Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31438
HistoryDec 01, 2014 - 12:00 a.m.

Prey Anti-Theft for Android missing SSL certificate validation [STIC-2014-0731]

2014-12-0100:00:00
vulners.com
18
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fundacion Dr. Manuel Sadosky - Programa STIC Advisory
	www.fundacionsadosky.org.ar

Prey Anti-Theft for Android missing SSL certificate validation

  1. Advisory Information

Title: Prey Anti-Theft for Android missing SSL certificate validation
Advisory ID: STIC-2014-0731
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-11-11
Date of last update: 2014-11-11
Vendors contacted: Fork Ltd. (developer of Prey Anti-theft)
Release mode: Coordinated release

  1. Vulnerability Information

Class: Improper Following of a Certificate's Chain of Trust [CWE-296]
Impact: Denial of service, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Identifier: CVE-PENDING

  1. Vulnerability Description

    Prey Anti-theft for Android is a free application that lets
    smartphone owners track and locate lost or stolen devices. It provides
    accurate geolocation of a missing device and allows users to remotely
    lock it, take pictures, play alarm sounds or display onscreen
    messages. The application features can be controlled from the Prey
    project's website or via SMS. As of November, 2014 the application had
    between 1 to 5 million installations worldwide according to Google
    Play statistics[1].

    Although communication between the Prey application running on an
    Android device and the controlling web server is performed over HTTPS,
    the former does not validate the SSL certificate presented by the
    latter. As a result it is possible to completely subvert the
    anti-theft protection of Prey. To do so, an attacker simply needs to
    perform a Man-in-the-Middle attack on the communications between the
    Prey app running in the device (presumably stolen and locked with a
    user-provided password) and the web server, present a fake server SSL
    certificate and send a 'lock command' with a password of the
    attacker's choosing to the device. The attacker can then unlock the
    device manually with her provided password. Other types of attacks are
    possible since all communications between the device and the website
    can be inspected and modified by an attacker.

  2. Vulnerable packages

    . Prey Anti-theft for Android version 1.1.3 and below.

  3. Vendor Information, Solutions and Workarounds

    The vendor acknowledged the problem and committed to publish a
    new version of the application fixing the issue by November 11th, 2014.

    In the meantime, users can uninstall the Prey Anti-theft
    application by opening the "Settings" panel on their devices,
    selecting the "Application Manager", clicking on "Prey" and
    "Uninstall". These step by step instructions may vary depending on
    which version of the Android OS is running on the device.

  4. Credits

This vulnerability was discovered and researched by Joaquin Manuel
Rinaudo. The publication of this advisory was coordinated by Programa
de Seguridad en TIC.

  1. Technical Description

    The vulnerability is found in the 'com.prey.net.HttpUtils' class
    which instantiates an HttpClient to connect to Prey's server. The
    HttpClient uses a custom SSLSocketFactory named EasySSLSocketFactory
    to obtain socket objects used to communicate with the server. This
    class also calls the method
    'setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)' to
    accept as valid any hostname presented in the server certificate[2].
    Furthermore, since the EasySSLCocketFactory implements a
    'X509TrustManager' with empty verifier methods [3], any SSL
    certificate presented by the server is considered valid by the
    application. This allows an attacker to mount a MITM attack to
    impersonate the Prey panel server with a self-made X509 certificate.

    To unlock a stolen device, the attacker needs to spoof the lock
    command specifying a new password to gain control of the device. This
    could be done by modifying the server's response to the device request
    for commands at
    'https://solid.preyproject.com/api/v2/devices/[DEVICE_ID].json' to:

/-----
[
{
"command": "start",
"options": {
"unlock_pass": "easy"
},
"target": "lock"
}
]

  • -----/

    The application tries to obtain new commands from the server by
    registering to listen multiple Android events such as changes in
    connectivity, battery level, accessing the airplane mode and even
    turning on and off the device.

  1. Report Timeline

. 2014-09-17:
Request for security contact info filed in support page on
the Prey project's website.

. 2014-09-23:
The vendor team asks Programa de Seguridad en TIC to send
the vulnerability report via unencrypted email to
[email protected].

. 2014-10-01:
Technical details sent to the vendor.

. 2014-10-25:
Programa de Seguridad en TIC requested an status update about the
issue and communicated an estimated release date of the advisory by
the 27th of October, 2014. Vendor requested to push back the release
due to an internal re-organization of the teams.

