
[INFO] Everything about Android "Master Key" Vulnerability

By Adam77Root, Recognized Developer on 11th July 2013, 06:55 PM
Hello everybody!

You might have heard of the notorious "Master Key" Vulnerability that affects 99% of Android devices. It basically allows a knowledgeable attacker to access all private and application data. For more information visit: http://bluebox.com/corporate-blog/bl...id-master-key/.

CM team has recently (on 7th July) committed the fix for the patch. Here it is: https://github.com/CyanogenMod/andro...3d16fdbc19f1f8. Gerrit link: http://review.cyanogenmod.org/#/c/45251/

I've created a patch from the differences of an older and a newer, patched core.jar from CM 10.1. It is attached to this post. It may happen that you have to modify it a bit to fit your rom's needs.

List of invulnerable (patched) roms:
  • Stock roms that received the patch in a software update
  • CM 10.1.1 stable
  • CM nightlies starting from 8th July (maybe 7th is patched as well, depends on build time)
  • Any other CM/AOSP-based roms which include the patch. Most of them directly inherit CM's libcore and if the build was created after 7th July, it's patched.
  • Custom roms that are patched

Any other roms that are not in the list are vulnerable! If you bump into this thread, test the rom you are using to be sure and ask your rom cook to include it. Perform the test with this app: https://play.google.com/store/apps/d...onerootscanner.
Attached Files
File Type: patch fix_ZipFile.patch (14.4 KB, 1054 views)
The Following 21 Users Say Thank You to Adam77Root For This Useful Post
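The patched readCentralDir referenced in this thread rejects an archive whose central directory lists the same entry name twice, which is what the scanner app checks for. The following is an added example (not the attached patch, not CM's code, and not the Bluebox app) that performs that check from Python by walking the ZIP central directory by hand instead of trusting a name-keyed dictionary, which would silently hide a repeat; the function names and the in-memory fixture archives are constructed for this example.

```python
import io
import struct
import warnings
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
CDH_SIG = b"PK\x01\x02"    # central directory file header signature


def central_dir_names(data: bytes) -> list:
    """Return every entry name in the central directory, repeats included.

    A dict keyed by name (the way an unpatched ZipFile stored entries) keeps only
    the last record for a name; a list preserves what the archive really says.
    """
    eocd = data.rfind(EOCD_SIG)  # last occurrence; a hostile comment could also contain it
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD fixed part (22 bytes): sig, disk no, cd disk, entries on disk,
    # total entries, cd size, cd offset, comment length
    (_, _, _, _, total, _cd_size, cd_offset, _) = struct.unpack(
        "<IHHHHIIH", data[eocd:eocd + 22])
    names = []
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        # Central file header fixed part is 46 bytes; the name, extra and
        # comment lengths sit at offsets 28, 30 and 32.
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        names.append(name)
        pos += 46 + name_len + extra_len + comment_len
    return names


def duplicate_entries(data: bytes) -> list:
    """Names that appear more than once; a patched ZipFile would reject such an archive."""
    seen = set()
    dups = []
    for name in central_dir_names(data):
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def build_zip(entries) -> bytes:
    """Constructed test fixture: write entries in the given order. Python's zipfile
    warns about a repeated name but still emits both central directory records."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, payload in entries:
                zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_zip([("classes.dex", b"dex\n035"), ("AndroidManifest.xml", b"<manifest/>")])
    tampered = build_zip([("classes.dex", b"A"), ("res/x", b"B"), ("classes.dex", b"C")])
    print("clean archive duplicates:", duplicate_entries(clean))
    print("tampered archive duplicates:", duplicate_entries(tampered))
```

Run it against an APK by reading the file into `data` and calling `duplicate_entries(data)`; an empty list is the result a patched device would accept, anything else is the condition the patch turns into a ZipException.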
 
 
By Skunk Ape1, Recognized Contributor / Recognized Themer on 19th July 2013, 03:19 AM (#2)
I'm guessing this won't work on a touchwiz rom??????
By Adam77Root, OP Recognized Developer on 19th July 2013, 08:25 AM (#3)
Quote:
Originally Posted by Skunk Ape1

I'm guessing this won't work on a touchwiz rom??????

It works on any rom. AFAIK only Sense has changes in core.jar, but those are also just additions and not deep changes.

Sent from my LG-P880
By biopsin, Senior Member on 19th July 2013, 11:38 AM (#4)
regarding cm10
Hi, I'm trying to port this patch to cm10 and I have adapted all of it except where there was a difference between the patch and cm10:

Patch
- if-ge v10, v13, :cond_6
+ if-ge v11, v14, :cond_7

I have
- if-ge v10, v13, :cond_118
+ if-ge v11, v14, :cond_119 ??
How do I interpret the :cond_ value, do I bump it to the next number? That's what I did, but this bootloops on me with..
Code:
W/dalvikvm( 4219): VFY: copy1 v0<-v24 type=22 cat=3
W/dalvikvm( 4219): VFY:  rejecting opcode 0x08 at 0x0021
W/dalvikvm( 4219): VFY:  rejected Ljava/util/zip/ZipFile;.readCentralDir ()V
W/dalvikvm( 4219): Verifier rejected class Ljava/util/zip/ZipFile;
D/AndroidRuntime( 4219): Shutting down VM
W/dalvikvm( 4219): threadid=1: thread exiting with uncaught exception (group=0x4119d300)
I will go over my editing in case of human error..

EDIT: it seems I figured it out.. booting now. OK, there was another tiny difference between cm10 and cm10.1.1, where cm10 has
.method private readCentralDir()V
.registers 25 -> instead of .locals 24

Tested with Bluebox Security Scanner and it reports Patched! Excellent, thanks for the diff..
Last edited by biopsin; 19th July 2013 at 12:02 PM.
The Following User Says Thank You to biopsin For This Useful Post
By edwin270, Senior Member on 21st July 2013, 01:35 AM (#5)
Quote:
Originally Posted by Adam77Root

It works on any rom. AFAIK oy Sense has changes in core.jar, but those are also just additions and not deep changes.

Sent from my LG-P880

And a MIUI-based rom? Going through its app permissions, it seems to have very strict rules when it comes to apps, even ones installed from the market.

Guess I will have to try. Right?

Sent from my SGH-T959 using xda premium
Last edited by edwin270; 21st July 2013 at 01:40 AM.
By kimerika, Senior Member on 24th July 2013, 08:52 AM (#6)
Is this harmful?
What are the effects?
How can it take effect?
What might happen if my phone (our phone) is affected?
By a Member on 24th July 2013, 02:31 PM (#7)
How can I patch my custom gingerbread rom? 2.3.4?
By takota6, Senior Member on 26th July 2013, 12:13 AM (#8)
Ignorance here, but how do I install this (I'm infected)? HTC Sense

aa..\~/
By Adam77Root, OP Recognized Developer on 26th July 2013, 07:40 AM (#9)
You have to ask the developer to include it in his/her rom.

Sent from my LG-P880
The Following User Says Thank You to Adam77Root For This Useful Post
By takota6, Senior Member on 26th July 2013, 02:07 PM (#10)
Here is the "Apparent" fix, from the fella who found the exploit
http://www.saurik.com/id/17
And sure as sh*t mine came from a cake decorating game. I discovered this thread because I had 12 international texts last month at .25 a pop. Thanks for bringing it up.
aa..\~/
The Following User Says Thank You to takota6 For This Useful Post
By md2020, Junior Member on 26th July 2013, 03:24 PM (#11)
Better solution
Here the fast fix attempts to simply close the duplicate file exploit (which is essentially what this is during the zip/unzip process). A better solution would be to modify the OS to use a TDE (Transparent Data Encryption) method, which would be simple enough to ensure very low overhead; an example would be a simple rotating key, subkey column method.

What will happen now, and is happening, is the generation of common or desirable applications that have been compromised, where the target assumes it is the "Real Deal" and it simply looks and feels like the Real Deal, but would essentially work on that exploited victim's system like some notorious rootkit.
md2020

Or maybe not, thanks for the thread (brought up memories of MD5 tunneling and other fast indirect means of circumvention)

Tags: bluebox, exploit, fix, patch, vulnerability