
[MOD][XPOSED][2.3.3+]FakeID vulnerability fix 1.1 [2014-08-10]

OP Tungstwenty

31st July 2014, 02:56 PM   |  #1  
OP Recognized Contributor
There is a new security vulnerability in town, this time labeled "Fake ID" (Google bug 13678484).

The bug allows malicious apps to pretend to be signed by trusted providers and be loaded as extensions in several contexts such as NFC access, browser plugins and others.
An excellent explanation can be found on this article by Jeff Forristal from Bluebox.


Checking if you're vulnerable
It appears to currently affect all devices, to a lesser or greater extent depending on which extensions each manufacturer included in their ROMs.
You can use Bluebox Security Scanner to detect if your system is vulnerable.


Installing the fix
Fetch the package from the Xposed repository: http://repo.xposed.info/module/tungs...osed.fakeidfix (it is also available on Google play)
Install as usual and make sure that you enable the module on the Xposed Installer and reboot.

There are no configuration options. There is a simple information screen which can be accessed by tapping the entry on the Installer's module list (you won't see an icon for this on your launcher).


Fix details
For the tech savvy, here's an explanation of what this patch does.
The JarTools class has an API for grabbing all signature certificates present on an APK / jar. That API doesn't however check if *all* certificates form a valid chain, where each certificate is properly signed by the next one and so on, and no additional certificates are present that don't belong to that chain. It is therefore possible to insert additional certificates in that list, and *certain* callers of that API might be fooled if they assume that just because a certificate is on that list, the party to which it belongs did in fact sign or trust that code.
This behavior could not be blindly changed to enforce checking the chain validity, as apparently it would create compatibility issues on some legitimate callers of that API that rely on that behavior, and Google opted (see this AOSP commit) to include an option for both behaviors, keeping the old "insecure" one for code that doesn't bother specifying what it wants, i.e. all existing code.
I haven't spotted any other commits that rely on this new behavior, but from my analysis it seems that the identified vulnerability vectors all go through the getPackageInfo(..., GET_SIGNATURES) PM API.
Therefore, so as not to cause the compatibility issues that Google seems to be cautious about, I have chosen to modify the behavior of JarTools.createChain() only when it's being used by the PM service. This will stop malicious apps from impersonating NFC extensions (e.g. Google Wallet), Adobe web plugins, etc.
Additionally, and since Bluebox Security Scanner does a more direct check (in order not to require installing a malicious / proof-of-concept APK in order to then ask the PM service about its signatures), I also included code specific to this scanner so that it reports the bug as not present.


Source code
Available on Github



If you appreciated this fix, consider donating with Paypal.


Thanks!
Last edited by Tungstwenty; 10th August 2014 at 01:34 PM. Reason: Version 1.1
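To make the "Fix details" above concrete from the caller's side: the safe way for an app or system service to consume the certificate list returned by getPackageInfo(..., GET_SIGNATURES) is to verify that the list is a properly linked chain and that its root is the expected trusted certificate, instead of trusting any certificate merely because it appears in the list. The following is an added illustration written for this thread; it is not code from the module, from AOSP or from Bluebox. The class name SignerChainCheck and the assumption that the list is ordered leaf-first (each certificate followed by its issuer, ending in a self-signed root) are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

/**
 * Illustrative chain validation (not the module's code) that a cautious caller
 * can apply to the certificates obtained via getPackageInfo(..., GET_SIGNATURES)
 * before treating any of them as proof of who signed the package.
 */
public final class SignerChainCheck {

    /**
     * Parse DER-encoded certificates. On Android these would come from
     * PackageInfo.signatures[i].toByteArray() (assumption: one DER blob per entry).
     */
    public static X509Certificate[] parse(List<byte[]> derCerts) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] out = new X509Certificate[derCerts.size()];
        for (int i = 0; i < out.length; i++) {
            out[i] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(derCerts.get(i)));
        }
        return out;
    }

    /**
     * True only if chain[0] is signed by chain[1], chain[1] by chain[2], and so on,
     * with the last certificate self-signed. A certificate that is merely present in
     * the list but not linked this way makes the whole list untrustworthy, which is
     * precisely the condition Fake ID relies on going unchecked.
     */
    public static boolean isProperChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return false;
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            // The last certificate has no successor and must verify against its own key.
            X509Certificate issuer = (i + 1 < chain.length) ? chain[i + 1] : cert;
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                return false; // names do not link up
            }
            try {
                cert.verify(issuer.getPublicKey()); // throws if the signature is not by this issuer
            } catch (GeneralSecurityException e) {
                return false;
            }
        }
        return true;
    }

    /**
     * Trust decision: the chain must be properly linked AND its root must be
     * byte-identical to the expected trusted certificate. Finding trustedRoot
     * somewhere in the list is not sufficient.
     */
    public static boolean isSignedByTrusted(X509Certificate[] chain, X509Certificate trustedRoot)
            throws GeneralSecurityException {
        if (!isProperChain(chain)) {
            return false;
        }
        X509Certificate root = chain[chain.length - 1];
        return Arrays.equals(root.getEncoded(), trustedRoot.getEncoded());
    }
}
```

The check mirrors what the "chain check" option added by the AOSP commit does inside createChain(); doing it again in the caller costs little and protects code that cannot rely on the platform having been patched.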
31st July 2014, 02:57 PM   |  #2  
OP Recognized Contributor
Version history

1.1 (2014-08-10)
  • Support for Xposed Framework 2.2 (bridge v30) and above
  • Support for Gingerbread 2.3.3 and above
  • Reduced potential for compatibility issues by patching only the system services but not other apps that might be using a private API

1.0 (2014-07-31)
  • Initial version
Last edited by Tungstwenty; 10th August 2014 at 01:34 PM.
31st July 2014, 02:57 PM   |  #3  
OP Recognized Contributor
Reserved 2
31st July 2014, 03:34 PM   |  #4  
Senior Member
Thanks for the quick fix.
31st July 2014, 03:35 PM   |  #5  
Senior Member
THANK YOU!
31st July 2014, 06:41 PM   |  #6  
Senior Member
Works on ICS, thank you very much.
31st July 2014, 07:20 PM   |  #7  
Senior Member
Quote:
Originally Posted by Tungstwenty

The bug allows malicious apps to pretend to be signed by trusted providers and be loaded as extensions in several contexts such as NFC access, browser plugins and others.
An excellent explanation can be found on this article by Jeff Forristal from Bluebox.

Bug is fixed in android 4.4.3.
31st July 2014, 07:30 PM   |  #8  
Senior Member
Wow, yesterday I asked for it in the xposed ask-for-module thread, and now here it is! Thanks, I am donating asap.

Sent from my GT-N7100 using XDA Premium 4 mobile app
31st July 2014, 08:33 PM   |  #9  
Senior Member
@Tungstwenty
After a quick look I think it is better to not fake return args for Bluebox if the rom is fixed and this module does nothing to fix it


Code:
	boolean romAlreadyFixed;
	try {
		// A ROM that already carries Google's fix exposes the new 3-argument createChain(...)
		XposedHelpers.findMethodExact("org.apache.harmony.security.utils.JarUtils", null, "createChain",
				X509Certificate.class, X509Certificate[].class, boolean.class);
		romAlreadyFixed = true;
	} catch (NoSuchMethodError e) {
		// Only the old 2-argument createChain exists: the ROM is not fixed
		romAlreadyFixed = false;
	}

	...

	if (romAlreadyFixed)
		hookSuccessful = true;

	}

	...

	public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
		if (!hookSuccessful) {
			// Hooks not installed, don't report success to the activity nor the Bluebox scanner
			return;
		}
		...
		// Change the reported "createChain" method signature to Bluebox Security Scanner so it marks the bug as fixed
31st July 2014, 08:47 PM   |  #10  
Senior Member
Thank you...
Fake ID is fixed on my Moto G GPE with Android 4.4.4
But I installed this module to Nexus 7 2013 with Android 4.4.4

Sent from my tablet.
