10. A look back at history
• Exec Code Master Key
– Android 1.6 through 4.2 does not properly check cryptographic signatures for applications, which allows attackers to execute arbitrary code via an application package file (APK) that is modified in a way that does not violate the cryptographic signature, probably involving multiple entries in a Zip file with the same name in which one entry is validated but the other entry is installed, aka Android security bug 8219321 and the "Master Key" vulnerability.
• Exec Code Overflow
– A stack-based buffer overflow in libsysutils in Android up to 2.2.2 and up to 2.3.6 allows user-assisted remote attackers to execute arbitrary code via an application that calls the FrameworkListener::dispatchCommand method with the wrong number of arguments, as in the zergRush demonstration, which triggers a use-after-free.
• Privacy
– Android Picasa in Android 3.0 and 2.x through 2.3.4 uses a cleartext HTTP session when transmitting the authToken obtained from ClientLogin, which allows remote attackers to gain privileges and access private pictures and web albums by sniffing the token from connections with picasaweb.google.com.
• DoS WebView
– On Android 3.0 through 4.1.x devices from Disney Mobile, eAccess, KDDI, NTT DoCoMo, SoftBank and others, the WebView class is not implemented correctly, which allows remote attackers to call arbitrary methods of Java objects or cause a DoS (reboot) via a crafted page, as demonstrated by the use of WebView.addJavascriptInterface, a related issue to CVE-2012-6636.
• DoS Zygote
– Zygote in Android 4.0.3 and earlier accepts fork requests from processes with arbitrary UIDs, which allows remote attackers to cause a denial of service (reboot loop) via a crafted application.
• Bypass
– Android 4.0 through 4.3 allows attackers to bypass intended access restrictions and remove device locks via a crafted application that invokes the updateUnlockMethodAndFinish method in the com.android.settings.ChooseLockGeneric class with the PASSWORD_QUALITY_UNSPECIFIED option.
• Exec Code JS API
– java/android/webkit/BrowserFrame.java in Android before 4.4 uses the addJavascriptInterface API in conjunction with creating an object of the SearchBoxImpl class, which allows attackers to execute arbitrary Java code by leveraging access to the searchBoxJavaBridge_ interface at certain Android API levels.
• SSL PRNG
– Android before 4.4 does not properly arrange seeding of the OpenSSL PRNG, which helps attackers defeat cryptographic protection mechanisms by leveraging use of the PRNG within multiple applications.
• Exec Code Sql
– Multiple SQL injection vulnerabilities in the queryLastApp method in packages/WAPPushManager/src/com/android/smspush/WapPushManager.java in the WAPPushManager module in Android before 5.0.0 allow remote attackers to execute arbitrary SQL commands, and consequently launch an activity or service, via the (1) wapAppId or (2) contentType field of a PDU for a malformed WAPPush message, aka Bug 17969135.
• addAccount Method Vulnerability
– The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824.
• Graphic buffer DoS and Memory corruption
– Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to cause a DoS (memory corruption) or gain privileges via vectors that trigger a large number of (1) file descriptors or (2) integer values.
Grandma's old handbag / M Schoenefeld 10
62. The update package contains native libraries
unzip -t avbases.zip
Archive: avbases.zip
testing: avbases/ OK
testing: avbases/android.kdc OK
testing: avbases/index OK
testing: avbases/kavheur.kdl OK
testing: avbases/kms90.avc OK
testing: avbases/libkavheur.kdl.so OK
testing: avbases/libkavsdk.so OK
testing: avbases/list.ksl OK
testing: avbases/mmh001.kdc OK
testing: avbases/mmh002.kdc OK
testing: avbases/mmheur.mft OK
testing: avbases/mmheur01.kdc OK
testing: avbases/mmhlnk01.kdc OK
testing: avbases/version.txt OK
No errors detected in compressed data of avbases.zip.
64. The update package contains native libraries
unzip -p avbases.zip avbases/libkavsdk.so > x.so ; readelf -a x.so
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: ARM
Version: 0x1
Entry point address: 0x8d48
Start of program headers: 52 (bytes into file)
Start of section headers: 185432 (bytes into file)
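The two package checks these slides imply, as an added example that is not from the talk or the product: a scan of an update zip that flags same-name entries (the Master Key pattern from slide 10) and identifies native ELF members by decoding the header fields readelf shows on slide 64. The sample zip, its file names and the ARM header values are constructed to mirror the slides; the function names are assumptions.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "Intel 80386", 40: "ARM", 62: "x86-64", 183: "AArch64"}

def parse_elf_header(data):
    """Decode the fields readelf prints under 'ELF Header'; None if not an ELF file."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:   # ELF32: 4-byte e_entry / e_phoff / e_shoff
        e_type, e_machine, _, e_entry, e_phoff, e_shoff = struct.unpack(endian + "HHIIII", data[16:36])
    else:               # ELF64: 8-byte e_entry / e_phoff / e_shoff
        e_type, e_machine, _, e_entry, e_phoff, e_shoff = struct.unpack(endian + "HHIQQQ", data[16:48])
    return {"class": "ELF32" if ei_class == 1 else "ELF64",
            "data": "little endian" if ei_data == 1 else "big endian",
            "type": E_TYPE.get(e_type, hex(e_type)),
            "machine": E_MACHINE.get(e_machine, hex(e_machine)),
            "entry": e_entry, "phoff": e_phoff, "shoff": e_shoff}

def audit_update_zip(blob):
    """Flag duplicate entry names (the Master Key pattern) and list native ELF members."""
    zf = zipfile.ZipFile(io.BytesIO(blob))
    entries = zf.infolist()   # keeps every central-directory entry, same-name ones included
    dups = sorted(n for n, c in Counter(zi.filename for zi in entries).items() if c > 1)
    natives = {}
    for zi in entries:
        # open by ZipInfo, not by name: by-name lookup silently resolves to the last entry
        hdr = parse_elf_header(zf.open(zi).read(64))
        if hdr:
            natives[zi.filename] = hdr
    return {"duplicate_names": dups, "native_libraries": natives}

def build_sample_zip():
    """Constructed update package: a data file, a fake ARM .so, and a shadowing 'version.txt'."""
    elf = (ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8   # ELF32, little endian, version 1, SysV ABI
           + struct.pack("<HHIIIIIHHHHHH", 3, 40, 1, 0x8D48, 52, 185432, 0, 52, 32, 0, 40, 0, 0))
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")   # zipfile warns 'Duplicate name' on write; that is the point
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("avbases/version.txt", "1\n")
            zf.writestr("avbases/libkavsdk.so", elf)
            zf.writestr("avbases/version.txt", "9999\n")
    return buf.getvalue()
```

Run audit_update_zip(build_sample_zip()) to see the duplicate name reported alongside the decoded ARM header of the .so member.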
77. Querying the DB version over http
import android.app.IntentService;
import java.net.MalformedURLException;
import java.net.URL;
public class GetServerVirusDefsService extends IntentService {
    private void a() {
        URL u = null;
        try {
            u = new URL("http://redacted.com/antivirus/virusdb/version.html"); // cleartext http, no TLS
        } catch (MalformedURLException nue) {}
        // ... rest of the method not shown on the slide
    }
}