-
-
Notifications
You must be signed in to change notification settings - Fork 2.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add 2 new demos for insecure hashing with cryptokit and commoncrypto
- Loading branch information
1 parent
f684cc1
commit 2df91f5
Showing
13 changed files
with
257 additions
and
0 deletions.
There are no files selected for viewing
Binary file added
BIN
+116 KB
demos/ios/MASVS-CRYPTO/MASTG-DEMO-0011/Payload/MASTestApp.app/MASTestApp
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| --- | ||
| platform: ios | ||
| title: Uses of Insecure Hashing Algorithms in CommonCrypto with r2 | ||
| code: [swift] | ||
| id: MASTG-DEMO-0015 | ||
| test: MASTG-TEST-0211 | ||
| --- | ||
|
|
||
| ### Sample | ||
|
|
||
| {{ MastgTest.swift }} | ||
|
|
||
| ### Steps | ||
|
|
||
| 1. Unzip the app package and locate the main binary file (@MASTG-TECH-0058), which in this case is `./Payload/MASTestApp.app/MASTestApp`. | ||
| 2. Open the app binary with @MASTG-TOOL-0073 with the `-i` option to run this script. | ||
|
|
||
| {{ cchash.r2 }} | ||
|
|
||
| {{ run.sh }} | ||
|
|
||
| ### Observation | ||
|
|
||
| The output contains all uses of CommonCrypto hash functions in the binary, the xrefs for `CC_MD5` and `CC_SHA1` and the disassembled code of the region where each of these functions is called. | ||
|
|
||
| {{ output.txt }} | ||
|
|
||
| ### Evaluation | ||
|
|
||
| The test fails because the MD5 and SHA1 algorithms were found in the code. | ||
|
|
||
| Remember that the context is important when evaluating the use of these algorithms. In some cases, the use of MD5 or SHA1 may be acceptable, for example, when the algorithm is used for checksums or non-cryptographic purposes. In order to determine that you should further analyze the reverse-engineered code and try to learn more about the context in which these algorithms are used. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| import Foundation | ||
| import CommonCrypto | ||
|
|
||
| struct MastgTest { | ||
| // Function to generate a SHA-1 hash | ||
| static func generateSHA1Hash(data: Data) -> String { | ||
| var hash = [UInt8](repeating: 0, count: Int(CC_SHA1_DIGEST_LENGTH)) | ||
| data.withUnsafeBytes { | ||
| _ = CC_SHA1($0.baseAddress, CC_LONG(data.count), &hash) | ||
| } | ||
| return hash.map { String(format: "%02hhx", $0) }.joined() | ||
| } | ||
|
|
||
| // Function to generate an MD5 hash | ||
| static func generateMD5Hash(data: Data) -> String { | ||
| var hash = [UInt8](repeating: 0, count: Int(CC_MD5_DIGEST_LENGTH)) | ||
| data.withUnsafeBytes { | ||
| _ = CC_MD5($0.baseAddress, CC_LONG(data.count), &hash) | ||
| } | ||
| return hash.map { String(format: "%02hhx", $0) }.joined() | ||
| } | ||
|
|
||
| static func mastgTest(completion: @escaping (String) -> Void) { | ||
| let input = "This is a sample text".data(using: .utf8)! | ||
|
|
||
| // Generate SHA-1 hash | ||
| let sha1Hash = generateSHA1Hash(data: input) | ||
|
|
||
| // Generate MD5 hash | ||
| let md5Hash = generateMD5Hash(data: input) | ||
|
|
||
| let value = """ | ||
| Original: \(String(data: input, encoding: .utf8)!) | ||
| SHA-1 Hash: \(sha1Hash) | ||
| MD5 Hash: \(md5Hash) | ||
| """ | ||
|
|
||
| completion(value) | ||
| } | ||
| } |
Binary file added
BIN
+116 KB
demos/ios/MASVS-CRYPTO/MASTG-DEMO-0015/Payload/MASTestApp.app/MASTestApp
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| !printf "\n\n" | ||
|
|
||
| !printf "Uses of CommonCrypto hash function:\n" | ||
| afl~CC_ | ||
|
|
||
| !printf "\n" | ||
|
|
||
| !printf "xrefs to CC_MD5:\n" | ||
| axt @ 0x1000071a8 | ||
|
|
||
| !printf "xrefs to CC_SHA1:\n" | ||