. 2014-10-27:
Programa de Seguridad en TIC accepted to delay the advisory but only
on the basis in receiving details about the status of the issue and a
date commitment to release an updated version which fixes the problem.

. 2014-10-28:
Vendor informed that a patch was already developed and
requested for advise as to how to avoid exposing clients running
versions the app that lacked an automatic update capability to
exploitation of the vulnerability.

. 2014-10-29:
Programa de Seguridad en TIC asked the vendor to send a copy of the
patch so it could then confirm the security issue was addressed. The
vendor was advised to inform the users about the vulnerability and the
risk involved so clients would be encouraged to update the application
so as to minimize the vulnerability impact.

. 2014-10-30:
Vendor sent the patched version of the application to the
researcher and notified that the modification consisted in changing
the HostNameVerifier from 'ALLOW_ALL_HOSTNAME_VERIFIER' to
'STRICT_HOSTNAME_VERIFIER'.

. 2014-11-3:
Programa de Seguridad en TIC informed the vendor that the patch did
not fix the problem since the application was still not verifying the
certificate chain and that the root CA was a valid one from the
Android CA store because they were using an empty TrustManager. Vendor
was also notified that the advisory would be published on November, 10th.

. 2014-11-10:
Vendor acknowledged the problem and informed that an update
would be available in Google Play store by November 10th.

  1. References

[1] https://play.google.com/store/apps/details?id=com.prey
[2]
https://github.com/prey/prey-android-client/blob/master/src/com/prey/net/HttpUtils.java
[3]
https://github.com/prey/prey-android-client/blob/master/src/com/prey/net/EasySSLSocketFactory.java

  1. About Fundacion Dr. Manuel Sadosky

The Dr. Manuel Sadosky Foundation is a mixed (public / private)
institution whose goal is to promote stronger and closer interaction
between industry and the scientific-technological system in all
aspects related to Information and Communications Technology (ICT).
The Foundation was formally created by a Presidential Decree in 2009.
Its Chairman is the Minister of Science, Technology, and Productive
Innovation of Argentina; and the Vice-chairmen are the chairmen of the
countryโ€™s most important ICT chambers: The Software and Computer
Services Chamber (CESSI) and the Argentine Computing and
Telecommunications Chamber (CICOMRA). For more information visit:
http://www.fundacionsadosky.org.ar

  1. Copyright Notice

The contents of this advisory are copyright (c) 2014 Fundacion Sadosky
and are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJUY99KAAoJEOAj8IJkRx2rRMIP/RQXplzZFnLFVNQ6I40vfYK2
svRkCqzVt/qLGT6VBnDo5emW1oe84iz7vcoyPEkzxA6eQzFIC0Dk5dTfUD8rv7GJ
gvqu3ZeKd8VwADMwotOzydWjla0nJu9cEWuaT/EUdQ+5t+f7SIEeVa2N+38/Zjyo
pRCMvtEHnuoRlFMS0NI5njfPmVJa4NIGlFi8+I1eO4Z9dDZRRdAozmPFjSLogUa8
1gzDiEOLhETc1ugi5WXk1BySHbj6i15x87ne5n22KWkJd/bdveydVlcGXqkHQdEs
fBwZPAh94ktOCXjkdo0rkcPKVmxQVuV7XxqAlxjZcIpE0g8foJ0BfHaA+wszlhPb
B5ab7umcjCLD99r35YQqJ49wM5VAf+KxwxkBO6nb3rHTrTbtCpV7shZ2DoK9dy86
3MOQSJ7gXZR/6klrXnMICak/BAR4nRxMgen+Yqe6sLYUSsgePkxL9zku00D6gi12
wRW3z0JIEZPofI4nld1lJ/sPeiOEbanW0HaMcaKkaeJHNWvxa7m+hgfOfkRPcdam
g37ocuWDIMfE1THHrTO1OdH0OvwaKzT/zR+tUXISItQev7ea8F0RXmjIV44fMfTv
4zMVsMZwoC5C/NI3awOO+My+KAsnzIaRJdmAvi0B/K1kxWfsJ2622EcqVIan0LOC
ZetspgvcF+fNm5v1ah9b
=k6H1
-----END PGP SIGNATURE-----

JSON