Severe Deserialization Vulnerabilities Found In Android, 3rd Party Android SDKs 105
An anonymous reader writes: Closely behind the discoveries of the Stagefright flaw, the hole in Android's mediaserver service that can put devices into a coma, and the Certifi-gate bug, comes that of an Android serialization vulnerability that affects Android versions 4.3 to 5.1 (i.e. over 55 percent of all Android phones). The bug (CVE-2015-3825), discovered by IBM's X-Force Application Security Research Team in the OpenSSLX509Certificate class in the Android platform, can be used to turn malicious apps with no privileges into "super" apps that will allow cyber attackers to thoroughly "own" the victim's device. In-depth technical details about the vulnerabilities are available in this paper the researchers are set to present at USENIX WOOT '15.
Already patched (Score:2)
Re: (Score:2)
In that case is there any way to patch the OS? Trusting every application vendor to update their application is risky. The major vendors will, but the smaller ones may never update their apps again, even though some people are still using them.
Re: (Score:1)
Re: (Score:2)
The article is a little bit ambiguous; it says Google's already patched OpenSSL, so I'm guessing if your device still receives updates from your carrier, then you're safe
So, IOW, RUN FOR THE HILLS!!!
Re: (Score:2)
There is no need for them to patch the OS to mitigate this vulnerability, in actual fact. They simply add it to one of the things to look for when they scan apps that are being installed on Android devices. This feature is enabled by default, even for apps installed from sources other than the Play store.
So really to fall victim to this you would have to go far out of your way to be dumb. Enable installing apps from other sources, disable scanning of new apps before installation and then install a malicious
Re: (Score:2)
So really to fall victim to this you would have to go far out of your way to be dumb. Enable installing apps from other sources
So, IOW, you have to submit to a "Walled Garden", right?
Haaaa Hahahahhahahahahahaha!!!!!
And tell me truthfully, if this Article was about iOS instead of Android, would you REALLY be downplaying the danger here?
Thought so.
Re: (Score:2)
So, IOW, you have to submit to a "Walled Garden", right?
Ummm, no? You have to actively turn off known app vulnerability scans when you sideload. Even if Joe Shmoe user finds out how to sideload, most will just tap on the big OK let google scan this app for vulnerabilities.
Plus this is about unrooted phones. Hows that sideloading going for non jail-broken iOS devices?
And tell me truthfully, if this Article was about iOS instead of Android, would you REALLY be downplaying the danger here?
Nope, since everything on iOS _has_ to go through the app store, and can't be sideloaded ( unless you jailbreak... meaning there was ALREADY a security vulnerability ) it wouldn't be downplayed since
Re: (Score:2)
Ummm, no? You have to actively turn off known app vulnerability scans when you sideload. Even if Joe Shmoe user finds out how to sideload, most will just tap on the big OK let google scan this app for vulnerabilities.
So, as I said, the ONLY way to be even semi-secure with Android is to only download "curated" Apps. Anything else relies on the User to not be too anxious to see the new Hello Kitty wallpaper.
Plus this is about unrooted phones. Hows that sideloading going for non jail-broken iOS devices?
Fortunately, most SANE iOS Users don't jailbreak. So, my question to you is "How's that sideloading going for Android Devices?"
Nope, since everything on iOS _has_ to go through the app store, and can't be sideloaded ( unless you jailbreak... meaning there was ALREADY a security vulnerability ) it wouldn't be downplayed since the app was ALREADY said to be safe from a security scan / audit. If iOS allowed sideloading, AND Apple scanned sideloaded apps like Google, then it would be no different.
LOL! That logic is SO circular that you made me dizzy! What the HELL are you trying to doublespeak?!?
Choose the curator (Score:2)
the ONLY way to be even semi-secure with Android is to only download "curated" Apps
True, but Android lets the user choose more than one curator. Other established curators include Amazon and F-Droid.
Re: (Score:2)
the ONLY way to be even semi-secure with Android is to only download "curated" Apps
True, but Android lets the user choose more than one curator. Other established curators include Amazon and F-Droid.
So, you really trust Amazon, let-alone F-Droid, to properly "vet" Apps?
