Google I/O 2017 Android Man-In-The-Middle

Posted May 20, 2017
Authored by Yakov Shafranovich | Site wwws.nightwatchcybersecurity.com

The Google I/O 2017 application for Android, in versions prior to 5.1.4, suffers from a man-in-the-middle vulnerability.

tags | advisory, info disclosure
advisories | CVE-2017-9045
SHA-256 | 1fa0559e9edae7e21ef67d5f155d2d2b4db4d4651ee541249e1393abaf366ace

[Original posted here:
https://wwws.nightwatchcybersecurity.com/2017/05/17/advisory-google-io-2017-android-app/]

SUMMARY

Google I/O 2017 Application for Android does not use SSL for
retrieving some information to populate the app. This would allow an
MITM attacker to inject their own content into the application. The
vendor (Google) fixed the issue in v5.1.4 of the application.

DETAILS

The Google I/O 2017 application for Android is a companion app
produced by Google for their annual I/O conference that takes place in
May. This particular version was produced for the I/O conference in May
of 2017.

While performing network level testing of various Google applications,
we discovered that the content for the application did not use SSL.
This would allow an MITM attacker to inject their own content into the
application using a method like ARP spoofing, DNS takeover, etc.

To replicate the issue on v5.03:
1. Install the application
2. Set up a proxy without an SSL certificate and point the Android
device to it.
3. Go to the application and select the "feed" option (middle icon on
the bottom).
4. Go back to the proxy and observe captured traffic.

[Screenshots are in the blog post]


The specific URL was
"http://storage.googleapis.com/io2017-festivus/manifest_v1.json" which
then causes the device to download additional URLs. The following URLs
are downloaded:
- http://storage.googleapis.com/io2017-festivus/manifest_v1.json
- http://storage.googleapis.com/io2017-festivus/blocks_v4.json
- http://storage.googleapis.com/io2017-festivus/map_v4.json
- http://storage.googleapis.com/io2017-festivus/session_v1.70.json

This can also be seen in the source code of the I/O 2016 application
on Github here (lines 42-43):
https://github.com/google/iosched/blob/master/gradle.properties

----
# API manifest URLs. These URLs provide the data files to load to download data for the app.
# When data needs to change the underlying data file is published as a new revision and the manifest
# is updated with the new file name.
staging_api_manifest_endpoint = https://storage.googleapis.com/io2016-bucket-dev/manifest_v1.json
production_api_manifest_endpoint = http://storage.googleapis.com/io2016-festivus/manifest_v1.json
----
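
An added example (not from the advisory or the iosched project): a build-time check that parses a gradle.properties-style file and reports every endpoint value using cleartext http://, which would have flagged the production manifest URL quoted above. The function names, the LOCAL_HOSTS allow-list and the sample text are assumptions made for illustration.

```python
import re
import sys
from urllib.parse import urlsplit

# Constructed sample: the two endpoint properties quoted in the advisory.
SAMPLE_PROPERTIES = """\
# API manifest URLs.
staging_api_manifest_endpoint = https://storage.googleapis.com/io2016-bucket-dev/manifest_v1.json
production_api_manifest_endpoint = http://storage.googleapis.com/io2016-festivus/manifest_v1.json
"""

# Assumption: hosts where cleartext is acceptable for local development only.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "10.0.2.2"}
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s,;\"']+")


def parse_properties(text):
    """Parse .properties text into a dict, joining backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue  # blank line or comment
        if line.endswith("\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def find_cleartext_endpoints(text):
    """Return (key, url) pairs whose URL would be fetched over plain HTTP."""
    findings = []
    for key, value in parse_properties(text).items():
        for url in URL_RE.findall(value):
            parts = urlsplit(url)  # urlsplit lowercases the scheme
            if parts.scheme == "http" and parts.hostname not in LOCAL_HOSTS:
                findings.append((key, url))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    hits = find_cleartext_endpoints(text)
    for key, url in hits:
        print(f"cleartext endpoint: {key} = {url}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the build
```

Run with a properties file path as the only argument; with no argument it checks the embedded sample.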

All testing was done on Android 7, Google I/O version 5.03. Network
captures were performed using an on-device proxy (PacketCapture)
without a trusted SSL certificate.

PROOF OF CONCEPT

All testing was done on Ubuntu v17.04 and Android 7:
1. Install nginx - "sudo apt-get install nginx".
2. Install dnsmasq - "sudo apt-get install dnsmasq"
3. Find out the IP address of your computer via ifconfig.
4. Add the IP address mapping to the hosts file:
"192.168.1.x storage.googleapis.com"
5. Create and download the files from Google to the NGINX directory:
- cd /var/www/html
- mkdir io2017-festivus
- cd io2017-festivus
- wget http://storage.googleapis.com/io2017-festivus/manifest_v1.json
- wget http://storage.googleapis.com/io2017-festivus/blocks_v4.json
- wget http://storage.googleapis.com/io2017-festivus/map_v4.json
- wget http://storage.googleapis.com/io2017-festivus/session_v1.70.json
6. Modify "blocks_v4.json" to add your content.
7. Install version 5.03 of the application on the Android device.
8. Change DNS on the device to point to the Ubuntu machine.
9. Open the app, skip sign in, and on the main screen choose the feed icon.
10. Switch back to the first section and observe injected content
(screenshots in the blog post).

VENDOR RESPONSE

This issue was responsibly reported to the vendor and fixed in version 5.14.

REFERENCES

CVE ID: CVE-2017-9045
Google I/O 2016 source code: https://github.com/google/iosched

BOUNTY INFORMATION

Pending...

CREDITS

Advisory written by Yakov Shafranovich.

TIMELINE

2017-05-11: Initial report to the vendor
2017-05-11: Report triaged by the vendor and bug filed
2017-05-13: Fixed version released by the vendor
2017-05-16: Draft advisory sent to vendor for comment
2017-05-17: Public disclosure