| axt @ 0x1000071b4 | ||
|
|
||
| !printf "\n" | ||
|
|
||
| !printf "Use of MD5:\n" | ||
| pd-- 5 @ 0x1000048c4 | ||
|
|
||
| !printf "\n" | ||
|
|
||
| !printf "Use of SHA1:\n" | ||
| pd-- 5 @ 0x10000456c |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| Uses of CommonCrypto hash function: | ||
| 0x1000071a8 1 12 sym.imp.CC_MD5 | ||
| 0x1000071b4 1 12 sym.imp.CC_SHA1 | ||
|
|
||
| xrefs to CC_MD5: | ||
| (nofunc) 0x1000048c4 [CALL:--x] bl sym.imp.CC_MD5 | ||
| xrefs to CC_SHA1: | ||
| (nofunc) 0x10000456c [CALL:--x] bl sym.imp.CC_SHA1 | ||
|
|
||
| Use of MD5: | ||
| 0x1000048b0 ffe301f8 stur xzr, [sp, 0x1e] | ||
| 0x1000048b4 ff0f00f9 str xzr, [sp, 0x18] | ||
| 0x1000048b8 e01b00f9 str x0, [sp, 0x30] | ||
| 0x1000048bc e0630091 add x0, sp, 0x18 | ||
| 0x1000048c0 01008052 mov w1, 0 | ||
| ; CODE XREF from sym.func.100004728 @ +0xf0(x) | ||
| 0x1000048c4 390a0094 bl sym.imp.CC_MD5 | ||
| 0x1000048c8 e00316aa mov x0, x22 | ||
| 0x1000048cc e10314aa mov x1, x20 | ||
| 0x1000048d0 7d000094 bl sym.func.100004ac4 | ||
| ; CODE XREF from sym.func.100004728 @ +0x184(x) | ||
| 0x1000048d4 e00316aa mov x0, x22 | ||
|
|
||
| Use of SHA1: | ||
| 0x100004558 ffe301f8 stur xzr, [sp, 0x1e] | ||
| 0x10000455c ff0f00f9 str xzr, [sp, 0x18] | ||
| 0x100004560 e01b00f9 str x0, [sp, 0x30] | ||
| 0x100004564 e0630091 add x0, sp, 0x18 | ||
| 0x100004568 01008052 mov w1, 0 | ||
| ; CODE XREF from sym.func.1000043cc @ +0xf4(x) | ||
| 0x10000456c 120b0094 bl sym.imp.CC_SHA1 | ||
| 0x100004570 e00316aa mov x0, x22 | ||
| 0x100004574 e10314aa mov x1, x20 | ||
| 0x100004578 53010094 bl sym.func.100004ac4 | ||
| ; CODE XREF from sym.func.1000043cc @ +0x188(x) | ||
| 0x10000457c e00316aa mov x0, x22 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| r2 -q -i cchash.r2 -A ./Payload/MASTestApp.app/MASTestApp |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| --- | ||
| platform: ios | ||
| title: Uses of Insecure Hashing Algorithms in CryptoKit with r2 | ||
| code: [swift] | ||
| id: MASTG-DEMO-0016 | ||
| test: MASTG-TEST-0211 | ||
| --- | ||
|
|
||
| ### Sample | ||
|
|
||
| {{ MastgTest.swift }} | ||
|
|
||
| ### Steps | ||
|
|
||
| 1. Unzip the app package and locate the main binary file (@MASTG-TECH-0058), which in this case is `./Payload/MASTestApp.app/MASTestApp`. | ||
| 2. Open the app binary with @MASTG-TOOL-0073 with the `-i` option to run this script. | ||
|
|
||
| {{ cryptokit_hash.r2 }} | ||
|
|
||
| {{ run.sh }} | ||
|
|
||
| ### Observation | ||
|
|
||
| The output contains all uses of `CryptoKit.Insecure` functions in the binary, the xrefs for `Insecure.MD5` and `Insecure.SHA1` and the disassembled code of the region where each of these functions is called. | ||
|
|
||
| {{ output.txt }} | ||
|
|
||
| ### Evaluation | ||
|
|
||
| The test fails because the MD5 and SHA1 algorithms were found in the code. | ||
|
|
||
| Remember that the context is important when evaluating the use of these algorithms. In some cases, the use of MD5 or SHA1 may be acceptable, for example, when the algorithm is used for checksums or non-cryptographic purposes. In order to determine that you should further analyze the reverse-engineered code and try to learn more about the context in which these algorithms are used. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| import Foundation | ||
| import CryptoKit | ||
|
|
||
| struct MastgTest { | ||
| // Function to generate a SHA-1 hash | ||
| static func generateSHA1Hash(data: Data) -> String { | ||
| let hash = Insecure.SHA1.hash(data: data) | ||
| return hash.compactMap { String(format: "%02x", $0) }.joined() | ||
| } | ||
|
|
||
| // Function to generate an MD5 hash | ||
