CyanogenMod ROM zero day vulnerability to Man-in-the-Middle attack

Android’s popular third party ROM, CyanogenMod susceptible to Man-in-the-Middle (MitM) attack

Popular third party Android ROM called CyanogenMod ROM is susceptible to a Man-in-the-Middle (MitM) attack.  This vulnerability can cause around 10 million CyanogenMod ROM users to be exposed to man-in-the-middle (MitM) attacks.  The MitM vulnerability can mean that a Android user using CyanogenMod ROM can be targeted from any browser installed on the Android smartphone/tablet.

This zero day vulnerability is present in the most popular Android ROM thanks to reuse of vulnerable sample code by Team CyanogenMod over various builds.

CyanogenMod ROM

CyanogenMod ROM is an open source operating system for Android smartphones and tablets. Most users who are not happy with the stock Google Android OS or want to do some technical wizardry with their smartphones use CyanogenMod Rom or other ROMs.  It allows root access to the Android users otherwise denied by Google’s proprietary operating system.  This in turn lets users tweak and trick the smartphone to behave exactly as the user wants it.  It is one of most popular ROMs because it is free, open source and it is updated regularly by its team lead by Steve Kondik with plenty of forums dedicated for nitpicking bugs and tricks in the operating system.

Man-in-the-Middle attack

Man-in-the-Middle attack commonly called as MitM attack is when the hacker manages to eavesdrop on the victim through arbitrary execution of certificates.  In a MitM, the hacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled, watched and noted by the hacker. A simple example of a user opening a banking website and communicating with the banking server.  Normally, the SOP doesnt allow any third party to snoop on this communication but in case of MitM attack, a hacker can get access to this particular communication using valid entry points without the knowledge of the user.

For a MitM to succeed both the communicating parties, i.e. your PC and the banking website have to be satisfied about mutual authenticity. This is done through certificates that your machine and the banking servers communicate and verify.  A false certification approval by the website can open door for MitM attacks.

The Anonymous tipper

A security researcher who wishes to remain anonymous and works for a top-tier smartphone vendor tipped The Register’s Australian bureau also known as Vulture South about this zero day vulnerability.

He stated that the vulnerability arises from the fact that Cyanogenmod developers had taken Oracle’s sample code for Java 1.5 for parsing certificates to obtain hostnames and implemented it on all subsequent releases of CyanogenMod ROMs and Nightlys. The problem was that these certificates were vulnerable to an older bug and were  later patched by Oracle.  However, CyanogenMod developers team still used the old unpatched certificates.

“I was looking at HTTP component code and I was thinking I had seen this code before,” the researcher said, he add “They just copy-pasted the sample code and that’s what was vulnerable.”

The researcher then checked the online Git repository, Github to only to find many others using the same unpatched certificates.

The Flaw

The flaw which was discovered in 2012 relates to the SSL Vulnerabilities in Libraries and had created much furore among Java users at that time. It was further researched upon February this year.   The flaw allowed attackers can use any hostname they wished on SSL certificates and have it accepted by big certificate bodies, opening avenues for large scale MitM attacks on the certificate users.

“If you go and create a SSL certificate for a domain you own, say evil.com and in an element of the certificate signing request such as the ‘organisation name’ field you put the ‘value,cn=*domain name*, it will be accepted as the valid domain name for the certificate”

Thus the flaw got carried over to every CyanogenMod build released by the developers without any attention to the unpatched libraries.

Conclusion

The researcher was apparently rebuffed by CyanogenMod team when he approached them with the PoC for this vulnerability and after rebuffed, he mentioned it at the zero-day at the Ruxcon security event in Melbourne.

LEAVE A REPLY

Please enter your comment!
Please enter your name here