XDA Developers Android and Mobile Development Forum

[FIX][XPOSED][4.0+] Universal fix for the several "Master Key" vulnerabilities

Tungstwenty
(Last edited by Tungstwenty; 6th November 2013 at 10:19 PM.) Reason: Version 2.0 (new bug)
#1  

You may be aware of recent news about several different security vulnerabilities that allow replacing code on a signed APK without invalidating the signature:

Master Key (Bug 8219321)
An issue related with duplicate entries on the ZIP / APK files.
It was patched by Google back in February 2013 and shared with OEMs, and some of the newer devices might have already received the fix in a recent stock update. At least both Xperia Z 4.2.2 and Galaxy S2 4.1.2 contain the fix; CM has also recently patched it, on this commit.
More info can be found on @Adam77Root's thread here: http://forum.xda-developers.com/show....php?t=2359943

Bug 9695860
This also originates in the ZIP file parsing routines, and was disclosed just a few days ago immediately after the previous one was made public. The correction has already been applied by Google to the code (this commit), but it's very likely that its rollout on stock ROMs will take a long time especially on non-Nexus devices.
You can read more about it here.
To know if you're vulnerable, use SRT AppScanner mentioned above.
Unless you're running CM 10.1.2, there's a fairly big chance that you have this issue, at least as of this moment.

Bug 9950697
It's yet another inconsistency in ZIP parsing that could be abused in a very similar way to the previous one.
This one is a bit special to me, since I was fortunate enough to be the first one to report it on Google's bugtracker.
It was discovered around the time that the previous bug was acknowledged and Android 4.3 was a few days from being released, but despite the prompt report it was unfortunately too late to include the fix in time for the release. Therefore it wasn't disclosed till the Android 4.4 sources came out, and I had also decided not to include a fix for it in this module, since it would be an easy way to learn about the extra attack vector.
Kudos to Jeff Forristal at Bluebox Security, who I learned was also working on that exact problem and helped me report it properly to Google, and also to Saurik, who already released a Substrate-based fix and has written a very interesting article about it here.


Checking if you're vulnerable
You can use some 3rd party apps to test your system, such as:
- SRT AppScanner
- Bluebox Security Scanner
On Android 4.4 all these bugs should be fixed, and therefore this mod is not needed. But you can run one of these scanners to make sure you're not vulnerable.

While technically different, these vulnerabilities allow legitimate APKs to be manipulated so that the original code is replaced with arbitrary code without breaking the signature. This allows someone to take an update from a well-known publisher (e.g. Google Maps), change the APK, and a device receiving it will happily apply the update as if it were indeed from that publisher. Depending on the apps being updated in this way, privilege escalation can be achieved.
Google has already mentioned that all apps published on the Play Store are checked for this kind of manipulation, but those of us installing APKs from other sources aren't safe.



The universal fix

Since decompiling, fixing and recompiling the code for every possible ROM version is way beyond anyone's capability, the awesome Xposed framework by @rovo89 proves itself once again as an invaluable tool.
By creating hooks around the vulnerable methods and replacing the buggy implementation with a safe one, it's possible to patch the 2 issues on the fly without ever changing the original files. Applying the fix is as easy as installing and enabling an Xposed module.


Installation steps

1. Make sure the Xposed Framework is installed.
Follow the instructions on the thread. Root is required only during installation, it is no longer required afterwards. Only ICS or above is supported.

2. Install the Master Key multi-fix module.

3. Follow the Xposed notification about a new module being available, and on the list of modules activate Master Key multi-fix

4. Reboot

You should now see an image similar to the attached one when opening the app. The green text shows that the module is active and the vulnerabilities have been patched in memory.


Download
Grab it from Google Play (recommended, as you'll get updates) or use the attached APK. The files are the same.


Version history
2.0 - Fix bug 9950697; additional corrections taken from Android 4.4 (also supports GB, provided you have a working version of Xposed Framework for your ROM)
1.3 - Fixed problems with parsing some zips depending on the ROM's original code
1.2 - Added 2 additional zip entry integrity checks that were missing
1.1 - Support for additional devices with modified core libraries (e.g. MTK6589)
1.0 - Initial version


Sources
Available on GitHub


If you appreciated this fix, consider donating with Paypal.

Thanks!
Attached Files
MasterKeyDualFix-1.0.apk (24.3 KB)
MasterKeyDualFix-1.1.apk (24.4 KB)
MasterKeyDualFix-1.2.apk (25.6 KB)
MasterKeyDualFix-1.3.apk (25.7 KB)
MasterKeyMultiFix-2.0.apk (29.3 KB)
 
Tungstwenty
(Last edited by Tungstwenty; 7th August 2013 at 10:17 AM.)
#2  
FAQ

Frequently asked questions

[ 1 ]
Q: Bluebox Security Scanner still says my phone is unpatched after installing this... Any ideas why?
A: Make sure to click the Refresh entry on the app's menu and it should change to green once the mod is active.

[ 2 ]
Q: Bluebox Security Scanner says that the 2nd bug is not patched even after refreshing but SRT AppScanner says it's patched. Which one is right?
A: The scanner was mis-detecting the 2nd bug and it got fixed in version 1.5. Make sure you update Bluebox from the Play store.

[ 3 ]
Q: Does the module permanently patch the vulnerability or is it only when the module is active? If for example, I activate the module and reboot, then after verifying that the exploit is patched, deactivate the module. Would I still be patched? I guess what I'm asking is if I need to have this module active at all times to be patched? Permanent fix, or Just while the module is installed?
A: The fix is not permanent. It's applied only whenever the module is installed and active. If you remove it, after the next boot you're back with the original code from your ROM (which might have the bug or not).

 
Nasty_z
#3  
Thank you, this would help a lot
 
Marsou77
#4  
Thank you but I don't see any link to the xposed patch app
 
Tungstwenty
(Last edited by Tungstwenty; 15th July 2013 at 11:51 PM.)
#5  
Quote:
Originally Posted by Marsou77 View Post
Thank you but I don't see any link to the xposed patch app
Have a look now
I needed to create the thread first in order to include the link on the app itself.
 
ttabbal
#6  
Thanks! I was just googling to see if someone had already done this before writing it myself!

XPosed is amazing sauce for Android.
 
Maxamillion
#7  
The 4.1.2 update for the T-Mobile galaxy s3 is already patched.
Thanks for the info OP.
 
Tungstwenty
#8  
Quote:
Originally Posted by Maxamillion View Post
The 4.1.2 update for the T-Mobile galaxy s3 is already patched.
Thanks for the info OP.
The second bug as well? Check java.util.zip.ZipEntry on /system/framework/core.jar and see if the readShort() values are properly converted to unsigned.
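As an added example (not the module's code and not from any post in this thread), here is a Python check in the spirit of the scanners listed in the first post and of the readShort() remark in post #8: it walks an APK's ZIP central directory reading every 16-bit field as unsigned, reports duplicate entry names (bug 8219321) and flags extra-field lengths of 0x8000 or more, which a signed readShort() would turn negative. The archive it scans is constructed inside the block with Python's zipfile module; the entry names and payloads are placeholders.

```python
"""Defensive ZIP central-directory check: duplicate entry names (bug 8219321)
and 16-bit length fields that a signed readShort() would misread (the class
of issue behind bug 9695860). Added example, not the Xposed module's code."""
import io
import struct
import warnings
import zipfile
from collections import Counter

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CEN_SIG = b"PK\x01\x02"    # central directory file header (46 fixed bytes)

def central_directory_entries(data: bytes):
    """Yield (name, extra_len) for every central directory header, reading
    all 16-bit fields as unsigned ('<H'), which is what the fix is about."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig(4) disk(2) cd_disk(2) n_here(2) n_total(2) cd_size(4) cd_offset(4)
    n_total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(n_total):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        # name_len, extra_len, comment_len start at byte 28 of the header
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, extra_len
        pos += 46 + name_len + extra_len + comment_len

def scan_apk(data: bytes) -> dict:
    """Report duplicate names and extra lengths >= 0x8000 (negative as a signed short)."""
    entries = list(central_directory_entries(data))
    counts = Counter(name for name, _ in entries)
    return {
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "signed_short_risk": sorted(n for n, e in entries if e >= 0x8000),
    }

def build_sample() -> bytes:
    """Constructed test input (placeholder names, not a real APK): one duplicated
    entry and one entry whose well-formed extra field is exactly 0x8000 bytes."""
    big_extra = zipfile.ZipInfo("res/raw/data.bin")
    big_extra.extra = struct.pack("<HH", 0x9999, 0x7FFC) + b"\x00" * 0x7FFC
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate we want
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00original")
            zf.writestr("classes.dex", b"dex\n035\x00second copy")
            zf.writestr(big_extra, b"x")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_apk(build_sample()))
```

Run it against a real APK with `scan_apk(open(path, "rb").read())`; an archive that is clean on both counts returns two empty lists.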
 
"D"
#9  
.....
 
Shredz98
#10  
Bluebox security still says my phone is unpatched after installing this... Any ideas why?