Message-ID: <5463DF67.1090308@fundacionsadosky.org.ar>
Date: Wed, 12 Nov 2014 19:29:59 -0300
From: Programa STIC <stic@...dacionsadosky.org.ar>
To: fulldisclosure@...lists.org
Subject: [FD] Prey Anti-Theft for Android missing SSL certificate validation [STIC-2014-0731]

	Fundación Dr. Manuel Sadosky - Programa STIC Advisory
		www.fundacionsadosky.org.ar

Prey Anti-Theft for Android missing SSL certificate validation

1. *Advisory Information*

Title: Prey Anti-Theft for Android missing SSL certificate validation
Advisory ID: STIC-2014-0731
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-11-11
Date of last update: 2014-11-11
Vendors contacted: Fork Ltd. (developer of Prey Anti-theft)
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Improper Following of a Certificate's Chain of Trust [CWE-296]
Impact: Denial of service, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Identifier: CVE-PENDING

3. *Vulnerability Description*

    Prey Anti-theft for Android is a free application that lets
smartphone owners track and locate lost or stolen devices. It provides
accurate geolocation of a missing device and allows users to remotely
lock it, take pictures, play alarm sounds or display onscreen
messages. The application features can be controlled from the Prey
project's website or via SMS. As of November 2014 the application had
between 1 and 5 million installations worldwide according to Google
Play statistics[1].

    Although communication between the Prey application running on an
Android device and the controlling web server is performed over HTTPS,
the former does not validate the SSL certificate presented by the
latter. As a result it is possible to completely subvert the
anti-theft protection of Prey. To do so, an attacker simply needs to
perform a Man-in-the-Middle attack on the communications between the
Prey app running in the device (presumably stolen and locked with a
user-provided password) and the web server, present a fake server SSL
certificate and send a 'lock command' with a password of the
attacker's choosing to the device. The attacker can then unlock the
device manually with her provided password. Other types of attacks are
possible since all communications between the device and the website
can be inspected and modified by an attacker.


4. *Vulnerable packages*

   . Prey Anti-theft for Android version 1.1.3 and below.

5. *Vendor Information, Solutions and Workarounds*

      The vendor acknowledged the problem and committed to publish a
new version of the application fixing the issue by November 11th, 2014.

      In the meantime, users can uninstall the Prey Anti-theft
application by opening the "Settings" panel on their devices,
selecting the "Application Manager", clicking on "Prey" and
"Uninstall". These step by step instructions may vary depending on
which version of the Android OS is running on the device.


6. *Credits*

This vulnerability was discovered and researched by Joaquín Manuel
Rinaudo. The publication of this advisory was coordinated by Programa
de Seguridad en TIC.

7. *Technical Description*

    The vulnerability is found in the 'com.prey.net.HttpUtils' class
which instantiates an HttpClient to connect to Prey's server. The
HttpClient uses a custom SSLSocketFactory named EasySSLSocketFactory
to obtain socket objects used to communicate with the server. This
class also calls the method
'setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)' to
accept as valid any hostname presented in the server certificate[2].
Furthermore, since the EasySSLSocketFactory implements a
'X509TrustManager' with empty verifier methods [3], any SSL
certificate presented by the server is considered valid by the
application. This allows an attacker to mount a MITM attack to
impersonate the Prey panel server with a self-made X509 certificate.
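The pattern just described, and the reason a hostname-verifier change alone cannot fix it (see the 2014-10-30 and 2014-11-03 entries of the report timeline), as an added example that is not part of this advisory nor of the Prey code base: a trust-everything socket factory in the shape the advisory describes, next to a factory that validates against the platform trust store and one that pins the panel certificate. It assumes the Apache HttpClient 4.0 API that Android bundled at the time; the class and method names (TrustAllManager, TrustAllSocketFactory, systemTrustedFactory, pinnedFactory, clientWith) are hypothetical, and the pinned variant assumes the caller supplies the panel certificate as a DER-encoded stream.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import org.apache.http.client.HttpClient;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;

/**
 * Illustrative example (hypothetical names, not Prey's code) of the
 * trust-everything socket factory pattern and two factories that actually
 * validate the server certificate. Targets the HttpClient 4.0 API bundled
 * with Android at the time of the advisory.
 */
public final class PanelSslExample {

    /** VULNERABLE: never throws, so every certificate chain is "trusted". */
    static final class TrustAllManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /**
     * VULNERABLE: the EasySSLSocketFactory shape. Switching the verifier below
     * to STRICT_HOSTNAME_VERIFIER changes nothing of substance: a MITM who
     * forges a certificate whose subject matches the requested host still
     * passes, because the chain is never checked against a trust anchor.
     */
    static final class TrustAllSocketFactory extends SSLSocketFactory {
        private final SSLContext ctx;

        TrustAllSocketFactory() throws GeneralSecurityException {
            super((KeyStore) null);
            ctx = SSLContext.getInstance("TLS");
            ctx.init(null, new TrustManager[] { new TrustAllManager() }, null);
            setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        }

        @Override
        public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
                throws IOException {
            SSLSocket ssl = (SSLSocket) ctx.getSocketFactory().createSocket(socket, host, port, autoClose);
            ssl.startHandshake();                    // succeeds with any certificate at all
            getHostnameVerifier().verify(host, ssl); // the only check left; it only compares names
            return ssl;
        }

        @Override
        public Socket createSocket() throws IOException {
            return ctx.getSocketFactory().createSocket();
        }
    }

    /** FIXED: chain validated against the platform (Android) CA store, strict host match. */
    static SSLSocketFactory systemTrustedFactory() {
        SSLSocketFactory f = SSLSocketFactory.getSocketFactory();
        f.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        return f;
    }

    /** FIXED and PINNED: only chains ending in the bundled panel certificate are trusted. */
    static SSLSocketFactory pinnedFactory(InputStream panelCertDer)
            throws IOException, GeneralSecurityException {
        Certificate panelCert = CertificateFactory.getInstance("X.509").generateCertificate(panelCertDer);
        KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
        truststore.load(null, null);                    // start from an empty store, not the system one
        truststore.setCertificateEntry("panel", panelCert);
        SSLSocketFactory f = new SSLSocketFactory(truststore);
        f.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        return f;
    }

    /** Wires a factory into an HttpClient for the https scheme. */
    static HttpClient clientWith(SSLSocketFactory factory) {
        HttpParams params = new BasicHttpParams();
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", factory, 443));
        return new DefaultHttpClient(new ThreadSafeClientConnManager(params, registry), params);
    }
}
```

The pinned variant must be redeployed whenever the server certificate rotates, which is the usual trade-off against the platform-store variant. Android 6.0 and later no longer bundle this HttpClient, but the same three shapes apply to whatever client replaces it: an empty trust manager is a full bypass regardless of the hostname verifier in front of it.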

     To unlock a stolen device, the attacker needs to spoof the lock
command specifying a new password to gain control of the device. This
could be done by modifying the server's response to the device request
for commands at
'https://solid.preyproject.com/api/v2/devices/[DEVICE_ID].json' to:

/-----
        [
            {
                "command": "start",
                "options": {
                    "unlock_pass": "easy"
                },
                "target": "lock"
            }
        ]

-----/

    The application tries to obtain new commands from the server by
registering to listen for several Android events, such as changes in
connectivity or battery level, toggling of airplane mode, and even the
device being turned on or off.


8. *Report Timeline*

. 2014-09-17:
          Request for security contact info filed in support page on
the Prey project's website.

. 2014-09-23:
          The vendor team asks Programa de Seguridad en TIC to send
the vulnerability report via unencrypted email to
security@...yproject.com.

. 2014-10-01:
          Technical details sent to the vendor.

. 2014-10-25:
	Programa de Seguridad en TIC requested an status update about the
issue and communicated an estimated release date of the advisory by
the 27th of October, 2014. Vendor requested to push back the release
due to an internal re-organization of the teams.

. 2014-10-27:
	Programa de Seguridad en TIC accepted to delay the advisory but only
on the basis in receiving details about the status of the issue and a
date commitment to release an updated version which fixes the problem.

. 2014-10-28:
         Vendor informed that a patch was already developed and
requested for advise as to how to avoid exposing clients running
versions the app that lacked an automatic update capability to
exploitation of the vulnerability.

. 2014-10-29:
	Programa de Seguridad en TIC asked the vendor to send a copy of the
patch so it could then confirm the security issue was addressed. The
vendor was advised to inform the users about the vulnerability and the
risk involved so clients would be encouraged to update the application
so as to minimize the vulnerability impact.

. 2014-10-30:
          Vendor sent the patched version  of the application to the
researcher and notified that the modification consisted in changing
the HostNameVerifier from 'ALLOW_ALL_HOSTNAME_VERIFIER' to
'STRICT_HOSTNAME_VERIFIER'.

. 2014-11-3:
	Programa de Seguridad en TIC informed the vendor that the patch did
not fix the problem since the application was still not verifying the
certificate chain and that the root CA was a valid one from the
Android CA store because they were using an empty TrustManager. Vendor
was also notified that the advisory would be published on November, 10th.

. 2014-11-10:
          Vendor acknowledged the problem and informed that an update
would be available in Google Play store by November 10th.


9. *References*

[1] https://play.google.com/store/apps/details?id=com.prey
[2] https://github.com/prey/prey-android-client/blob/master/src/com/prey/net/HttpUtils.java
[3] https://github.com/prey/prey-android-client/blob/master/src/com/prey/net/EasySSLSocketFactory.java

10. *About Fundación Dr. Manuel Sadosky*

The Dr. Manuel Sadosky Foundation is a mixed (public / private)
institution whose goal is to promote stronger and closer interaction
between industry and the scientific-technological system in all
aspects related to Information and Communications Technology (ICT).
The Foundation was formally created by a Presidential Decree in 2009.
Its Chairman is the Minister of Science, Technology, and Productive
Innovation of Argentina; and the Vice-chairmen are the chairmen of the
country’s most important ICT chambers: The Software and Computer
Services Chamber (CESSI) and the Argentine Computing and
Telecommunications Chamber (CICOMRA). For more information visit:
http://www.fundacionsadosky.org.ar

11. *Copyright Notice*

The contents of this advisory are copyright (c) 2014 Fundación Sadosky
and are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/
