[ale] Android security bug

Charles Shapiro hooterpincher at gmail.com
Thu Jul 11 23:24:38 EDT 2013


Thank you Michael for your excellent write-up.  I probably
over-simplified by comparing it to privilege escalation.

-- CHS


On Thu, Jul 11, 2013 at 5:23 PM, Michael H. Warfield <mhw at wittsend.com> wrote:

> Ok...  I guess I better chime in on this one before the rumors get too
> out of hand...
>
> On Sat, 2013-07-06 at 10:38 -0400, Charles Shapiro wrote:
> > Be careful out there.
> > ( http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/ ).
> > This basically means that it's possible to grab an application from
> > Google Play and undetectably modify it to do Evil.  It's more-or-less the
> > equivalent of a privilege escalation exploit in Unix.  Nothing in the wild
> > yet.
>
> No.  It is NOT a "privilege escalation exploit".  Yes, a malware author
> could take a signed, packaged, app and modify the app in a way that
> includes the malware and appears to be properly signed.  But it still
> runs as the permissions and ownership of the original app.  There's no
> privilege escalation involved.  If the app happens to be one of the apps
> from the handset manufacturer or carrier which carries elevated
> privileges then, yes, you would get those elevated privileges of that
> app.
>
> It's a bug in the way Android checks the apks.  An apk is just a zip file
> with a series of signed files.  The flaw occurs if the zip file contains
> more than one entry with the same exact name (and, presumably, path).
> In that case, Android loads the first file but only checks the signature
> on that LAST file.  OOOPPPSSS...  Epic fail.
>
>
> http://news.techworld.com/mobile-wireless/3456734/proof-of-concept-exploit-available-for-android-app-signature-check-vulnerability/
> https://jira.cyanogenmod.org/browse/CYAN-1602
>
> The exploit is to take a known good app and unpack it using apktool.
> Then replace the files you want to trojan and rebuild the apk.  Then,
> using a "zip" that will support it (the author of some PoC code used a
> python routine), append the original files to the new zip after the
> trojaned ones.  Voila.  Less than 3 dozen lines of shell code.
>
> https://gist.github.com/poliva/36b0795ab79ad6f14fd8
>
> Google has already implemented scanning of all the apps in the Play
> store and no legitimate app should have multiple files of the same name
> in the apk so it's pretty simple to scan for.  The fix for Android is to
> prohibit any apps with duplicate file names in the apk.  Google has
> deployed the patch to vendors and it's even already in all the branches
> of CyanogenMod.
>
> Advice...  Don't sideload apps or enable untrusted sources unless you
> really REALLY know what you're getting.
>
> >
> > -- CHS
> >
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>
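The scan Mike describes (reject any package whose zip carries two entries with the same name) is easy to express. The following is an added example written for this page, not code from the thread or from Android; it uses Python's standard zipfile module and a constructed in-memory fixture rather than a real APK. It also shows why a name-keyed lookup is the wrong primitive for such a check: the same name resolves to only one record, while walking the central directory sees both.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict[str, int]:
    """Return {entry_name: count} for every name that appears more than once.
    infolist() walks every central-directory record, so duplicates are seen
    even though name-based lookups (read(name)) silently resolve to one of them."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def apk_is_clean(apk_bytes: bytes) -> bool:
    """Policy from the thread: reject any package with a duplicated entry name."""
    return not duplicate_entries(apk_bytes)


def contents_by_name(apk_bytes: bytes, name: str) -> list[bytes]:
    """Every payload stored under `name`, in central-directory order.
    A verifier and a loader that each pick 'the' entry for a name may
    pick different elements of this list; that inconsistency is the bug."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.open(info).read()
                for info in zf.infolist() if info.filename == name]


def build_sample(duplicate: bool) -> bytes:
    """Constructed test fixture (hypothetical, not a real APK): a zip with a
    classes.dex entry, optionally written twice so two records share a name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00first")
        if duplicate:
            with warnings.catch_warnings():
                # zipfile warns "Duplicate name" but still writes the record
                warnings.simplefilter("ignore", UserWarning)
                zf.writestr("classes.dex", b"dex\n035\x00second")
    return buf.getvalue()


if __name__ == "__main__":
    for dup in (False, True):
        blob = build_sample(dup)
        print("duplicate" if dup else "clean", "->", duplicate_entries(blob))
```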