MasterKey.B
Severity Level: Medium
AppRisk Coverage: Yes
Type: Exploit
OWASP: M4: Unintended Data Leakage
Aliases:
- Master Key vulnerability
Platform: Android
File size (bytes): N/A
Filename: N/A
App title: N/A
MD5 Hash: N/A
SHA1 hash: N/A
Affected CVE:
- CVE-2013-4787
Details or analysis:
MasterKey exploits a defect in cryptographic signature checking on Android devices to execute arbitrary code. This exploit attempts to gain root privileges on the affected Android device by neutering the Android property service.
Android 1.6 Donut through 4.2 Jelly Bean do not properly check cryptographic signatures for applications. This could allow attackers to execute arbitrary code via an application package file (APK) that is modified in a way that does not violate the cryptographic signature.
Distribution of this exploit code may involve multiple entries in a Zip archive file with the same name in which one entry is validated but the other entry is installed. This is also known as Android Security Bug 8219321 and the “Master Key” vulnerability.
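A detection check for the duplicate-entry condition described above, as an added example that is not part of the original entry. The names find_duplicate_entries and build_sample are hypothetical, and the sample archives are constructed in memory.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def find_duplicate_entries(apk):
    """Map each repeated entry name to its copies in the central directory.

    `apk` is a path or a binary file object.
    """
    by_name = defaultdict(list)
    with zipfile.ZipFile(apk) as zf:
        # infolist() keeps every central-directory record, duplicates included,
        # whereas getinfo()/read() by name only ever see one of them.
        for info in zf.infolist():
            by_name[info.filename].append(
                {"offset": info.header_offset, "crc": info.CRC, "size": info.file_size}
            )
    report = {}
    for name, copies in by_name.items():
        if len(copies) > 1:
            distinct = {(c["crc"], c["size"]) for c in copies}
            report[name] = {"copies": copies, "contents_differ": len(distinct) > 1}
    return report


def build_sample(entries):
    """Constructed test input: an in-memory archive built from (name, data) pairs."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns when a name is written twice
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample([
        ("AndroidManifest.xml", b"<manifest/>"),
        ("classes.dex", b"constructed-copy-1"),
        ("classes.dex", b"constructed-copy-2"),
    ])
    for name, info in find_duplicate_entries(sample).items():
        print(name, len(info["copies"]), "copies; differ:", info["contents_differ"])
```

Any non-empty result is worth flagging, since a legitimately built APK has no reason to carry two entries with the same name.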