Most probably if you not using a top flagship Android smart phone or tablet for a top company like Google Motorola, Samsung, HTC or LG then you are using a smart phone with Android 4.3 Jelly Bean version running aboard. And if you are using the Android 4.3 Jelly Bean or earlier version run smart phone or tablet, you, or rather your smart phone/tablet is vulnerable to a serious code-execution vulnerability. This vulnerability was discovered by the Application Security Team of IBM, nine months ago. This vulnerability has been patched in the latest Android version from Google, the 4.4 KitKat version but Android 4.3 and older Android versions remain highly vulnerable.
As per the latest data available, only 13.6 % of total Android users have Kitkat on their smart phone or tablet. The total distribution of of Android community is divided as follows according to Android Developers site is as follows
| Version | Codename | API | Distribution |
|---|---|---|---|
| 2.2 | Froyo | 8 | 0.8% |
| 2.3.3 - 2.3.7 | Gingerbread | 10 | 14.9% |
| 4.0.3 - 4.0.4 | Ice Cream Sandwich | 15 | 12.3% |
| 4.1.x | Jelly Bean | 16 | 29.0% |
| 4.2.x | 17 | 19.1% | |
| 4.3 | 18 | 10.3% | |
| 4.4 | KitKat | 19 | 13.6% |
From this data it can be inferred that 86.4 percent of the total Android smart phones and tablets users are at risk from this vulnerability. The vulnerability discovered by Application Security team at IBM confirmed the presence of a critical code-execution vulnerability that affects all devices using the versions 4.3 and earlier and lets an attacker/potential hacker exploit it to steal sensitive data from the vulnerable devices.
The IBM security researchers discovered that the stack buffer overflow vulnerability resides in the Android’s KeyStore storage service, which is responsible for storing and securing device’s cryptographic keys.
“A stack buffer is created by the ‘KeyStore::getKeyForName’ method” “This function has several callers, which are accessible by external applications using the Binder interface (e.g., ‘android::KeyStoreProxy::get’). Therefore, the ‘keyName’ variable can be controllable with an arbitrary size by a malicious application,” Hay said. “The ‘encode_key’ routine that is called by ‘encode_key_for_uid’ can overflow the ‘filename’ buffer, since bounds checking is absent.” explained the experts
Anybody with knowledge of Android API programming can successfully exploit this vulnerability. Once exploited the hacker can execute a malicious code under the keystore process. Once executed, such code can lead to serious leaking of the device’s lock credentials. Since the master key is derived by the lock credentials, whenever the device is unlocked, ‘Android::KeyStoreProxy::password’ is called with the credentials.
It can also leak decrypted master keys, data and hardware-backed key identifiers from the memory and encrypted master keys, data and hardware-backed key identifiers from the disk for an offline attack. The hackers can also remotely interact with the hardware-backed storage and perform crypto operations (e.g., arbitrary data signing) on behalf of the user.
An potential wannabe hacker can theoretically exploit the above vulnerability that exists in all the Android devices prior to the Android 4.4 Kitkat but experts believe that exploit is pretty hard to execute due to the presence of numerous difficulties likes the need to to bypass memory-based protections native to the operating system, including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). The Data Execution Prevention is an exploit mitigation that is used to prevent execution of malicious code, but the attackers have had success to bypass it using the Return Oriented Programming (ROP) attacks. The ASLR is used to mitigate buffer overflow attacks randomizing the memory locations used by system files and other programs, implementing this technique it is hard to guess the location of a given process.
“However, the Android KeyStore is respawned every time it terminates. This behaviour enables a probabilistic approach; moreover, the attacker may even theoretically abuse ASLR to defeat the encoding” states the post.
The experts confirmed that they haven’t seen the flaw being exploited in the wild yet. The Google is currently upgrading the Android devices to the Android KitKat 4.4.4 with build number KTU84P (branch kitkat.-mr21-release), the new update was mainly issued to fix the CCS Injection Vulnerability (CVE-2014-0224). You can read about it here. Sadly only Nexus range of devices and Motorola devices would be giving out upgrades as of now. Other manufacturers have been pretty slow with the upgrades with Samsung releasing 4.4 upgrade for its flagships only last week across US and Indian subcontinent.
Resource : security affairs blog
0 comments