Android pre-installed plug-in "Certifi-gate" vulnerability analysis and fix
0x00 Preface
At the 2015 Black Hat conference, besides Stagefright (the vulnerability that lets an Android phone be compromised by MMS), many other Android vulnerabilities were disclosed. One of them was "Certifi-gate", which, judging from the title, is yet another vulnerability that can take control of the vast majority of Android phones in the world.
In short, the vulnerability is this: some OEMs bundle mobile Remote Support Tool (mRST) plug-ins, such as TeamViewer's QS Add-On for Samsung, under /system/priv-app/, so these plug-ins run with system-level privileges. The plug-ins export a service for external use, but the identity of the caller is not properly verified (or can be bypassed) when connecting, so any app can silently use these remote-control functions (screen capture, key injection, and so on). The whole thing is really a third-party software vulnerability combined with incorrect use by OEMs, which is why Google has pushed the responsibility to the third parties: it is not a problem in Google's own source code.
0x01 How the detection tool works
Check Point, the company that discovered the vulnerability, provides a phone app that detects whether this vulnerability is present: https://play.google.com/store/apps/details?id=com.checkpoint.capsule.pdf
Load the APK in JEB and go straight to the code. First, a fingerprint list of OEM manufacturers is defined:
We can see that it includes some Chinese manufacturers such as Huawei, Lenovo, Mingji, OPPO and TCL, and some foreign manufacturers such as Samsung and LG.
The fingerprint check uses the SHA-1 of the APK signature bytes. The plug-in detection uses the SHA-256 of the first 8192 bytes of the APK file, and the exploit check uses the hashCode of the APK signature. The tool ships a list of SHA-256 values of the vulnerable plug-in builds, such as:
I looked online for the TeamViewer QuickSupport Add-On Samsung 8.0 and finally found a vulnerable version. Version 10.0 on Google Play has fixed the verification vulnerability.
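The three checks described above, reproduced as an added example in Python (my own code, not Check Point's tool or anything from the original article). The APK bytes, the certificate bytes and the denylist values are all constructed here so the script runs offline; the real tool ships the SHA-256 values of the vulnerable TeamViewer add-on builds. The hashCode reproduction relies on android.content.pm.Signature.hashCode() being java.util.Arrays.hashCode over the certificate bytes, which is how the platform class is implemented.

```python
import hashlib
import io
import zipfile


def apk_head_sha256(apk_bytes: bytes, head_len: int = 8192) -> str:
    """Plug-in detection: SHA-256 over the first head_len bytes of the APK file."""
    return hashlib.sha256(apk_bytes[:head_len]).hexdigest()


def signature_sha1(cert_der: bytes) -> str:
    """OEM fingerprint: SHA-1 over the signing certificate bytes (what PackageInfo.signatures holds)."""
    return hashlib.sha1(cert_der).hexdigest()


def java_array_hashcode(data: bytes) -> int:
    """java.util.Arrays.hashCode(byte[]) with Java's signed bytes and 32-bit overflow.
    android.content.pm.Signature.hashCode() delegates to it, so this is the value the
    exploit check compares against."""
    h = 1
    for b in data:
        signed = b - 256 if b > 127 else b  # Java bytes are signed
        h = (31 * h + signed) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def build_sample_apk(dex_payload: bytes) -> bytes:
    """Constructed stand-in for a plug-in APK: a stored zip with a fake classes.dex and a
    fake META-INF/CERT.RSA, written with fixed timestamps so the bytes are deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (("classes.dex", dex_payload), ("META-INF/CERT.RSA", b"\x30\x03\x02\x01\x01")):
            info = zipfile.ZipInfo(name, date_time=(2015, 8, 6, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed fixtures for this example (not the real hash lists).
VULNERABLE_APK = build_sample_apk(b"dex\n035\x00" + b"A" * 64)
PATCHED_APK = build_sample_apk(b"dex\n035\x00" + b"B" * 64)
VULNERABLE_HEAD_HASHES = {apk_head_sha256(VULNERABLE_APK)}

OEM_CERT = b"constructed-oem-signer-certificate"          # stands in for an OEM's DER certificate
EXPLOIT_CERT = b"constructed-exploit-signer-certificate"  # stands in for a known exploit APK's certificate
OEM_FINGERPRINTS = {signature_sha1(OEM_CERT)}
EXPLOIT_HASHCODES = {java_array_hashcode(EXPLOIT_CERT)}


def scan(plugin_apk: bytes, plugin_cert_der: bytes, installed_app_certs: list) -> dict:
    """Apply the detection app's three checks: is the plug-in OEM-signed (SHA-1 fingerprint),
    is it a known vulnerable build (SHA-256 of the APK head), and is any installed app signed
    by a known exploit signer (Signature.hashCode())."""
    return {
        "oem_plugin": signature_sha1(plugin_cert_der) in OEM_FINGERPRINTS,
        "vulnerable_build": apk_head_sha256(plugin_apk) in VULNERABLE_HEAD_HASHES,
        "known_exploit_signer": any(java_array_hashcode(c) in EXPLOIT_HASHCODES for c in installed_app_certs),
    }


if __name__ == "__main__":
    print(scan(VULNERABLE_APK, OEM_CERT, [EXPLOIT_CERT, b"some-benign-app-cert"]))
    print(scan(PATCHED_APK, b"other-signer", [b"some-benign-app-cert"]))
```

Note that hashCode is a 32-bit value with plenty of collisions, so the exploit check is a cheap lookup rather than a cryptographic one; the SHA-256 head hash identifies a specific build rather than the plug-in as such, which is why the tool needs an explicit list of vulnerable versions.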
0x02 TeamViewer plug-in vulnerability cause and fix analysis
The original English write-up has already explained this; here I will go through it again.
First, we can see that the entire APK exports only one service. When we bind to this service, a Binder instance is returned.
Next we need a way to bind this remote service and call the methods it provides. Here we hit a pitfall: there is no AIDL file, so we have to write our own. A complete AIDL file can only be reconstructed from the source decompiled with JEB:
The numbers that follow were added by me to mark each method's position in the original interface; they can be ignored. This is also a pain point.
The return value of the method a provided by this service tells whether the app currently connected to the plug-in has passed verification. That result is stored in b, and every other method (such as taking screenshots and sending key events) checks this b value before doing anything. Let's look at the verification code:
What is TVAddonService.a? Let's look at the code:
The vulnerability arises because only part of the caller's signature is verified, namely the certificate's serialNumber, which is hard-coded into the app. Why on earth is the entire signature not verified? Anyone can issue a self-signed certificate with whatever serial number they like, so the serial alone proves nothing about who signed the calling app. This has been fixed in the latest version; the fix is to compare the entire signature.
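To make the flaw concrete, here is an added example in Python (my own code, not TeamViewer's or the article's) that puts the serial-only check next to the full-signature comparison that fixes it. The certificates are minimal, certificate-shaped DER structures constructed for the example, not real X.509 certificates, and the pinned serial is the value the openssl -set_serial command in section 0x03 uses; the real plug-in's hard-coded constant and certificate are not reproduced here.

```python
import hmac

# Serial number pinned by the vulnerable check. Constructed for this example:
# it is the value the article's openssl -set_serial command uses.
TRUSTED_SERIAL = 1287658381


def _der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def cert_serial_number(cert_der: bytes) -> int:
    """Extract tbsCertificate.serialNumber:
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER, ... }, ... }"""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a certificate SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, body, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:  # explicit [0] version present, skip it
        tag, body, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(body, "big", signed=True)


def make_fake_cert(serial: int, subject: bytes, pubkey_blob: bytes) -> bytes:
    """Build a minimal certificate-shaped DER blob (constructed for the test, not a real X.509 certificate)."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))            # version v3
           + _tlv(0x02, serial_bytes)                   # serialNumber
           + _tlv(0x30, _tlv(0x13, subject))            # stand-in for subject name
           + _tlv(0x30, pubkey_blob))                   # stand-in for subjectPublicKeyInfo
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"\x06\x00") + _tlv(0x03, b"\x00\xAA\xAA\xAA\xAA"))


def vulnerable_check(caller_cert_der: bytes) -> bool:
    """The flaw: trusts any caller whose certificate carries the hard-coded serialNumber."""
    return cert_serial_number(caller_cert_der) == TRUSTED_SERIAL


def fixed_check(caller_cert_der: bytes, pinned_cert_der: bytes) -> bool:
    """The fix: compare the caller's whole signing certificate with the pinned one."""
    return hmac.compare_digest(caller_cert_der, pinned_cert_der)


# Constructed certificates: the genuine signer and an attacker's self-signed one with the same serial.
GENUINE_CERT = make_fake_cert(TRUSTED_SERIAL, b"TeamViewer", b"\x01" * 16)
ATTACKER_CERT = make_fake_cert(TRUSTED_SERIAL, b"edevil", b"\x02" * 16)

if __name__ == "__main__":
    print("serial-only check, attacker cert:", vulnerable_check(ATTACKER_CERT))        # True: bypassed
    print("full-cert check, attacker cert:  ", fixed_check(ATTACKER_CERT, GENUINE_CERT))  # False
    print("full-cert check, genuine cert:   ", fixed_check(GENUINE_CERT, GENUINE_CERT))   # True
```

On a real device the caller's certificate is obtained from the package(s) of Binder.getCallingUid() via PackageManager.getPackageInfo(pkg, GET_SIGNATURES), and it is the whole Signature.toByteArray() that must be compared against the pinned bytes (or checked with PackageManager.checkSignatures), never a single field of the certificate.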
0x03 About the exploit
Here I test with an unsigned APK and an exploit app. The result is as follows:
To generate an exploit APK, first generate the pem and pk8 files needed for signing. The "Generate Keys and cer" commands in the original write-up produce a key and a certificate; these are just the pk8 and pem files used here. The important part is -set_serial, which gives the certificate the serial number the plug-in hard-codes, since that is all the vulnerable check compares.
The commands to generate the pem and pk8 are as follows:
Generate the pem (certificate) and key files, with the expected serial number:
openssl req -x509 -nodes -newkey rsa:1024 -keyout edevil.key -out edevil.pem -set_serial 1287658381
Convert the key to pk8 (DER-encoded PKCS#8) format:
openssl pkcs8 -in edevil.key -topk8 -outform DER -out edevil.pk8 -nocrypt
Sign the test APK with signapk (run here from the sign directory on Windows):
D:\Apkdb\sign> java -jar signapk.jar edevil.pem edevil.pk8 testtvaddon.apk exp.apk
Test again: