If you are here for the URL's, go all the way to the bottom; you can find them there along with the instructions to play, noooob! This is an assessment writeup, so it will be LONG and in-depth. These writeups are written only after a patch has been released, or else some of the information is not disclosed to you; use it only for educational purposes.
Before we get into details, there are a few things to consider:
- No permanent damage is done to the platform code or to the servers.
- This vulnerability is already patched, or it is not revealed here.
- This is not a DDoS attack, and I recommend you not do one either.
- This writeup doesn't provide step-by-step instructions to hack anything but gives you the basic idea behind the approach.
- Last but not least, this is only for educational purposes.
Approach
This time the approach would be different, because it's the first time I've encountered a generic STB (Set-Top Box) powered by Android. Now let's see what we can do! My initial plan (this may change):
- Play with the built-in settings and collect any dev (i.e. technical) info which can be useful for doing some naughty stuff.
- It's basically Android. How do I know? Because of the UI, and do you think they are going to develop a new OS like LG's webOS? It's BS! So, let's find a way to extract the APKs from the STB. Hmm! Possible, I think.
- It's also an IPTV, and obviously it uses IP addresses to stream through TCP (if they are dumb!) or UDP. If we can get the channel-specific URL's, you can watch free TV from anywhere and from any device. We have to somehow capture the data without disassembling the STB (because my mom warned me not to).
Tech fact: Typically, live video-streaming appliances are not designed with TCP streaming in mind. If you use TCP, the OS must buffer the unacknowledged segments for every client. This is undesirable, particularly in the case of live events; presumably, your list of simultaneous clients is long due to the singularity of the event. Pre-recorded video-casts typically don't have as much of a problem with this because viewers stagger their replay activity; therefore TCP is more appropriate for replaying video-on-demand.
- Another epic idea of mine is to back up the whole Android .img, decompile it on my Mac, analyze the hex, reverse engineer it and then re-flash it. I know it's pretty time consuming, and analyzing the code will definitely be a challenge for me. We have to be ready for it as the last resort.
- There is a less complicated method, which is to connect the STB to my Mac using a Type-A to Type-A cable. I don't know whether I can get any data from it, but there may be a failsafe mode for the STB to enable debugging. If we choose this path we have to find the method to put it in failsafe or recovery mode. Obviously, a recovery mode will be present, because any device would have one; otherwise, it was made by a dumb person.
- If none of the above works, then we will think of more approaches. Until then, let's start executing.
Analysis
- I was able to jump into the advanced settings menu and successfully opened the ANDROID SETTINGS app. From there, you know, I was able to enable the developer options, and soon I found out that there is no ADB over wireless and there is no USB debugging option. So basically it means data extraction using a Type-A cable is not possible. FIRST BLOW-UP! Let's move on!
- Digging in the Settings app, I opened the Applications section and found some interesting system-installed apps there. It's the APSFL app; yes, this app acts as the default launcher, and basically it is what makes the IPTV AP FiberTV. So, finally we got a lead.
- Extracting the APK from the STB: I can't connect the STB to the Mac, so I cannot back up the APK. But what if I can use Android itself to help me back up the APK? Let me explain!
- Fortunately, our beloved manufacturer, i.e. Dasan Networks, has installed a Chrome browser to let users browse the Internet, but we can use it to download apps too.
- I downloaded the ES File Explorer (obviously!) APK from apkpure.com and opened it. Android helped, because it is Android's default behavior to launch the package installer when an APK is downloaded, without having to open a file manager to browse to the app (which is not possible in our case). Thanks, Android!
- Created a backup of APSFL.apk, connected a pendrive to the USB port and copied the file to the pendrive with the help of ES File Explorer (another thanks to ES File Explorer).
- As the APSFL app acts as the launcher and controls all the TV operations such as authentication, the STB menu, streaming, etc., this is our gateway for everything.
- Installed the APK in the emulator and opened it. To my excitement, the app has authentication, and data is transmitted through the HTTPS protocol (it's encrypted!). Now check out the vulnerabilities section below.
Vulnerabilities
- Bypassing the encryption: Basically, to monitor the traffic from the app to the server, the data should be unencrypted. Installing a custom cert will do the trick, but the Android API level should be 23 or below. Reinstalled the emulator with Android 6.0 and set up a proxy server to listen to the traffic. See the authentication data below.
- As you can see, the authentication is done through the MAC address of the device, which is pretty reasonable.
- The response is in JSON format, and if the authentication is successful we are served some pretty useful data.
- Spoofing the MAC Address: I have to get past the authentication by spoofing my emulator's MAC address, which is 0C:65:EE:6E:CE:68 (you can see it in the GET request above), with my STB's MAC ID. I changed my MAC ID thanks to the VirtualBox network interface. My initial thought was that once the authentication was bypassed I could play live TV from my Android device.
- Of course, without hiccups how could hacking be challenging? The problem I faced is a weird one: the video being streamed is not supported by the Android emulator I was using. And believe me, it's pretty hard to find an emulator that has root support, API 23, is stable, and runs on Mac.
- I experimented with various images on various architectures, both arm64 and x86. By the way, our STB runs on the ARM architecture. But I always landed in some kind of problem related to connections, MAC spoofing, rooting, etc. The problem here is that the required video codecs are not present in the Android image to play back the video.
- There are some things I observed during this time:
- Why can't I capture the video stream URL's through the proxy? My raw guess is that they are using UDP multicast, which is not supported by my tool. So I switched to Wireshark and started analyzing the complicated UDP packets and stitching them together (believe me, analysing UDP packets is difficult when filtering all the MAC traffic too). Still no luck. SECOND BLOW-UP!
- Decompiling the APK: There is no other way but to reverse engineer the APK itself. I started by decompiling the APK and converting the .smali resources to .java files using both the Fernflower and bytecode decompilers at the same time.
- The first thing I did was modify the ConnectionManager condition to true. I already told you that I faced connection issues in the app in the Android TV emulator, which does have video codecs, but I didn't get past this connection issue. I think the problem is with the Android connection libraries present in the Android TV image. I was sure that if I could get past this I could stream live TV there. Unfortunately, there are too many connection checks, and if I try to change all of the conditions it's going to break at some point (I mean the app will crash: "Unfortunately, ... has stopped").
- My options are limited now. I was frustrated with the lag in emulators and with rooting the TV image every time I restart, as root is non-persistent (don't ask me why; they haven't found a way to keep it persistent in the default Android emulator). I was going through the other stuff in the decompiled APK and found the assets folder.
- Analysing the Assets: The assets folder looks interesting because there are HTML, JS and CSS files. I opened the index.html file in the browser and the whole APSFL layout opened in the browser, and the console logs are huge. I have a gut feeling that we can crack it!
- The working is simple: the authentication part is done by Android, and the layouts and streaming are handled by the web part. They share data between them using some off-the-shelf library known as TornadoApp (weird name).
- So the operations are all handled by a JavaScript file named 'ap_fiber_stb.min.js', which is a whopping 1.5 MB in size and 41,000 lines long. Anyway, I started analyzing the .js file. Man, it's big! In the end I found out that it's deeply integrated with the Android library and there is nothing I can do. THIRD BLOW-UP!
- JavaScript Time: In the browser I observed that the JS file has console logs everywhere. Another idea struck my mind: I can monitor these logs in real time in the emulator using a simple app known as LogCat.
- Basically, app-specific logs are blocked in a production APK, but the JavaScript present in the app is handled by the Android WebView, which by default emits the console logs. I analyzed those logs and finally managed to find a UDP URL starting with udp://ipaddress. I traced it back to its origin and found the JSON file [HAPPY ME] which has the URL's of every channel present in the AP FIBER NET IPTV. JACKPOT!
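Added example, not taken from the APSFL app: a network_security_config.xml that keeps a user-installed proxy CA out of the app's trust store in release builds while still allowing it in debuggable builds, which is the fix for the "bypassing the encryption" step above. Android honours this file from 7.0 (API 24); on API 23 and below it is ignored and user-added CAs are trusted by default, which is exactly why the emulator had to be downgraded to 6.0.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the APSFL app's config. Referenced from the manifest
     via android:networkSecurityConfig="@xml/network_security_config" and
     declares which CAs the app's TLS connections will accept. -->
<network-security-config>
    <!-- Release behaviour: trust only the system CA store. A user-installed
         interception-proxy CA is ignored, so the HTTPS auth exchange cannot be
         read in transit. cleartextTrafficPermitted="false" also refuses any
         plain http:// fallback the app might attempt. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Applied only when the app is built with android:debuggable="true":
         lets the developer's own proxy CA in so traffic can still be
         inspected during development without shipping that trust. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```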
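Added example of the fix for the logcat leak described in the last bullet (my own code, not the APSFL app's; the class name is mine): a WebChromeClient that swallows WebView console messages in release builds, so JavaScript console.log output, and any stream URL it carries, never reaches logcat where a LogCat app can read it.

```java
import android.webkit.ConsoleMessage;
import android.webkit.WebChromeClient;
import android.webkit.WebView;

// Added example, not the APSFL app's code. By default the Chromium WebView
// writes every JavaScript console message to logcat (tag "chromium"), which
// is how the udp:// channel URLs became visible to a LogCat app.
public final class QuietWebChromeClient extends WebChromeClient {
    private final boolean debuggable; // pass BuildConfig.DEBUG from the app

    public QuietWebChromeClient(boolean debuggable) {
        this.debuggable = debuggable;
    }

    @Override
    public boolean onConsoleMessage(ConsoleMessage msg) {
        if (debuggable) {
            // Development build: keep the default behaviour (log to logcat).
            return super.onConsoleMessage(msg);
        }
        // Returning true tells WebView the message was handled by the host
        // app, so WebView does NOT forward it to logcat. Drop it silently.
        return true;
    }

    // Hypothetical helper showing how the app would wire this up.
    public static void install(WebView view, boolean debuggable) {
        view.setWebChromeClient(new QuietWebChromeClient(debuggable));
        // Remote (Chrome DevTools) debugging exposes the same console and the
        // DOM over adb; only enable it for debuggable builds.
        WebView.setWebContentsDebuggingEnabled(debuggable);
    }
}
```

Suppressing the logs is only half the fix: the JSON that lists the stream URL's is still bundled with the app, so the console messages were a shortcut, not the root cause.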
Collecting the URL's
The JSON file has too much data, and it makes sense that it is 1 MB (a 1 MB file, in terms of code, is considered huge). I filtered the JSON data to show only URL's and channel names. Below is the code.
Result
I can watch all the channels from my Android device using MX Player or VLC.
- Open VLC or MX Player.
- Select the network stream option.
- Paste the URL's below. (Only works when connected to the AP FIBER WiFi.)
I DIDN'T REVEAL SOME VULNERABILITIES PRESENT IN THEIR WEB PLATFORM BECAUSE I WAS WAITING FOR THEM TO FIX THEM BEFORE I REVEAL ANYTHING. MAYBE IN A FUTURE ASSESSMENT WRITEUP. THESE URL's I HAVE LEAKED ARE BASICALLY USELESS TO PEOPLE WHO ARE OUTSIDE THE NETWORK OF THE APSFL FIBERNET WIFI OR WIRED CONNECTION (YES, THEY WORK LOCALLY ONLY, AND DON'T BLAME ME! THE DESIGN ITSELF IS LIKE THAT. IT'S EFFICIENT THIS WAY). I THINK IT'S LEGAL TO WATCH THESE ON YOUR MOBILE AS LONG AS YOU OWN AN APFIBER IPTV STB.
Finally, N0 Sy5t3m 1s S@f3 dot!
POH's attached below
Check out all the URL's here
Note: Assessment of commercial companies requires a certification such as Certified Ethical Hacker (not limited to CEH), but for personal tests it is not needed at all; go ahead. There are so many things I have not listed, because the further you go the more becomes visible on this path. Find your own way and your own approach. Happy Hacking!!!!
LINKS
APSFL 5.1 (.apk): Download Here. Only for reverse engineering or experimenting, not for usage; it doesn't work on your device.
URL'S (.txt file): Download Here