Exploiting the vulnerability could lead to total compromise of the device

Jun 26, 2014 20:45 GMT  ·  By

A stack buffer overflow vulnerability that was eliminated in Android 4.4 (KitKat) still affects every earlier version of the mobile operating system.

Researchers at IBM discovered the security problem in the Android KeyStore service, the system component that stores cryptographic key material on behalf of applications and tracks which app owns each key.

By exploiting this vulnerability, an attacker could read sensitive material out of the KeyStore process's memory, including the device's lock credentials, encrypted and decrypted master keys, stored key data and hardware-backed key identifiers, and could perform cryptographic operations with the user's keys on the user's behalf.

The flaw lies in a fixed-size stack buffer created by the “KeyStore::getKeyForName” method, which is then filled from an attacker-controlled key name without any length check.

Roee Hay, who leads the application security research team at IBM, said that “this function has several callers, which are accessible by external applications using the Binder interface (e.g., ‘android::KeyStoreProxy::get’). Therefore, the ‘keyName’ variable can be controllable with an arbitrary size by a malicious application” and, as a result, “the ‘encode_key’ routine that is called by ‘encode_key_for_uid’ can overflow the ‘filename’ buffer, since bounds checking is absent.”
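The pattern Hay describes, reduced to a small, added C example (this is illustrative code written for this article, not the AOSP KeyStore source): a key-name encoder that writes into a caller-supplied buffer without knowing its size, beside a hardened version that takes the buffer size and refuses to exceed it. The buffer capacity (32 bytes) and the escaping rule (bytes outside the printable range '0'..'~' expand to two characters) are assumptions chosen for illustration; the security point is that output expansion combined with a missing bounds check lets an application-chosen ‘keyName’ overrun the ‘filename’ buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the stack buffer; illustrative, not the real NAME_MAX. */
#define FILENAME_BUF_SIZE 32

/* Assumed encoding rule: bytes outside '0'..'~' are escaped as two characters,
 * so the output can grow to 2*key_len characters plus a terminating NUL. */
static int needs_escape(uint8_t c) { return c < '0' || c > '~'; }

/* Vulnerable pattern: writes the encoded key into out without knowing out's
 * size. With an attacker-chosen key length this overruns a fixed buffer. */
static size_t encode_key_unchecked(char *out, const uint8_t *key, size_t key_len) {
    size_t written = 0;
    for (size_t i = 0; i < key_len; ++i) {
        uint8_t c = key[i];
        if (needs_escape(c)) {
            out[written++] = (char)('+' + (c >> 6));
            out[written++] = (char)('0' + (c & 0x3F));
        } else {
            out[written++] = (char)c;
        }
    }
    out[written] = '\0';
    return written;
}

/* Hardened version: same encoding, but the caller passes out_size and the
 * function never exceeds it (NUL included). Returns -1 if the name would not fit. */
static int encode_key_checked(char *out, size_t out_size,
                              const uint8_t *key, size_t key_len) {
    size_t written = 0;
    for (size_t i = 0; i < key_len; ++i) {
        uint8_t c = key[i];
        size_t need = needs_escape(c) ? 2 : 1;
        if (written + need + 1 > out_size) {   /* +1 keeps room for the NUL */
            if (out_size) out[0] = '\0';
            return -1;
        }
        if (need == 2) {
            out[written++] = (char)('+' + (c >> 6));
            out[written++] = (char)('0' + (c & 0x3F));
        } else {
            out[written++] = (char)c;
        }
    }
    out[written] = '\0';
    return (int)written;
}

/* Hardened counterpart of the uid-prefixed wrapper named in the article:
 * "<uid>_" followed by the encoded key, all kept within out_size. */
static int encode_key_for_uid_checked(char *out, size_t out_size, unsigned uid,
                                      const uint8_t *key, size_t key_len) {
    int n = snprintf(out, out_size, "%u_", uid);
    if (n < 0 || (size_t)n >= out_size) return -1;   /* prefix alone did not fit */
    int m = encode_key_checked(out + n, out_size - (size_t)n, key, key_len);
    return m < 0 ? -1 : n + m;
}

/* Constructed attacker input: 40 bytes of 0xFF, each of which escapes to two
 * characters. Returns how many bytes the unchecked encoder would write past a
 * FILENAME_BUF_SIZE stack buffer (0 if it fits). A deliberately oversized
 * scratch buffer is used so this demonstration itself stays in bounds. */
static size_t demo_overflow_bytes(void) {
    uint8_t key[40];
    memset(key, 0xFF, sizeof key);
    char scratch[4 * sizeof key];
    size_t n = encode_key_unchecked(scratch, key, sizeof key) + 1; /* +1 for NUL */
    return n > FILENAME_BUF_SIZE ? n - FILENAME_BUF_SIZE : 0;
}

int main(void) {
    char filename[FILENAME_BUF_SIZE];
    uint8_t key[40];
    memset(key, 0xFF, sizeof key);

    printf("unchecked encoder would overrun the buffer by %zu bytes\n",
           demo_overflow_bytes());
    printf("checked encoder result for the 40-byte key: %d\n",
           encode_key_for_uid_checked(filename, sizeof filename, 10036, key, sizeof key));
    printf("checked encoder result for \"abc\": %d (%s)\n",
           encode_key_for_uid_checked(filename, sizeof filename, 10036,
                                      (const uint8_t *)"abc", 3), filename);
    return 0;
}
```

The checked encoder fails closed: when the name cannot fit it returns -1 and leaves an empty string, so the caller can reject the request instead of continuing with a truncated or partially written file name.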

In principle, the bug can be triggered by any malicious app installed on the device, since the vulnerable code is reachable over Binder. Turning it into reliable code execution is harder, because the exploit has to bypass the memory protections on the platform: Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and stack canaries.

“However, the Android KeyStore is respawned every time it terminates. This behavior enables a probabilistic approach; moreover, the attacker may even theoretically abuse ASLR to defeat the encoding,” says Hay in the disclosure.

IBM reported the findings privately to the Android Security Team on September 9, 2013; the team provided a fix on November 11, 2013, leaving a 63-day window between the report and the patch.

IBM held the public disclosure back until now because the bug is critical: it can lead to code execution inside a privileged system service.

The security issue is rated critical, and the recommended course of action is to update to Android 4.4 (KitKat), which is not affected. Because the fix lives in the operating system rather than in any app, users depend on their device vendor shipping that update. At the moment there are no reports of the vulnerability being exploited in the wild.

Most Android devices still run Jelly Bean (versions 4.1.x, 4.2.x and 4.3), which accounts for 58.4% of the install base, while KitKat has reached only 13.6%.

This means that if a working exploit for this stack buffer overflow appears, the majority of Android users, everyone on Jelly Bean or earlier, would be exposed to it.