From 3ae35f467f6ac2d729238da9e57e42e54c79fe59 Mon Sep 17 00:00:00 2001 From: Ryan Welton Date: Wed, 25 Nov 2015 15:40:11 -0500 Subject: [PATCH 1/6] This can sometimes use tcp/ip instead of unix sockets --- .../vulnerability/vulnerabilities/system/WeakSauce.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/WeakSauce.java b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/WeakSauce.java index bc97d5a..e2b3afb 100644 --- a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/WeakSauce.java +++ b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/WeakSauce.java @@ -12,8 +12,6 @@ import java.util.List; public class WeakSauce implements VulnerabilityTest { - - @Override public List getSupportedArchitectures() { ArrayList archs = new ArrayList(); @@ -41,6 +39,6 @@ public boolean isVulnerable(Context context) throws Exception { throw new Exception("No internet permission assigned to app to perform WeakSauce Test"); File dmAgentSocket = new File("/dev/socket/dmagent"); - return dmAgentSocket.canWrite() && dmAgentSocket.canRead(); + return dmAgentSocket.exists(); } } From 031f0e68040c3153175276a28f1bfb235d3189eb Mon Sep 17 00:00:00 2001 From: Ryan Welton Date: Wed, 25 Nov 2015 15:41:01 -0500 Subject: [PATCH 2/6] Re-enable the weaksauce check --- .../vulnerability/vulnerabilities/VulnerabilityOrganizer.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java index a3e5fde..ee1c9a5 100644 --- a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java +++ b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java 
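Review bot: The new `return dmAgentSocket.exists();` does not cover the TCP mode the commit title describes: when dmagent listens on TCP/IP instead of a unix socket, `/dev/socket/dmagent` is absent and the test reports not vulnerable, so that case is still missed rather than handled. The method also still throws when the app lacks INTERNET permission, yet nothing on the new side opens a network connection, so that requirement now guards nothing — either add the TCP probe that justifies it or drop the check. A bare existence test is also weaker evidence than the removed read/write test: a device whose socket is present but no longer accessible to an unprivileged app would presumably be reported as vulnerable. At minimum a comment should state the limitation, e.g. `// Presence check only: does not confirm the socket is reachable, nor cover dmagent's TCP mode`. isVulnerable's opening lines are outside this hunk.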
@@ -25,6 +25,7 @@ import fuzion24.device.vulnerability.vulnerabilities.kernel.CVE_2015_3636; import fuzion24.device.vulnerability.vulnerabilities.system.CVE20151528; import fuzion24.device.vulnerability.vulnerabilities.system.SamsungCREDzip; +import fuzion24.device.vulnerability.vulnerabilities.system.WeakSauce; public class VulnerabilityOrganizer { @@ -42,7 +43,7 @@ public static List getTests(Context ctx){ allTests.add(new CVE_2014_3153()); allTests.add(new CVE_2014_4943()); //tests.add(new StumpRoot()); - //tests.add(new WeakSauce()); + allTests.add(new WeakSauce()); allTests.add(new GraphicBufferTest()); allTests.addAll(StageFright.getTests(ctx)); allTests.add(new CVE_2015_6602()); From 47522e39cd403816e6b2811a9d1faa2183bbc621 Mon Sep 17 00:00:00 2001 From: Ryan Welton Date: Wed, 25 Nov 2015 15:46:52 -0500 Subject: [PATCH 3/6] Update vuln map for weaksauce --- app/src/main/assets/vuln_map.json | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/app/src/main/assets/vuln_map.json b/app/src/main/assets/vuln_map.json index a0955d7..6b108fa 100644 --- a/app/src/main/assets/vuln_map.json +++ b/app/src/main/assets/vuln_map.json 
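Review bot: The line directly above the re-enabled test, `//tests.add(new StumpRoot());`, is commented-out code that still names a `tests` list while the live code uses `allTests`, so it no longer matches the method it sits in; delete it, or if StumpRoot is meant to come back, track that elsewhere rather than in dead text. Re-enabling `allTests.add(new WeakSauce());` unconditionally also means WeakSauce.isVulnerable can throw its checked `Exception` on any app without INTERNET permission; the code that iterates `allTests` is outside this hunk, so confirm it treats a throwing test as a single failed check rather than aborting the whole run. getTests continues past the end of the hunk.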
@@ -17,6 +17,25 @@ "cvssv2": 4.9, "cvedate": "08/05/2015" }, + "WeakSauce": { + "cve": "WeakSauce", + "altnames": [ + "WeakSauce" + ], + "description": "HTC devices have a poorly written device management agent which has been continually exploited for privledge escalation purposes", + "impact": "Local privilege escalation to root from an unprivileged app", + "external_links": [ + "http://newandroidbook.com/Articles/HTC.html", + "https://plus.google.com/+JustinCaseAndroid/posts/515qRPK7c7D", + "https://plus.google.com/+JustinCaseAndroid/posts/GhTCJpr5HcT", + "http://forum.xda-developers.com/showthread.php?t=2699089", + "http://gsec.hitb.org/materials/sg2015/D2%20-%20Ryan%20Welton%20and%20Marco%20Grassi%20-%20Current%20State%20of%20Android%20Privilege%20Escalation.pdf" + ], + "patch": [ + ], + "cvssv2": 8, + "cvedate": "11/25/2015" + }, "CVE-2014-4943": { "cve": "CVE-2014-4943", "altnames": [ From 2186596e49ae228b32dd0c1c44f24857a548120f Mon Sep 17 00:00:00 2001 From: Ryan Welton Date: Wed, 25 Nov 2015 15:48:31 -0500 Subject: [PATCH 4/6] Only check for dmagent on HTC Devices --- .../vulnerability/vulnerabilities/system/WeakSauce.java | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/WeakSauce.java b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/WeakSauce.java index e2b3afb..96a204e 100644 --- a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/WeakSauce.java +++ b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/WeakSauce.java @@ -3,6 +3,7 @@ import android.content.Context; import android.content.pm.PackageManager; +import android.os.Build; import fuzion24.device.vulnerability.util.CPUArch; import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityTest; 
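Review bot: The `"cve"` field is set to the string `"WeakSauce"`, which is not a CVE identifier, so any consumer that uses `cve` as a key into a CVE database or expects the `CVE-YYYY-NNNN` shape gets a bogus value for this entry; if the schema allows non-CVE entries, that deserves a note wherever this file's fields are documented, otherwise keep the name only in `altnames`. The `description` has a typo, `privledge` → `privilege`. `"cvedate": "11/25/2015"` is the date of this commit rather than a disclosure date — confirm, since the dates of the linked posts are not visible here. The empty `"patch": []` presumably means no vendor patch reference is known; if the schema has a way to say so explicitly, prefer that over an empty array.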
@@ -18,6 +19,9 @@ public List getSupportedArchitectures() { archs.add(CPUArch.ALL); return archs; } + private boolean isHTCPhone(){ + return Build.MANUFACTURER.equals("htc"); + } @Override @@ -35,6 +39,10 @@ private boolean thisHasInternetPermission(Context ctx) @Override public boolean isVulnerable(Context context) throws Exception { + if(!isHTCPhone()){ + return false; + } + if(!thisHasInternetPermission(context)) throw new Exception("No internet permission assigned to app to perform WeakSauce Test"); From 97496eee4290b1ddc0caa98d6edc46ed493d4211 Mon Sep 17 00:00:00 2001 From: Ryan Welton Date: Wed, 25 Nov 2015 15:53:51 -0500 Subject: [PATCH 5/6] Set cvss2 score the same as pingpong root since the impact is the same --- app/src/main/assets/vuln_map.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/src/main/assets/vuln_map.json b/app/src/main/assets/vuln_map.json index 6b108fa..6e2b212 100644 --- a/app/src/main/assets/vuln_map.json +++ b/app/src/main/assets/vuln_map.json @@ -33,7 +33,7 @@ ], "patch": [ ], - "cvssv2": 8, + "cvssv2": 4.9, "cvedate": "11/25/2015" }, "CVE-2014-4943": { From 734a6c1faec44bb761b49120b707e441db53bc3c Mon Sep 17 00:00:00 2001 From: Ryan Welton Date: Wed, 25 Nov 2015 15:58:50 -0500 Subject: [PATCH 6/6] Case insensitive compare for htc --- .../device/vulnerability/vulnerabilities/system/WeakSauce.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/WeakSauce.java b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/WeakSauce.java index 96a204e..3e24fa8 100644 --- a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/WeakSauce.java +++ b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/WeakSauce.java 
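Review bot: The `if(!isHTCPhone()){ return false; }` gate in isVulnerable turns the test into a heuristic keyed on the manufacturer string, and nothing records why; a device that ships HTC firmware but reports another manufacturer would presumably be skipped, and the next reader cannot tell whether that is acceptable. Add a why-comment above the gate, e.g. `// dmagent ships only on HTC firmware; skipping other vendors avoids reporting an unrelated socket of the same name`, and note the heuristic in isHTCPhone's own doc comment. The permission check and the socket test that follow are unchanged and the rest of the method lies outside this hunk.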
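Review bot: `"cvssv2": 4.9` is copied from another entry by analogy ("same impact as pingpong root") rather than derived from a base-metric vector, and the entry's own `impact` text, local privilege escalation to root, would ordinarily score higher than 4.9 under CVSSv2 — hedged, since the vector used for the other entry is not visible here. Record the vector string next to the score, or state in the field documentation that local-root entries are deliberately normalised to one value, so the number can be audited rather than inherited.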
@@ -20,7 +20,7 @@ public List getSupportedArchitectures() { return archs; } private boolean isHTCPhone(){ - return Build.MANUFACTURER.equals("htc"); + return Build.MANUFACTURER.equalsIgnoreCase("htc"); }
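Review bot: The switch to `Build.MANUFACTURER.equalsIgnoreCase("htc")` is right but the reason is not recorded, so a later reader may "simplify" it back to `equals`; add `// MANUFACTURER casing differs between firmwares ("htc" vs "HTC"), so compare case-insensitively` above the return. Consider hoisting the literal into `private static final String HTC_MANUFACTURER = "htc";` so the gate and any future brand check share one constant. Whether every HTC firmware reports MANUFACTURER as some casing of "htc" is not visible here — confirm against the devices this was tested on.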