Prey Anti-Theft SSL Certification Validation

2014.11.14
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-296

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Fundacion Dr. Manuel Sadosky - Programa STIC Advisory www.fundacionsadosky.org.ar Prey Anti-Theft for Android missing SSL certificate validation 1. *Advisory Information* Title: Prey Anti-Theft for Android missing SSL certificate validation Advisory ID: STIC-2014-0731 Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2 Date published: 2014-11-11 Date of last update: 2014-11-11 Vendors contacted: Fork Ltd. (developer of Prey Anti-theft) Release mode: Coordinated release 2. *Vulnerability Information* Class: Improper Following of a Certificate's Chain of Trust [CWE-296] Impact: Denial of service, Security bypass Remotely Exploitable: Yes Locally Exploitable: No CVE Identifier: CVE-PENDING 3. *Vulnerability Description* Prey Anti-theft for Android is a free application that lets smartphone owners track and locate lost or stolen devices. It provides accurate geolocation of a missing device and allows users to remotely lock it, take pictures, play alarm sounds or display onscreen messages. The application features can be controlled from the Prey project's website or via SMS. As of November, 2014 the application had between 1 to 5 million installations worldwide according to Google Play statistics[1]. Although communication between the Prey application running on an Android device and the controlling web server is performed over HTTPS, the former does not validate the SSL certificate presented by the latter. As a result it is possible to completely subvert the anti-theft protection of Prey. To do so, an attacker simply needs to perform a Man-in-the-Middle attack on the communications between the Prey app running in the device (presumably stolen and locked with a user-provided password) and the web server, present a fake server SSL certificate and send a 'lock command' with a password of the attacker's choosing to the device. The attacker can then unlock the device manually with her provided password. Other types of attacks are possible since all communications between the device and the website can be inspected and modified by an attacker. 4. *Vulnerable packages* . Prey Anti-theft for Android version 1.1.3 and below. 5. *Vendor Information, Solutions and Workarounds* The vendor acknowledged the problem and committed to publish a new version of the application fixing the issue by November 11th, 2014. In the meantime, users can uninstall the Prey Anti-theft application by opening the "Settings" panel on their devices, selecting the "Application Manager", clicking on "Prey" and "Uninstall". These step by step instructions may vary depending on which version of the Android OS is running on the device. 6. *Credits* This vulnerability was discovered and researched by Joaqun Manuel Rinaudo. The publication of this advisory was coordinated by Programa de Seguridad en TIC. 7. *Technical Description* The vulnerability is found in the 'com.prey.net.HttpUtils' class which instantiates an HttpClient to connect to Prey's server. The HttpClient uses a custom SSLSocketFactory named EasySSLSocketFactory to obtain socket objects used to communicate with the server. This class also calls the method 'setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)' to accept as valid any hostname presented in the server certificate[2]. Furthermore, since the EasySSLCocketFactory implements a 'X509TrustManager' with empty verifier methods [3], any SSL certificate presented by the server is considered valid by the application. This allows an attacker to mount a MITM attack to impersonate the Prey panel server with a self-made X509 certificate. To unlock a stolen device, the attacker needs to spoof the lock command specifying a new password to gain control of the device. This could be done by modifying the server's response to the device request for commands at 'https://solid.preyproject.com/api/v2/devices/[DEVICE_ID].json' to: /----- [ { "command": "start", "options": { "unlock_pass": "easy" }, "target": "lock" } ] - -----/ The application tries to obtain new commands from the server by registering to listen multiple Android events such as changes in connectivity, battery level, accessing the airplane mode and even turning on and off the device. 8. *Report Timeline* . 2014-09-17: Request for security contact info filed in support page on the Prey project's website. . 2014-09-23: The vendor team asks Programa de Seguridad en TIC to send the vulnerability report via unencrypted email to security@preyproject.com. . 2014-10-01: Technical details sent to the vendor. . 2014-10-25: Programa de Seguridad en TIC requested an status update about the issue and communicated an estimated release date of the advisory by the 27th of October, 2014. Vendor requested to push back the release due to an internal re-organization of the teams. . 2014-10-27: Programa de Seguridad en TIC accepted to delay the advisory but only on the basis in receiving details about the status of the issue and a date commitment to release an updated version which fixes the problem. . 2014-10-28: Vendor informed that a patch was already developed and requested for advise as to how to avoid exposing clients running versions the app that lacked an automatic update capability to exploitation of the vulnerability. . 2014-10-29: Programa de Seguridad en TIC asked the vendor to send a copy of the patch so it could then confirm the security issue was addressed. The vendor was advised to inform the users about the vulnerability and the risk involved so clients would be encouraged to update the application so as to minimize the vulnerability impact. . 2014-10-30: Vendor sent the patched version of the application to the researcher and notified that the modification consisted in changing the HostNameVerifier from 'ALLOW_ALL_HOSTNAME_VERIFIER' to 'STRICT_HOSTNAME_VERIFIER'. . 2014-11-3: Programa de Seguridad en TIC informed the vendor that the patch did not fix the problem since the application was still not verifying the certificate chain and that the root CA was a valid one from the Android CA store because they were using an empty TrustManager. Vendor was also notified that the advisory would be published on November, 10th. . 2014-11-10: Vendor acknowledged the problem and informed that an update would be available in Google Play store by November 10th. 9. *References* [1] https://play.google.com/store/apps/details?id=com.prey [2] https://github.com/prey/prey-android-client/blob/master/src/com/prey/net/HttpUtils.java [3] https://github.com/prey/prey-android-client/blob/master/src/com/prey/net/EasySSLSocketFactory.java 10. *About Fundacin Dr. Manuel Sadosky* The Dr. Manuel Sadosky Foundation is a mixed (public / private) institution whose goal is to promote stronger and closer interaction between industry and the scientific-technological system in all aspects related to Information and Communications Technology (ICT). The Foundation was formally created by a Presidential Decree in 2009. Its Chairman is the Minister of Science, Technology, and Productive Innovation of Argentina; and the Vice-chairmen are the chairmen of the countrys most important ICT chambers: The Software and Computer Services Chamber (CESSI) and the Argentine Computing and Telecommunications Chamber (CICOMRA). For more information visit: http://www.fundacionsadosky.org.ar 11. *Copyright Notice* The contents of this advisory are copyright (c) 2014 Fundacin Sadosky and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top