[ale] Android security bug
Charles Shapiro
hooterpincher at gmail.com
Thu Jul 11 23:24:38 EDT 2013
Thank you, Michael, for your excellent write-up. I probably
over-simplified by comparing it to privilege escalation.
-- CHS
On Thu, Jul 11, 2013 at 5:23 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
> Ok... I guess I better chime in on this one before the rumors get too
> out of hand...
>
> On Sat, 2013-07-06 at 10:38 -0400, Charles Shapiro wrote:
> > Be careful out there.
> > ( http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/ ).
> > This basically means that it's possible to grab an application from
> > Google Play and undetectably modify it to do Evil. It's more-or-less the
> > equivalent of a privilege escalation exploit in Unix. Nothing in the wild
> > yet.
>
> No. It is NOT a "privilege escalation exploit". Yes, a malware author
> could take a signed, packaged, app and modify the app in a way that
> includes the malware and appears to be properly signed. But it still
> runs as the permissions and ownership of the original app. There's no
> privilege escalation involved. If the app happens to be one of the apps
> from the handset manufacturer or carrier which carries elevated
> privileges then, yes, you would get those elevated privileges of that
> app.
>
> It's a bug in the way Android checks the apks. An apk is just a zip file
> with a series of signed files. The flaw occurs if the zip file contains
> more than one entry with the same exact name (and, presumably, path).
> In that case, Android loads the first file but only checks the signature
> on that LAST file. OOOPPPSSS... Epic fail.
>
>
> http://news.techworld.com/mobile-wireless/3456734/proof-of-concept-exploit-available-for-android-app-signature-check-vulnerability/
> https://jira.cyanogenmod.org/browse/CYAN-1602
>
> The exploit is to take a known good app and unpack it using apktool.
> Then replace the files you want to trojan and rebuild the apk. Then,
> using a "zip" that will support it (the author of some PoC code used a
> python routine), append the original files to the new zip after the
> trojaned ones. Voila. Less than 3 dozen lines of shell code.
>
> https://gist.github.com/poliva/36b0795ab79ad6f14fd8
>
> Google has already implemented scanning of all the apps in the Play
> store and no legitimate app should have multiple files of the same name
> in the apk so it's pretty simple to scan for. The fix for Android is to
> prohibit any apps with duplicate file names in the apk. Google has
> deployed the patch to vendors and it's even already in all the branches
> of CyanogenMod
>
> Advise... Don't sideload apps or enable untrusted sources unless you
> really REALLY know what you're getting.
>
> >
> > -- CHS
> >
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 |
> http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
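The duplicate-entry condition Mike describes, and the "scan for duplicate names" check that the fix amounts to, as an added Python example that is not part of this thread or of the linked PoC. The archive and its entry names are constructed in memory as a stand-in for an APK; it also shows that Python's own zipfile resolves a name to the last record, the opposite of the loader behaviour described above, which is exactly why two components disagreeing on "which one" is dangerous.

```python
"""Detect duplicate entry names in an APK-style zip archive.
The sample archive is constructed in memory; entry names are placeholders."""
import io
import warnings
import zipfile
from collections import defaultdict


def build_sample_apk() -> bytes:
    """Constructed sample: a zip carrying two 'classes.dex' records.
    The first stands in for modified bytes, the second for the original
    (signed) bytes appended after it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        with warnings.catch_warnings():
            # zipfile warns about the duplicate name but still writes it
            warnings.simplefilter("ignore")
            zf.writestr("classes.dex", b"MODIFIED-DEX")
            zf.writestr("classes.dex", b"ORIGINAL-DEX")
    return buf.getvalue()


def duplicate_entries(data: bytes) -> dict:
    """Map each name appearing more than once in the central directory to
    its local-header offsets, in directory order."""
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # every central-directory record
            seen[info.filename].append(info.header_offset)
    return {name: offs for name, offs in seen.items() if len(offs) > 1}


def entry_versions(data: bytes, name: str) -> list:
    """Contents of every same-named record, first to last. Opening by
    ZipInfo (not by name) reaches one specific record."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zf.open(i).read() for i in zf.infolist() if i.filename == name]


def lookup_by_name(data: bytes, name: str) -> bytes:
    """What a name-based lookup yields here: zipfile keeps the LAST record."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def is_acceptable(data: bytes) -> bool:
    """The fix the thread describes: refuse any archive with duplicate names."""
    return not duplicate_entries(data)


if __name__ == "__main__":
    apk = build_sample_apk()
    print("duplicates:", duplicate_entries(apk))
    print("versions:", entry_versions(apk, "classes.dex"))
    print("by-name lookup:", lookup_by_name(apk, "classes.dex"))
    print("acceptable:", is_acceptable(apk))
```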