[INFO] Everything about Android "Master Key" Vulnerability

Search This thread
By:
Advanced…
Adam77Root

Adam77Root

Inactive Recognized Developer
Jul 3, 2012
2,521
11,117
Hello everybody!

You might have heard of the notorious "Master Key" Vulnerabilty that affects 99% of Android devices. It basically allows a knowledged attacker to access all private and application data. For more information visit: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/.

CM team has recently (on 7th July) committed the fix for the patch. Here it is: https://github.com/CyanogenMod/android_libcore/commit/fe70e697810a7a8b9ce47325f53d16fdbc19f1f8. Gerrit link: http://review.cyanogenmod.org/#/c/45251/

I've created a patch from the differences of an older and a newer, patched core.jar from CM 10.1. I attach it in the attachment. It may happen that you have to modify it a bit to fit your rom's needs.

List of invulnerable (patched) roms:
  • Stock roms that received the patch in a software update
  • CM 10.1.1 stable
  • CM nightlies starting from 8th July (maybe 7th is patched as well, depends on build time)
  • Any other CM/AOSP-based roms which include the patch. Most of them directly inherit CM's libcore and if the build was created after 7th July, it's patched.
  • Custom roms that are patched

Any other roms that are not in the list are vulnerable! If you bump into this thread, test the rom you are using to be sure and ask your rom cook to include it. Perform the test with this app: https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner.
 

Attachments

  • fix_ZipFile.patch
    14.4 KB · Views: 1,638
  • Like
Reactions: viewer2008, krishna fattepurkar, paco9432 and 18 others
biopsin

biopsin

Senior Member
Nov 2, 2010
469
111
oslo
regarding cm10

Hi, I´m trying to port this patch to cm10 and I have adapted all except where there was difference in patch vs cm10

Patch
- if-ge v10, v13, :cond_6
+ if-ge v11, v14, :cond_7

I have
- if-ge v10, v13, :cond_118
+ if-ge v11, v14, :cond_119 ??
How do I interpret the :cond_value, do I up it to the next nr.? thats what I did but this bootloops on me with..
Code: 
W/dalvikvm( 4219): VFY: copy1 v0<-v24 type=22 cat=3
W/dalvikvm( 4219): VFY:  rejecting opcode 0x08 at 0x0021
W/dalvikvm( 4219): VFY:  rejected Ljava/util/zip/ZipFile;.readCentralDir ()V
W/dalvikvm( 4219): Verifier rejected class Ljava/util/zip/ZipFile;
D/AndroidRuntime( 4219): Shutting down VM
W/dalvikvm( 4219): threadid=1: thread exiting with uncaught exception (group=0x4119d300)
I will go over my editing incase of human error..

EDIT: seems I figured it out..booting now - OK there was another tiny difference between cm10 and cm10.1.1 where cm10 has
.method private readCentralDir()V
.registers 25 -> instead of .locals 24
Click to expand...
Click to collapse

Tested with Bluebox Secury Scanner and it reports Patched! Exellent Thanks for the diff..
 
Last edited:
  • Like
Reactions: wargear
edwin270

edwin270

Senior Member
May 2, 2010
244
142
Tema
www.edsysinc.webs.com
Adam77Root said:
It works on any rom. AFAIK oy Sense has changes in core.jar, but those are also just additions and not deep changes.

Sent from my LG-P880
Click to expand...
Click to collapse

And MIUI based Rom? Going through it's app permission it seems to have a very strict rules when it comes to apps even installed from the market.

Guess will have to try. Right?

Sent from my SGH-T959 using xda premium
 
Last edited:
Adam77Root

Adam77Root

Inactive Recognized Developer
Jul 3, 2012
2,521
11,117
You have to ask the developer to include it in his/her rom.

Sent from my LG-P880
 
  • Like
Reactions: takota6
md2020

md2020

Member
Dec 6, 2004
10
0
Better solution

Here the fast fix attempts to simply close the duplicate file exploit (what this essential is during the zip/unzip process), a better solution would be to modify the OS to use a TDE (Transparent Data Encryption) method, which would be simple enough to insure very low overhead, example would be a simple rotating, key, subkey column method.

