Related
Has any Android developer considered the possibility of converting the open source Impostor SSO Proxy to Android?
http ://impostor.sourceforge.net/
It's already written in Java, and I could see it as being incredibly useful. Many people encounter a need to logon to various websites from insecure locations but don't have a dedicated server to run a single sign on proxy from, however if they had their Android phone with them the ability to start up & proxy through an app on the phone in order to avoid entering any logon credentials would alleviate that.
I have searched high.. and I have searched LOW... and I can find no solution for this problem:
}{Alienz}{ said:
Well the thing is I tried several browsers.
1. The default one that comes with Android
2. Opera mini
3. DolphinHD
All same thing. I'm now going to test with a beta build of Firefox for android (fennero was it called I forget) but its SUCH a stupid thing to not work. Every other device WORKS. Blackberries, Iphones, tablets, laptops....everything.
EDIT: The EXACT error I get is:
"There is a problem with the security certificate for this site. This certificate is not from a trusted authority." I get this AS it attempts to load the redirect login page (both university and at work now). Same issue. It's browser/certificate related. And its ANNOYING as hell.
EDIT 2: Found the problem. It's that stupid certificate.
"This is a result of your corporation using an in house Certificate Authority to provide SSL encryption on your mail server and clients.
Basically....the computer that issued the certificate isn't trusted by the android phone. I'm new to android so I'm not sure if you can add a trusted CA (I haven't seen any options for it).
I don't know about future updates like the above poster mentioned.
Most companies will purchase a certificate from one of the major Certificate Authorities on the internet, which are pre-programed into most operating systems to be trusted. Internal CA's are trusted by the domain environment at your work, but not by anyone else. External (Internet) CA's are trusted by everyone.
if you want an example, open up IE (gross I know) and go to your options. Click the content tab, then there should be a button label certificates. inside the certificates window select Trusted Root Certification Authorities.
That is a list of all the builtin trusted CA's provided by Microsoft and the companies that govern the internet. "
I STILL have no idea how to fix it and to make the phone accept the certificate though.
EDIT 3: Fennec (Mozilla Firefox for Android beta) managed to pull up the login page for my work network. Not sure if it will work for the university yet.
Click to expand...
Click to collapse
I can't use firefox because the Galaxy 3 isn't supported. (Hence, why I'm asking in the Galaxy 3 section.)
But there MUST be a way to accept a simple TOS.
Maybe an AP? Or a script that can be written?
I've rooted my phone... Maybe I can find a way to add the McDonald's certificate?
HELP!
Oh come now..
Sixty views, somebody could at least take a JAB at it.
TeamRainless said:
Oh come now..
Sixty views, somebody could at least take a JAB at it.
Click to expand...
Click to collapse
Alright the hell with it... I'LL take a jab at it:
I can't load the McDonald's site because Android doesn't like their certificate. So all I should have to do is add the McDonald's certificate to the list of sites that Android accepts and it should be sugar in the gas tank right?
So where is this list held?
Hi Guy's/Gal's,
As you may be familiar with my OLD Windows 8 Hack (Blog + Video), and that really wasn't too hard to figure out (since then the last windows release now actually doesn't fix it but makes it obvious how to do it, making it no longer a real hack... However, I have now figured out another one... This one exploits the security in Windows 8 to view a Folders contents and technically edit/open the contents without ever modifying ANY security settings.
You can read a bit more on my Blog (also has a How to video on the TechMeShow on YouTube) or just watch the Video.
Question is, why do I bother with these specific bypasses or point out what may not be useful to some? As a developer, I.T. Prof., and security expert and someone who gets paid to work in Enterprise, this is alarming and is NOT good for the future of Windows 8. They don't take my calls or emails and this information should be open until it gets fixed, plus they don't pay me but I do have other and worse hacks for Windows 8 but I hope I won't have to publicly release them cause I will have to uninstall Windows 8.
Thanks,
Lance
lseidman said:
Hi Guy's/Gal's,
As you may be familiar with my OLD Windows 8 Hack (Blog + Video), and that really wasn't too hard to figure out (since then the last windows release now actually doesn't fix it but makes it obvious how to do it, making it no longer a real hack... However, I have now figured out another one... This one exploits the security in Windows 8 to view a Folders contents and technically edit/open the contents without ever modifying ANY security settings.
You can read a bit more on my Blog (also has a How to video on the TechMeShow on YouTube) or just watch the Video.
