboot

make sure you change <cert> value to the hash value which we noted before

if remount command gives u error. or MV command gives you error of access denied in that case follow the 2nd method

2. Method

adb shell
su
mount -o rw,remount,rw /
mv /sdcard/<cert>.0 /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/<cert>.0
reboot

make sure you change <cert> value to the hash value which we noted before

After the device reboots, browsing to Settings -> Security -> Trusted Credentials should show the new “Portswigger CA” as a system trusted CA.

Now run the application and we were able to bypass SSL pinning.


Thanks













Comments

Post a Comment

Popular posts from this blog

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

By -
Image
Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef...
Read more

Enjay CRM 1.0 - Multiple code executions via Unrestricted Terminal

By -
Image
  Enjay CRM is a collection which contains the CRM software along with Linux Ubuntu, however normal user don't have access to the underlying OS. Once the OS boots its runs the Enjay CRM software which has multiple read-only options.  However some of these options opens a terminal to perform a specific activity, This terminal is unrestricted and user can access the underlying OS as a ROOT and can run any command on OS. Underlying OS can be accessed using two methods; Also CVEs are assigned to these findings. 1. Using Ping menu (CVE-2024-41308):  it will open a terminal and user can click on File menu -> New Tab/New window. And root level terminal will be open. 2. Using Hardware info (CVE-2024-41309): Once the Hardware info page opens click on Help menu and either select "Open HardInfo Website" or "Report bug", it will open an unrestricted terminal where user can click on File menu -> New Tab/New window. And root level terminal will be open. Both the vulner...
Read more

NetSkope Unauthenticated CSV Injection in Admin UI (CVE-2020-28845)

By -
Image
This post is related to CSV injection in netskope Admin UI (Version 75.0) where an unauthenticated user can inject malicious payload in audit logs of admin portal and once the admin extract and open the report, the malicious payload will be executed. CVE ID : CVE-2020-28845 Test case : The audit logs consist of login attempts which includes username, for test case I have injected a non-malicious payload in username field, this payload was reflecting in audit logs and was executed once we download and open the report. Exploitation :  In below screenshot you can see a sample csv injection payload and a dummy password. To verify if our payload is reflecting in Audit logs of admin portal, we logged-in as an admin and in below screenshot our payload can be seen    Admin of Netskope admin extracted and downloaded the report.  Admin opens the downloaded reported and our payload got executed. This Vulnerability has been fixed now in the latest version of NetSkope and CVE ID ...
Read more