<div dir="ltr"><div>Thank you Michael for your excellent write-up. I probably over-simplified by comparing it to privilege escalation. <br><br></div>-- CHS<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Thu, Jul 11, 2013 at 5:23 PM, Michael H. Warfield <span dir="ltr"><<a href="mailto:mhw@wittsend.com" target="_blank">mhw@wittsend.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Ok... I guess I better chime in on this one before the rumors get too<br>
out of hand...<br>
<div class="im"><br>
On Sat, 2013-07-06 at 10:38 -0400, Charles Shapiro wrote:<br>
> Be careful out there.<br>
> ( <a href="http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/" target="_blank">http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/</a> ). This basically means that it's possible to grab an application from Google Play and undetectably modify it to do Evil. It's more-or-less the equivalent of a privilege escalation exploit in Unix. Nothing in the wild yet.<br>
<br>
</div>No. It is NOT a "privilege escalation exploit". Yes, a malware author<br>
could take a signed, packaged, app and modify the app in a way that<br>
includes the malware and appears to be properly signed. But it still<br>
runs as the permissions and ownership of the original app. There's no<br>
privilege escalation involved. If the app happens to be one of the apps<br>
from the handset manufacturer or carrier which carries elevated<br>
privileges then, yes, you would get those elevated privileges of that<br>
app.<br>
<br>
Its a bug in the way Android checks the apks. An apk is just a zip file<br>
with a series of signed files. The flaw occurs if the zip file contains<br>
more than one entry with the same exact name (and, presumably, path).<br>
In that case, Android loads the first file but only checks the signature<br>
on that LAST file. OOOPPPSSS... Epic fail.<br>
<br>
<a href="http://news.techworld.com/mobile-wireless/3456734/proof-of-concept-exploit-available-for-android-app-signature-check-vulnerability/" target="_blank">http://news.techworld.com/mobile-wireless/3456734/proof-of-concept-exploit-available-for-android-app-signature-check-vulnerability/</a><br>
<a href="https://jira.cyanogenmod.org/browse/CYAN-1602" target="_blank">https://jira.cyanogenmod.org/browse/CYAN-1602</a><br>
<br>
The exploit is to take a known good app and unpackit it using apktool.<br>
then replace the files you want to trojan and rebuild the apk. Then,<br>
using a "zip" that will support it (the author of some PoC code used a<br>
python routine), append the original files to the new zip after the<br>
trojaned ones. Voila. Less that 3 dozen lines of shell code.<br>
<br>
<a href="https://gist.github.com/poliva/36b0795ab79ad6f14fd8" target="_blank">https://gist.github.com/poliva/36b0795ab79ad6f14fd8</a><br>
<br>
Google has already implemented scanning of all the apps in the Play<br>
store and no legitimate app should have multiple files of the same name<br>
in the apk so it's pretty simple to scan for. The fix for Android is to<br>
prohibit any apps with duplicate file names in the apk. Google has<br>
deployed the patch to vendors and it's even already in all the branches<br>
of CyanogenMod<br>
<br>
Advise... Don't sideload apps or enable untrusted sources unless you<br>
really REALLY know what you're getting.<br>
<br>
><br>
> -- CHS<br>
><br>
<br>
Regards,<br>
Mike<br>
<span class="HOEnZb"><font color="#888888">--<br>
Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20985-6132" value="+17709856132">(770) 985-6132</a> | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
</font></span><br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br></div>