What will happen now and is, would be the generations of common or desiable applications that have been compromised, where the target assumes it is a "Real Deal" and it simply looks and feels like the Real Deal but would essential work on that exploited victim's system like some notorious rootkit.
md2020

Or maybe not, thanks for the thread (brought up memories of MD5 tunneling and other fast indirect means of circumvention)
 
Ricky Divjakovski

Ricky Divjakovski

Recognized Developer / Inactive RC
Feb 4, 2013
5,288
7,687
28
Sydney
Adam77Root said:
Hello everybody!

You might have heard of the notorious "Master Key" Vulnerabilty that affects 99% of Android devices. It basically allows a knowledged attacker to access all private and application data. For more information visit: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/.

CM team has recently (on 7th July) committed the fix for the patch. Here it is: https://github.com/CyanogenMod/android_libcore/commit/fe70e697810a7a8b9ce47325f53d16fdbc19f1f8. Gerrit link: http://review.cyanogenmod.org/#/c/45251/

I've created a patch from the differences of an older and a newer, patched core.jar from CM 10.1. I attach it in the attachment. It may happen that you have to modify it a bit to fit your rom's needs.

List of invulnerable (patched) roms:
  • Stock roms that received the patch in a software update
  • CM 10.1.1 stable
  • CM nightlies starting from 8th July (maybe 7th is patched as well, depends on build time)
  • Any other CM/AOSP-based roms which include the patch. Most of them directly inherit CM's libcore and if the build was created after 7th July, it's patched.
  • Custom roms that are patched

Any other roms that are not in the list are vulnerable! If you bump into this thread, test the rom you are using to be sure and ask your rom cook to include it. Perform the test with this app: https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner.
Click to expand...
Click to collapse

hes right, vulnurabilty is black ad white the way @saurik explains it.
didnt suprise me he found it either, guys a master of java as we all know about his iOS exploits and Cydia package
 
Vagelis1608

Vagelis1608

Senior Member
Sep 16, 2012
2,247
872
Athens
LG G2 Mini
Xiaomi Redmi Note 4
Adam77Root said:
Hello everybody!

You might have heard of the notorious "Master Key" Vulnerabilty that affects 99% of Android devices. It basically allows a knowledged attacker to access all private and application data. For more information visit: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/.

CM team has recently (on 7th July) committed the fix for the patch. Here it is: https://github.com/CyanogenMod/android_libcore/commit/fe70e697810a7a8b9ce47325f53d16fdbc19f1f8. Gerrit link: http://review.cyanogenmod.org/#/c/45251/

I've created a patch from the differences of an older and a newer, patched core.jar from CM 10.1. I attach it in the attachment. It may happen that you have to modify it a bit to fit your rom's needs.

List of invulnerable (patched) roms:
  • Stock roms that received the patch in a software update
  • CM 10.1.1 stable
  • CM nightlies starting from 8th July (maybe 7th is patched as well, depends on build time)
  • Any other CM/AOSP-based roms which include the patch. Most of them directly inherit CM's libcore and if the build was created after 7th July, it's patched.
  • Custom roms that are patched

Any other roms that are not in the list are vulnerable! If you bump into this thread, test the rom you are using to be sure and ask your rom cook to include it. Perform the test with this app: https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner.
Click to expand...
Click to collapse

Here is a fix:
http://xdaforums.com/showthread.php?t=2365294

Sent from my GT-I5500 [Newly flashed CM10.1]
 
paco9432

paco9432

Member
Dec 15, 2013
22
5
How to apply the fix

I appreciate this...

But how can I apply this fix, by the way I don't have any special ROM

Could you point me in the right direction please... ;)
 
Vagelis1608

Vagelis1608

Senior Member
Sep 16, 2012
2,247
872
Athens
LG G2 Mini
Xiaomi Redmi Note 4
Vagelis1608 said:
Here is a fix:
http://xdaforums.com/showthread.php?t=2365294

Sent from my GT-I5500 [Newly flashed CM10.1]
Click to expand...
Click to collapse

paco9432 said:
I appreciate this...

But how can I apply this fix, by the way I don't have any special ROM

Could you point me in the right direction please... ;)
Click to expand...
Click to collapse

Just follow the installation steps at the #1 post of the topic I provided ([URL="http://xdaforums.com/showthread.php?t=2365294" ]this[/URL])

If you need any more help just sent me a pm.