Question is, why do I bother with these specific bypasses or point out what may not be useful to some? As a developer, I.T. Prof., and security expert and someone who gets paid to work in Enterprise, this is alarming and is NOT good for the future of Windows 8. They don't take my calls or emails and this information should be open until it gets fixed, plus they don't pay me but I do have other and worse hacks for Windows 8 but I hope I won't have to publicly release them cause I will have to uninstall Windows 8.
Thanks,
Lance
Click to expand...
Click to collapse
Dude, you started MMC as Administrator (1:52-1:53)... you didn't bypass anything. :silly:
Since you allowed the program to run as Administrator it can access anything, for example: it also works when you start cmd as admin.
Yeah and in the video the kid gives his other account admin rights. To be secure you don't run as local admin... same in server / client environment. This isn't a hack.
Maybe you should watch from 1:50... No admin command prompt is loaded but say it was for argument sake. You couldn't view or edit the contents via Explorer but Security Template under the same account, it was accessible (couldn't view folder contents or perform any tasks in explorer).
So, if it was an admin account or in the admin user group, it shouldn't have been permitted either way as that's not how folder security is supposed to work or security in general. You have to provide explicit permission to the folder to let a specific user account (even with an account being in the Admin user group) have viewable access or any access, in this examples it plainly shows the flaw in that.
Donny1987 said:
Dude, you started MMC as Administrator (1:52-1:53)... you didn't bypass anything. :silly:
Since you allowed the program to run as Administrator it can access anything, for example: it also works when you start cmd as admin.
Click to expand...
Click to collapse
What part of the video was this done? Also they're not strictly local, they're associated with LIVE Accounts and logged in via remote desktop (not that that matters at all). This means, I use my LIVE password and email to login to the machine.
ROCOAFZ said:
Yeah and in the video the kid gives his other account admin rights. To be secure you don't run as local admin... same in server / client environment. This isn't a hack.
Click to expand...
Click to collapse
that was painful to watch
I see what your saying about folder access, if it doesn't work as admin in explorer then why should it on via the MMC.
but the simple fact remains, unless you have access to admin, you cant access MMC.
if you have access to admin then there is literally nothing I couldn't do to gain access to the correct folders anyway, that is very simple and ive yet to come across any folder I haven't been able to get in to AS ADMIN
Its not a major fail, a slight glitch at best, but only a fail if you the user allows access to your computer with admin rights.
as to accessing app isolated storage data, yes you could manipulate the app via the XMLs, we've been able to do that for years, theres no difference in that respect then analysing a process, and changing settings, memory calls or even injecting DLLs. So im not sure what the story is here, sorry.
lseidman said:
Maybe you should watch from 1:50... No admin command prompt is loaded but say it was for argument sake. You couldn't view or edit the contents via Explorer but Security Template under the same account, it was accessible (couldn't view folder contents or perform any tasks in explorer).
So, if it was an admin account or in the admin user group, it shouldn't have been permitted either way as that's not how folder security is supposed to work or security in general. You have to provide explicit permission to the folder to let a specific user account (even with an account being in the Admin user group) have viewable access or any access, in this examples it plainly shows the flaw in that.
Click to expand...
Click to collapse
I've watched the complete clip... you're just not getting it.
You logged on with an admin account, you allowed MMC to make changes to the computer by clicking on Yes.
Therefore you can expand the WindowsApps folder and browse.
When you start Windows Explorer, even when you are logged on with an admin account, it still requires your permission before you can change anything (Just like you clicked on Yes for MMC).
I have just created a new local user on my virtual Windows 8 machine without admin rights and opened MMC, it did not ask me to allow the program to make changes.
I then went to the Security Templates stuff like you did, and voila... I can't expand the folder.
It's not a 'hack' or 'flaw', this behavior is completely normal when you start a program as admin.
I've attached some screen shots so you hopefully understand.
Do me a favor then...
Load up a command prompt, but first you'll need to enable the Administrator account which is disabled on the system. To re-enable obviously go in to MMC and add the snap-in for user account management. Once the admin account is active (remember need to set a password).
Now, in the prompt please type:
%windir%\system32\runas.exe /noprofile /user:administrator "explorer.exe C:\"\Program Files"\WindowsApps"
Once you hit enter, the Windows Explorer will be loaded as "Administrator". Are you able to now view the folder contents logged in and under the authenticated Administrative account? No, unfortunately you can't, it requires you to go through the process with the security tab to provide full control. With MMC it bypassed that whole process, even as Admin (literally).
Maybe my point is a little more clear now, I hope? It doesn't matter if you're authenticated as Administrator or given Administrator privilege in MMC. Explorer still prevents you from viewing the folder contents or edit the folder contents.
Donny1987 said:
I've watched the complete clip... you're just not getting it.
You logged on with an admin account, you allowed MMC to make changes to the computer by clicking on Yes.
Therefore you can expand the WindowsApps folder and browse.
When you start Windows Explorer, even when you are logged on with an admin account, it still requires your permission before you can change anything (Just like you clicked on Yes for MMC).
I have just created a new local user on my virtual Windows 8 machine without admin rights and opened MMC, it did not ask me to allow the program to make changes.
I then went to the Security Templates stuff like you did, and voila... I can't expand the folder.
It's not a 'hack' or 'flaw', this behavior is completely normal when you start a program as admin.
I've attached some screen shots so you hopefully understand.
Click to expand...
Click to collapse
ok, let me put this another way
get access to that folder without giving yourself any admin rights.
If you do that then its a security risk, if you cant then your just highlighting one of the biggest USER fails of all time, a fail that's so epic that it single handily helps turn 10,000s of computers in to bots and that is running their default desktop account as an admin.
lseidman said:
Do me a favor then...
Load up a command prompt, but first you'll need to enable the Administrator account which is disabled on the system. To re-enable obviously go in to MMC and add the snap-in for user account management. Once the admin account is active (remember need to set a password).
Now, in the prompt please type:
%windir%\system32\runas.exe /noprofile /user:administrator "explorer.exe C:\"\Program Files"\WindowsApps"
Once you hit enter, the Windows Explorer will be loaded as "Administrator". Are you able to now view the folder contents logged in and under the authenticated Administrative account? No, unfortunately you can't, it requires you to go through the process with the security tab to provide full control. With MMC it bypassed that whole process, even as Admin (literally).
Maybe my point is a little more clear now, I hope? It doesn't matter if you're authenticated as Administrator or given Administrator privilege in MMC. Explorer still prevents you from viewing the folder contents or edit the folder contents.
Click to expand...
Click to collapse
As far as I know you cannot start Explorer anymore as administrator, since Windows 7 (maybe even Vista, but I never used it).
In Windows XP when you started a command prompt as admin and then 'explorer.exe /separate' then the explorer was really started as admin, this is no longer working... gotta be new security that Microsoft is using since Vista/7
As dazza9075 said, do the same without being an admin on your machine and then we'll start to use the words 'LePorte hack'
Forgive my noobness if this sounds stupid but was looking at the company apps setting on my Lumia 928 and was wondering if it could be exploited in anyway as far as sideloading homebrew? Out of curiosity, not that I expected it to work, I emailed myself a .xap file and got an error saying there was something wrong with my company app and to contact the company's support person. So went to company app settings and it asks for email,password, username,domain, and server but does it actually check the authenticity of the domain and/or server for a legitimate company or could someone simply set up a server hosting .xap files to be downloaded simply by registering and logging in with these settings? Even wondered if I simply used this info from the email server if it would install through email but seems too simple and haven't messed with it.
tonbonz said:
Forgive my noobness if this sounds stupid but was looking at the company apps setting on my Lumia 928 and was wondering if it could be exploited in anyway as far as sideloading homebrew? Out of curiosity, not that I expected it to work, I emailed myself a .xap file and got an error saying there was something wrong with my company app and to contact the company's support person. So went to company app settings and it asks for email,password, username,domain, and server but does it actually check the authenticity of the domain and/or server for a legitimate company or could someone simply set up a server hosting .xap files to be downloaded simply by registering and logging in with these settings? Even wondered if I simply used this info from the email server if it would install through email but seems too simple and haven't messed with it.
Click to expand...
Click to collapse
this would work, but theres a lot you have to do to set it up:
There are some general steps that companies must follow to establish a company account, enroll devices, and distribute apps to their enrolled devices. The following sections provide an overview of this process:
1. The company registers a company account on Windows Phone Dev Center and acquires an enterprise certificate from Symantec.
2.The company creates an application enrollment token (AET).
3.The company develops a Company Hub app.
4.The company prepares their apps for distribution.
5. Employees (or other users) enroll for company app distribution on their phones and install the company apps by using the Company Hub app.
you have to use intune director. Companys have to register with windows phone dev and aquire an enterprise cert. This *could* be a way to install homebrew apps, but it'd be easier if there was some kind of workaround.
more info here..
http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj206943(v=vs.105).aspx
Thanks aclegg2011 and my apologies to the Forum Administrator as I just saw a similar post in a different section.
