exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Android Proxy Auto Config (PAC) Crash

Android Proxy Auto Config (PAC) Crash
Posted Nov 8, 2016
Authored by Yakov Shafranovich | Site wwws.nightwatchcybersecurity.com

Android devices can be crashed forcing a halt and then a soft reboot by downloading a large proxy auto config (PAC) file when adjusting the Android networking settings. This can also be exploited by an MITM attacker that can intercept and replace the PAC file. However, the bug is mitigated by multiple factors and the likelihood of exploitation is low.

tags | exploit, denial of service
advisories | CVE-2016-6723
SHA-256 | 9a6a1af684f67a60cc245b0a7841aeca5cc4c686f0d9b20cffcd532b0d7b75f1

Android Proxy Auto Config (PAC) Crash

Change Mirror Download
[Original at: https://wwws.nightwatchcybersecurity.com/2016/11/07/crashing-android-devices-with-large-pac-files-cve-2016-6723/]

Summary

Android devices can be crashed forcing a halt and then a soft reboot
by downloading a large proxy auto config (PAC) file when adjusting the
Android networking settings. This can also be exploited by an MITM
attacker that can intercept and replace the PAC file. However, the bug
is mitigated by multiple factors and the likelihood of exploitation is
low.

This issue has been fixed in the November 2016 Android security bulletin.

Background a Proxy Auto Config (PAC) Files

Proxy Auto Config (PAC) files are text files that can be used as part
of the network settings configuration to allow a web browser and other
software that accesses the web. These files define which proxy servers
should be used for which types of requests. They usually contain a
Javascript function which can be called by the web browser to
determine the type of proxy server to use. An example PAC file appears
here:

function FindProxyForURL(url, host) {
if (isResolvable(host))
return "DIRECT";
else
return "PROXY proxy.mydomain.com:8080";
}
}

A related standard called Web Proxy Auto-Discovery Protocol (WPAD)
allows devices to find the locations of PAC files via DHCP and/or DNS.
However, WPAD is not currently supported on Android.

Vulnerability Details

When configuring a network in Android, one of the options available in
the aAdvanceda section is ability to indicate a Proxy Auto Config
(PAC) URL which will point to a PAC file described above. The current
code in Android does not check whether the PAC file may be too large
to load into memory, which allows an MITM attacker to replace a known
PAC file (if served without SSL) with a large one of their own and
crash the Android phone.

The vulnerability is that the Java code does not check how large the
data file actually is. If a file is served that is larger than the
memory available on the device, this results in all memory being
exhausted and the phone halting and then soft rebooting. The soft
reboot was sufficient to recover from the crash and no data was lost.
While we have not been able to achieve remote code execution, this
code path can potentially be exploited for such attacks and would
require more research.

The vulnerable code resides here a (PacManager.java, lines 120-127):

private static String get(Uri pacUri) throws IOException {
URL url = new URL(pacUri.toString());
URLConnection urlConnection = url.openConnection(java.net.Proxy.NO_PROXY);
return new String(Streams.readFully(urlConnection.getInputStream()));
}

Specifically, the affected code is using Streams.readFully to read the
entire file into memory without any kind of checks on how big the file
actually is.

Because this attack require a user to configure a PAC file, and an
attacker to be present and know about that file, and the file needs to
be served without SSL to make the attack work, the possibility of an
attacker pulling this off is low. This is also true because Android,
unlike other operating systems does not support the WPAD protocol to
retrieve PAC files automatically which can be exploited using a rouge
access point or network.

Steps To Replicate (on Ubuntu 16.04)

1. Install NGINX:

sudo apt-get install nginx

2. Use fallocate to create a large PAC file in a/var/www/html/a

sudo fallocate -s 2.5G test.pac

3. Go in to advanced network settings on the Android device and add
the following URL as the PAC URL: http://192.168.1.x/test.pac

Save the settings which will trigger the bug. Once the phone starts
downloading the files, the screen will go black and it will reboot.

Mitigation Steps

Users should apply the November 2016 Android bulletin.

Bounty Information

This bug has fulfilled the requirements for Googleas Android Security
Rewards and a bounty has been paid.

References

Android security bulletin: November 2016
https://source.android.com/security/bulletin/2016-11-01.html

CVE-ID: CVE-2016-6723
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6723

Google: Android bug # 215709 / AndroidID-30100884
https://code.google.com/p/android/issues/detail?id=215709

Netscape PAC file format definition: here (via the Internet Archive)
https://web.archive.org/web/20070602031929/http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

WPAD Internet Draft: here
https://tools.ietf.org/html/draft-ietf-wrec-wpad-01

WPAD not supported on Android: see bug report here
https://code.google.com/p/android/issues/detail?id=160886

Credits

Bug discovered by, and advisory written by Yakov Shafranovich.

Timeline

2016-07-11: Android bug report filed with Google
2016-07-19: Android bug confirmed as high
2016-08-18: Bug priority downgraded to moderate
2016-09-15: Coordination with Google on public disclosure
2016-11-07: Android security bulletin released with fix
2016-11-07: Public disclosure


Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    36 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close