XDA Developers Android and Mobile Development Forum

[MOD][XPOSED][2.3.3+]FakeID vulnerability fix 1.1 [2014-08-10]

#1 Tungstwenty (Recognized Contributor, OP)
(Last edited by Tungstwenty; 10th August 2014 at 01:34 PM.) Reason: Version 1.1

There is a new security vulnerability in town, this time labeled "Fake ID" (Google bug 13678484).

The bug allows malicious apps to pretend to be signed by trusted providers and be loaded as extensions in several contexts such as NFC access, browser plugins and others.
An excellent explanation can be found on this article by Jeff Forristal from Bluebox.


Checking if you're vulnerable
It appears to currently affect all devices, to a lesser or greater extent depending on which extensions each manufacturer included in their ROMs.
You can use Bluebox Security Scanner to detect if your system is vulnerable.


Installing the fix
Fetch the package from the Xposed repository: http://repo.xposed.info/module/tungs...osed.fakeidfix (it is also available on Google play)
Install as usual and make sure that you enable the module on the Xposed Installer and reboot.

There are no configuration options. There is a simple information screen which can be accessed by tapping the entry on the Installer's module list (you won't see an icon for this on your launcher).


Fix details
For the tech savvy, here's an explanation of what this patch does.
The JarTools class has an API for grabbing all signature certificates present on an APK / jar. That API doesn't however check if *all* certificates form a valid chain, where each certificate is properly signed by the next one and so on, and that no additional certificates are present that don't belong to that chain. It is therefore possible to insert additional certificates in that list, and *certain* callers of that API might be fooled if they assume that just because a certificate is on that list, the party to which it belongs did in fact sign or trust that code.
This behavior could not be blindly changed to enforce checking the chain validity, as apparently it would create compatibility issues on some legitimate callers of that API that rely on that behavior, and Google opted (see this AOSP commit) to include an option for both behaviors, keeping the old "insecure" one for code that doesn't bother specifying what it wants, i.e. all existing code.
I haven't spotted any other commits that rely on this new behavior, but from my analysis it seems that the identified vulnerability vectors all go through the getPackageInfo(..., GET_SIGNATURES) PM API.
Therefore, so as not to cause the compatibility issues that Google seems to be cautious about, I have chosen to modify the behavior of JarTools.createChain() only when it's being used by the PM service. This will stop the possibility of using malicious apps impersonating NFC extensions (e.g. Google Wallet), Adobe web plugins, etc.
Additionally, and since Bluebox Security Scanner does a more direct check (in order not to require installing a malicious / proof-of-concept APK in order to then ask the PM service about its signatures), I also included code specific to this scanner so that it reports the bug as not present.


Source code
Available on Github



If you appreciated this fix, consider donating with Paypal.


Thanks!

Device: Xperia Z (C6603)
ROM: Stock 4.4.2 10.5.A.0.230
Locked bootloader, rooted, XZDualRecovery
Retired device: Samsung Galaxy S2 (GT-I9100)
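To make the chain-building point in the post above concrete, here is an added, stand-alone Python model. It is not the module's code and not Android's JarUtils: certificates are plain records signed with a deliberately tiny textbook-RSA routine (an assumption made only so that signatures can genuinely succeed or fail), `create_chain` mirrors the issuer-to-subject walk with and without the signature check that the AOSP change makes optional, and `is_signed_by` is the list-membership check the affected GET_SIGNATURES callers effectively relied on. The party names ("CN=Adobe Root", "CN=Flash Plugin", "CN=Evil") and the prime pairs are made up for the demo.

```python
import hashlib
from dataclasses import dataclass


# Toy textbook RSA with tiny primes and no padding (assumption for the demo). It is
# here only so that the certificates below carry signatures that can genuinely pass
# or fail verification; it is not suitable for anything real.
def toy_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)


def _digest_mod(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def toy_sign(data, priv):
    n, d = priv
    return pow(_digest_mod(data, n), d, n)


def toy_verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest_mod(data, n)


def _tbs(subject, issuer, pub):
    # "to-be-signed" bytes: the fields an issuer commits to when it signs a certificate
    return f"{subject}|{issuer}|{pub[0]}|{pub[1]}".encode()


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple   # (n, e)
    sig: int     # signature over _tbs(...), claimed to come from `issuer`

    def tbs(self):
        return _tbs(self.subject, self.issuer, self.pub)


def make_cert(subject, issuer, pub, signer_priv):
    return Cert(subject, issuer, pub, toy_sign(_tbs(subject, issuer, pub), signer_priv))


def create_chain(leaf, available, chain_check):
    """Model of the issuer->subject walk that builds a certificate chain.

    chain_check=False: the old behaviour, a certificate is accepted as the parent
    as soon as its subject name equals the current certificate's issuer name.
    chain_check=True:  the parent is accepted only if the current certificate's
    signature verifies under the parent's public key.
    """
    chain, cur = [leaf], leaf
    while cur.issuer != cur.subject:                    # stop at a self-signed root
        parent = next((c for c in available if c.subject == cur.issuer and c is not cur), None)
        if parent is None:
            break
        if chain_check and not toy_verify(cur.tbs(), cur.sig, parent.pub):
            break      # name matches but the signature does not: the claimed parent is dropped
        chain.append(parent)
        cur = parent
    return chain


def is_signed_by(chain, trusted):
    """The check the affected callers effectively made on the returned list:
    is the trusted certificate anywhere in it?  (Android compares the raw
    certificate bytes; dataclass equality plays that role here.)"""
    return any(c == trusted for c in chain)


def demo():
    adobe_pub, adobe_priv = toy_keypair(10007, 10009)
    adobe_root = make_cert("CN=Adobe Root", "CN=Adobe Root", adobe_pub, adobe_priv)

    # A legitimate plugin: its certificate really was signed with Adobe's private key.
    plugin_pub, _ = toy_keypair(10037, 10039)
    plugin = make_cert("CN=Flash Plugin", "CN=Adobe Root", plugin_pub, adobe_priv)

    # The impostor: names Adobe as issuer but signs with its own key, then ships
    # Adobe's public certificate alongside so that the name walk finds a "parent".
    evil_pub, evil_priv = toy_keypair(10061, 10067)
    evil = make_cert("CN=Evil", "CN=Adobe Root", evil_pub, evil_priv)

    results = {}
    for chain_check in (False, True):
        for name, leaf in (("plugin", plugin), ("evil", evil)):
            chain = create_chain(leaf, [leaf, adobe_root], chain_check)
            results[(name, chain_check)] = is_signed_by(chain, adobe_root)
    return results


if __name__ == "__main__":
    for (name, chain_check), trusted in sorted(demo().items()):
        print(f"{name:6s} chain_check={chain_check!s:5s} -> treated as Adobe-signed: {trusted}")
```

Run it and the impostor is "Adobe-signed" only when `chain_check` is off: the name walk happily appends the genuine Adobe certificate behind a leaf Adobe never signed, and a caller that merely looks for Adobe's certificate in the list is fooled. With the signature check on, the walk stops at the first link that fails to verify, so the list never contains the trusted certificate and the same caller gives the right answer.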
#2 Tungstwenty
(Last edited by Tungstwenty; 10th August 2014 at 01:34 PM.)
Version history

1.1 (2014-08-10)
  • Support for Xposed Framework 2.2 (bridge v30) and above
  • Support for Gingerbread 2.3.3 and above
  • Reduced potential for compatibility issues by patching only the system services but not other apps that might be using a private API

1.0 (2014-07-31)
  • Initial version

#3 Tungstwenty
Reserved 2
#4 lion7718
thanks for the quick fix.
#5 toxic-hero
THANK YOU!
#6 chw9999
Works on ICS, thank you very much.
#7 starbase64
Quote (Originally Posted by Tungstwenty):
    The bug allows malicious apps to pretend to be signed by trusted providers and be loaded as extensions in several contexts such as NFC access, browser plugins and others.
    An excellent explanation can be found on this article by Jeff Forristal from Bluebox.

Bug is fixed in Android 4.4.3.
#8 debernardis
Wow, yesterday I asked for it in the xposed ask-for-module thread, and now here it is! Thanks, I am donating asap.
#9 defim
@Tungstwenty
After a quick look I think it is better not to fake return args for Bluebox if the ROM is fixed and this module does nothing to fix it.


Code:
    import java.security.cert.X509Certificate;
    import de.robv.android.xposed.XposedHelpers;
    import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

        boolean romAlreadyFixed;
        try {
            // A ROM that already carries the AOSP fix exposes the three-argument
            // createChain(X509Certificate, X509Certificate[], boolean)
            XposedHelpers.findMethodExact("org.apache.harmony.security.utils.JarUtils", null, "createChain",
                    X509Certificate.class, X509Certificate[].class, boolean.class);
            romAlreadyFixed = true;
        } catch (NoSuchMethodError e) {
            // Only the old two-argument createChain exists: the ROM is unpatched
            romAlreadyFixed = false;
        }

        ...

        if (romAlreadyFixed)
            hookSuccessful = true;

        }

        ...

        public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
            if (!hookSuccessful) {
                // Hooks not installed, don't report success to the activity nor the Bluebox scanner
                return;
            }
            ...
            // Change the reported "createChain" method signature to Bluebox Security Scanner so it marks the bug as fixed
#10 Ja_som
Thank you...
Fake ID is fixed on my Moto G GPE with Android 4.4.4
But I installed this module on a Nexus 7 2013 with Android 4.4.4