Heck, even Google has let several (and I mean SEVERAL) malware-infested Apps exist on the Play Store. There have been a COUPLE (and I mean a COUPLE) of (now deleted) infected iOS Apps; but nothing compared to Android, even on the "Curated" sites.
Re: (Score:2)
F-Droid's Inclusion Policy [f-droid.org] states that it distributes only apps whose source code is in a publicly readable version control repository and distributed under a free software license. Its Inclusion How-To [f-droid.org] states that all executables come from its own build farm and that new apps are suggested by forum users. This would at least give other forum users a chance to review apps' source code for obvious "anti-features". Or are you arguing based on the same phenomenon that caused OpenSSL defects not to be detected
Re: (Score:2)
This is not really true. IOS developers can sideload any app they wish as long as they sign it with their developer key first. You don't have to have access to the source code either, the code signing tool will happily let you sign any binary you want.
A developer key currently costs $99/year which is certainly not free but it is low enough that most people could afford it if they really want to sideload apps legit
Re: (Score:2)
You don't need a paid account to sideload apps anymore:
http://9to5mac.com/2015/06/10/... [9to5mac.com]
Re: (Score:1)
The bug (CVE-2015-3825), discovered by IBMâ(TM)s X-Force Application Security Research Team in the OpenSSLX509Certificate
I wonder what sort of security analysis they used, I guess something like grep -r openssl * -lt 1 || echo "Security vuln found!" would do it.
Re: (Score:2)
it is oss as far as the os goes, but many of google's apps and their underlying service frameworks are closed source. so what you do is compile the os for your device and obtain an archive of the google apps/services exactly like cyanogenmod, et. al. do.
So, it is Open Source in the same way that OS X and iOS are. Darwin is Open Source. Many Frameworks are Open Source; but then...
So, in that regard Android and iOS/OS X are equivalent. But only one of them seems to be designed with security in mind. Guess which one...
ios is now getting the same security through obscurity pass that osx has gotten.
LOLOL! That meme has been disproven time and again; and in case you haven't noticed, iOS is no Windows Phone. It still has quite enough marketshare to be a target.
Face it. Android is broken by design.
Re: (Score:2)
it is oss as far as the os goes, but many of google's apps and their underlying service frameworks are closed source. so what you do is compile the os for your device and obtain an archive of the google apps/services exactly like cyanogenmod, et. al. do.
So, it is Open Source in the same way that OS X and iOS are. Darwin is Open Source. Many Frameworks are Open Source; but then...
Where can I download the iOS source code? Oh wait you can't. But you can download the Android source code [android.com]
The only broken part of Android is when other device manufactures get their hands on it. They are the ones that are updating their devices. I have a Nexus 6 which gets updates right from Google. This is no different the someone having an iPhone and getting updates right from Apple.
Re: (Score:2)
Where can I download the iOS source code? Oh wait you can't. But you can download the Android source code [android.com]
So, can you really expect to compile that and end up with something that you can load into your phone (and have it work?). No. No more than you can download Darwin and expect it to be a fully-functional iOS build.
But actually, you can [stackexchange.com] download some parts of iOS [apple.com], just like you can download some parts of Android.
Re: (Score:2)
So, can you really expect to compile that and end up with something that you can load into your phone (and have it work?). No.
Yes, actually. [android.com] The AOSP builds should work out of the box in the sense that you can load them onto an Android-compatible phone (with an unlocked bootloader) and run normal Android applications with the stock Android user interface. Some additional functionality may require the installation of closed-source drivers, most notably accelerated graphics and Wi-Fi. The closed-source drivers needed to run AOSP with full functionality on various Nexus devices are distributed for free by Google [google.com].
By contrast, while t
Re: (Score:1)
AOSP may lack the proprietary Google applications and open-source versions of some device drivers, but it otherwise comprises a complete operating system.
So, other than being incomplete, it's complete, right?
Re: (Score:2)
So, other than being incomplete, it's complete, right?
