Tuesday, July 30, 2013

Android Extra Field Vulnerability Spotted in the Wild

It has been 20 days since the Extra Field vulnerability (also known as Chinese Master Keys) was first reported (translated link) by the Android Security Squad. It has now been spotted in the wild. The linked sample (MD5: C9F4C62521C04B8ADD796A1D5CEE08B0), which will be referred to as Arctic.apk, contains another APK named DoubleRainbow.apk (MD5: 1B14AD438375E6C25F645A855828D78F). DoubleRainbow.apk contains the Extra Field vulnerability. This APK is not malware. It is designed to root the Kobo Arc tablet.

A Brief Overview

The Extra Field vulnerability exists because of a signed / unsigned error when verifying the cryptographic signature of an APK's files. In a Zip file (APKs are Zip files) there is an Extra Field entry in each file's local header (see header structure here). When checking the signature of the file, the Extra Field Length is treated as a signed short. The verifier attempts to jump over the Extra Field to the file's bytes. When the length is set to 0xFFFD (-3), the verifier jumps 3 bytes backward into the file name (classes.dex), which shares three bytes (dex) with the start of the Dex file. The loader treats the Extra Field Length correctly, as an unsigned short, so it jumps forward over the Extra Field to load the file. If you place the original Dex file, overlapping the file name, into the Extra Field, it will be verified. You may then place a different Dex file in the original file's place. This injected Dex file (likely malicious) will be loaded and run without breaking the APK's signature.
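As an added example (not code from the original post), the following Python scanner walks the local file headers of a Zip buffer and computes the file data offset twice: once as the loader does (unsigned short) and once as the vulnerable verifier did (signed short). A mismatch between the two is the condition a defender should alert on. The two APK buffers are constructed stored-only entries for illustration, not the sample described above.

```python
import struct
import zlib

LOCAL_SIG = b"PK\x03\x04"
# Local file header: sig, version, flags, method, time, date, crc32, csize, usize, name_len, extra_len
LOCAL_HDR = "<4sHHHHHIIIHH"
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR)   # 30 bytes

def to_signed16(v):
    """Read a 16-bit field the way the vulnerable verifier did: as a signed short."""
    return v - 0x10000 if v & 0x8000 else v

def make_entry(name, extra, data):
    """Build one stored (uncompressed) local entry: header + name + extra field + data."""
    hdr = struct.pack(LOCAL_HDR, LOCAL_SIG, 20, 0, 0, 0, 0,
                      zlib.crc32(data) & 0xFFFFFFFF, len(data), len(data), len(name), len(extra))
    return hdr + name + extra + data

def scan_local_headers(buf):
    """Walk local headers and report where the loader (unsigned extra_len) and the
    vulnerable verifier (signed extra_len) each believe the file data starts."""
    findings, off = [], 0
    while buf.startswith(LOCAL_SIG, off):
        f = struct.unpack_from(LOCAL_HDR, buf, off)
        csize, name_len, extra_len = f[7], f[9], f[10]
        after_name = off + LOCAL_HDR_LEN + name_len
        loader_off = after_name + extra_len
        verifier_off = after_name + to_signed16(extra_len)
        findings.append({
            "name": buf[off + LOCAL_HDR_LEN:after_name].decode("latin-1"),
            "extra_len": extra_len,
            "mismatch": loader_off != verifier_off,          # the condition to alert on
            "verifier_sees": buf[verifier_off:verifier_off + 16],
            "loader_sees": buf[loader_off:loader_off + 16],
        })
        off = loader_off + csize
    return findings

def has_negative_extra_field(buf):
    """Defender's check: does any local header carry an extra field length that goes negative?"""
    return any(e["mismatch"] for e in scan_local_headers(buf))

# Constructed sample: the genuine dex lives in the extra field, overlapping the "dex" of
# "classes.dex"; a different dex sits where the file data should be.
ORIGINAL_DEX = b"dex\n035\x00" + b"A" * 16
INJECTED_DEX = b"dex\n035\x00" + b"LOLOLOL" * 2
EXTRA = ORIGINAL_DEX[3:].ljust(0xFFFD, b"\x00")          # length 0xFFFD reads as -3 when signed
BENIGN_APK = make_entry(b"classes.dex", b"", ORIGINAL_DEX)
TAMPERED_APK = make_entry(b"classes.dex", EXTRA, INJECTED_DEX)
```

Run `scan_local_headers(TAMPERED_APK)` to see that the verifier's view begins with the original Dex bytes while the loader's view begins with the injected ones.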

The Sample

Checking the files inside of Arctic.apk, it is fairly obvious that it is up to something. Inside the /assets/ folder we see the following files:
The presence of Superuser.apk indicates that Arctic will likely be rooting the device. Arctic is fairly simple: it installs and runs DoubleRainbow.apk, which was originally a system package for the Kobo Status Bar. Since it is a system package, it is granted elevated privileges on the device. The Extra Field exploit allowed the author to inject custom code to be run by this package. To match the size of the replaced classes.dex, the injected Dex file was padded out with a 2599-byte string, "LOLOLOL...". Once executed, the custom classes.dex runs wifiScript.sh, the contents of which can be seen here:
mount -o rw,remount /system
cat /data/data/com.android.innocomm.EngineerMode/su >/system/xbin/su
chmod 6755 /system/xbin/su
cat /data/data/com.android.innocomm.EngineerMode/Superuser.apk >/system/app/Superuser.apk
chmod 644 /system/app/Superuser.apk
pm uninstall com.kobo.statusbar
Since DoubleRainbow.apk is running in a privileged mode, all it needs to do is copy over su and Superuser.apk.


The APK was authored by @zhuowei and can be found on their Github. None of the source code was being returned by Google since it was posted so recently. The repository was found through the author's name on Arctic.apk's certificate. As we can see from the following, the Kobo Status Bar APK (DoubleRainbow.apk) still contains the certificate issued by Jason Gamblen from Kobo Inc.
Issuer: C=CA, ST=British Columbia, L=Vancouver, O=Unknown, OU=Unknown, CN=Zhuowei Zhang
Issuer: C=CA, ST=Ontario, L=Toronto, O=Kobo, OU=Android Team, CN=Android/emailAddress=jgamblen@kobobooks.com
While this APK is not malicious, it demonstrates how easy it is to gain root access using the Extra Field vulnerability. It is expected that this vulnerability and the Master Keys vulnerability will become common occurrences in Android malware.

Tuesday, July 16, 2013

Androrat - Android Remote Access Tool


Androrat is an appropriately named remote access tool (or RAT) for Android. In case you're unfamiliar, RATs provide backdoor functionality to an operator, giving access to your system and private data. Androrat recently fell into the spotlight thanks to this Webroot blog post that highlights a user-friendly Android trojan maker. According to the post, Androrat is the default malicious package provided with this software.

Androrat was the project of four university students from France. According to their README, it was completed in one month. It has since been removed from the Github account on which it was hosted, and for privacy reasons these students will not be named here.

A law enforcement agency provided us with a zip file that appears to be a dump of the Github repository. It contained two compiled debug versions of the Androrat APK, the source code for these, and some class files. Additionally, it contained all of the source code for the server as well as its dependencies.


To get the server running, I was able to simply drop all of the source files into an Eclipse project, add the dependencies, and fix up one import that didn't agree with my system. I was pleasantly surprised at how easy this was to get working.


To test that everything was working I ran the server from Eclipse and simply loaded up the debug APK. The debug APK conveniently allows the user to set the server's IP and port. Here we can see the debug apk and the server program:


Androrat covers the breadth of Android malware features. From the README:

    ### All the available functionalities are
    * Get contacts (and all their information)
    * Get call logs
    * Get all messages
    * Location by GPS/Network
    * Monitoring received messages in live
    * Monitoring phone state in live (call received, call sent, call missed..)
    * Take a picture from the camera
    * Stream sound from microphone (or other sources..)
    * Streaming video (for activity based client only)
    * Do a toast
    * Send a text message
    * Give call
    * Open a URL in the default browser
    * Make the phone vibrate

After setting up a contact list, a few fake conversations, and a call log I went to test these out. A few of the functions gave errors, but most worked. As well, a few were not compatible with the Android emulator (for example, vibrate).


In the file inout/Protocol.java the request and response codes are listed. For requests the base number is 100, then a value ranging from 0 to 23 is added to it for the code. This is wrapped with the target channel (multiplexed) and arguments in CommandPacket. Then it is wrapped with other meta info in TransportPacket. The resulting packet data size for requests hovers around 21 bytes.

The APK gives an acknowledgment to requests received. The response message is packed into a custom packet via the following function call sequence (format: ClassName.function):
-> Client.sendInformation 
-> Connection.sendData 
-> Mux.send 
-> TransportPacket.build

This packet includes the acknowledgement data, total length, data length, the channel (multiplexed), as well as a short and bool for following the packet sequence.

The response codes have a base of 200 and add a value ranging from 0 to 15 to that base. Data being sent is generally built into an array or hash table, then the response is written using ObjectOutputStream.writeObject() and placed into a custom packet. The packet includes the type that was packed. For example, when dumping an SMS to the server, the object type java.util.ArrayList will be included in the packet to indicate what has been written. The fields used in these structures prior to packing are very verbose. As an example, PhoneNumber, SimOperator, and IMEI are used when dumping device information to the server.

The information is sent over TCP with this custom protocol. The default server port is 9999, however, this is configurable.
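The post describes the transport only in outline (a custom TransportPacket wrapper, TCP port 9999, Java ObjectOutputStream.writeObject() payloads that carry the class name such as java.util.ArrayList), so the exact header layout is not reproduced here. The following Python check, added here and not part of the original post or the Androrat code, is a detection heuristic built on those stated facts: it looks anywhere in a TCP payload for the Java serialization stream magic and the class names declared in TC_CLASSDESC records, and scores the default port as a secondary signal. The sample payloads and the stand-in header bytes are constructed.

```python
import re
import struct

JAVA_SER_MAGIC = b"\xac\xed\x00\x05"          # Java serialization STREAM_MAGIC + STREAM_VERSION
# TC_CLASSDESC (0x72) is followed by a modified-UTF-8 class name: 2-byte big-endian length, then bytes
CLASSDESC_RE = re.compile(rb"\x72([\x00-\xff]{2})([A-Za-z_$][A-Za-z0-9_$.]{0,255})")
ANDRORAT_DEFAULT_PORT = 9999                  # default from the write-up; the server port is configurable

def serialized_class_names(payload):
    """Return class names declared by TC_CLASSDESC records anywhere in the payload."""
    names = []
    for m in CLASSDESC_RE.finditer(payload):
        n = struct.unpack(">H", m.group(1))[0]
        name = m.group(2)
        if 0 < n <= len(name):                # declared length must fit the identifier we matched
            names.append(name[:n])
    return names

def classify_payload(dst_port, payload, watch=frozenset({b"java.util.ArrayList"})):
    """Heuristic verdict for one TCP segment: Java-serialized objects of a watched type
    anywhere in the payload (2 points) plus the default Androrat port (1 point)."""
    java_serialized = JAVA_SER_MAGIC in payload
    names = serialized_class_names(payload) if java_serialized else []
    score = (2 if any(n in watch for n in names) else 0)
    score += 1 if dst_port == ANDRORAT_DEFAULT_PORT else 0
    return {"java_serialized": java_serialized, "classes": names,
            "score": score, "suspicious": score >= 2}

# Constructed samples. FAKE_HDR stands in for the custom packet header, whose layout the
# post does not give; the serialized ArrayList that follows it uses placeholder SUID bytes.
FAKE_HDR = b"\x00\x00\x00\x2a\x00\x00\x00\x26\x00\x01\x00\x00\x01"
SMS_DUMP = (FAKE_HDR + JAVA_SER_MAGIC + b"\x73\x72\x00\x13java.util.ArrayList"
            + b"\x00" * 8 + b"\x03\x00\x01")
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
```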


Since the source code was public, this project provides a significant starting point for new Android malware authors. However, it does not contain any root exploits, it does not attempt to obfuscate the code or communication, and it has not been refined to a point that I would call reliable.

Tuesday, July 9, 2013

Microsoft Update Tuesday: July 2013: an issue of TrueType fonts

This month's Update Tuesday looks pretty interesting. As usual, there's quite a few CVEs covered and most of them are once again in IE: there's a total of 7 bulletins, covering 34 CVE issues. However, one CVE is shared between 3 bulletins.

MS13-052 covers the .NET framework and Silverlight. There's a total of 7 CVEs fixed by the update associated with this bulletin. The bulletin is marked critical and could result in remote code execution or escalation of privileges if one of these vulnerabilities is exploited.

There's a total of 8 CVE issues this month that pertain to the Windows Kernel, described in MS13-053. This bulletin is considered critical and can result in remote code execution, specifically due to a vulnerability related to TrueType fonts, which we discuss as part of MS13-054. Other vulnerabilities include a use-after-free and an overflow that can result in a potential escalation of privileges for an attacker.

One particularly interesting bug is described in MS13-054. While that bulletin specifically covers GDI+, the single CVE (CVE-2013-3129) associated with this bulletin is also shared by bulletins MS13-052 and MS13-053. This vulnerability is the result of a bug when handling maliciously crafted TrueType fonts. The interesting part here is that a previous TrueType font issue was a 0-day exploited by the Duqu malware. Because TrueType fonts can be exploited via a malicious Word document (or anything that can embed TrueType fonts, like Silverlight), the issue can result in remote code execution.

MS13-055 is the bulletin that deals with IE. This one covers all supported versions of Internet Explorer (i.e., IE6-IE10) and covers 17 CVE issues. The bulletin is rated critical and covers a number of issues, mostly resulting in memory corruption which could allow an attacker to execute arbitrary code. As with previous IE vulnerabilities, the memory corruption issues are mostly the result of use-after-free issues, where an attacker can potentially access an object after the memory for it has been freed. This type of vulnerability can result in a kind of type confusion, where in one part of the program the memory is still considered to be a particular object, while in another part it may have been reallocated and used as a different object. It can then potentially corrupt sensitive information (like a pointer) in the new object, which could allow attackers to overwrite arbitrary memory locations.

Windows DirectShow is updated through bulletin MS13-056. It patches a vulnerability that can result in memory corruption and that is potentially exploitable on all supported Windows versions except RT and Server Core.

There's also a bulletin covering Windows Media Format (WMF): MS13-057. This bulletin handles a single CVE issue related to a potential underflow vulnerability in a DLL when opening a malicious WMF file, potentially resulting in remote code execution. The patch for this vulnerability modifies the way in which Windows Media Player opens media files.

Finally, the last bulletin released this month covers Windows Defender (MS13-058). This is the only bulletin marked as important: all the rest were considered critical. The bulletin is made up of a single CVE issue, that can result in a local vulnerability, potentially allowing an attacker to gain increased privileges.

We have detection for many of these vulnerabilities through SIDs: 27126-27139, 27147-27154, 27156-27157.