While I was writing and testing a WP 8 web app, I had it connected via wifi to Fiddler2. When I plugged my Dev Unlocked HTC 8x into my computer, the phone "dialed out" to h ttps://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/01/2010/DeviceStatus?deviceId=deviceid&fulldDeviceId=fulldeviceid The response is an XML packet that tells the phone how many days are left of being DeveloperUnlocked as well as the number of apps that are allowed!
this request/response sequence happens EVERY time I plug my developer unlocked Windows Phone 8 into the USB port of my Dev PC and PIN unlock it.
Keep in mind I installed the root cert that Fiddler generated for my PC a while back, so it can decrypt HTTPS traffic to/from my phone.
If anyone knows what the integer equivalent of "that magic DWORD value" is, I will craft a custom response packet and see if it changes anything.
Please see the attached screenshot for proof!
Edit:
So I did try GoodDayToDie's xaps and it looks like increasing the value from 10 to 2147483647 (I think its the integer equivalent to 0x7FFFFFFF) didn't have any effect that I could see. The InteropCapNoOem xap fails to deploy with error code 0x81030120. This error code normally means you are NOT interop unlocked back in the WP7 days. The OemCapsNoInterop.xap file generates an error telling me to "fix the Capabilities in [the] WMAppMAnifest.xml file.
I wonder if I can sideload more than 10 apps now though?
Maybe we can figure out what app is generating this "call home" and see if there are any other funky things we can stick in the xml tree?
Whoa. I could have sworn they were using cert pinning for that. I'll investigate, though...
EDIT: Couldn't get that connection request even showing up on my work computer. Will try from home.
Here is the service operations page:
https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/help and (according to API) DeviceStatus call don't have fullDeviceId={FULLDEVICEID} parameter.
BTW, compu829, what is the fullDeviceId parameter, how it looks like?
Wait... You could change the value on the phone? That's a huge improvement. I'm stuck with only 3 apps (stupid dreamspark) and desperately need more!
This is a great find! I, unfortunately have never seen this happen though. Do you happen to know if you had the WP Device Registration program or the Application Deployment program running at the time?
EDIT: I've been debugging multiple apps with Fiddler up and proxy on my phone and I haven't noticed this. I see it now. I feel stupid lol Time to play around
EDIT 2: Microsoft does NOT like when you have fiddler intercepting on Registration. It returns a success result, but the developer registration tool gives an error indicating that it cannot connect to the phone. Grrr and after I went through the work of changing the response value for the number of apps that can be sideloaded. I bet this is a timing thing... I'll see what I can do.
I don't think it's timing. Even if I left the request completely unmodified and just ran it through the proxy to watch the process, the tool said that there was a problem, and the phone did not get unlocked. They're either testing for the presence of a proxy somehow, or there's some side channel that *is* using cert pinning, and is therefore unable to connect through Fiddler.
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
On my phone, I noticed it AFTER I had developer unlocked it. More concrete steps on what I did to reproduce:
1. On test PC, Installed Fiddler.
2. On test PC, exported trusted root certificate that Fiddler installed.
3. Emailed certificate to my phone and installed it.
4. Now enable the proxy on the phone. Things like email, Windows Phone Updates, etc will now work normally!
5. Plug phone in to Visual Studio Development PC, and wait for the PC to detect the device.
6. You will see the phone "dial out".
Without installing the fiddler trusted root certificate, you will see the handshake, but the phone doesn't know what do do with the packet because the certificate generated by fiddler is untrusted.
Using this same technique, you can have some serious fun with Windows Updates
GoodDayToDie said:
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
Click to expand...
Click to collapse
see last post Are you guys installing the trusted root certificate on your phone?
compu829 said:
see last post Are you guys installing the trusted root certificate on your phone?
Click to expand...
Click to collapse
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc but it just hates it when dev unlocking the phone. Which other trust root cert are you speaking about?
more detailed instructions
snickler said:
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc but it just hates it when dev unlocking the phone. Which other trust root cert are you speaking about?
Click to expand...
Click to collapse
this is what I did:
On Development PC:
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, click Certificates, click Add, select current user, and then click Finish.
