Most probably, if you are not using a top flagship Android smartphone or tablet from a top company like Google, Motorola, Samsung, HTC or LG, then you are using a device running Android 4.3 Jelly Bean. And if you are using a smartphone or tablet running Android 4.3 Jelly Bean or an earlier version, you, or rather your smartphone/tablet, are vulnerable to a serious code-execution vulnerability. This vulnerability was discovered by the Application Security Team of IBM nine months ago. It has been patched in the latest Android version from Google, 4.4 KitKat, but Android 4.3 and older Android versions remain highly vulnerable.
Version | Codename | API | Distribution |
---|---|---|---|
2.2 | Froyo | 8 | 0.8% |
2.3.3 - 2.3.7 | Gingerbread | 10 | 14.9% |
4.0.3 - 4.0.4 | Ice Cream Sandwich | 15 | 12.3% |
4.1.x | Jelly Bean | 16 | 29.0% |
4.2.x | Jelly Bean | 17 | 19.1% |
4.3 | Jelly Bean | 18 | 10.3% |
4.4 | KitKat | 19 | 13.6% |
From this data it can be inferred that 86.4 percent of all Android smartphone and tablet users are at risk from this vulnerability. The finding by the Application Security team at IBM confirmed the presence of a critical code-execution vulnerability that affects all devices running version 4.3 and earlier and lets an attacker exploit it to steal sensitive data from the vulnerable devices.
The IBM security researchers discovered that the stack buffer overflow vulnerability resides in Android's KeyStore storage service, which is responsible for storing and securing the device's cryptographic keys.
“A stack buffer is created by the ‘KeyStore::getKeyForName’ method,” Hay said. “This function has several callers, which are accessible by external applications using the Binder interface (e.g., ‘android::KeyStoreProxy::get’). Therefore, the ‘keyName’ variable can be controllable with an arbitrary size by a malicious application.” The experts explained: “The ‘encode_key’ routine that is called by ‘encode_key_for_uid’ can overflow the ‘filename’ buffer, since bounds checking is absent.”
Anybody with knowledge of Android API programming can successfully exploit this vulnerability. Once exploited, the attacker can execute malicious code under the keystore process. Such code can lead to serious leakage of the device's lock credentials: since the master key is derived from the lock credentials, ‘Android::KeyStoreProxy::password’ is called with the credentials whenever the device is unlocked. It can also leak decrypted master keys, data and hardware-backed key identifiers from memory, and encrypted master keys, data and hardware-backed key identifiers from disk for an offline attack. The attackers can also remotely interact with the hardware-backed storage and perform crypto operations (e.g., arbitrary data signing) on behalf of the user.
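To make the missing check concrete, here is an added illustration in C. It is not Android's source and not IBM's code: it models a key-name encoder whose output can be longer than its input (non-printable bytes expand to three characters, an assumed encoding), a fixed stack buffer of an assumed size FILENAME_MAX_LEN, and the hardened form that computes the encoded length first and refuses oversized names instead of overflowing.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FILENAME_MAX_LEN 32   /* constructed stand-in for the fixed stack buffer */

/* Bytes the encoded name will occupy, not counting the terminating NUL.
 * Bytes outside the printable range '0'..'~' expand to "+XX" (assumed scheme). */
static size_t encoded_length(const uint8_t *in, size_t in_len) {
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++)
        n += (in[i] < '0' || in[i] > '~') ? 3 : 1;
    return n;
}

/* Raw encoder: writes as many bytes as the input demands and trusts the
 * caller for space. Called on its own with a fixed buffer, this is the
 * vulnerable shape described in the article (no bounds checking). */
static void encode_key_raw(char *out, const uint8_t *in, size_t in_len) {
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] < '0' || in[i] > '~') {
            *out++ = '+';
            *out++ = "0123456789abcdef"[in[i] >> 4];
            *out++ = "0123456789abcdef"[in[i] & 0x0F];
        } else {
            *out++ = (char)in[i];
        }
    }
    *out = '\0';
}

/* Hardened form: verify the encoded size (plus NUL) fits before writing.
 * Returns the encoded length, or -1 when the name would overflow `out`. */
static int encode_key_checked(char *out, size_t out_len,
                              const uint8_t *in, size_t in_len) {
    size_t need = encoded_length(in, in_len);
    if (need + 1 > out_len)
        return -1;
    encode_key_raw(out, in, in_len);   /* safe: space already verified */
    return (int)need;
}

/* A caller in the style of getKeyForName: fixed stack buffer, attacker-
 * sized name. With the check in place an oversized name is rejected. */
static int encode_into_stack_buffer(const char *name) {
    char filename[FILENAME_MAX_LEN];
    return encode_key_checked(filename, sizeof filename,
                              (const uint8_t *)name, strlen(name));
}
```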
A potential attacker can theoretically exploit the above vulnerability, which exists in all Android devices prior to Android 4.4 KitKat, but experts believe the exploit is pretty hard to execute due to numerous difficulties, like the need to bypass memory-based protections native to the operating system, including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Data Execution Prevention is an exploit mitigation used to prevent execution of malicious code, but attackers have had success bypassing it using Return Oriented Programming (ROP) attacks. ASLR is used to mitigate buffer overflow attacks by randomizing the memory locations used by system files and other programs; with this technique in place it is hard to guess the location of a given process's code and data.
“However, the Android KeyStore is respawned every time it terminates. This behaviour enables a probabilistic approach; moreover, the attacker may even theoretically abuse ASLR to defeat the encoding” states the post.
The experts confirmed that they haven't seen the flaw being exploited in the wild yet. Google is currently upgrading Android devices to Android KitKat 4.4.4 with build number KTU84P (branch kitkat.-mr21-release); the new update was mainly issued to fix the CCS Injection Vulnerability (CVE-2014-0224). You can read about it here. Sadly, only the Nexus range of devices and Motorola devices are receiving upgrades as of now. Other manufacturers have been pretty slow with upgrades, with Samsung releasing the 4.4 upgrade for its flagships only last week across the US and the Indian subcontinent.