[FIX][XPOSED][4.0+] Universal fix for the several "Master Key" vulnerabilities


Tungstwenty

Senior Member
Nov 1, 2011
1,827
4,511
[FIX][XPOSED][4.0+] Universal fix for the several "Master Key" vulnerabilities

You may be aware of recent news about several different security vulnerabilities that allow replacing code on a signed APK without invalidating the signature:

Master Key (Bug 8219321)
An issue related with duplicate entries on the ZIP / APK files.
It was patched by Google back in February 2013 and shared with OEMs, and some of the newer devices might have already received the fix in a recent stock update. At least both Xperia Z 4.2.2 and Galaxy S2 4.1.2 contain the fix; CM has also recently patched it, on this commit.
More info can be found on @Adam77Root's thread here: http://forum.xda-developers.com/showthread.php?t=2359943

Bug 9695860
This also originates in the ZIP file parsing routines, and was disclosed just a few days ago immediately after the previous one was made public. The correction has already been applied by Google to the code (this commit), but it's very likely that its rollout on stock ROMs will take a long time especially on non-Nexus devices.
You can read more about it here.
To know if you're vulnerable, use SRT AppScanner mentioned above.
Unless you're running CM 10.1.2, there's a fairly big chance that you have this issue, at least as of this moment.

Bug 9950697
It's yet another inconsistency in ZIP parsing that could be abused in a very similar way to the previous one.
This one is a bit special to me, since I was fortunate enough to be the first one to report it on Google's bugtracker :)
It was discovered around the time that the previous bug was acknowledged and Android 4.3 was a few days from being released, but despite the prompt report it was unfortunately too late to include the fix in time for the release; therefore it wasn't disclosed till Android 4.4 sources came out, and I had also decided not to include a fix for it in this module, since it would be an easy way to learn about the extra attack vector.
Kudos to Jeff Forristal at Bluebox Security, who I learned was also working on that exact problem and helped me report it properly to Google, and also to Saurik, who has already released a Substrate-based fix and written a very interesting article about it here.


Checking if you're vulnerable
You can use some 3rd party apps to test your system, such as:
- SRT AppScanner
- Bluebox Security Scanner
On Android 4.4 all these bugs should be fixed, and therefore this mod is not needed. But you can run one of these scanners to make sure you're not vulnerable.

While technically different, these vulnerabilities permit legitimate APKs to be manipulated so that the original code is replaced with arbitrary code without breaking the signature. This allows someone to take an update from a well-known publisher (e.g. Google Maps), change the APK, and a device receiving it will happily apply the update as if it were indeed from that publisher. Depending on the apps being updated in this way, privilege escalation can be achieved.
Google has already mentioned that all apps published on the Play Store are checked for this kind of manipulation, but those of us installing APKs from other sources aren't safe.



The universal fix

Since decompiling, fixing and recompiling the code for every possible ROM version is way beyond anyone's capability, the awesome Xposed framework by @rovo89 proves itself once again as an invaluable tool.
By creating hooks around the vulnerable methods and replacing the buggy implementation with a safe one, it's possible to patch the 2 issues on the fly without ever changing the original files. Applying the fix is as easy as installing and enabling an Xposed module.


Installation steps

1. Make sure the Xposed Framework is installed.
Follow the instructions on the thread. Root is required only during installation; it is no longer required afterwards. Only ICS or above is supported.

2. Install the Master Key multi-fix module.

3. Follow the Xposed notification about a new module being available, and on the list of modules activate Master Key multi-fix.

4. Reboot

You should now see an image similar to the attached one when opening the app. The green text shows that the module is active and the vulnerabilities have been patched in memory.


Download
Grab it from Google Play (recommended, as you'll get updates) or use the attached APK. The files are the same.


Version history
2.0 - Fix bug 9950697; additional corrections taken from Android 4.4 (also supports GB, provided you have a working version of Xposed Framework for your ROM)
1.3 - Fixed problems with parsing some zips depending on the ROM's original code
1.2 - Added 2 additional zip entry integrity checks that were missing
1.1 - Support for additional devices with modified core libraries (e.g. MTK6589)
1.0 - Initial version


Sources
Available on GitHub


If you appreciated this fix, consider donating with Paypal.

Thanks!
 

Attachments

  • Screenshot_2013-07-15-22-07-34.jpg (42.4 KB)
  • MasterKeyDualFix-1.0.apk (24.3 KB)
  • MasterKeyDualFix-1.jpg (21.7 KB)
  • MasterKeyDualFix-1.1.apk (24.4 KB)
  • MasterKeyDualFix-1.2.apk (25.6 KB)
  • MasterKeyDualFix-1.3.apk (25.7 KB)
  • MasterKeyMultiFix-2.0.apk (29.3 KB)
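As an added example (not the module's code and not anything posted in the thread), here is a small Python check a defender can run over an APK before sideloading it: it walks the ZIP central directory without de-duplicating names, flags the duplicate-entry layout the post describes, and also reports any disagreement between a central-directory record and its local header. The archive it scans is a constructed fixture built inline; the entry names and bytes are made up.

```python
import io
import struct
import warnings
import zipfile

EOCD_SIG, CEN_SIG, LOC_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def central_directory(data):
    """Yield (name, local_header_offset, crc32) per central-directory record, in
    order and WITHOUT de-duplicating names (zipfile's dict keeps only the last)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("bad central-directory record at %d" % pos)
        # +16 crc32, +20/+24 sizes (skipped), +28 name/extra/comment lengths
        crc, nlen, xlen, clen = struct.unpack_from("<I8xHHH", data, pos + 16)
        loc_off, = struct.unpack_from("<I", data, pos + 42)
        yield data[pos + 46:pos + 46 + nlen], loc_off, crc
        pos += 46 + nlen + xlen + clen

def find_zip_inconsistencies(data):
    """Return findings; an empty list means each entry has one unambiguous description."""
    findings, seen = [], {}
    for name, loc_off, crc in central_directory(data):
        shown = name.decode("utf-8", "replace")
        if name in seen:
            findings.append("duplicate entry %r (local headers at %d and %d)"
                            % (shown, seen[name], loc_off))
        seen.setdefault(name, loc_off)
        if data[loc_off:loc_off + 4] != LOC_SIG:
            findings.append("%r: offset %d is not a local file header" % (shown, loc_off))
            continue
        flags, = struct.unpack_from("<H", data, loc_off + 6)
        loc_crc, = struct.unpack_from("<I", data, loc_off + 14)
        nlen, = struct.unpack_from("<H", data, loc_off + 26)
        if data[loc_off + 30:loc_off + 30 + nlen] != name:
            findings.append("%r: local header carries a different name" % shown)
        # Flag bit 3: CRC/sizes sit in a trailing data descriptor and the local
        # header legitimately holds zeros, so compare CRCs only when it is clear.
        if not flags & 0x8 and loc_crc != crc:
            findings.append("%r: CRC differs between central directory and local header" % shown)
    return findings

def build_sample(duplicate_dex):
    """Constructed fixture (not a real APK). duplicate_dex=True appends a second
    classes.dex record, the duplicate-entry layout the thread describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("classes.dex", b"dex\n035\x00original")
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        if duplicate_dex:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns about the duplicate
                zf.writestr("classes.dex", b"dex\n035\x00replacement")
    return buf.getvalue()
```

Run `find_zip_inconsistencies(open(path, "rb").read())` on a real APK; anything other than an empty list deserves a look before installing. Zip64 archives are outside what this minimal parser handles.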

Tungstwenty

Senior Member
Nov 1, 2011
1,827
4,511
FAQ

Frequently asked questions

[ 1 ]
Q: Bluebox Security Scanner still says my phone is unpatched after installing this... Any ideas why?
A: Make sure to click the Refresh entry on the app's menu and it should change to green once the mod is active.

[ 2 ]
Q: Bluebox Security Scanner says that the 2nd bug is not patched even after refreshing but SRT AppScanner says it's patched. Which one is right?
A: The scanner was mis-detecting the 2nd bug and it got fixed in version 1.5. Make sure you update Bluebox from the Play store.

[ 3 ]
Q: Does the module permanently patch the vulnerability or is it only when the module is active? If for example, I activate the module and reboot, then after verifying that the exploit is patched, deactivate the module. Would I still be patched? I guess what I'm asking is if I need to have this module active at all times to be patched? Permanent fix, or Just while the module is installed?
A: The fix is not permanent. It's applied only whenever the module is installed and active. If you remove it, after the next boot you're back with the original code from your ROM (which might have the bug or not).
 

ttabbal

Senior Member
Jul 1, 2009
2,076
723
Thanks! I was just googling to see if someone had already done this before writing it myself! :D

XPosed is amazing sauce for Android.
 

Shredz98

Senior Member
Jun 5, 2012
88
9
No idea why it doesn't refresh automatically each time you execute the app, but access the Refresh option from the menu and it should change to green once the mod is active.

Yeah you're correct mate, says patched when I rescanned so all good the patch does exactly what it says, brilliant work! Was beginning to think I would have to live with this security hole active on my device!

Sent from my HTC Sensation Z710e using xda app-developers app
 

Tungstwenty

Senior Member
Nov 1, 2011
1,827
4,511
Thanks for great patch.

I've tested with SRT AppScanner and found I'm still vulnerable to bug 9695860.

How do I make sure bug 9695860 was fixed?

Screenshot_2013-07-17-21-47-50.png
When I initially installed SRT it was always giving me 2 greens even with the mod disabled, even though I checked the code for my ROM and the 2nd bug is there.
Now, after a very recent update, it always gives me a red on the second bug even with the mod active. I'll need to double check how they are doing the detection because it doesn't seem to be correct.

Bluebox Security, on the other hand, does reflect the change although it only detects the first bug. Running it on an emulator with a vulnerable ROM correctly said so, and after applying the mod and forcing a rescan it will change to no longer vulnerable.
 

Tungstwenty

Senior Member
Nov 1, 2011
1,827
4,511
SRT AppScanner has just received an additional update from Play and now appears to correctly detect the status of bug 9695860 depending on whether the mod is active or not and if your base ROM is vulnerable.
 

mnirun

Member
May 26, 2012
36
17
SRT AppScanner has just received an additional update from Play and now appears to correctly detect the status of bug 9695860 depending on whether the mod is active or not and if your base ROM is vulnerable.

Confirmed, your patch is now detected by SRT AppScanner.

Thank you.
 

nhariamine

Senior Member
Mar 5, 2012
496
615
Oran, Algeria
You may be aware of recent news about 2 different security vulnerabilities that allow replacing code on a signed APK without invalidating the signature:

Master Key (Bug 8219321)
An issue related with duplicate entries on the ZIP / APK files.
It was patched by Google back in February 2013 and shared with OEMs, and some of the newer devices might have already received the fix in a recent stock update. At least both Xperia Z 4.2.2 and Galaxy S2 4.1.2 contain the fix; CM has also recently patched it, on this commit.
An easy way to know if you're vulnerable is installing this app by Bluebox Security. Update: An even better one is SRT AppScanner, which can detect both bugs.
More info can be found on @Adam77Root's thread here: http://forum.xda-developers.com/showthread.php?t=2359943

Bug 9695860
This also originates in the ZIP file parsing routines, and was disclosed just a few days ago immediately after the previous one was made public. The correction has already been applied by Google to the code (this commit), but it's very likely that its rollout on stock ROMs will take a long time especially on non-Nexus devices.
You can read more about it here.
To know if you're vulnerable, use SRT AppScanner mentioned above.
Unless you're running CM 10.1.2, there's a fairly big chance that you have this issue, at least as of this moment.

While technically different, both of these vulnerabilities permit legitimate APKs to be manipulated so that the original code is replaced with arbitrary code without breaking the signature. This allows someone to take an update from a well-known publisher (e.g. Google Maps), change the APK, and a device receiving it will happily apply the update as if it were indeed from that publisher. Depending on the apps being updated in this way, privilege escalation can be achieved.
Google has already mentioned that all apps published on the Play Store are checked for this kind of manipulation, but those of us installing APKs from other sources aren't safe.



The universal patch

Since decompiling, fixing and recompiling the code for every possible ROM version is way beyond anyone's capability, the awesome Xposed framework by @rovo89 proves itself once again as an invaluable tool.
By creating hooks around the vulnerable methods and replacing the buggy implementation with a safe one, it's possible to patch the 2 issues on the fly without ever changing the original files. Applying the fix is as easy as installing and enabling an Xposed module.


Installation steps

1. Make sure the Xposed Framework is installed.
Follow the instructions on the thread. Root is required only during installation, it is no longer required afterwards. Only ICS or above is supported.

2. Install the Master Key dual fix module.

3. Follow the Xposed notification about a new module being available, and on the list of modules activate Master Key dual fix

4. Reboot the device (a Soft reboot is sufficient)

You should now see an image similar to the attached one. The green text shows that the module is active and the 2 vulnerabilities have been patched.


Download
Grab it from Google Play or use the attached APK.


Sources
Available on GitHub


If you appreciated this fix, consider donating with Paypal.

Thanks!
Thank you for this patch, but can we install this mod over the "REKEY" patch, or should we remove REKEY and enable this patch instead?
 

Top Liked Posts

Version 1.2 is up, which includes 2 additional integrity checks that I somehow left out in the previous versions :mad:
I don't know the security implications of those checks but now you'll be up-to-date with CM 10.1.2 or Google's correction.

Even so, Bluebox Security Scanner keeps stating that the 2nd bug isn't patched.
I have contacted the authors to check what might be wrong and am waiting for an answer.


New version

Version 1.3 is up on the OP and also rolling out through Play in a couple of hours.

The issue with Fruit Ninja (and potentially other APKs) is now fixed.

For the techies, I now directly invoke the original RAFStream and ZipInflaterInputStream classes through reflection instead of having them cloned on the patch sources. These classes do not need fixes but were previously cloned because they can't be accessed directly, only through reflection.
This prevents issues with slight variations on the libcore of different ROMs.


Bluebox have updated to v1.4. Now I get this:...

Can you please tell me which of these two apps is more accurate. I'm using this module on LGP990 CM 10.1 based ROM from June. I tried to refresh both the apps several times but the same result comes every time.
I have the same results on my device.
If you have my mod active, you have the fix that Google applied for this bug. I'll try to have a look at BlueboxSecurityScanner to see what might be the problem.