4. click ok to close the add/remove snap-in dialog
5. In the left-hand pane navigate to "Trusted Root Certification Authorities" --> "Certificates"
6. in the right-hand pane, look for the certificates labeled "DO_NOT_TRUST_FiddlerRoot" (I have two for some reason, you may only have 1)
7. Right-click on the certificate and go to "All Tasks" --> "Export".
8. Run through the certificate export wizard, leaving everything as the defaults.
9. Once you have exported your certificates, email them as attachments to your Windows phone.
10. Open the email on your WIndows Phone. Click on the certificate file and wait for it to process. Then when prompted, install it.
11. After that, any https traffic that you intercept/edit will go through as trusted to your Windows phone, provided that the application isn't expecting a specific certificate.
Things this made work:
1. all App communications over https
2. Windows Updates
3. all email accounts.
4. App Store communications (except for actually downloading apps, IIRC).
Things that didn't work:
1. Anything that requires certificate pinning as the certificate is embedded within the app. Therefore it doesn't make a call into the trusted root certificate store. I believe this includes running the actual "Developer Unlock" app.
if you place the following code in the "OnBeforeResponse" section of the CustomRules.js file, you should be able to install more than 3 or 10 apps, provided the program that is "phoning home" isn't using certificate pinning.
Code:
oSession.utilDecodeResponse();
oSession.utilReplaceInResponse("AppsAllowed>10</","AppsAllowed>400</");
... These are steps that have already been taken. You actually did even more steps then necessary. All you have to do is point to your computer's IP address and port that Fiddler is running on within IE Mobile (Make sure Remote IP access in Fiddler is enabled), click on the certificate and it will install on the phone. You'll be able to see the requests from the phone. Everything you listed above is what I've been able to do. Nothing different from what I was saying .
@compu829: Yes, of course I am. If I weren't, it wouldn't be possible to edit that value at all; I wouldn't even see it because the TLS handshake would fail... (FWIW, I work with proxies all the time, usually Burp Suite not Fiddler, but in any case I'm quite familiar with setting up the MitM certs). I do wonder whether there's something changed here (GDR2 change, maybe?) because I could have sworn that intercepting the phone's traffic during unlock didn't work at all before (presumably due to cert pinning). I may be mistaken, though.
In any case, it still doesn't *actually* work. I guess I could try invisible proxying - use ARP spoofing or a custom routing rule on the router to send the data through my PC, and capture/modify it there, without revealing the presence of a proxy - but I don't know if that's the issue or if it's something else entirely.
EDIT: Your steps are way more complex than needed. For example, you can export the root cert from Fiddler by going to Tools menu (in Fiddler) -> Fiddler Options -> HTTPS.
whoops lol. Oh well. I didn't realize it was so easy to export/Import!
Anyways, All I know is that I could pretty much do nothing on my phone when I connected it to the proxy until I emailed myself the root cert. Once I did that, email started flowing, apps started working, and WIndows Updates stopped erroring out.
It is entirely possible that whatever is generating the call is silently rejecting the response packet. I was just shocked when I plugged my phone in to see that packet show up.
I know that Windows Updates lets me modify the requests and responses without complaining, so maybe that is another way in? I assume that must be running elevated lol. Maybe we can get it to launch a background app that is already on the phone.
The way I see it, this will only work temporarily. Next time phone dials home without you running the Fiddler it will reset the AppsAllowed value. Am I right?
@amaric: If you'd actually read the thread, you'd see that it doesn't appear to work at all...
But yes, it would probably reset itself too. We don't have the ability (right now) to edit the registry keys which control that phone-home behavior. However, it might be / have been possible to do that if we had interop-unlock...
on the phone there is the file "PhoneReg.exe", which works with this data, and it check certificate Common Name (must be Microsoft...) and Thumbprint to hardcoded data
Didn't the ChevronWP7 work exactly like this until MS fixed the bug in NoDo?
@snickler, @GoodDayToDie
There is something I can't get out of my head...after the Ativ S devices are interop unlocked, they'd "reset" after a while until we made them stop phoning home...This means that somehow Microsoft is associating the phone's device ID with your interop level...is this something done purely server side, or is there a way to maybe send this info TO Microsoft's servers so they can send the info back to our phones? Just a thought....
That's an interesting research question; we can set the URLs which are used to make those "phone home" checks to a site we control, possibly use HTTP instead of HTTPS, and see if they work. Worst case, cert pinning will cause the connection attempt to fail and we're right where we are now; best case, it's... umm, well it's interesting, but I don't see any likelihood of actually getting *additional* permissions out of this. Still, I've been wrong about things like that before. Somebody want to set up a transparent HTTP -> HTTPS proxy to listen for the request, forward it, record the response and forward it?