No, it's complete, period. It may not contain every bit of software in the world, like Google's proprietary apps, but AOSP builds are usable on actual hardware in their own right. This is quite unlike the open-source fragments of iOS, which are just that: fragments.
Sure, both Android and iOS as shipped on most consumer devices contain some open-source parts and some proprietary parts, but let's not make a false equivalency here. Android, even without Google's applications, is a fully usable operating system
Re: (Score:2)
So, can you really expect to compile that and end up with something that you can load into your phone (and have it work?).
yes, people do it all the time. you can start here:
https://source.android.com/sou... [android.com]
Re: (Score:2)
ios is now getting the same security through obscurity pass that osx has gotten.
LOLOL! That meme has been disproven time and again; and in case you haven't noticed, iOS is no Windows Phone. It still has quite enough marketshare to be a target.
The only thing "disproven" is any claim you might ever have made about understanding what "security through obscurity" means.
Protip: it's got fuckall to do with market share.
Re: (Score:2)
The only thing "disproven" is any claim you might ever have made about understanding what "security through obscurity" means.
Protip: it's got fuckall to do with market share.
Really? I've been around these parts since 2004, and that's what most, if not all, Slashdotters seem to claim again and again as to why OS X has no (or virtually no) Malware.
I understand that, technically, "security through obscurity" actually refers to intentionally (or unintentionally) obsfucated code allegedly being harder to reverse-engineer an exploit for; but you have to admit, the de facto meaning on Slashdot does often (if not always) refer to marketshare (or lack thereof) making a "smaller" (or a
Re: (Score:2)
So, it is Open Source in the same way that OS X and iOS are. Darwin is Open Source. Many Frameworks are Open Source; but then...
no, android the OS is open source. google apps are not open source.
Re:Already patched (Score:5, Informative)
Google has already patched the SDKs, but I think any apps made with them have to be updated as well.
(Android security team member here.)
There's a platform-level fix which involves both Google Play Services changes and core OS changes. The Google Play Services changes were pushed out in early June. The core OS changes were pushed to Nexus devices in last week's update, and other OEMs have had the fix (including backported versions of the fix for older Android versions) since June and should be delivering it with their own updates.
Re:Already patched (Score:5, Interesting)
With three major, ecosystem-wide exploits published just in the last week or so, why can I still not get root on my S6 Active? My (limited) understanding is that attackers could own me and a billion other people six ways from Sunday, but when it comes to just owning my own phone... ?
Wrong folks to ask (Score:4, Interesting)
If you whine and slow-play some BS about making sure it won't harm your precious networks, okay. But the fines will be imposed and continue to increase until the all the patches are truly pushed out.
Carriers, either push out the security updates to all affected phones, or release unlockers to allow your customers to defend themselves; there should be no other options given to you.
Re: (Score:2)
This is what I keep pushing for. Manufactures and carriers should have 30 days AFTER Google patches to push out the fixes for ALL security vulnerabilities. Those that fail get a fine for each day after 30 days they are late. Samsung is still working on Android 5.0.2 for my old Note 2 and my Note 10.1 tablet. Fucking 5.0 was released over 13 month ago.
I say as long as Google is still patching versions of Android then manufactures should be required to push out those versions to their devices.
Re: (Score:1)
Re: (Score:3)
Historically, there has been a reason for the way carriers are with respect to software updates. They aren't actually evil you know - they're staffed by engineers, just like most of us.
The issue is that before Android and iOS came along, the vast majority of all phones had firmware updates rarely or at all. Whats more, most ph
Re: (Score:2)
Then they need to take some of their massive profits (in dollar terms) and hire some more QA engineers so they can test updates in a timely manner. It shouldn't take 6+ months after a manufacturer has released an update for it to hit my device, it should be days or weeks at most.
Re: (Score:2)
And if you want your baby quicker, you just need more women.