| static func generateMD5Hash(data: Data) -> String { | ||
| let hash = Insecure.MD5.hash(data: data) | ||
| return hash.compactMap { String(format: "%02x", $0) }.joined() | ||
| } | ||
|
|
||
| static func mastgTest(completion: @escaping (String) -> Void) { | ||
| let input = "This is a sample text".data(using: .utf8)! | ||
|
|
||
| // Generate SHA-1 hash | ||
| let sha1Hash = generateSHA1Hash(data: input) | ||
|
|
||
| // Generate MD5 hash | ||
| let md5Hash = generateMD5Hash(data: input) | ||
|
|
||
| let value = """ | ||
| Original: \(String(data: input, encoding: .utf8)!) | ||
| SHA-1 Hash: \(sha1Hash) | ||
| MD5 Hash: \(md5Hash) | ||
| """ | ||
|
|
||
| completion(value) | ||
| } | ||
| } |
Binary file added
BIN
+117 KB
demos/ios/MASVS-CRYPTO/MASTG-DEMO-0016/Payload/MASTestApp.app/MASTestApp
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| !printf "\n\n" | ||
|
|
||
| !printf "Uses of CryptoKit.Insecure functions:\n" | ||
| afl~Insecure. | ||
|
|
||
| !printf "\n" | ||
|
|
||
| !printf "xrefs to CryptoKit.Insecure.MD5:\n" | ||
| axt @ 0x100007280 | ||
|
|
||
| !printf "\n" | ||
|
|
||
| !printf "xrefs to CryptoKit.Insecure.SHA1:\n" | ||
| axt @ 0x10000728c | ||
|
|
||
| !printf "\n" | ||
|
|
||
| !printf "Use of MD5:\n" | ||
| pd-- 5 @ 0x1000046d8 | ||
|
|
||
| !printf "\n" | ||
|
|
||
| !printf "Use of SHA1:\n" | ||
| pd-- 5 @ 0x100004214 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| Uses of CryptoKit.Insecure functions: | ||
| 0x100007274 1 12 sym.imp.CryptoKit.Insecure.SHA1Digest. | ||
| 0x100007280 1 12 sym.imp.CryptoKit.Insecure.MD5. | ||
| 0x10000728c 1 12 sym.imp.CryptoKit.Insecure.SHA1. | ||
| 0x100007298 1 12 sym.imp.CryptoKit.Insecure.MD5Digest. | ||
|
|
||
| xrefs to CryptoKit.Insecure.MD5: | ||
| sym.func.10000469c 0x1000046d8 [CALL:--x] bl sym.imp.CryptoKit.Insecure.MD5. | ||
|
|
||
| xrefs to CryptoKit.Insecure.SHA1: | ||
| sym.func.1000041d8 0x100004214 [CALL:--x] bl sym.imp.CryptoKit.Insecure.SHA1. | ||
|
|
||
| Use of MD5: | ||
| │ 0x1000046c4 48000090 adrp x8, reloc.Foundation.__DataStorage._bytes.allocator__UnsafeMutableRawPointer______ ; 0x10000c000 | ||
| │ 0x1000046c8 08d141f9 ldr x8, reloc.__stack_chk_guard ; 0x10000c3a0 | ||
| │ 0x1000046cc 080140f9 ldr x8, [x8] | ||
| │ 0x1000046d0 a8831af8 stur x8, [x29, -0x58] | ||
| │ 0x1000046d4 000080d2 mov x0, 0 | ||
| │ 0x1000046d8 ea0a0094 bl sym CryptoKit.Insecure.MD5. ; sym.imp.CryptoKit.Insecure.MD5. | ||
| │ 0x1000046dc f70300aa mov x23, x0 | ||
| │ 0x1000046e0 54000090 adrp x20, reloc.Foundation.__DataStorage._bytes.allocator__UnsafeMutableRawPointer______ ; 0x10000c000 | ||
| │ 0x1000046e4 947241f9 ldr x20, reloc.CryptoKit.Insecure.MD5. ; 0x10000c2e0 | ||
| │ 0x1000046e8 16805ff8 ldur x22, [x0, -8] | ||
|
|
||
| Use of SHA1: | ||
| │ 0x100004200 48000090 adrp x8, reloc.Foundation.__DataStorage._bytes.allocator__UnsafeMutableRawPointer______ ; 0x10000c000 | ||
| │ 0x100004204 08d141f9 ldr x8, reloc.__stack_chk_guard ; 0x10000c3a0 | ||
| │ 0x100004208 080140f9 ldr x8, [x8] | ||
| │ 0x10000420c a8831af8 stur x8, [x29, -0x58] | ||
| │ 0x100004210 000080d2 mov x0, 0 | ||
| │ 0x100004214 1e0c0094 bl sym CryptoKit.Insecure.SHA1. ; sym.imp.CryptoKit.Insecure.SHA1. | ||
| │ 0x100004218 f70300aa mov x23, x0 | ||
| │ 0x10000421c 54000090 adrp x20, reloc.Foundation.__DataStorage._bytes.allocator__UnsafeMutableRawPointer______ ; 0x10000c000 | ||
| │ 0x100004220 947a41f9 ldr x20, reloc.CryptoKit.Insecure.SHA1. ; 0x10000c2f0 | ||
| │ 0x100004224 16805ff8 ldur x22, [x0, -8] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| r2 -q -i cryptokit_hash.r2 -A ./Payload/MASTestApp.app/MASTestApp |