lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 13 Apr 2020 15:28:38 -0500
From: KoreLogic Disclosures via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] KL-001-2020-001 : Cellebrite Hardcoded ADB Authentication Keys

KL-001-2020-001 : Cellebrite Hardcoded ADB Authentication Keys

Title: Cellebrite Hardcoded ADB Authentication Keys
Advisory ID: KL-001-2020-001
Publication Date: 2020.04.13
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2020-001.txt


1. Vulnerability Details

     Affected Vendor: Cellebrite
     Affected Product: UFED
     Affected Version: 5.0 - 7.29
     Platform: Embedded Windows
     CWE Classification: CWE-321: Use of hardcoded cryptographic keys
     CVE ID: CVE-2020-11723


2. Vulnerability Description

     Cellebrite UFED uses four hardcoded RSA private keys to
     authenticate to the ADB daemon on target devices. Extracted
     keys can be used to place evidence onto target devices when
     performing a forensic extraction.


3. Technical Description

     The AndroidLib.dll file will be found in the Program Files
     directory at the following path: C:\Program Files\Cellebrite
     Mobile Synchronization\UFED Touch\AndroidLib.dll

     This file contains the code used to authenticate to the ADB
     daemon on devices to be forensically imaged. This library
     relies on the CryptImportKey function to import a private key
     for use during this operation. The bytes used to repsent the
     key are hardcoded into the AndroidLib.dll file. This file may be
     protected by Themida but can be recovered through deobfuscation
     techniques.

     The CryptImportKey function uses a private key structure called:
     MS PRIVATEKEYBLOB. Keys that are following this format can be
     found by searching for "RSA2" as US-ASCII values inside of the
     AndroidLib.dll file. There are three keys available between
     the versions 5.0 and 7.1.

       0x6c598  952  ?PrivateKey1@...Auth@@0QBEB
       Ordinal_952                                     XREF[2]:     Entry Point(*), 100867b4(*)
       ?PrivateKey1@...Auth@@0QBEB
       1006c598 07              ??         07h
       1006c599 02              ??         02h
       1006c59a 00              ??         00h
       1006c59b 00              ??         00h
       1006c59c 00              ??         00h
       1006c59d a4              ??         A4h
       1006c59e 00              ??         00h
       1006c59f 00              ??         00h
       1006c5a0 52              ??         52h    R
       1006c5a1 53              ??         53h    S
       1006c5a2 41              ??         41h    A
       1006c5a3 32              ??         32h    2
       ...


       0x6ca30  953  ?PrivateKey2@...Auth@@0QBEB
       Ordinal_953                                     XREF[2]:     Entry Point(*), 100867b8(*)
       ?PrivateKey2@...Auth@@0QBEB
       1006ca30 07              ??         07h
       1006ca31 02              ??         02h
       1006ca32 00              ??         00h
       1006ca33 00              ??         00h
       1006ca34 00              ??         00h
       1006ca35 a4              ??         A4h
       1006ca36 00              ??         00h
       1006ca37 00              ??         00h
       1006ca38 52              ??         52h    R
       1006ca39 53              ??         53h    S
       1006ca3a 41              ??         41h    A
       1006ca3b 32              ??         32h    2
       ...


       0x6cec8  954  ?PrivateKey3@...Auth@@0QBEB
       Ordinal_954                                     XREF[2]:     Entry Point(*), 100867bc(*)
       ?PrivateKey3@...Auth@@0QBEB
       1006cec8 07              ??         07h
       1006cec9 02              ??         02h
       1006ceca 00              ??         00h
       1006cecb 00              ??         00h
       1006cecc 00              ??         00h
       1006cecd a4              ??         A4h
       1006cece 00              ??         00h
       1006cecf 00              ??         00h
       1006ced0 52              ??         52h    R
       1006ced1 53              ??         53h    S
       1006ced2 41              ??         41h    A
       1006ced3 32              ??         32h    2
       ...


     A fourth key can be found within the KnockoutNG EPR file but
     exists in the normally used PEM format:

       00000000  2d 2d 2d 2d 2d 42 45 47  49 4e 20 52 53 41 20 50  |-----BEGIN RSA P|
       00000010  52 49 56 41 54 45 20 4b  45 59 2d 2d 2d 2d 2d 0a  |RIVATE KEY-----.|
       00000020  4d 49 49 45 70 51 49 42  41 41 4b 43 41 51 45 41  |MIIEpQIBAAKCAQEA|
       00000030  75 74 72 41 62 39 37 43  74 4e 6e 6d 2b 57 53 5a  |utrAb97CtNnm+WSZ|
       00000040  7a 52 6b 2b 53 61 6c 50  32 6c 68 47 48 62 37 35  |zRk+SalP2lhGHb75|
       ...

     Once extracted, the keys can be converted into PEM using the
     openssl binary and are then available for use by the stock
     android adb client.

       $ ls -la
       total 36
       drwxr-xr-x 1 level level  346 Oct 19 07:04 .
       drwxr-xr-x 1 level level 2842 Oct 13 09:32 ..
       -rw------- 1 level level 1671 Sep 10 06:56 cellebrite_adb_key1
       -rw-r--r-- 1 level level  717 Sep 10 06:56 cellebrite_adb_key1.pub
       -rw------- 1 level level 1679 Sep 10 06:55 cellebrite_adb_key2
       -rw-r--r-- 1 level level  717 Sep 10 06:56 cellebrite_adb_key2.pub
       -r--r--r-- 1 level level 1736 Oct 13 09:26 cellebrite_adb_key3
       -r--r--r-- 1 level level  717 Oct 13 09:26 cellebrite_adb_key3.pub
       -rw------- 1 level level 1679 Oct 18 15:44 cellebrite_adb_key4
       -rw-r--r-- 1 level level  451 Oct 18 15:46 cellebrite_adb_key4.pub


4. Mitigation and Remediation Recommendation

     The vendor has addressed this vulnerability in UFED v7.30 update
     released March 3, 2020. Licensed users should update via the
     MyCellebrite Portal. Release notes can be found at:


https://www.cellebrite.com/en/productupdates/ufed-and-ufed-infield-7-30-provides-new-support-for-smartphones-with-huawei-kirin-processor/


5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.


6. Disclosure Timeline

     2019.12.12 - KoreLogic submits vulnerability details to Cellebrite.
     2019.12.12 - Cellebrite acknowledges receipt.
     2020.01.29 - Cellebrite informs KoreLogic that a remediation will
                  be implemented in the next scheduled release and asks
                  for coordinated disclosure following subsequent
                  customer updates. KoreLogic agrees.
     2020.03.03 - Cellebrite releases UFED v7.30.
     2020.03.04 - Cellebrite asks for disclosure to remain embargoed
                  for 2-4 weeks for existing customers to upgrade.
                  KoreLogic agrees.
     2020.04.08 - CVE requested from MITRE.
     2020.04.12 - MITRE assigns CVE-2020-11723.
     2020.04.13 - KoreLogic public disclosure.


7. Proof of Concept

    See section 3. Technical Description.


The contents of this advisory are copyright(c) 2020
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt


Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists