
Add a check for Samsung WifiCredService remote code execution (Androi…

…d 5)
amoulu
amoulu committed Oct 27, 2015
1 parent 4a28469 commit 429c687fe03ef0db2999a36f2ec7d31101cd78da
@@ -3,6 +3,8 @@
package="com.android.vts" >

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

<application
android:allowBackup="true"
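Review bot: The two external-storage permissions in this hunk (presumably the added lines; the `+` markers are lost on this page) are granted to the whole app for the sake of a single Samsung-only check, and nothing in the manifest says why they are there. A comment above them such as `<!-- Needed by SamsungCREDzip: writes a probe file to the external Download directory -->` would tie them to that check so they can be dropped if it is ever removed. An app that declares `WRITE_EXTERNAL_STORAGE` is implicitly granted `READ_EXTERNAL_STORAGE`, so the read line is likely redundant. The `<application>` element continues outside the hunk.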
Binary file not shown.
@@ -18,6 +18,7 @@
import fuzion24.device.vulnerability.vulnerabilities.kernel.CVE_2014_3153;
import fuzion24.device.vulnerability.vulnerabilities.kernel.CVE_2014_4943;
import fuzion24.device.vulnerability.vulnerabilities.kernel.CVE_2015_3636;
import fuzion24.device.vulnerability.vulnerabilities.system.SamsungCREDzip;

public class VulnerabilityOrganizer {

@@ -40,7 +41,7 @@
tests.add(new OpenSSLTransientBug());
tests.add(new CVE_2015_3636());
//tests.add(new ZergRush()); // Hide super old bugs?

tests.add(new SamsungCREDzip());
return tests;
}
}
@@ -0,0 +1,81 @@
package fuzion24.device.vulnerability.vulnerabilities.system;

import android.content.Context;
import android.content.pm.PackageManager;
import android.content.res.AssetManager;

import java.io.File;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.FileOutputStream;
import java.io.IOException;

import java.lang.Thread;
import android.os.Build;

import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityTest;

public class SamsungCREDzip implements VulnerabilityTest {

private final static int BUFFER_SIZE = 1024;
private final static String DESTINATION = "/sdcard/Download/";
private final static String FILENAME = "cred.zip";
private final static String ASSETNAME = "Samsung_cred.zip";

@Override
public String getName() {
return "Samsung WifiCredService remote code execution";
}

private boolean thisHasSDCardPermission(Context ctx)
{
String readPermission = "android.permission.READ_EXTERNAL_STORAGE";
String writePermission = "android.permission.WRITE_EXTERNAL_STORAGE";
return (ctx.checkCallingOrSelfPermission(readPermission) == PackageManager.PERMISSION_GRANTED &&
ctx.checkCallingOrSelfPermission(writePermission) == PackageManager.PERMISSION_GRANTED);
}

private boolean isSamsungPhone(){
return Build.MANUFACTURER.equals("samsung");
}

@Override
public boolean isVulnerable(Context context) throws Exception {
boolean isVuln = false;

if(!isSamsungPhone()) return false;

if(!thisHasSDCardPermission(context))
throw new Exception("No SDCard permission assigned to app to perform Samsung cred.zip remote code execution test");

try{
AssetManager assetFiles = context.getAssets();
File outFile = new File(DESTINATION, FILENAME);
InputStream in = assetFiles.open(ASSETNAME);
OutputStream out = new FileOutputStream(outFile);

byte[] buffer = new byte[BUFFER_SIZE];
int read;
while((read = in.read(buffer)) != -1){
out.write(buffer, 0, read);
}
in.close();
out.close();

Thread.sleep(3000);

outFile = null;
outFile = new File(DESTINATION, FILENAME);
if(outFile.exists()){
isVuln = false;
outFile.delete();
}else{
isVuln = true;
}
}catch(IOException e){
throw new Exception("Error when extracting the asset file: " + e);
}

return isVuln;
}
}
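Review bot: In `isVulnerable`, `in` and `out` are closed only on the success path, so an `IOException` from `in.read` or `out.write` leaks both streams and leaves a partial `cred.zip` in the Download directory, and an `InterruptedException` from `Thread.sleep(3000)` skips `outFile.delete()` in the same way. Closing the streams in `finally`, deleting the probe file on every exit path, and passing `e` as the cause instead of concatenating it into the message would fix this. The verdict also rests on a fixed 3-second wait, so a service that picks the file up more slowly would be reported as not vulnerable; that assumption deserves a comment, or a bounded polling loop. The asset's contents are not visible on this page, so if the service unpacks the archive on an affected device, it would be worth documenting what that leaves behind and whether the check cleans it up.

```java
public boolean isVulnerable(Context context) throws Exception {
    // … unchanged: manufacturer and permission checks …
    File outFile = new File(DESTINATION, FILENAME);
    try {
        InputStream in = context.getAssets().open(ASSETNAME);
        try {
            OutputStream out = new FileOutputStream(outFile);
            try {
                // … unchanged: copy loop …
            } finally {
                out.close();
            }
        } finally {
            in.close();
        }

        // Assumes the service consumes the probe within this window.
        Thread.sleep(3000);
        return !outFile.exists();
    } catch (IOException e) {
        throw new Exception("Error when extracting the asset file", e);
    } finally {
        // Remove the probe on every exit path; a no-op if it was already consumed.
        outFile.delete();
    }
}
```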
