[ale] Android security bug

Michael H. Warfield mhw at WittsEnd.com
Thu Jul 11 17:23:38 EDT 2013


Ok...  I guess I better chime in on this one before the rumors get too
out of hand...

On Sat, 2013-07-06 at 10:38 -0400, Charles Shapiro wrote: 
> Be careful out there.
> ( http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/ ).  This basically means that it's possible to grab an application from Google Play and undetectably modify it to do Evil.  It's more-or-less the equivalent of a privilege escalation exploit in Unix.  Nothing in the wild yet.

No.  It is NOT a "privilege escalation exploit".  Yes, a malware author
could take a signed, packaged, app and modify the app in a way that
includes the malware and appears to be properly signed.  But it still
runs as the permissions and ownership of the original app.  There's no
privilege escalation involved.  If the app happens to be one of the apps
from the handset manufacturer or carrier which carries elevated
privileges then, yes, you would get those elevated privileges of that
app.

It's a bug in the way Android checks the apks.  An apk is just a zip file
with a series of signed files.  The flaw occurs if the zip file contains
more than one entry with the same exact name (and, presumably, path).
In that case, Android loads the first file but only checks the signature
on that LAST file.  OOOPPPSSS...  Epic fail.

http://news.techworld.com/mobile-wireless/3456734/proof-of-concept-exploit-available-for-android-app-signature-check-vulnerability/
https://jira.cyanogenmod.org/browse/CYAN-1602

The exploit is to take a known good app and unpack it using apktool,
then replace the files you want to trojan and rebuild the apk.  Then,
using a "zip" that will support it (the author of some PoC code used a
python routine), append the original files to the new zip after the
trojaned ones.  Voila.  Less than 3 dozen lines of shell code.

https://gist.github.com/poliva/36b0795ab79ad6f14fd8

Google has already implemented scanning of all the apps in the Play
store and no legitimate app should have multiple files of the same name
in the apk so it's pretty simple to scan for.  The fix for Android is to
prohibit any apps with duplicate file names in the apk.  Google has
deployed the patch to vendors and it's even already in all the branches
of CyanogenMod.

Advice...  Don't sideload apps or enable untrusted sources unless you
really REALLY know what you're getting.

> 
> -- CHS
> 

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
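The post notes that no legitimate apk carries two entries with the same name, so the condition is "pretty simple to scan for." The script below is an added example of that defender-side check; it is not code from the post, from Google, from CyanogenMod, or from the linked PoC. It walks the zip central directory (where every record survives, unlike name-keyed lookup, which keeps only the last record for a name) and reports any name that appears more than once, along with the CRC and size of each record so an analyst can see that the records differ. The sample archive it builds is a constructed fixture with a duplicated `classes.dex`, not a real app.

```python
"""
Scan an APK (a zip archive) for duplicate entry names: the shape of the
Android signature-check bug described above, where the file loaded and
the file whose signature was verified were two different records with
the same name.  Any duplicate name in a shipped apk is a red flag.
"""
import io
import warnings
import zipfile
from collections import defaultdict


def find_duplicate_entries(zip_bytes):
    """Return {name: [(central-dir index, CRC32, size), ...]} for every
    entry name that occurs more than once.  Empty dict means clean."""
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # infolist() preserves every central-directory record in order;
        # getinfo()/read(name) would silently resolve to the LAST record.
        for index, info in enumerate(zf.infolist()):
            seen[info.filename].append((index, info.CRC, info.file_size))
    return {name: recs for name, recs in seen.items() if len(recs) > 1}


def describe_ambiguity(zip_bytes):
    """For each duplicated name, show that a reader taking the first
    record and one taking the last record (name-keyed access in Python's
    zipfile) disagree on the bytes.  That disagreement is the bug."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        for name, recs in find_duplicate_entries(zip_bytes).items():
            first = zf.read(infos[recs[0][0]])  # positional: first record
            last = zf.read(name)                # name-keyed: last record
            report[name] = {"first": first, "last": last,
                            "differ": first != last}
    return report


def build_constructed_fixture(duplicate=True):
    """Constructed sample archive (NOT a real apk, assumption of this
    example).  With duplicate=True it carries two 'classes.dex' records,
    the condition the scanner is meant to catch; with duplicate=False it
    is a clean archive for a negative test."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile itself warns on a duplicate name; that warning is
        # exactly the signal a build pipeline should treat as fatal.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"constructed: first record")
            if duplicate:
                zf.writestr("classes.dex", b"constructed: second record")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python scan_dupes.py some.apk   (no argument: scan the fixture)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_constructed_fixture()
    dups = find_duplicate_entries(data)
    if not dups:
        print("OK: no duplicate entry names")
    for name, recs in dups.items():
        print(f"DUPLICATE {name}: {len(recs)} records")
        for index, crc, size in recs:
            print(f"  central-dir #{index}  crc=0x{crc:08x}  size={size}")
```

Run it against a real apk by passing the path; with no argument it scans the constructed fixture and flags `classes.dex`. The check is deliberately on the central directory rather than on local file headers, because that is where the post's fix (reject any apk with duplicate names) is cheapest to enforce.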