Suninatas Game 25


We have another Android APK to reverse engineer. Extract and decompile it:

```
❯ file Suninatas25
Suninatas25: Zip archive data, ...

❯ unar Suninatas25
mv Suninatas25 Suninatas25.apk
# Open with jadx
```

The decompiled code reveals the app’s logic:

```java
import android.app.Activity;
import android.content.Intent;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.provider.ContactsContract;

public class Suninatas25 extends Activity {
    // Login form values; how they are populated is elided in the decompile
    CharSequence id;
    CharSequence pw;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Reads the contact named "SuNiNaTaS": its row id, its display name, its number
        String conId = Suninatas25.this.getContacts("id");
        String conName = Suninatas25.this.getContacts("name");
        String conNum = Suninatas25.this.getTel(conId);

        // Constructs the check URL by raw concatenation (no URL-encoding of any value)
        Uri uri = Uri.parse("http://www.suninatas.com/challenge/web25/chk_key.asp?id=" +
            id.toString() + "&pw=" + pw.toString() + "&Name=" + conName.toString() +
            "&Number=" + conNum.toString());
        Intent it = new Intent("android.intent.action.VIEW", uri);
        Suninatas25.this.startActivity(it);
    }

    public String getTel(String Idno) {
        // Retrieves every phone number stored for the given contact ID
        StringBuffer tnum = new StringBuffer();
        Cursor phones = getContentResolver().query(
            ContactsContract.CommonDataKinds.Phone.CONTENT_URI, null,
            "contact_id=" + Idno, null, null);
        while (phones.moveToNext()) {
            String phoneNumber = phones.getString(phones.getColumnIndex("data1"));
            tnum.append(phoneNumber);
        }
        phones.close();
        return tnum.toString();
    }

    public String getContacts(String Sel) {
        // Walks the contact list looking for the display name "SuNiNaTaS";
        // Sel chooses whether the row id or the name is returned
        StringBuffer sb = new StringBuffer();
        Cursor contacts = getContentResolver().query(
            ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
        while (contacts.moveToNext()) {
            String displayName = contacts.getString(contacts.getColumnIndex("display_name"));
            String contactId = contacts.getString(contacts.getColumnIndex("_id"));
            if (displayName.equals("SuNiNaTaS")) {
                if (Sel.equals("id")) {
                    sb.append(contactId);
                } else if (Sel.equals("name")) {
                    // "name" branch reconstructed from the onCreate call; the decompile above elided it
                    sb.append(displayName);
                }
            }
        }
        contacts.close();
        return sb.toString();
    }
}
```

The weakness: the app derives the Name and Number parameters from the device's own contact list, which the user fully controls, and looks for a contact whose display name is exactly SuNiNaTaS. The server then checks values the client supplied, so the request can be satisfied by anyone who adds such a contact, or issued by hand. To exploit it:

  1. Create a test account
  2. Add a contact to the phone with display name SuNiNaTaS and any phone number
  3. Run the app to extract the contact’s phone number
  4. Submit the request with the contact info:

Or directly enter the URL:

```
http://www.suninatas.com/challenge/web25/chk_key.asp?id=testuser&pw=testpass&Name=SuNiNaTaS&Number=1234567890
```

The server verifies the contact information and returns the auth key.
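The decompiled onCreate builds the check URL by plain string concatenation, so whatever is stored in the contact's display name and number lands in the query string unencoded. The script below is an added example, not code from the write-up or from Suninatas: it builds the same URL the app does beside a percent-encoded version, parses each the way a server-side framework would, and runs a constructed model of the server check (`verify_contact`, an assumption; the real chk_key.asp is not on the page). Only the endpoint URL comes from the decompile; the contact values are constructed. It shows why data from a user-controlled source such as the contacts provider must be encoded before it is placed in a URL: with raw concatenation a display name containing `&` or `=` becomes extra parameters and the request turns ambiguous, while the encoded form delivers the name intact and the check rejects it.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint taken from the decompiled app; everything else here is constructed
BASE = "http://www.suninatas.com/challenge/web25/chk_key.asp"


def build_url_concat(user_id, pw, name, number):
    """Mirror of the app's own approach: raw string concatenation, no encoding."""
    return (BASE + "?id=" + user_id + "&pw=" + pw +
            "&Name=" + name + "&Number=" + number)


def build_url_encoded(user_id, pw, name, number):
    """Hardened variant: every value is percent-encoded, so a value can never
    be read as a delimiter or as a second parameter."""
    return BASE + "?" + urlencode(
        {"id": user_id, "pw": pw, "Name": name, "Number": number})


def params_seen_by_server(url):
    """Parse the query the way a server-side framework would. Each key maps to
    the list of values received; more than one value means the request is
    ambiguous and different frameworks will pick different ones."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def verify_contact(params):
    """Assumed model of the server check (hypothetical, not chk_key.asp):
    the first Name value must equal the expected contact name."""
    name = params.get("Name", [""])[0]
    return name == "SuNiNaTaS"


if __name__ == "__main__":
    # Constructed values: an ordinary contact as the write-up describes
    url = build_url_concat("testuser", "testpass", "SuNiNaTaS", "1234567890")
    print(url)
    print(params_seen_by_server(url))

    # Constructed value: a display name that itself contains query syntax.
    # Contacts are user-controlled data, so nothing guarantees a name is free of '&' or '='.
    odd_name = "SuNiNaTaS&Number=0000000000"
    for builder in (build_url_concat, build_url_encoded):
        seen = params_seen_by_server(builder("testuser", "testpass", odd_name, "1234567890"))
        print(builder.__name__, seen, "accepted" if verify_contact(seen) else "rejected")
```

With the concatenating builder the server sees two Number values and a clean-looking Name, so the modelled check passes on an ambiguous request; with `urlencode` the whole odd name arrives as the single Name value and the check fails, which is the behaviour a server should get from a client that encodes its parameters.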

FanTast1c aNdr0id w0r1d!