I'm sure that in some cases staffing actually is an issue, but I know that in many cases it's really not the problem... and in some the problem is that stuff just takes time, and it's really not possible to go faster. For example, you do some testing, find a problem and then can't usefully test all of the other stuff around that problem until it's fixed. Then you find and fix another problem, which uncovers a subtle, previously-hidden flaw elsewh
Re: (Score:2)
Sorry, you don't get time. Your own companies security folks are only giving 3rd parties 90+- days from communications to public disclosure of vulnerabilities to produce, test, and release a patch to their users, if you think anyone is going to give you any more is deluded so you have to have your stuff together enough that you can turn a security bug into an end user distributed patch *available through the carriers* in ~90 days. That's the cold hard reality. If you can't do it then something has to change
Re: (Score:2)
Re: (Score:2)
I also said *after a manufacturer has released an update*, the process of doing the QA at the telecom level shouldn't take a significant percentage of the 90 days.
Re: (Score:2)
I also said *after a manufacturer has released an update*, the process of doing the QA at the telecom level shouldn't take a significant percentage of the 90 days.
Okay, I stand corrected. I agree with that... at least if the OEM did a decent job. A little while ago talked to the heads of QA of two major US MNOs, who both commented that they also thought that's how it should be, but experience has shown them that they can't trust the OEMs not to screw things up, so they have to do really thorough QA.
FWIW, a bunch of OEMs at the same meeting also agreed that things need to change, so I'm hopeful that over the next couple of years they will. Google is trying to push t
Re: (Score:1)
Re: (Score:2)
With three major, ecosystem-wide exploits published just in the last week or so, why can I still not get root on my S6 Active?
Honestly... at least part of it is because the exploits are not nearly as serious as described. Stagefright appears to be unexploitable on a device with proper ASLR, which your S6 has. This deserialization vuln isn't sufficient to get root (though perhaps it could be chained with another exploit). The pingpong vuln should be enough to get you persistent root... but by the time someone has packaged a nice tool to do it, Samsung will probably have pushed an update.
If you really want to root your device, yo
Re: (Score:2)
Re: (Score:2)
A very large portion of rooted Androids with SELinux do not "setenforce 0", and I've not seen it recommended for ages.
As for handicapping the Android security model, I am reminded of a quote about safety being a tyrant's tool...
Re: (Score:2)
Hence the GP's closing sentence. You've been informed; the rest is up to you.
Re: (Score:2)
I am reminded of a quote about safety being a tyrant's tool...
Where's the tyrant? I'm telling you go nuts if you want to do it, just don't come whining if it costs you.
Re: (Score:2)
I'm still getting familiar with the Android world, having recently stormed away from iOS (frustrating lack of control over the OS, even when jailbroken). I was headed for freedom, baby! So imagine my surprise when my new Android phone is locked down tighter than my old Apple phone. At least that I could jailbreak and it never had forced OTA updates (wtf?).
I've been keeping an eye out for a workable root solution. Tumbleweeds. (And pingpong has an expirat
Re: (Score:2)
Because that'd make the Android security model the same as the Windows security model. Which is, you know, a failure.
"Application 'Samsung Totally Official Important Update' wants root: approve/deny"
What could possibly go wrong?
Devices that allow firmware reflashing like the Nexus devices are sold on the understanding that only power users and OS enthusiasts will ever find the hidde
Re: (Score:1)
Re: (Score:2)
But you're right, it is just a matter of wanting my device to work exactly how I want it to, and fiddle with the guts. And not compromise on any other features (waterproofing notwithstanding... that has been less effective than advertised).
Re: (Score:2)
why can I still not get root on my S6 Active
i suggest you ask yourself why you purchased a samsung device? are you really asking a google employee why samsung doesn't allow (or make it obvious) for you to root your phone?
Re: (Score:2)
holy crap (Score:2, Interesting)
this is getting silly. I'm gonna go get an old ass nokia non-smart phone and just be happy.
Re: (Score:3, Funny)
I dropped the entire Windows platform last year. It's fantastic sitting back and watching the Windows fanboy's house of cards come crashing down.
Sent from my Potato.
Android or is it Java? (Score:2)
Perhaps someone with more Java/Android experience can elaborate but my quick read on serialization leads me to believe that this is a flaw in Java itself and that per the below, while steps can be taken to mitigate the risk, it can't be eliminated.
