Android Enterprise Work Profile Required-App Replacement
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Attack surface
Android Enterprise Work Profiles are provisioned as secondary Android users (BYOD example: user 0 = personal, user 1 = work). Each user has its own /data/user/<id> tree, system apps, Play Services instance and MDM-driven policy objects. When an MDM such as Microsoft Intune marks an app as required for the Work Profile, the Work-Profile Play Store (Finsky) periodically verifies that the package is present and auto-installs it if it is missing.
Even after the patch for CVE-2023-21257, which blocks ADB sideloads when DISALLOW_INSTALL_APPS or DISALLOW_DEBUGGING_FEATURES is set, the following chain lets an attacker replace any Intune-required Work Profile app with arbitrary code:
- Use Android Studio's "Install for all users" path to stage a malicious APK that looks like an update of the managed package.
- Let the MDM notice that the required app is missing. Intune triggers the Work-Profile Finsky instance to reinstall it.
- Finsky compares the version of the staged APK with the Play Store version and silently installs the one with the larger versionCode, bypassing the earlier restrictions.
Reconnaissance and prerequisite checks
- Confirm multi-user layout and user IDs:
adb shell pm list users
# Expect user 0 = Owner, user 1 = Work profile (or higher if multiple profiles exist)
- Direct installs into the work user fail under policy (expected error):
adb install --user 1 legit.apk
# java.lang.SecurityException: Shell does not have permission to access user 1
- Brief physical access to the unlocked BYOD device is required to enable Developer Options + USB debugging.
- Identify the package name of the Work-Profile app that is marked as required (for example com.workday.workdroidapp).
Weaponization: Android Studio multi-user installer
Android Studio's Run/Debug configuration can still push builds with the INSTALL_ALL_USERS flag. Before running, enable Deploy as instant app → Install for all users.
Build a malicious payload with the same package name as the managed app and a much larger versionCode so that PackageManager/Finsky treats it as a newer release:
android {
namespace = "com.workday.workdroidapp"
defaultConfig {
applicationId = "com.workday.workdroidapp"
versionCode = 900000004
versionName = "9000000004.0"
}
}
When Android Studio deploys:
- The personal user (0) installs the malicious package normally.
- The Work Profile user (1) receives the APK in a temporary staging area and tries to process it as an update.
- The CVE-2023-21257 logic sees that the user is restricted → the install is rejected, but the legitimate managed app is marked as deleted and the staged APK remains in the cache.
Intune/Finsky auto-install bypass
Within ~1–10 minutes (the policy refresh interval):
- Intune/Company Portal detects that the required package is missing from the Work Profile.
- The Work-Profile Finsky instance is asked to reinstall it.
- During version resolution Finsky compares:
  - the Play Store metadata for com.workday.workdroidapp;
  - the locally staged APK left over from the previous install attempt.
- Because the local build has the higher versionCode, Finsky trusts it as the latest release and installs it inside the restricted Work Profile without re-running the DISALLOW_INSTALL_APPS/DISALLOW_DEBUGGING_FEATURES checks.
The malicious binary now lives inside the Work Profile under the legitimate package name and is considered compliant by the MDM.
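As an added defender-side example (not code from the original page), the following Python script parses a constructed `dumpsys package` snippet for the required app and flags the traces the chain above leaves behind: a versionCode far above the Play-listed one, a versionName outside the expected scheme, a non-Play installer, or the required app absent from the work user during the reinstall window. The expected versionCode/versionName prefix and the dumpsys field layout are assumptions; pin them to values taken from a known-good device.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `adb shell dumpsys package com.workday.workdroidapp` output.
# Assumption: field names mirror real dumpsys output; values are illustrative, not from a device.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.workday.workdroidapp] (3f9a1c2):
    userId=10234
    versionCode=900000004 minSdk=26 targetSdk=34
    versionName=9000000004.0
    installerPackageName=com.android.vending
    User 0: installed=true hidden=false suspended=false stopped=false
    User 1: installed=true hidden=false suspended=false stopped=false
"""

@dataclass
class PkgInfo:
    version_code: int
    version_name: str
    installer: str
    installed_users: list = field(default_factory=list)

def parse_dumpsys(text: str) -> PkgInfo:
    """Extract the few fields the check needs from dumpsys text."""
    code = int(re.search(r"versionCode=(\d+)", text).group(1))
    name = re.search(r"versionName=(\S+)", text).group(1)
    inst = re.search(r"installerPackageName=(\S+)", text)
    users = [int(u) for u in re.findall(r"User (\d+): installed=true", text)]
    return PkgInfo(code, name, inst.group(1) if inst else "", users)

def assess(info: PkgInfo, expected_code: int, expected_name_prefix: str,
           work_user: int = 1, max_jump: int = 10_000) -> list:
    """Return findings for one required app; an empty list means nothing suspicious.
    expected_code / expected_name_prefix come from a known-good device (assumed values)."""
    findings = []
    if work_user not in info.installed_users:
        findings.append(f"required app absent from user {work_user}: reinstall window open")
    # The chain depends on a versionCode far above anything Play has published.
    if info.version_code > expected_code + max_jump:
        findings.append(f"versionCode {info.version_code} implausibly above expected {expected_code}")
    if not info.version_name.startswith(expected_name_prefix):
        findings.append(f"versionName {info.version_name!r} outside expected scheme")
    if info.installer and info.installer != "com.android.vending":
        findings.append(f"installer {info.installer} is not the Play Store")
    return findings

if __name__ == "__main__":
    for line in assess(parse_dumpsys(SAMPLE_DUMPSYS), 20240512, "2024."):
        print("ALERT:", line)
```

Run it against `adb shell dumpsys package <pkg>` output for each Intune-required package on a suspect device; the sample above produces two alerts.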
Post-exploitation opportunities
- Work-profile data access – other corporate apps keep trusting Intents/content providers bound to the replaced package, allowing theft of internal data and covert exfiltration from the Work Profile to attacker infrastructure.
- Per-app VPN hijack – if the replaced package is assigned to an Intune per-app VPN (MS Tunnel + Defender), the malicious build automatically receives the VPN profile, giving direct access to internal hosts from an attacker-controlled process.
- Persistence – because the MDM now believes the required app is installed, it will reinstall the malicious build every time the user or an admin removes it, providing a long-lived foothold on BYOD Work Profiles.