Skip to content ↓ | Skip to navigation ↓

Researchers have disclosed a stack-based buffer overflow vulnerability in the Android KeyStore that could expose cryptographic keys in as many as 86% of devices in use, threatening the security of banking applications, PIN code device locks, and VPN services.

“A stack buffer is created by the ‘KeyStore::getKeyForName’ method. This function has several callers, which are accessible by external applications using the Binder interface (e.g., ‘android::KeyStoreProxy::get’),” the researchers reported.

“Therefore, the ‘keyName’ variable can be controllable with an arbitrary size by a malicious application. As you can see, the ‘encode_key’ routine that is called by ‘encode_key_for_uid’ can overflow the ‘filename’ buffer, since bounds checking is absent.”

The researchers say that exploiting this vulnerability could allow malicious code execution within the keystore process leaving users vulnerable to attacks that can:

  • Leak the device’s lock credentials. Since the master key is derived by the lock credentials, whenever the device is unlocked, ‘Android::KeyStoreProxy::password’ is called with the credentials
  • Leak decrypted master keys, data and hardware-backed key identifiers from the memory
  • Leak encrypted master keys, data and hardware-backed key identifiers from the disk for an offline attack
  • Interact with the hardware-backed storage and perform crypto operations (e.g., arbitrary data signing) on behalf of the user

The vulnerability only affects Android version 4.3, but is not present in Android 4.4, and attackers would have to successfully get past some obstacles in order to perform a successful exploit, including bypassing DEP (Data Execution Protection) and ALSR (Address Space Layout Randomization).

“As always, we adhered to our responsible disclosure policy and privately reported this issue to the Android Security Team; the result is a patch that is now available in KitKat. Considering Android’s fragmented nature and the fact that this was a code-execution vulnerability, we decided to wait a bit with the public disclosure.”

Read More Here…