
Replicant 4.2 [current] is NOT affected by the following vulnerabilities

Added by My Self over 3 years ago

"GNU C Library (glibc) - aka GHOST vulnerability (CVE-2015-0235)"
More information about the vulnerability: https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability

I have researched a bit and IMHO that vulnerability does not exist in Replicant, because it uses bionic instead of glibc.
I've also found a little validation that bionic is not vulnerable to GHOST:
"[...] most low-end embedded devices use a lightweight alternative to glibc (uClibc or Bionic) and are therefore not vulnerable in the first place."
Source: https://threatpost.com/of-ghost-glibc-vulnerability-patching-and-exploits/110719

Result: (based on research [see above]), Replicant is not affected.


Replies (10)

RE: Replicant 4.2 is NOT affected by the following vulnerabilities - Added by My Self about 3 years ago

"com.android.phone vulnerability (CVE-2013-6272)"
More information about the vulnerability: http://blog.curesec.com/article/blog/35.html
POC app: http://www.curesec.com/data/CRT-Kolme.apk

Result: (based on the executed testing app), Replicant is not affected.

RE: Replicant 4.2 is NOT affected by the following vulnerabilities - Added by My Self about 3 years ago

"Android KeyStore Stack Buffer Overflow (CVE-2014-3100)"
More information about the vulnerability: https://securityintelligence.com/android-keystore-stack-buffer-overflow-to-keep-things-simple-buffers-are-always-larger-than-needed/

Result: (based on research), Replicant is not affected, because: "The vulnerability affects Android 4.3 only"
Comment: Ticket opened, anyway: http://redmine.replicant.us/issues/1311

RE: Replicant 4.2 is NOT affected by the following vulnerabilities - Added by My Self about 3 years ago

"DoubleDirect MitM Attack"
More information about the vulnerability: http://blog.zimperium.com/doubledirect-zimperium-discovers-full-duplex-icmp-redirect-attacks-in-the-wild/

Result: in fact Replicant is vulnerable to this attack, but it's simple to protect it by setting the following values via a terminal (emulator):
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv6.conf.default.accept_redirects=0

Comment: to make this permanent (so it survives a reboot), please have a look at the suggestions here: http://redmine.replicant.us/boards/39/topics/8079
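To verify that the four sysctl settings above are actually in effect on a device, here is an added example (not from the thread or the Replicant project) that audits every accept_redirects scope under a /proc/sys-style tree; the constructed sample tree, the interface name eth0 and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: audit ICMP redirect acceptance for all IPv4/IPv6 scopes.
# Reads a /proc/sys-style tree so it can target the live kernel (default)
# or a constructed sample tree. Any non-zero scope is flagged: with
# forwarding disabled (the phone case) Linux accepts IPv4 redirects when
# EITHER conf/all OR conf/<iface>/accept_redirects is 1.

# Print each accept_redirects file whose value is not 0, one per line.
enabled_scopes() {
    root="${1:-/proc/sys}"
    for fam in ipv4 ipv6; do
        for f in "$root"/net/"$fam"/conf/*/accept_redirects; do
            [ -r "$f" ] || continue         # unmatched glob or unreadable
            [ "$(cat "$f")" = "0" ] || echo "$f"
        done
    done
}

# Exit 0 when fully hardened, 1 when some scope still accepts redirects.
check_accept_redirects() {
    found=$(enabled_scopes "${1:-/proc/sys}")
    if [ -n "$found" ]; then
        printf 'still accepting ICMP redirects:\n%s\n' "$found"
        return 1
    fi
    echo "all accept_redirects scopes are 0"
}

# Constructed sample tree (not a real device): every scope starts at 1.
make_sample_tree() {
    for fam in ipv4 ipv6; do
        for scope in all default eth0; do
            mkdir -p "$1/net/$fam/conf/$scope"
            echo 1 > "$1/net/$fam/conf/$scope/accept_redirects"
        done
    done
}

# The same four settings as the sysctl lines in the post, applied to the tree.
harden_sample_tree() {
    for fam in ipv4 ipv6; do
        for scope in all default; do
            echo 0 > "$1/net/$fam/conf/$scope/accept_redirects"
        done
    done
}

sample=$(mktemp -d)
make_sample_tree "$sample"
check_accept_redirects "$sample" || echo "(expected: nothing hardened yet)"
harden_sample_tree "$sample"
# 'default' only seeds interfaces created later; an existing eth0 keeps its 1.
check_accept_redirects "$sample" || echo "(eth0 still needs its own setting)"
rm -rf "$sample"
```

Run it without arguments on the device itself to audit the live kernel; a non-zero exit means at least one scope (often a per-interface one) still accepts redirects.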

RE: Replicant 4.2 is NOT affected by the following vulnerabilities - Added by My Self about 3 years ago

[SAMSUNG related]

"ExynosAbuse exploit (CVE-2012-6422)"
More information about the vulnerability: http://forum.xda-developers.com/showthread.php?t=2048511
POC app: http://forum.xda-developers.com/showthread.php?t=2050297

Result: (based on the executed testing app), Replicant is not affected.


"Remote Code Execution as System User on Samsung Phones (CVE-2015-4640 and CVE-2015-4641)"
More information about the vulnerability: https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/
POC video: https://www.youtube.com/watch?v=uvvejToiWrY

Result: You're only affected if you are using the unpatched, proprietary stock ROM "Swift keyboard" (SamsungIME.apk).
Comment: In other words, Replicant is not affected unless you install the vulnerable proprietary keyboard app on your own.

RE: Replicant 4.2 is NOT affected by the following vulnerabilities - Added by My Self about 3 years ago

"OpenSSL bugs - Logjam & Alternative chains certificate forgery (CVE-2015-1793) & Heartbleed (CVE-2014-0160)"

POC app: https://play.google.com/store/apps/details?id=com.bblabs.heartbleedscanner
(It's probably a good idea to test your device with an app like this, to check whether one of your apps uses a vulnerable OpenSSL version.)

Result: (based on research and the executed testing app), Replicant is not affected, because: "So, who are running the OpenSSL 1.0.1f version may update to OpenSSL 1.0.1g. The users running older version of OpenSSL are safe."
Source: https://thehackernews.com/2014/04/heartbleed-openssl-zero-day-bug-leaves.html

Comment: Replicant 4.2.0003 uses OpenSSL 1.0.1c, to which the testing app says: "This version of OpenSSL is vulnerable, but heartbeats are disables so you're safe".
It furthermore says: "This version of OpenSSL is not vulnerable to Logjam" and "This version of OpenSSL is not vulnerable to CVE-2015-1793".
However, some apps come with their own OpenSSL version included, which could be vulnerable; that's why I advise running a testing app like the one listed on your setup. Sadly there is no way to do this with FOSS software yet.

Hint: you could feed the search engine of your choice with something like "play apk downloader online" if you don't have a Google account.
Hint to the hint: watch out; better use more than one download service and compare the checksums of the .apk files to lower the ever-present risk that these services compromise the binary files you get.

RE: Replicant 4.2 is NOT affected by the following vulnerabilities - Added by My Self about 3 years ago

"Certifi-gate"
More information about the vulnerability: http://blog.checkpoint.com/2015/08/06/certifigate/
POC app: https://play.google.com/store/apps/details?id=com.checkpoint.capsulescanner
POC video (over CommuniTake): https://www.youtube.com/watch?v=4b59eBx9lts

Result: (based on research and the executed testing app), Replicant is not affected.
Comment: You're only affected if you are using unpatched (proprietary; sometimes preinstalled within stock ROMs) "Remote Support Tools" (RSTs) like AnySupport, CommuniTake, RSupport and TeamViewer.

RE: Replicant 4.2 is NOT affected by the following vulnerabilities - Added by My Self about 3 years ago

"Android serialization vulnerability (CVE-2015-3825)"
More information about the vulnerability: http://www.theregister.co.uk/2015/08/10/another_android_flaw_hitting_55_percent_handsets/
POC video: https://www.youtube.com/watch?v=VekzwVdwqIY

Result: (based on research), Replicant is not affected. The vulnerability affects Android >= 4.3 (including Android 6.0 Marshmallow Preview 1).
Comment: I'll keep this post updated...

RE: Replicant 4.2 [current] is NOT affected by the following vulnerabilities - Added by Paul Kocialkowski about 3 years ago

Thanks for your work! Did you actually test the POC applications on Replicant, or deduce that it wasn't affected given what you could find about the vulnerabilities online? Perhaps say a word or two about why you believe Replicant is not affected, so that we don't only have to believe your good word :)

RE: Replicant 4.2 [current] is NOT affected by the following vulnerabilities - Added by My Self about 3 years ago

Did you actually test the POC applications on Replicant, or deduce that it wasn't affected given what you could find about the vulnerabilities online?

Both, so I have now added a 'Result' (and sometimes a 'Comment') closure to every post.

RE: Replicant 4.2 [current] is NOT affected by the following vulnerabilities - Added by My Self almost 3 years ago

I've checked a new bunch of vulnerabilities against the Replicant 4.2 codebase.
The following were already patched/merged into it, which means Replicant >= 4.2 0004 isn't affected by them:

CVE-2013-2597 - Qualcomm acdb audio buffer overflow

http://www.androidvulnerabilities.org/vulnerabilities/Qualcomm_acdb_audio_buffer_overflow
patch: https://www.codeaurora.org/projects/security-advisories/stack-based-buffer-overflow-acdb-audio-driver-cve-2013-2597

CVE-2010-EASY - RageAgainstTheCage adb

http://www.androidvulnerabilities.org/vulnerabilities/RageAgainstTheCage_adb
patch: https://android.googlesource.com/platform/system/core/+/44db990d3a4ce0edbdd16fa7ac20693ef601b723%5E%21/

ANDROID-3176774 - RageAgainstTheCage zygote

http://www.androidvulnerabilities.org/vulnerabilities/RageAgainstTheCage_zygote
patches:
https://android.googlesource.com/platform/dalvik/+/f36b57235b765c9eec3c001773b34c59cdefd87a
https://android.googlesource.com/platform/dalvik/+/886130bc7ff992940e152636f57072e58c91aa2e

CVE-2013-6123 - Qualcomm out of bounds camera

http://www.androidvulnerabilities.org/vulnerabilities/Qualcomm_out_of_bounds_camera
patches:
https://www.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=7beb04ea945a7178e61d935918d3cb152996b558
https://www.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=60e4af06161d91d5aeaa04c7d6e9f4345a6acdd4

CVE-2013-4738 - Qualcomm stack buffer overflow camera

http://www.androidvulnerabilities.org/vulnerabilities/Qualcomm_stack_buffer_overflow_camera
patches:
https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=c9c81836ee44db9974007d34cf2aaeb1a51a8d45
https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=28385b9c3054c91dca1aa194ffa750550c50f3ce

CVE-2009-1185 - exploid udev

http://www.androidvulnerabilities.org/vulnerabilities/exploid_udev
patch: https://android.googlesource.com/platform/system/netd/+/79b579c92afc08ab12c0a5788d61f2dd2934836f

CVE-2011-1350 & CVE-2011-1352 - levitator

http://www.androidvulnerabilities.org/vulnerabilities/levitator
patch: https://android.googlesource.com/platform/libcore/+/android-2.3.6_r1

CVE-2011-3874 zergRush

http://www.androidvulnerabilities.org/vulnerabilities/zergRush
patches:
https://android.googlesource.com/platform/build/+/refs/tags/android-2.2.3_r1
https://code.google.com/p/android/issues/attachmentText?id=21681&aid=216810001000&name=patch.diff&token=ABZ6GAfvlMlBkxs7HqzWgIcpTTsZwZmLBA%3A1443095673037

ANDROID-8219321 - APK duplicate file

http://www.androidvulnerabilities.org/vulnerabilities/APK_duplicate_file
patch: https://android.googlesource.com/platform/libcore/+/38cad1eb5cc0c30e034063c14c210912d97acb92

ANDROID-9950697 APK unchecked name

http://www.androidvulnerabilities.org/vulnerabilities/APK_unchecked_name
patch: https://android.googlesource.com/platform/libcore/+/2da1bf57a6631f1cbd47cdd7692ba8743c993ad9%5E%21/

ANDROID-9695860 - APK unsigned shorts

http://www.androidvulnerabilities.org/vulnerabilities/APK_unsigned_shorts
patch: https://android.googlesource.com/platform/libcore/+/9edf43dfcc35c761d97eb9156ac4254152ddbc55

Fake ID

http://www.androidvulnerabilities.org/vulnerabilities/Fake_ID
patch: https://android.googlesource.com/platform/libcore/+/2bc5e811a817a8c667bca4318ae98582b0ee6dc6

CVE-2011-1823 - Gingerbreak

http://www.androidvulnerabilities.org/vulnerabilities/Gingerbreak
patch: https://android.googlesource.com/platform/system/core/+/android-2.3.4_r1

CVE-2011-1149 - KillingInTheNameOf psneuter ashmem

http://www.androidvulnerabilities.org/vulnerabilities/KillingInTheNameOf_psneuter_ashmem
patches:
https://android.googlesource.com/platform/system/core/+/25b15be9120bcdaa0aba622c67ad2c835d9e91ca
https://android.googlesource.com/kernel/common/+/c98a285075f26e2b17a5baa2cb3eb6356a75597e

CVE-2013-2595 - Qualcomm Gandalf camera driver

http://www.androidvulnerabilities.org/vulnerabilities/Qualcomm_Gandalf_camera_driver
patch: https://www.codeaurora.org/projects/security-advisories/uncontrolled-memory-mapping-camera-driver-cve-2013-2595

CVE-2013-4740 - Qualcomm Goodix driver procfs

http://www.androidvulnerabilities.org/vulnerabilities/Qualcomm_Goodix_driver_procfs
patch: https://www.codeaurora.org/cgit/quic/la/kernel/msm-3.10/commit/?id=f53bcf29a6e7a66b3d935b8d562fa00829261f05

CVE-2013-4736 - Qualcomm Integer overflow camera

http://www.androidvulnerabilities.org/vulnerabilities/Qualcomm_Integer_overflow_camera
patches:
https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=fab0bc54f4b70fd1d85300731822379a487d66ca
https://www.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=8c5300aec8cd9882b89e9d169680221541da0d7f
https://www.codeaurora.org/cgit/quic/la//kernel/msm/commit/?id=81947189009afcfac17d1106101260c660421265

CVE-2012-4220 & CVE-2012-4221 & CVE-2012-4222 - Qualcomm Integer overflow diagnostics

http://www.androidvulnerabilities.org/vulnerabilities/Qualcomm_Integer_oveflow_diagnostics
patch: https://www.codeaurora.org/projects/security-advisories/multiple-issues-diagkgsl-system-call-handling-cve-2012-4220-cve-2012

CVE-2013-6124 - Qualcomm chown init scripts

http://www.androidvulnerabilities.org/vulnerabilities/Qualcomm_chown_init_scripts
patches:
https://www.codeaurora.org/cgit/quic/la//device/qcom/common/commit/?id=2e2d79df934fdb733adaaed060da5b19658af000
https://www.codeaurora.org/cgit/quic/la//platform/system/core/commit/?id=2419cf9e63d3a8532b2984196d759157569c2fef
https://www.codeaurora.org/cgit/quic/la//platform/system/core/commit/?id=cf514a3bbb028c84c7357bd5502013823ede9e4a
https://www.codeaurora.org/cgit/quic/la//platform/system/core/commit/?id=fd256a79a77b53e785fb4a0251efc910e8062c09

CVE-2014-3153 - TowelRoot

http://www.androidvulnerabilities.org/vulnerabilities/TowelRoot
patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c243a5a6de0be8e584c604d353412584b592f8
