Google Android 4.3.1 Package Signature Verification ZipFile.java getInputStream improper authentication
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.7 | $0-$5k | 0.00 |
Summary
A vulnerability has been found in Google Android 4.3.1 and classified as critical. The affected element is the function getInputStream of the file main/java/java/util/zip/ZipFile.java of the component Package Signature Verification Handler. The manipulation leads to improper authentication.
Furthermore, an exploit is available.
The affected component should be upgraded.
Details
A vulnerability was found in Google Android 4.3.1 (Smartphone Operating System). It has been rated as critical. This issue affects the function getInputStream of the file main/java/java/util/zip/ZipFile.java of the component Package Signature Verification Handler. The manipulation with an unknown input leads to a improper authentication vulnerability. Using CWE to declare the problem leads to CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Impacted is confidentiality, integrity, and availability.
The weakness was published 07/23/2013 by Saurik as Yet Another Android Master Key Bug as confirmed blog post (Website). The advisory is shared at saurik.com. The public release has been coordinated with Google. The blog post contains:
What makes this bug exceptionally hilarious is the large comment sitting above it carefully pointing out that the length of the extra data might differ from the value stored in the central directory.The attack may be initiated remotely. A simple authentication is necessary for exploitation. Technical details as well as a public exploit are known. The advisory points out:
The bug that underlies this exploit is very similar to the one I analyzed in my previous article, bug #9695860. Specifically, this will look very similar to the original technique for that bug by Android Security Squad, with a few aspects of the first improvement I descibed in the section "Extreme Offset".
A public exploit has been developed by Saurik in Python and been published immediately after the advisory. The exploit is available at saurik.com. It is declared as proof-of-concept. We expect the 0-day to have been worth approximately $25k-$100k. The advisory illustrates:
As some people have been describing these local file header exploits as complex to pull off (Android Police had said in an article that bug #9695860 "is more precise and relies on a fairly complete knowledge about the structure of the files"), I am going to provide a proof of concept for this exploit in Python.
Upgrading to version 4.4 eliminates this vulnerability. The upgrade is hosted for download at android.googlesource.com. A possible mitigation has been published immediately after the disclosure of the vulnerability. The blog post contains the following remark:
Clearly, it would be ideal to also disclose bugs earlier, but frankly: Google has known about this bug since July… (…) The fix for this issue is very similar to the fix I published for bug #9695860, so the code for this extension will look very similar; the only new code is a few lines that check that the name length from the local header matches the one from the central directory. You can see the patch to Backport for reference. (…) For users hoping for an end-to-end implementation to this bug, I have released an updated build of Cydia Impactor that will autodetect its usability and use it as a system exploit when available (it actually checks this bug first, as it is more likely to be present than either of the other two bugs).
The vulnerability is also documented in the databases at SecurityFocus (BID 63547†) and OSVDB (99493†). androidcommunity.com is providing further details. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.google.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.3VulDB Meta Temp Score: 5.7
VulDB Base Score: 6.3
VulDB Temp Score: 5.7
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Improper authenticationCWE: CWE-287
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: Saurik
Reliability: 🔍
Programming Language: 🔍
Download: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Upgrade: Android 4.4
Timeline
07/23/2013 🔍07/23/2013 🔍
07/23/2013 🔍
11/04/2013 🔍
11/13/2013 🔍
03/23/2019 🔍
Sources
Vendor: google.comAdvisory: Yet Another Android Master Key Bug
Researcher: Saurik
Status: Confirmed
Coordinated: 🔍
GCVE (VulDB): GCVE-100-11105
SecurityFocus: 63547 - Google Android Signature Verification Security Bypass Vulnerability
OSVDB: 99493
scip Labs: https://www.scip.ch/en/?labs.20150917
Misc.: 🔍
Entry
Created: 11/13/2013 12:26Updated: 03/23/2019 08:55
Changes: 11/13/2013 12:26 (64), 03/23/2019 08:55 (6)
Complete: 🔍
Cache ID: 216:4D6:103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.