[FIX][XPOSED][4.0+] Universal fix for the several "Master Key" vulnerabilities

Tungstwenty (OP)
You may be aware of recent news about several different security vulnerabilities that allow replacing code on a signed APK without invalidating the signature:

Master Key (Bug 8219321)
An issue related with duplicate entries on the ZIP / APK files.
It was patched by Google back in February 2013 and shared with OEMs, and some of the newer devices might have already received the fix in a recent stock update. At least both Xperia Z 4.2.2 and Galaxy S2 4.1.2 contain the fix; CM has also recently patched it, on this commit.
More info can be found on @Adam77Root's thread here: http://forum.xda-developers.com/show....php?t=2359943

Bug 9695860
This also originates in the ZIP file parsing routines, and was disclosed just a few days ago immediately after the previous one was made public. The correction has already been applied by Google to the code (this commit), but it's very likely that its rollout on stock ROMs will take a long time especially on non-Nexus devices.
You can read more about it here.
To know if you're vulnerable, use SRT AppScanner mentioned above.
Unless you're running CM 10.1.2, there's a fairly big chance that you have this issue, at least as of this moment.

Bug 9950697
It's yet another inconsistency in ZIP parsing that could be abused in a very similar way to the previous one.
This one is a bit special to me, since I was fortunate enough to be the first one to report it on Google's bugtracker.
It was discovered around the time that the previous bug was acknowledged and Android 4.3 was a few days from being released, but despite the prompt report it was unfortunately too late to include the fix in time for the release; therefore it wasn't disclosed until the Android 4.4 sources came out, and I had also decided not to include a fix for it in this module, since that would be an easy way to learn about the extra attack vector.
Kudos to Jeff Forristal at Bluebox Security, who I learned was also working on that exact problem and helped me report it properly to Google, and also to Saurik who already released a Substrate-based fix and has written a very interesting article about it here.


Checking if you're vulnerable
You can use some 3rd party apps to test your system, such as:
- SRT AppScanner
- Bluebox Security Scanner
On Android 4.4 all these bugs should be fixed, and therefore this mod is not needed. But you can run one of these scanners to make sure you're not vulnerable.

While technically different, these vulnerabilities permit legitimate APKs to be manipulated so that the original code is replaced with arbitrary code without breaking the signature. This allows someone to take an update from a well known publisher (e.g. Google Maps), change the APK, and a device receiving it will happily apply the update as if it were indeed from that publisher. Depending on the apps being updated in this way, privilege escalation can be achieved.
Google has already mentioned that all apps published on the Play Store are checked for this kind of manipulation, but those of us installing APKs from other sources aren't safe.



The universal fix

Since decompiling, fixing and recompiling the code for every possible ROM version is way beyond anyone's capability, the awesome Xposed framework by @rovo89 proves itself once again as an invaluable tool.
By creating hooks around the vulnerable methods and replacing the buggy implementation with a safe one, it's possible to patch the 2 issues on the fly without ever changing the original files. Applying the fix is as easy as installing and enabling an Xposed module.


Installation steps

1. Make sure the Xposed Framework is installed.
Follow the instructions on the thread. Root is required only during installation, it is no longer required afterwards. Only ICS or above is supported.

2. Install the Master Key multi-fix module.

3. Follow the Xposed notification about a new module being available, and on the list of modules activate Master Key multi-fix

4. Reboot

You should now see an image similar to the attached one when opening the app. The green text shows that the module is active and the vulnerabilities have been patched in memory.


Download
Grab it from Google Play (recommended, as you'll get updates) or use the attached APK. The files are the same.


Version history
2.0 - Fix bug 9950697; additional corrections taken from Android 4.4 (also supports GB, provided you have a working version of Xposed Framework for your ROM)
1.3 - Fixed problems with parsing some zips depending on the ROM's original code
1.2 - Added 2 additional zip entry integrity checks that were missing
1.1 - Support for additional devices with modified core libraries (e.g. MTK6589)
1.0 - Initial version


Sources
Available on GitHub


If you appreciated this fix, consider donating with Paypal.

Thanks!
Attached thumbnails: Screenshot_2013-07-15-22-07-34.jpg, MasterKeyDualFix-1.jpg
Attached files:
MasterKeyDualFix-1.0.apk (24.3 KB)
MasterKeyDualFix-1.1.apk (24.4 KB)
MasterKeyDualFix-1.2.apk (25.6 KB)
MasterKeyDualFix-1.3.apk (25.7 KB)
MasterKeyMultiFix-2.0.apk (29.3 KB)
16th July 2013, 12:44 AM |#2 | Tungstwenty (OP)
FAQ
Frequently asked questions

[ 1 ]
Q: Bluebox Security Scanner still says my phone is unpatched after installing this... Any ideas why?
A: Make sure to click the Refresh entry on the app's menu and it should change to green once the mod is active.

[ 2 ]
Q: Bluebox Security Scanner says that the 2nd bug is not patched even after refreshing but SRT AppScanner says it's patched. Which one is right?
A: The scanner was mis-detecting the 2nd bug and it got fixed in version 1.5. Make sure you update Bluebox from the Play store.

[ 3 ]
Q: Does the module permanently patch the vulnerability or is it only when the module is active? If for example, I activate the module and reboot, then after verifying that the exploit is patched, deactivate the module. Would I still be patched? I guess what I'm asking is if I need to have this module active at all times to be patched? Permanent fix, or Just while the module is installed?
A: The fix is not permanent. It's applied only whenever the module is installed and active. If you remove it, after the next boot you're back with the original code from your ROM (which might have the bug or not).
16th July 2013, 12:45 AM |#3 | Nasty_z (Manama, Bahrain)
Thank you, this would help a lot

Sent from my GT-I9500 using Tapatalk 4 Beta
16th July 2013, 12:45 AM |#4 | Marsou77 (Earth)
Thank you but I don't see any link to the xposed patch app

Sent from my LT28h using Tapatalk 4 Beta
16th July 2013, 12:46 AM |#5 | Tungstwenty (OP)
Quote:
Originally Posted by Marsou77

Thank you but I don't see any link to the xposed patch app

Have a look now
I needed to create the thread first in order to include the link on the app itself.
16th July 2013, 05:33 AM |#6 | Senior Member
Thanks! I was just googling to see if someone had already done this before writing it myself!

XPosed is amazing sauce for Android.
16th July 2013, 08:25 AM |#7 | Maxamillion
The 4.1.2 update for the T-Mobile galaxy s3 is already patched.
Thanks for the info OP.
16th July 2013, 08:48 AM |#8 | Tungstwenty (OP)
Quote:
Originally Posted by Maxamillion

The 4.1.2 update for the T-Mobile galaxy s3 is already patched.
Thanks for the info OP.

The second bug as well? Check java.util.zip.ZipEntry on /system/framework/core.jar and see if the readShort() values are properly converted to unsigned.
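The three bugs in the opening post are all disagreements between what one ZIP parser and another believe about the same archive: a name listed twice in the central directory (bug 8219321), and 16-bit length fields that a signed readShort() without an unsigned mask turns negative (the check post #8 above asks the reader to make on java.util.zip.ZipEntry). The following is an added example, not the module's code or anything from the thread: a small structural scanner that builds a constructed in-memory archive (no real APK is used), walks the central directory and each local file header, and reports duplicate names, name disagreements between the two headers, and any length field of 0x8000 or above together with the value an unmasked readShort() would see. The finding labels, the helper names and the sample entries are this example's own choices.

```python
"""Structural scanner for the ZIP parsing inconsistencies described in the thread.

Added example, not the Xposed module's code. It builds a constructed archive
in memory and reports:
  * a name that appears twice in the central directory (duplicate-entry),
  * a local-header filename that differs from the central-directory one,
  * any 16-bit length field >= 0x8000, with the negative value an unmasked
    Java readShort() would produce for it (signed-short-overflow).
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT, CENTRAL_FMT, EOCD_FMT = "<IHHHHHIIIHH", "<IHHHHHHIIIHHHHHII", "<IHHHHIIH"


def build_zip(entries):
    """Write a minimal STORED archive. entries = [(name, data, local_extra_bytes)]."""
    body, central = io.BytesIO(), io.BytesIO()
    for name, data, extra in entries:
        name_b = name.encode()
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = body.tell()
        # Local file header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        body.write(struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, 0, crc,
                               len(data), len(data), len(name_b), len(extra)))
        body.write(name_b + extra + data)
        # Central directory record carries no extra field; only the local header gets it.
        central.write(struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 0, 0, 0, crc,
                                  len(data), len(data), len(name_b), 0, 0, 0, 0, 0, offset))
        central.write(name_b)
    cd_offset, cd = body.tell(), central.getvalue()
    body.write(cd)
    # End of central directory: sig, disk, cd disk, entries (disk), entries, cd size, cd offset, clen
    body.write(struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries),
                           len(cd), cd_offset, 0))
    return body.getvalue()


def as_java_short(value):
    """What an unmasked Java readShort() yields for a 16-bit little-endian field."""
    return value - 0x10000 if value >= 0x8000 else value


def scan_zip(blob):
    """Return a list of finding tuples; an empty list means no inconsistency found."""
    findings = []
    eocd = blob.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, cd_offset = struct.unpack_from(EOCD_FMT, blob, eocd)[4:7]
    seen, pos = set(), cd_offset
    for _ in range(count):
        cd = struct.unpack_from(CENTRAL_FMT, blob, pos)
        if cd[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        nlen, xlen, clen, lho = cd[10], cd[11], cd[12], cd[16]
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        lh = struct.unpack_from(LOCAL_FMT, blob, lho)
        if lh[0] != LOCAL_SIG:
            raise ValueError("bad local header signature for %r" % name)
        local_name = blob[lho + 30:lho + 30 + lh[9]].decode("utf-8", "replace")
        if name in seen:
            findings.append(("duplicate-entry", name))
        seen.add(name)
        if local_name != name:
            findings.append(("name-mismatch", name, local_name))
        for label, val in (("central-name-len", nlen), ("central-extra-len", xlen),
                           ("local-name-len", lh[9]), ("local-extra-len", lh[10])):
            if val >= 0x8000:
                findings.append(("signed-short-overflow", name, label, as_java_short(val)))
        pos += 46 + nlen + xlen + clen
    return findings


def zipfile_view(blob, name):
    """Which copy of a duplicated name the stock Python reader hands back."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


def sample_apk():
    """Constructed test archive, not a real APK: two classes.dex plus one padded entry."""
    return build_zip([
        ("AndroidManifest.xml", b"<manifest/>", b""),
        ("classes.dex", b"dex\n035 original code", b""),
        ("classes.dex", b"dex\n035 replaced code", b""),   # duplicate name
        ("assets/pad.bin", b"x", b"\0" * 0x8000),          # local extra length 0x8000
    ])


if __name__ == "__main__":
    for finding in scan_zip(sample_apk()):
        print(finding)
    print("zipfile returns:", zipfile_view(sample_apk(), "classes.dex"))
```

Run it on a real archive with scan_zip(open(path, "rb").read()). The point of the duplicate check is the second line of output: Python's zipfile silently returns the later copy of classes.dex, and nothing in the format says which copy a different reader must pick, which is exactly the gap between signature verification and installation that the thread describes.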
16th July 2013, 05:43 PM |#9 | "D" (L.E.)
.....
17th July 2013, 10:58 AM |#10 | Shredz98
Bluebox security still says my phone is unpatched after installing this... Any ideas why?

Sent from my HTC Sensation Z710e using xda app-developers app
17th July 2013, 12:12 PM |#11 | Tungstwenty (OP)
Quote:
Originally Posted by Shredz98

Bluebox security still says my phone is unpatched after installing this... Any ideas why?

No idea why it doesn't refresh automatically each time you execute the app, but access the Refresh option from the menu and it should change to green once the mod is active.