Android KeyStore vulnerability

As always, we adhered to our responsible disclosure policy and privately reported this issue to the Android Security Team; the result is a patch that is now available in KitKat. Considering Android’s fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure.

Android provides a secure storage service implemented by /system/bin/keystore. In the past, this service was accessible to other applications using a UNIX socket daemon found under /dev/socket/keystore; nowadays, however, it is accessible by the Binder interface. Each Android user receives his or her own secure storage area. A Blob is encrypted with AES using a master key, which is random, and is encrypted on-disk using a key that is derived from a password (the lock screen credentials) by the PKCS5_PBKDF2_HMAC_SHA1 function.

A stack buffer is created by the ‘KeyStore::getKeyForName’ method. This function has several callers, which are accessible by external applications using the Binder interface (e.g., ‘android::KeyStoreProxy::get’). Therefore, the ‘keyName’ variable can be controllable with an arbitrary size by a malicious application. As you can see, the ‘encode_key’ routine that is called by ‘encode_key_for_uid’ can overflow the ‘filename’ buffer, since bounds checking is absent.

Successfully exploiting this vulnerability leads to a malicious code execution under the keystore process. Such code can:

  • Leak the device’s lock credentials. Since the master key is derived by the lock credentials, whenever the device is unlocked, ‘Android::KeyStoreProxy::password’ is called with the credentials.
  • Leak decrypted master keys, data and hardware-backed key identifiers from the memory.
  • Leak encrypted master keys, data and hardware-backed key identifiers from the disk for an offline attack.
  • Interact with the hardware-backed storage and perform crypto operations (e.g., arbitrary data signing) on behalf of the user.

The vulnerability was discovered in September 2013 and fixed with the release of Android 4.4 shortly thereafter.

IBM Security Intelligence: