A code-execution vulnerability affecting Android 4.3 and earlier was recently patched in the latest version of Android, KitKat.
“Considering Android’s fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure,” said Roee Hay, a security research group leader at IBM.
Hay’s team recently found a stack-based buffer overflow inside Android’s KeyStore service, which Android’s developers describe as responsible for storing and securing the device’s cryptographic keys.
IBM stated it was unaware of any exploits in the wild when it discovered the vulnerability. A successful exploit would completely compromise an Android device, allowing an attacker to execute arbitrary code in the keystore process, IBM reported.
This could lead to an attacker gaining access to the locked device’s credentials, encrypting and decrypting master keys, and interacting with hardware-backed storage to carry out cryptographic operations such as arbitrary signing of data, IBM said.
Attackers could use malicious applications to target this vulnerability, but they would face a number of challenges.
For example, such a malicious application must be able to bypass the memory protections built into the Android operating system, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). DEP is an exploit mitigation that restricts where code can execute on the device. Attackers have succeeded in bypassing DEP by using Return Oriented Programming (ROP) attacks.
ASLR specifically mitigates buffer overflow attacks, such as one exploiting this Android code-execution flaw, by randomizing the location of common memory regions, which makes it difficult for an attacker’s malicious application to find a known address at which to execute.
Stack canaries are also implemented in Android; they help detect common stack buffer overflow bugs, such as the current code-execution bug, before such an attack can run.
Android also uses an encoding that could hinder a code-execution attack.
“However, the Android KeyStore is respawned every time it terminates,” Hay warns. “This behavior enables a probabilistic approach; moreover, the attacker may even theoretically abuse ASLR to defeat the encoding.”
IBM reported that the vulnerability occurs because bounds checking is absent for a stack buffer created by the KeyStore::getKeyForName method.
“This function has several callers, which are accessible by external applications using the Binder interface (e.g., ‘android::KeyStoreProxy::get’). Therefore, the ‘keyName’ variable can be controllable with an arbitrary size by a malicious application,” Hay reported. “The ‘encode_key’ routine that is called by ‘encode_key_for_uid’ can overflow the ‘filename’ buffer, since bounds checking is absent.”
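The defect described above is a fixed-size stack buffer receiving an encoded key name whose length the caller controls, with nothing checking that the encoded result fits. The following is an added illustration written for this article, not Android’s KeyStore code: the encoding scheme, buffer size and the function names `encode_key_unchecked`, `encode_key_checked` and `get_key_for_name` are all assumed for the example. It shows the unchecked pattern beside a hardened form that takes the buffer capacity and rejects oversize input instead of overflowing the stack frame.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative fixed-size stack buffer for a KeyStore-style routine that builds a
 * file name from a caller-supplied key name. The size is chosen for the example. */
#define FILENAME_CAP 64

/* Returns nonzero if the byte is copied through unchanged by the toy encoding. */
static int plain_byte(unsigned char b) {
    return isalnum(b) != 0;
}

/* Bytes needed (including the NUL terminator) to encode `name` under the toy
 * scheme: alphanumerics copy as one byte, any other byte expands to two.
 * This is what lets a short input grow into a larger write. */
size_t encoded_length(const char *name, size_t name_len) {
    size_t n = 1;
    for (size_t i = 0; i < name_len; i++)
        n += plain_byte((unsigned char)name[i]) ? 1 : 2;
    return n;
}

/* Vulnerable pattern: the encoder never learns how large `dst` is, so a long
 * caller-controlled name writes past a fixed stack buffer. Kept here only to
 * show the defect next to the fix; never call it with untrusted input. */
void encode_key_unchecked(char *dst, const char *name, size_t name_len) {
    for (size_t i = 0; i < name_len; i++) {
        unsigned char b = (unsigned char)name[i];
        if (plain_byte(b)) {
            *dst++ = (char)b;
        } else {
            /* Assumed two-byte escape for non-alphanumeric bytes. */
            *dst++ = (char)('+' + (b >> 6));
            *dst++ = (char)('0' + (b & 0x3F));
        }
    }
    *dst = '\0';
}

/* Hardened form: the caller passes the capacity and the encoder refuses any name
 * whose encoding would not fit. Returns the encoded length (without NUL) or -1. */
int encode_key_checked(char *dst, size_t cap, const char *name, size_t name_len) {
    size_t need = encoded_length(name, name_len);
    if (need > cap)
        return -1;
    encode_key_unchecked(dst, name, name_len); /* safe: size verified above */
    return (int)(need - 1);
}

/* Caller modelled on the getKeyForName step: a fixed stack buffer receives the
 * encoded name. Oversized names are rejected rather than overflowing the frame.
 * On success the encoded name is copied to `out` and 0 is returned; else -1. */
int get_key_for_name(const char *name, size_t name_len, char *out, size_t out_cap) {
    char filename[FILENAME_CAP]; /* the stack buffer at issue */
    int n = encode_key_checked(filename, sizeof filename, name, name_len);
    if (n < 0 || (size_t)n + 1 > out_cap)
        return -1;
    memcpy(out, filename, (size_t)n + 1);
    return 0;
}

int main(void) {
    char out[FILENAME_CAP];
    /* Constructed inputs: a benign key name, and a 40-byte name made entirely of
     * non-alphanumeric bytes, which needs 81 bytes once encoded. */
    const char *benign = "user_cert_1";
    char oversize[40];
    memset(oversize, '/', sizeof oversize);
    printf("benign   -> %d\n", get_key_for_name(benign, strlen(benign), out, sizeof out));
    printf("oversize -> %d\n", get_key_for_name(oversize, sizeof oversize, out, sizeof out));
    return 0;
}
```

The hardening is entirely in the interface: once the encoder knows the destination capacity, the length check happens before the first byte is written, and a caller such as `get_key_for_name` can turn an oversize name into an error rather than a corrupted stack frame. The same check also makes the worst-case expansion of the encoding explicit, which is the figure a reviewer should be asking for whenever a transformation writes into a fixed buffer.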
According to the Android developer website, KitKat accounts for less than 14 percent of the market, leaving nearly 86 percent of Android users at risk; 29 percent are reported to be using Jelly Bean 4.1, the most widely used version.
Most users will have to wait for their carrier to push the update. To check for updates and patch bugs on an Android device, navigate to Settings > About Phone > System Updates.