Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate from VIP Access QR code? #72

Open
beaugunderson opened this issue Oct 17, 2024 · 4 comments
Open

Migrate from VIP Access QR code? #72

beaugunderson opened this issue Oct 17, 2024 · 4 comments

Comments

@beaugunderson
Copy link

VIP Access can now generate a QR code to migrate tokens.

It's in this format:

{
  "vip": [
    "...",
    "...",
    "SYMC..."
  ]
}

Is it possible to import these into vipaccess?
@dlenski
Copy link
Owner

dlenski commented Oct 18, 2024

VIP Access can now generate a QR code to migrate tokens.

It's in this format:

I can't tell from what you've provided.

What do those first two fields look like?

Base32… base64… hexadecimal… ASCII?

Length?

Can you figure out how to map them into a format similar to what vipaccess provision -p outputs?

@mxr
Copy link

mxr commented Dec 2, 2024

Confirming it's a 3 element list.

  • The first element is a string. It's 8 uppercase alphanumeric characters (^[A-Z0-9]{8}$). It's not hex and doesn't appear to be base32/64 or either. Perhaps it's a secret used for the migration?
  • The second element is also a string. It appears to be an epoch timestamp in seconds, pointing to one hour after the time the migration QR code was generated. Perhaps it's an expiration time.
  • The third element starts with SYMC and appears to be a VIP Access Mobile** (no TrustZone) Credential as defined here.

Maybe the first argument could be mapped into a secret=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA query-string parameter but I'm not sure how...

@dlenski
Copy link
Owner

dlenski commented Dec 2, 2024

Maybe the first argument could be mapped into a secret=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA query-string parameter but I'm not sure how...

This first element can't contain more than ~41 bits of randomness (8 × log₂36). So there's no way it can directly map to the 160-bit secret of the SYMC token type.

There's probably an extra level of indirection to obscure the secret. These QR code parameters are likely fed into another web service (e.g. http://vip.symantec.com/get.secret.from.server?cred_password=X&cred_timestamp=Y&cred_id=Z) which then returns the secret, perhaps in a further-obfuscated format like the known provisioning endpoint.

If you can get a MITM capture of the app reading the QR code to migrate the token, that should do the trick.

@mxr
Copy link

mxr commented Dec 28, 2024

I tried MITMing using the Android emulator but didn't get very far :(

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@beaugunderson @dlenski @mxr