发布时间 :2013-07-09 13:55:01
修订时间 :2013-10-11 10:49:51

[原文]Android 1.6 Donut through 4.2 Jelly Bean does not properly check cryptographic signatures for applications, which allows attackers to execute arbitrary code via an application package file (APK) that is modified in a way that does not violate the cryptographic signature, probably involving multiple entries in a Zip file with the same name in which one entry is validated but the other entry is installed, aka Android security bug 8219321 and the "Master Key" vulnerability.

[CNNVD]Android Donut/Jelly Bean APK 任意代码执行漏洞(CNNVD-201307-154)

        Android是美国谷歌(Google)公司和韩国开放手持设备联盟(简称OHA)共同开发的以Linux为基础的开源操作系统。该操作系统主要用于移动设备,其特点是用甜点作为版本代号,包括Cupcake(纸杯蛋糕)、Donut(甜甜圈)、 Eclair(松饼)、Froyo(冻酸奶)、Gingerbread(姜饼)、Honeycomb(蜂巢)、Ice Cream Sandwich(冰激凌三明治)以及Jelly Bean(果冻豆)。
        Android 1.6 Donut至4.2 Jelly Bean版本中存在漏洞,该漏洞源于程序没有正确对应用程序检查加密签名。攻击者可通过修改的方式不违反加密签名的应用程序数据包文件(APK),利用该漏洞执行任意代码。

- CVSS (基础分值)

CVSS分值: 9.3 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: MEDIUM [漏洞利用存在一定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-310 [密码学安全问题]

- CPE (受影响的平台与产品)

cpe:/o:google:android:4.2Google Android Operating System 4.2 (Jelly Bean)
cpe:/o:google:android:4.0.3Google Android Operating System 4.0.3
cpe:/o:google:android:4.0.2Google Android Operating System 4.0.2
cpe:/o:google:android:4.0Google Android Operating System 4.0
cpe:/o:google:android:2.3.7Google Android Operating System 2.3.7
cpe:/o:google:android:4.0.4Google Android Operating System 4.0.4
cpe:/o:google:android:4.1Google Android Operating System 4.1
cpe:/o:google:android:2.0.1Google Android Operating System 2.0.1
cpe:/o:google:android:4.0.1Google Android Operating System 4.0.1
cpe:/o:google:android:2.3:rev1Google Android Operating System 2.3 Revision 1
cpe:/o:google:android:2.2:rev1Google Android Operating System 2.2 Revision 1
cpe:/o:google:android:1.6Google Android Operating System 1.6
cpe:/o:google:android:2.2.1Google Android Operating System 2.2.1
cpe:/o:google:android:3.1Google Android Operating System 3.1
cpe:/o:google:android:3.2Google Android Operating System 3.2
cpe:/o:google:android:2.3.5Google Android Operating System 2.3.5
cpe:/o:google:android:2.2.2Google Android Operating System 2.2.2
cpe:/o:google:android:2.2.3Google Android Operating System 2.2.3
cpe:/o:google:android:2.3.6Google Android Operating System 2.3.6
cpe:/o:google:android:2.3.3Google Android Operating System 2.3.3
cpe:/o:google:android:2.3.4Google Android Operating System 2.3.4
cpe:/o:google:android:2.3.1Google Android Operating System 2.3.1
cpe:/o:google:android:2.0Google Android Operating System 2.0
cpe:/o:google:android:2.1Google Android Operating System 2.1
cpe:/o:google:android:2.3.2Google Android Operating System 2.3.2
cpe:/o:google:android:2.3Google Android Operating System 2.3
cpe:/o:google:android:3.2.4Google Android Operating System 3.2.4
cpe:/o:google:android:2.2Google Android Operating System 2.2
cpe:/o:google:android:3.2.1Google Android Operating System 3.2.1
cpe:/o:google:android:3.2.2Google Android Operating System 3.2.2
cpe:/o:google:android:3.2.6Google Android Operating System 3.2.6
cpe:/o:google:android:3.0Google Android Operating System 3.0

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BID  60952

- 漏洞信息

Android Donut/Jelly Bean APK 任意代码执行漏洞
高危 加密问题
2013-07-11 00:00:00 2013-07-11 00:00:00
        Android是美国谷歌(Google)公司和韩国开放手持设备联盟(简称OHA)共同开发的以Linux为基础的开源操作系统。该操作系统主要用于移动设备,其特点是用甜点作为版本代号,包括Cupcake(纸杯蛋糕)、Donut(甜甜圈)、 Eclair(松饼)、Froyo(冻酸奶)、Gingerbread(姜饼)、Honeycomb(蜂巢)、Ice Cream Sandwich(冰激凌三明治)以及Jelly Bean(果冻豆)。
        Android 1.6 Donut至4.2 Jelly Bean版本中存在漏洞,该漏洞源于程序没有正确对应用程序检查加密签名。攻击者可通过修改的方式不违反加密签名的应用程序数据包文件(APK),利用该漏洞执行任意代码。

- 公告与补丁


- 漏洞信息

Google Android Unauthorized Application Package (APK) Modification
Local Access Required, Mobile Phone / Hand-held Device Cryptographic
Loss of Integrity Solution Unknown
Exploit Private Vendor Verified

- 漏洞描述

Android contains a flaw that is due to the program failing to properly restrict users from modifying APK code. This may allow a local attacker to change APK code without breaking an application's cryptographic signature and subvert legitimate applications into running malicious code.

- 时间线

2013-07-03 Unknow
2013-07-08 2013-02-01

- 解决方案

Google has noted that the flaw in Google Play that would have allowed a user to distribute an application with these modifications has been corrected. However if an attacker tricks a user into manually installing a malformed update for an application that was originally downloaded from Google Play the device may then become vulnerable again. It is reported that Google fixed this issue in February, 2013, although the exact date is not known. CyanogenMod users can apply a patch released on 2013-07-07.

- 相关参考

- 漏洞作者

Unknown or Incomplete