Re: (Score:2)
"Further analysis showed that many of the SDKs were vulnerable due to weak code generated by SWIG, an interoperability tool that connects C/C++ with variety of languages, when fed with some bad configuration given by the developer." https://www.usenix.org/confere... [usenix.org]
So it doesn't sound like Java.
Re: (Score:3)
Deserialization vulnerabilities are a general problem with any runtime platform that supports ser/deser of in-memory objects to and from disk (or the network, or anywhere else you can deserialize to, e.g. stdout).
There isn't a whole lot the runtime itself can do to protect your code from deser exploits, since it doesn't know about the internal structure of your object data. Built-in support for ser/deser is pretty barebones and generic; if not customized, it can often serialize things in a way that is gross
Re: (Score:1)
Re:Android or is it Java? (Score:4, Informative)
It's not exactly a flaw in Java. All their exploits rely on finding bits of Java that call into C/C++ code because that's the only way to break out of the memory-safe type system constraints. If Android had used a pure Java SSL implementation (like Java SE does) instead of wrapping OpenSSL, this issue would not have existed, as the only class in the entire framework that was vulnerable to this was one that wrapped a native C structure and the issue worked through manipulation of C/C++ memory management code.
So this boils down to "native code is dangerous". Which we already knew. Stagefright was just the same: the parts of Android written in Java rarely have security bugs, and the most serious issues invariably crop up in the C/C++ components.
However. One could argue that the Java serialization mechanism makes it a little bit too easy to accidentally de/serialise things that you didn't mean to. As the paper notes, it is an opt out system in which you tag fields which should not be loaded/unloaded, rather than the other way around. This makes it easy to serialise too much. If you then deserialise a native pointer which is freed inside a finaliser ..... bang. So we can imagine that Java could make it harder to commit this mistake if it had a better designed serialisation system. Nobody likes Java serialisation: it's one of the oldest parts of the platform and dates back to the early 90s, before anyone realised the subtle security implications of deserialising malicious object graphs. But of course it cannot be removed for backwards compatibility reasons. Perhaps the Android tools should warn about usage of it, though.
And the design of the Android APIs also comes under fire ..... they will happily deserialise objects that the developer did not expect. If they simply asked the developer "what is it you expect this bundle to contain" and then did some checks before actually deserialising the objects, the whole issue could have been avoided as well.
So there are multiple places where things can be tightened here.
Re: (Score:2)
thank you for the more detailed explanation (also a few responders above you).
Re: (Score:1)
"...so less apps..."
Stannis, you take this one [youtube.com]
Re serialization issue (Score:2)
Re:Re serialization issue (Score:5, Insightful)
The problem is that Android issues aren't 'routinely taken care of'. Most Android devices will never see a fix for this, because manufacturers have abandoned them and carriers want you to upgrade to a new phone.
I almost wonder whether Google are encouraging people to publicize Android vulnerabilities so they can say 'look, this isn't working, we need to be able to push updates to phones ourselves'. They have to do that if Android has any future.
Re: (Score:2)
I almost wonder whether Google are encouraging people to publicize Android vulnerabilities so they can say 'look, this isn't working, we need to be able to push updates to phones ourselves'.
If that was really what they wanted to do, they would've designed it that way in the first place. Windows manages to update itself across a wide variety of hardware without involvement from the manufacturers.
Re: (Score:1)
I almost wonder whether Google are encouraging people to publicize Android vulnerabilities so they can say 'look, this isn't working, we need to be able to push updates to phones ourselves'.
If that was really what they wanted to do, they would've designed it that way in the first place. Windows manages to update itself across a wide variety of hardware without involvement from the manufacturers.
Windows isn't open source and Dell doesn't take that source and heavily modify it before passing it on to Best Buy who adds their own changes before installing it on a machine and selling it to you. This is essentially how the Android ecosystem works: Google writes the base system, OEMs modify it, carriers modify it some more. The exception to this is Nexus devices, whose hardware (and some firmware) comes from OEMs, but the software is stock Android, and is updated by Google.
Re: (Score:1)
What now?
Haven't we been told for years that Open Source is superior to the closed source because everyone can find vulnerabilities and even if some problem is found the patch is found and distributed faster, unlike closed source? And now you claim that the problem with Android is that it can't be patched because it's Open Source?
