Cross-signed and malformed certificates can crash all Android devices including Lollipop run ones

Cross-signed and malformed certificates can either crash or slow down all Android devices including Lollipop run ones

When a specially constructed malformed certificate or a cross-signed certificate is introduced into any Android device, it may either slow down the device or crash it, forcing the user to reboot.

Wish Wu, a mobile threat research engineer, has published a report on this on the TrendMicro blog. Wu says that Trend discovered this vulnerability in Android devices while researching how Android devices handle cross-signed certificates.

Trend says that its research found that all devices running any Android operating system release, including Google's latest release, Android 5.1 Lollipop, fail to handle such malformed certificates. Malformed certificates are created when two certificates are signed with a looped certificate chain. Trend gives the example of 'Certificate A' being signed with 'Certificate B' and 'Certificate B' being signed with 'Certificate A', in a continuous loop.

The blog states that introducing any such malformed certificate into an Android device, either through a new app install or by importing the certificate directly, can cause the Android system to behave unexpectedly. Trend says that such an Android device may either slow down or hang, forcing the user to reboot.

Vulnerability Description

Trend explains that this particular vulnerability is caused when a malformed certificate is introduced into the classes of the Android framework, and that it can be used by attackers. The Android framework relies on two commonly used classes, JarFile and KeyStore. Introducing such a malformed certificate into either of these two classes can put the device at risk.

Android commonly used class

JarUtils (./libcore/luni/src/main/java/org/apache/harmony/security/utils/JarUtils.java)

These may be used by the JarFile class. It is used to verify a jar package's certificates and signature files. Unfortunately, the JarUtils class cannot properly deal with a loop certificate chain and falls into an endless loop. The problem happens in all Android versions.

Android external KeyStore providers' classes

(Such as ./external/bouncycastle/src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java) – These are used to process PKCS#12 files for the Android KeyStore. If the PKCS#12 file contains a loop certificate chain, the processing code will also fall into an endless loop.
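The looped chain described above, and the check that makes a chain walk terminate, as an added example (a Python model, not Android's or Bouncy Castle's code). The `Cert` record, the function names, the `max_depth` limit and the sample certificates are all assumptions made for illustration; a real implementation would also verify signatures.

```python
from collections import namedtuple

# Simplified stand-in for an X.509 certificate: only the two names that
# chain building follows (hypothetical model, constructed for this example).
Cert = namedtuple("Cert", "subject issuer")

class ChainLoopError(ValueError):
    """Issuer links lead back to a certificate already in the chain."""

def build_chain(signer, candidates, max_depth=16):
    """Follow issuer links from signer; refuse looped or over-long chains."""
    by_subject = {c.subject: c for c in candidates}
    chain, seen = [signer], {signer.subject}
    current = signer
    while current.subject != current.issuer:   # a self-signed root ends the walk
        issuer = by_subject.get(current.issuer)
        if issuer is None:                     # incomplete chain: stop here
            break
        if issuer.subject in seen:             # A -> B -> A: the looped chain
            raise ChainLoopError("loop at %r" % issuer.subject)
        if len(chain) >= max_depth:
            raise ChainLoopError("chain exceeds max_depth")
        chain.append(issuer)
        seen.add(issuer.subject)
        current = issuer
    return chain

def naive_steps(signer, candidates, budget=1000):
    """The same walk without loop tracking; returns the steps taken.

    The budget exists only so this demonstration halts. Without it, a
    looped chain keeps the walk running forever.
    """
    by_subject = {c.subject: c for c in candidates}
    current, steps = signer, 0
    while current.subject != current.issuer and steps < budget:
        current = by_subject.get(current.issuer)
        if current is None:
            break
        steps += 1
    return steps

# Constructed sample data: a normal three-level chain and the A/B loop.
ROOT, MID, LEAF = Cert("Root", "Root"), Cert("Mid", "Root"), Cert("Leaf", "Mid")
A, B = Cert("A", "B"), Cert("B", "A")
```

On the normal chain both walks stop at the self-signed root; on the A/B pair the naive walk only stops because it exhausts its step budget, while `build_chain` rejects the input on the second hop.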

Proof of Concept

The researcher has also given a PoC for this vulnerability on the blog, working through two different scenarios.

Scenario 1 : A specially crafted app is installed on an Android device.

We will install a new app signed by one of the above certificates. We create a new app called LoopCertsChain, signed by A.cert, and try to install it onto an Android device. (The screenshots below are on a device with Android 4.1.2, although versions up to 4.4 are affected.) We get the following UI, which never ends.

Upon closer examination, we find a key process (system_server) in Android keeps using up system resources until it is killed, which triggers a device reboot. The user has no choice in the matter.

Scenario 2 : Importing a malformed certificate on Android.

In the second scenario, we import a malformed PKCS#12 file with a loop certificate chain into Android.

TrendMicro says that in both scenarios the Android device either locks in an infinite loop or gets stuck, leaving the user with no alternative but to reboot the Android device.

TrendMicro says that this vulnerability at present does not have any direct security worries for Google, but cyber criminals can use this vulnerability in future to further their gains, for example by running arbitrary code.

Trend has informed Google of this Android vulnerability and said that Google has not provided any time frame for a fix or patch.

Resource : TrendMicro Labs
