A serious code-execution vulnerability in Android 4.3 and earlier was patched in KitKat, the latest version of the operating system.
Researchers at IBM this week disclosed the nature of the vulnerability, which was privately disclosed to the Android Security Team in September and patched last November.
“Considering Android’s fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure,” said Roee Hay, a security research group leader at IBM.
Hay’s team found a stack-based buffer overflow vulnerability in Android’s KeyStore service, which according to the Android developers’ website is responsible for storing and securing a device’s cryptographic keys.
IBM said it is not aware of any exploits in the wild targeting this vulnerability. A successful exploit would compromise a device completely, allowing an attacker to execute code of their choosing under the keystore process, IBM said.
As a result, an attacker could gain access to a device’s lock credentials, encrypted and decrypted master keys, and be able to interact with hardware-backed storage and carry out cryptographic functions such as arbitrary signing of data, IBM said.
An attacker could use a malicious application to target the security issue, but there are a number of challenges to overcome, IBM said.
For example, a malicious application must be able to bypass memory-based protections native to the operating system such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). DEP is an exploit mitigation that limits where code can be executed. Attackers have had success using Return Oriented Programming (ROP) attacks in order to bypass DEP.
ASLR, meanwhile, is aimed at buffer overflow exploits such as one targeting this Android bug: it randomizes the location of memory regions, making it difficult for an attacker’s malicious code to predict where it could land and execute.
A stack canary is also present in Android, which helps detect stack buffer overflow bugs such as this one before malicious code can execute.
Android also makes use of encoding, which could put up a further barrier to code execution.
“However, the Android KeyStore is respawned every time it terminates,” Hay cautions. “This behavior enables a probabilistic approach; moreover, the attacker may even theoretically abuse ASLR to defeat the encoding.”
IBM said the vulnerability occurs because bounds checking is absent for a stack buffer created by the KeyStore::getKeyForName method.
“This function has several callers, which are accessible by external applications using the Binder interface (e.g., ‘android::KeyStoreProxy::get’). Therefore, the ‘keyName’ variable can be controllable with an arbitrary size by a malicious application,” Hay said. “The ‘encode_key’ routine that is called by ‘encode_key_for_uid’ can overflow the ‘filename’ buffer, since bounds checking is absent.”
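To illustrate the bug class Hay describes, here is a constructed C example (my own, not Android’s KeyStore code): a simplified key-name encoder whose output can be larger than its input is written into a fixed-size stack buffer, and the hardened form refuses any caller-controlled name whose encoded length would not fit. The escape scheme, buffer size and function names are assumptions for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder for a fixed-size on-stack filename buffer;
 * not Android's actual size. */
#define FILENAME_MAX_LEN 64

/* Hypothetical encoder (not Android's encode_key): letters and digits pass
 * through, every other byte becomes '+' plus two hex digits, so a single
 * input byte can expand to three output bytes. */
static int is_plain(uint8_t c) {
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* Length the encoded name will occupy, computed before anything is written. */
size_t encoded_length(const uint8_t *name, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += is_plain(name[i]) ? 1 : 3;
    return n;
}

/* Hardened encoder: returns the encoded length, or -1 if the encoded name
 * plus its NUL would overflow `out_size`. The unchecked variant the article
 * describes is this same loop with no size argument and no early return. */
int encode_key_checked(char *out, size_t out_size, const uint8_t *name, size_t len) {
    static const char hex[] = "0123456789abcdef";
    size_t need = encoded_length(name, len);
    if (need + 1 > out_size)
        return -1;
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        if (is_plain(name[i])) {
            *p++ = (char)name[i];
        } else {
            *p++ = '+';
            *p++ = hex[name[i] >> 4];
            *p++ = hex[name[i] & 0x0f];
        }
    }
    *p = '\0';
    return (int)need;
}

/* Mirrors the call path in the article: a caller-supplied key name of
 * arbitrary size is turned into a filename held in a stack buffer. */
int build_key_filename(const uint8_t *name, size_t len, char *result, size_t result_size) {
    char filename[FILENAME_MAX_LEN];
    int n = encode_key_checked(filename, sizeof filename, name, len);
    if (n < 0)
        return -1; /* reject the request instead of smashing the stack */
    snprintf(result, result_size, "%s", filename);
    return n;
}
```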
According to the Android developer site, KitKat adoption is closing in on 14 percent, putting the vast majority of Android users at risk; 29 percent of users are on Jelly Bean 4.1, the highest version distribution.
While Google and the Android Security Team are generally prompt in making patches and advisories available, most Android users must wait until either their carrier or handset maker pushes the patch down to them. This business model has drawn the ire of security and privacy experts, and the attention of the U.S. Federal Trade Commission, which has taken action in the past against hardware maker HTC, as well as the four major carriers, for their lack of prompt updates.