@tanprathan
Last active June 19, 2018 04:10
Dropbox CVE-2018-12445 Information
> [Description]
> ** DISPUTED ** An issue was discovered in the com.dropbox.android
> application 98.2.2 for Android. The FingerprintManager class for
> Biometric validation allows authentication bypass through the callback
> method from onAuthenticationFailed to onAuthenticationSucceeded with
> null, because the fingerprint API in conjunction with the Android
> keyGenerator class is not implemented. In other words, an attacker
> could authenticate with an arbitrary fingerprint. NOTE: the vendor
> indicates that this is not an attack of interest within the context of
> their threat model, which excludes Android devices on which rooting
> has occurred.
>
> ------------------------------------------
>
> [Additional Information]
>
> Exploitation narrative for bypassing local fingerprint authentication
>
> 1. A decompilation process was used to determine the application logic
> from source code. Even though the application was minified (it seems to
> use ProGuard), we can still analyse the logic of fingerprint
> authentication in the "com.dropbox.android.activity.lock.c" class.
>
> 2. We notice that the fingerprint method is implemented through the
> FingerprintManager class.
>
> 3. A Frida script was created to hook into the "b" method in order to set
> onAuthenticationSucceeded to "null".
>
> Recommendation
> Use the fingerprint API in conjunction with the Android KeyGenerator class.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> OWASP Mobile Top 10 2016: M1 - Improper Platform Usage; CWE-287 - Improper Authentication
>
> ------------------------------------------
>
> [Vendor of Product]
> Dropbox
>
> ------------------------------------------
>
> [Affected Product Code Base]
> com.dropbox.android (Android: Google Play Store) - 98.2.2
>
> ------------------------------------------
>
> [Affected Component]
> Biometric (fingerprint) authentication
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Authentication Bypass
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker who is able to access a rooted Android device could
> perform runtime manipulation of the biometric authentication,
> which allows the attacker to force the return value to be "true".
> A malicious application, which may evade Google Play Store
> detection, could attack the Dropbox application on a rooted device by
> hooking into the biometric mechanism in order to bypass the
> authentication process.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Prathan Phongthiproek, Boonpoj Thongakaraniroj
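The recommendation above (tie fingerprint authentication to an Android Keystore key instead of trusting the success callback) as an added illustration; this is example code written for this page, not Dropbox's code. It assumes a hypothetical key alias `lock_screen_key` and that `encryptedLockSecret`/`iv` were produced earlier by encrypting an app secret with the same key.

```java
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
/** Fingerprint gate whose unlock depends on a Keystore-released key, not on a boolean callback. */
public class KeystoreFingerprintGate {
    private static final String KEY_ALIAS = "lock_screen_key"; // hypothetical alias
    private static final String TRANSFORMATION = KeyProperties.KEY_ALGORITHM_AES + "/"
            + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7;
    /** Generates an AES key that the Keystore only releases after a genuine user authentication. */
    static void generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true) // key unusable until the hardware authenticates
                .build());
        kg.generateKey();
    }
    /** Binds a Cipher to the authentication so the key must really be unlocked before use. */
    static void authenticate(FingerprintManager fm, final byte[] encryptedLockSecret, byte[] iv,
                             final Runnable onUnlocked) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        fm.authenticate(new FingerprintManager.CryptoObject(cipher), new CancellationSignal(), 0,
                new FingerprintManager.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
                        try {
                            // A forced callback (or a null result) never released the key, so the
                            // decryption throws instead of yielding the secret; only real auth unlocks.
                            result.getCryptoObject().getCipher().doFinal(encryptedLockSecret);
                            onUnlocked.run();
                        } catch (Exception e) {
                            // Stay locked: no genuine authentication backed this callback.
                        }
                    }
                }, null);
    }
}
```

Hooking the callback alone then no longer unlocks anything, because the secret is only recoverable when the Keystore has actually authorised the key; on API 28 and later the same pattern applies with BiometricPrompt and its CryptoObject.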