Re: (Score:2)
Re: (Score:2)
They wanted hardware manufacturer adoption and carrier adoption without the dealmaking Apple did with AT&T to get them to allow a device they couldn't modify with carrier crapware.
I wonder if they know regret making that Faustian bargain given the noise level about carrier skins, lack of updates, etc.
Re: (Score:2)
I almost wonder whether Google are encouraging people to publicize Android vulnerabilities so they can say 'look, this isn't working, we need to be able to push updates to phones ourselves'.
If that was really what they wanted to do, they would've designed it that way in the first place. Windows manages to update itself across a wide variety of hardware without involvement from the manufacturers.
Windows is also highly limited on the hardware it can run on, and very restricted in what the manufacturers can do to improve the OS. One of the reasons Android is as widespread and good as it is is that there was alot of freedom in the early days for improvements to be made by manufacturers, which eventually got folded into the main stock builds.
Android seriously needs to focus on security updates now, but to lock down the manufacturers years ago would have seriously restricted its development.
Re: (Score:2)
I almost wonder whether Google are encouraging people to publicize Android vulnerabilities so they can say 'look, this isn't working, we need to be able to push updates to phones ourselves'. They have to do that if Android has any future.
Google doesn't have to resort to tactics like that. They can simply "update" their OEM agreements and pretty much everyone would just have to take it. I SUPPOSE they could Fork Android; but the truth is, not one of them (except maybe Slamdung) has the wherewithal to keep up with Android development internally.
Re: (Score:2)
Well, there's only one issue with that. All it will take is Google to push out a patch that breaks the custom UI on the phone making it unusable. Carriers/manufacturers don't allow you to disable skins/UI "improvements" so this could potentially be a problem.
Linux-gate (Score:2)
Any vulnerability in Debian, Fedora, or Android is Linux-gate [stackoverflow.com].
This is just the beginning. (Score:1)
With so much news and controversy generated by these stories, many many more security researchers and companies are going to start doing deeper dives into Android source code and the various forks individual companies use.
This at once great and scary. Great because it's better to get these vulnerabilities out in the open so they can be dealt with accordingly. Scary because of the market fragmentation, the vast majority of phones will never see security updates. A minority of Android users have the knowhow
Curious (Score:3)
Re: (Score:2)
Probably, someone at XDA should be able to turn this into a one-click root app. Until phones come with root access from the manufacturer I prefer an OS with holes above the closed systems Apple and Microsoft are selling.
Re: (Score:2)
The bug can be used to own Android devices .. (Score:2)
Except you forgot to mention that the malware (SerializePOC [youtube.com]) has to be already installed on the device. So to get 'hacked' a) download and install malicious app
Summary (Score:2)
Put an object that is of a class known to the system class loader into an Intent extra. Broadcast the intent it such at it will be received by the system (by possibly targeting an intent filter that's already handled by something in the system process). The system, as soon as it reference any of the Intent extras, will deserialize all of them, including the malicious object (that's how the Bundle object, which backs intent extras works). Eventually, even if that object was never used, it's finalize() method
Re: (Score:2, Insightful)
We always get a fanboi!
Psssst... this article is about Android.
Re: (Score:2)
Re: (Score:1)
The latest iOS version with all the security fixes slowed your iPhone 3 to an unusable crawl? I'm sorry, buy a new iPhone instead.
Seriously, of all the stones you guys may have to throw, that's really not one of them.
Re: (Score:2)
I still wouldn't change back to a device that you don't truly own even after paying $500+ for the device.
Re:Back to iOS, then? (Score:4, Insightful)
iOS and MacOSX have had tons of bugs to do with deserialization of messages passed inter-process, usually XPC type confusion issues.
This is a very neat sort of attack, but it requires quite a few rarely used features to appear in conjunction to pull off, which is why they only found one exploitable class in the entire Android SDK. Their mitigation suggestions are good and can be implemented with some fairly minor API upgrades. I don't think this bug in particular is going to tip the security balance between iOS and Android much.