Sent from my GT-I5500 [CM11]
 
Last edited:
You must log in or register to reply here.

Similar threads

Chainfire
[ROOT EXPLOIT+PATCH][2012.12.19] ExynosAbuse APK v1.40
Replies
1K
Views
2M
D
djanielle
Snoop05
[OFFICIAL][TOOL][WINDOWS] ADB, Fastboot and Drivers - 15 seconds ADB Installer v1.4.3
Replies
2K
Views
7M
abdulkareem786
abdulkareem786
B
[UTIL][WIN][MT65xx] MTK Droid Root & Tools | MediaTek Android Smartphone
Replies
2K
Views
3M
A
allyalla
BSDgeek_Jake
  • Poll
MoaAB: Mother of All AD-BLOCKING > BLOCKS ADware Malware Spyware Bloatware Ransomware
Replies
5K
Views
2M
J
jonatansuarez
piraterex
  • Poll
[Android][Guide]Hacking And Bypassing Android Password/Pattern/Face/PI
Replies
202
Views
1M
M
Masaketsu

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 21
    Adam77Root
    Adam77Root
    Hello everybody!

    You might have heard of the notorious "Master Key" Vulnerabilty that affects 99% of Android devices. It basically allows a knowledged attacker to access all private and application data. For more information visit: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/.

    CM team has recently (on 7th July) committed the fix for the patch. Here it is: https://github.com/CyanogenMod/android_libcore/commit/fe70e697810a7a8b9ce47325f53d16fdbc19f1f8. Gerrit link: http://review.cyanogenmod.org/#/c/45251/

    I've created a patch from the differences of an older and a newer, patched core.jar from CM 10.1. I attach it in the attachment. It may happen that you have to modify it a bit to fit your rom's needs.

    List of invulnerable (patched) roms:
    • Stock roms that received the patch in a software update
    • CM 10.1.1 stable
    • CM nightlies starting from 8th July (maybe 7th is patched as well, depends on build time)
    • Any other CM/AOSP-based roms which include the patch. Most of them directly inherit CM's libcore and if the build was created after 7th July, it's patched.
    • Custom roms that are patched

    Any other roms that are not in the list are vulnerable! If you bump into this thread, test the rom you are using to be sure and ask your rom cook to include it. Perform the test with this app: https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner.
    View
    2
    takota6
    takota6
    Here is the "Apparent" fix, from the fella who found the exploit
    http://www.saurik.com/id/17
    And sure as sh*t mine came from a cake decorating game,. I discovered this thread because I had 12 international texts last month at .25¢a pop.thanks for bringing it up
    Æaa..\~/
    View
    1
    biopsin
    biopsin
    regarding cm10

    Hi, I´m trying to port this patch to cm10 and I have adapted all except where there was difference in patch vs cm10

    Patch
    - if-ge v10, v13, :cond_6
    + if-ge v11, v14, :cond_7

    I have
    - if-ge v10, v13, :cond_118
    + if-ge v11, v14, :cond_119 ??
    How do I interpret the :cond_value, do I up it to the next nr.? thats what I did but this bootloops on me with..
    Code: 
    W/dalvikvm( 4219): VFY: copy1 v0<-v24 type=22 cat=3
W/dalvikvm( 4219): VFY:  rejecting opcode 0x08 at 0x0021
W/dalvikvm( 4219): VFY:  rejected Ljava/util/zip/ZipFile;.readCentralDir ()V
W/dalvikvm( 4219): Verifier rejected class Ljava/util/zip/ZipFile;
D/AndroidRuntime( 4219): Shutting down VM
W/dalvikvm( 4219): threadid=1: thread exiting with uncaught exception (group=0x4119d300)
    I will go over my editing incase of human error..

    EDIT: seems I figured it out..booting now - OK there was another tiny difference between cm10 and cm10.1.1 where cm10 has
    .method private readCentralDir()V
    .registers 25 -> instead of .locals 24
    Click to expand...
    Click to collapse

    Tested with Bluebox Secury Scanner and it reports Patched! Exellent Thanks for the diff..
    View
    1
    Adam77Root
    Adam77Root
    You have to ask the developer to include it in his/her rom.

    Sent from my LG-P880
    View

New posts