Android <= 4.0.4 DNS poisoning (youtube tutorial)

2012.07.24
Risk: High
Local: No
Remote: Yes
CWE: CWE-247


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

1 Introduction =========== Recently we discovered a very interesting vulnerability in Android's DNS resolver, a weakness in its pseudo-random number generator (PRNG), which makes DNS poisoning attacks feasible. The full advisory can be found at http://bit.ly/MkteBx A blog post can be found at http://bit.ly/MkoU5j Demo of our PoC can be found at http://youtu.be/ffnF7Jej7l0 2 Vulnerability ============ The PRNG that the DNS resolver uses is random_id = 0xffff & (time_usec ^ time_sec ^ pid) where time_sec is the current time in seconds, time_usec is the microseconds fraction and pid is the process identifier. Both the TXID and source port are generated by this PRNG. Since both calls occur subsequently, the values are very much correlated to each other. This yields a feasible attack expected time as we show that the number of random bits is brought down from 32 (ideally) to less than 21. Check our advisory for full details. 3 Vulnerable versions ================ Android 4.0.4 and below. 4 Vendor Response =============== Android 4.1.1 has been released, and patches are available on AOSP. The random sample is now pulled from /dev/urandom, which should have adequate entropy by the time network activity occurs. 5 Identifier ======== CVE-2012-2808 6 Discovered by ============ Roee Hay & Roi Saltzman IBM Application Security Research Group 7 Disclosure timeline ================ 07/24/2012 Public disclosure 06/05/2012 Issue confirmed by Android Security Team and patch provided to partners. 05/21/2012 Disclosed to Android Security Team.

References:

http://www.youtube.com/watch?v=ffnF7Jej7l0
http://bit.ly/MkteBx
http://bit.ly/MkoU5j


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top