@tanprathan
Last active June 20, 2018 13:34
Dropbox CVE-2018-12446 Information
> [Description]
> ** DISPUTED ** An issue was discovered in the com.dropbox.android
> application 98.2.2 for Android. The Passcode feature allows
> authentication bypass via runtime manipulation that forces a certain
> method's return value to true. In other words, an attacker could
> authenticate with an arbitrary passcode. NOTE: the vendor indicates
> that this is not an attack of interest within the context of their
> threat model, which excludes Android devices on which rooting has
> occurred.
>
> ------------------------------------------
>
> [Additional Information]
> Exploitation narrative for bypassing local authentication on Passcode
>
> 1. We noticed that information regarding the passcode authentication
> is disclosed through the Android system log, which could be identified
> using the "adb logcat" command while the application was running.
>
> 2. Once the Passcode authentication method was called (by entering an
> invalid Passcode), the application class would be shown through the
> system log, which is "com.dropbox.android.activity.lock.LockCodeActivity".
>
> 3. A de-compiling process was used to determine the application logic
> through the source code. Even though the application was minified (it
> seems to be using ProGuard), we could still analyse the logic of Passcode
> authentication in the "b" method and found that its return type is
> Boolean.
>
> 4. A Frida script was created to hook into the "b" method in order to
> force the return value to be "true".
>
> Recommendation
>
> * Remove logging of the Passcode authentication method from
> com.dropbox.android.activity.lock.LockCodeActivity
>
> * Consider code obfuscation beyond ProGuard alone, since it only
> minifies and does not obfuscate
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> OWASP Mobile Top 10 2016: M1 - Improper Platform Usage, CWE-287 - Improper Authentication
>
> ------------------------------------------
>
> [Vendor of Product]
> Dropbox
>
> ------------------------------------------
>
> [Affected Product Code Base]
> com.dropbox.android (Android: Google Play Store) - 98.2.2
>
> ------------------------------------------
>
> [Affected Component]
> Passcode authentication
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Authentication Bypass
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker who is able to access a rooted Android device could
> perform runtime manipulation on Passcode authentication, which
> allows the attacker to force the return value to be "true".
> A malicious application, which may evade Google Play Store
> detection, could attack the Dropbox application on a rooted device by
> hooking into the Passcode verification mechanism in order to bypass
> the authentication process.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Boonpoj Thongakaraniroj, Prathan Phongthiproek
Use CVE-2018-12446.
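As an added illustration of the recommendations above (example code, not from the advisory or from Dropbox): the weak pattern the report describes, a single Boolean-returning check like the "b" method, beside a design in which the passcode derives the key that unwraps an app secret, so that forcing a method to return true recovers nothing and no authentication detail is logged. Plain JDK Java; the class name, secret, passcode and PBKDF2 iteration count are constructed for the example.

```java
import java.security.SecureRandom;
import javax.crypto.*;
import javax.crypto.spec.*;
public class PasscodeGate {
    // Weak pattern, as the advisory describes it: one boolean gates access, so a
    // runtime hook that forces this method to return true unlocks the app.
    static boolean weakCheck(String entered, String stored) {
        return entered.equals(stored);
    }

    // Hardened pattern: the passcode is never compared. It derives a key that must
    // decrypt a wrapped secret, so forcing any boolean to true yields no secret.
    static SecretKey deriveKey(char[] passcode, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passcode, salt, 100_000, 256); // constructed cost
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // Enrolment: wrap the app secret under the passcode-derived key.
    // Returns {salt, iv, ciphertext}; these can be stored, none reveals the passcode.
    static byte[][] enroll(char[] passcode, byte[] secret) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[12];
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passcode, salt), new GCMParameterSpec(128, iv));
        return new byte[][] { salt, iv, c.doFinal(secret) };
    }

    // Unlock: a wrong passcode fails inside GCM tag verification, not in app logic,
    // and nothing about the attempt is written to the system log.
    static byte[] unlock(char[] passcode, byte[][] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passcode, blob[0]), new GCMParameterSpec(128, blob[1]));
        return c.doFinal(blob[2]); // throws AEADBadTagException on a wrong passcode
    }

    public static void main(String[] args) throws Exception {
        byte[][] blob = enroll("1234".toCharArray(), "constructed app secret".getBytes("UTF-8"));
        System.out.println(new String(unlock("1234".toCharArray(), blob), "UTF-8"));
        try {
            unlock("0000".toCharArray(), blob);
        } catch (AEADBadTagException e) {
            System.out.println("wrong passcode: no secret recovered");
        }
    }
}
```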