
Airdroid 1.0.4 Beta Implementation Weaknesses

Posted Jul 13, 2012
Authored by Tobias Glemser, Dominique Dewitt, Kathrin Schaberle

Airdroid version 1.0.4 Beta suffers from multiple security design implementation weaknesses.

tags | advisory, info disclosure
advisories | CVE-2012-3884, CVE-2012-3885, CVE-2012-3886, CVE-2012-3887, CVE-2012-3888
SHA-256 | e6777f2cf37fd0cc0c4fad4bc5839eb4b7f717137929dae19f8b618c9f4dfd25

TC-SA-2012-02: Several weaknesses in implementation of security features in AirDroid 1.0.4 beta

Published: 2012/07/12
Advisory-Version: 1.0

Affected products:
AirDroid 1.0.4 beta

References:
TC-SA-2012-02 www.tele-consulting.com/advisories/TC-SA-2012-02.txt (used for updates)
CVE-2012-3884 - authentication uses direct transmission of a hash
CVE-2012-3885 - the default password length is too short
CVE-2012-3886 - the MD5 algorithm is used for transmitted data
CVE-2012-3887 - the vendor claims the use of encryption, but encryption is not used when sending private data
CVE-2012-3888 - an attacker can defeat a protection mechanism against multiple logins

Summary:
“AirDroid is a fast, free app that lets you wirelessly manage &
control your Android devices (phone & tablet) from a web browser.
It's designed with the vision to bridge the gap between your
Android device and web browser, on desktop computers or tablet devices,
on Windows or Mac.” (http://airdroid.com/userguide.html)
“Application Security for AirDroid (..)
• LAN Connection (..)
• Password Protection (..)
• Limit Login Attempts (..)
• Encrypted Transmission (..)
• Forbid Multiple Logins (..)”
The original goal of this test was to resend and manipulate
messages sent over the AirDroid web interface.
During the tests it turned out that all data traffic is sent
unencrypted over HTTP and without any proper protection,
so an attacker can get complete control over the web interface
and the services it offers.

Effect:
3 of 5 security features (see list above) were broken during
the tests.
As a result, an attacker within the same wireless network is able
to use the complete feature set of the original Web-GUI
after the valid user has started a session.
It is only necessary to capture one request from the original user.
The session stays valid until a session restart is done or the
application is closed on the handset.

##### Password Protection
“AirDroid provides two types of password, Dynamic Password and Predefined Password.
By default, a Dynamic password is generated each time when AirDroid service starts.
Users can enable Predefined Password and customize password to
login to AirDroid desktop.” (http://airdroid.com/security.html)

AirDroid uses an MD5 hash to prevent clear text transmission of the
authentication information from the web browser to the handset.
This is done without transport layer protection (HTTPS) or other
mechanisms like digest authentication. After a successful login,
every request by the user carries the MD5 hash of the password
as part of a cookie.
By default a 4-digit alphanumeric random password is used, which
can easily be recovered by a rainbow table attack; a Google search for the hash will do this for you.
Even more complex, user-set passwords should not be sent as a bare MD5 hash,
since that does not prevent brute forcing the hash or rainbow table attacks.

Example Login:

http://$airdroid_handeld/sdctl/comm/checklogin/?key=9e3e26184cd266d60db618395e02b63f&callback=_jqjsp&_1331543318006=
MD5 Hash: 9e3e26184cd266d60db618395e02b63f, guess the Dynamic Password using google.

Example Cookie (without Google Analytics, see below):
JXID=DD7xTr5rHtX4XADTS6Rn9lsc; JXHID=false; 7bb=9e3e26184cd266d60db618395e02b63f
$_COOKIE[‘7bb’] always contains the MD5 hash as well in each request
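As an added example (not part of the advisory), the following Python snippet shows how a network monitor could flag the password hash travelling in clear, both as the checklogin key and as the 7bb cookie, and correlate the two; the request lines are constructed from the URL and cookie quoted above.

```python
import re

# Constructed sample of plaintext HTTP request lines, modelled on the login URL
# and cookie printed in the advisory (the hash value is the one printed there).
SAMPLE_REQUESTS = [
    "GET /sdctl/comm/checklogin/?key=9e3e26184cd266d60db618395e02b63f&callback=_jqjsp&_1331543318006= HTTP/1.1",
    "Cookie: JXID=DD7xTr5rHtX4XADTS6Rn9lsc; JXHID=false; 7bb=9e3e26184cd266d60db618395e02b63f",
    "POST /sdctl/sms/send/single/ HTTP/1.1",
    "Cookie: JXID=DD7xTr5rHtX4XADTS6Rn9lsc; JXHID=false; 7bb=9e3e26184cd266d60db618395e02b63f",
    "GET / HTTP/1.1",
    "Cookie: JXID=DD7xTr5rHtX4XADTS6Rn9lsc; JXHID=false",
]

# 32 lowercase hex digits: the MD5 of the password, either as the login key ...
LOGIN_KEY = re.compile(r"/sdctl/comm/checklogin/\?(?:[^ ]*&)?key=([0-9a-f]{32})")
# ... or as the 7bb cookie that every later request repeats.
AUTH_COOKIE = re.compile(r"(?:^Cookie:\s*|;\s*)7bb=([0-9a-f]{32})")


def find_cleartext_auth(lines):
    """Map each password hash seen in clear to the (line number, where) pairs that
    carried it: 'login-key' for the checklogin URL, 'cookie' for the 7bb cookie.
    A hash that shows up under both kinds is a reusable session credential."""
    seen = {}
    for n, line in enumerate(lines, 1):
        for kind, rx in (("login-key", LOGIN_KEY), ("cookie", AUTH_COOKIE)):
            m = rx.search(line)
            if m:
                seen.setdefault(m.group(1), []).append((n, kind))
    return seen


if __name__ == "__main__":
    for h, where in find_cleartext_auth(SAMPLE_REQUESTS).items():
        print(h, where)
```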

##### Encrypted Transmission
“AirDroid uses MD5 digital signatures for authentications to eliminate the threat of password cracking.
Additionally, all requests for key information must be checked and authorized, so as to avoid the possibility
of a third person being able to take control of your device and private data.” (http://airdroid.com/security.html)

As seen above, MD5 hashes (which are not a “digital signature”) do not eliminate the threat of password cracking
once they have been captured.

Furthermore, the transmission is not encrypted, neither by transport layer protection nor by any other encryption mechanism.
Instead of preventing clear text submission of sensitive information, several layers of encoding are used, which merely obfuscate it.

Example SMS sending attempt:

POST /sdctl/sms/send/single/
(..)
data=params%3D%7B%22content%22%3A%22
JTI1N0IlMjUyMm51bWJlciUyNTIyJTI1M0ElMjUyMjEyMzQ1Njc4OSUyNTIyJTI1MkMlMjUyMmNvbnRlbnQlMjUyMiUyNTNBJTI1MjJIZWxsbyUyNTIyJTI1N0Q
%22%7D

$_POST[‘data’] contains the complete SMS including recipient number and text.
It is a JSON request split into three parts with different Base64 and URL encodings.

First part raw: params%3D%7B%22content%22%3A%22
First part URL-decoded: params={"content":"

Second part raw:
JTI1N0IlMjUyMm51bWJlciUyNTIyJTI1M0ElMjUyMjEyMzQ1Njc4OSUyNTIyJTI1MkMlMjUyMmNvbnRlbnQlMjUyMiUyNTNBJTI1MjJIZWxsbyUyNTIyJTI1N0Q
Second part base64 and double-URL-decoded: {"number":"123456789","content":"Hello"}

Third part raw: %22%7D
Third part URL-decoded: "}

The complete request, fully decoded, looks like this (the inner JSON is the string value of "content"):
params={"content":"{"number":"123456789","content":"Hello"}"}
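The following Python decoder, added here as an example and not part of the advisory, peels the three encoding layers of the data field described above. The sample request body is reconstructed from the capture quoted in the advisory; note that the captured Base64 has its "=" padding stripped, which a decoder must restore.

```python
import base64
import json
from urllib.parse import unquote

# Constructed sample: the 'data' form field of the SMS-send request quoted in the
# advisory, reassembled into one string (the advisory prints it on three lines).
SAMPLE_DATA = (
    "params%3D%7B%22content%22%3A%22"
    "JTI1N0IlMjUyMm51bWJlciUyNTIyJTI1M0ElMjUyMjEyMzQ1Njc4OSUyNTIyJTI1MkMlMjUyMmNvbnRlbnQlMjUyMiUyNTNBJTI1MjJIZWxsbyUyNTIyJTI1N0Q"
    "%22%7D"
)


def b64decode_unpadded(s: str) -> bytes:
    """Base64-decode a string whose trailing '=' padding was stripped, as in the capture."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_sms_request(data: str) -> dict:
    """Peel the layers of the 'data' field:
    1. URL-encoding around  params={"content":"<base64>"}
    2. Base64 (unpadded) inside "content"
    3. two rounds of URL-encoding around the real JSON  {"number":..., "content":...}
    Returns the innermost JSON object."""
    outer = unquote(data)                               # params={"content":"JTI1..."}
    prefix = "params="
    if not outer.startswith(prefix):
        raise ValueError("not an AirDroid params field")
    wrapper = json.loads(outer[len(prefix):])           # {"content": "<base64>"}
    inner = b64decode_unpadded(wrapper["content"]).decode("ascii")
    inner = unquote(unquote(inner))                     # %257B -> %7B -> {
    return json.loads(inner)


if __name__ == "__main__":
    print(decode_sms_request(SAMPLE_DATA))
```

Every layer here is reversible without a secret, which is why the advisory treats the scheme as obfuscation rather than encryption.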

##### Forbid Multiple Logins
Even if an attacker has obtained the clear text password by googling the MD5 hash,
he will not be able to log in as long as the user is logged in himself.
After the user logs out without closing the app on the handheld, the attacker could log in.
But the following is also possible from an attacker’s point of view:
1. Point the browser to http://$airdroid_handeld/
2. Force each HTTP request to be sent with the captured cookie (e.g. using an intercepting proxy like Burp)
3. After the login has been sent, intercept the server’s response, which looks like this:
jqjsp({"pass":3,"left_count":0,"left_time":435}), and change the value of pass from 3 to 1.
The Flash interface will then count the login as successful.
As all following requests are authenticated by the cookie, the attacker has full control over all AirDroid features, such as
• send and receive messages
• install/remove apps (additional interaction required on handheld)
• manage files on SD Card
• view, delete, download photos
• view, delete, download ringtones
AirDroid does not detect the “dual usage” from different clients, so multiple logins are possible.

Possible solution:
Use AirDroid v1.0.7 beta (HTTPS encryption available)

Disclosure Timeline:
2012/03/21 vendor contacted via support@airdroid.com
2012/04/05 initial vendor response
2012/06/05 first patch (AirDroid v1.0.7 beta) by the vendor
2012/07/12 public disclosure

Credits:
Kathrin Schäberle (kschaeberle@tele-consulting.com)
Dominique Dewitt (ddewitt@tele-consulting.com)
Tobias Glemser (tglemser@tele-consulting.com)
Tele-Consulting security networking training GmbH, Germany
www.tele-consulting.com

Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore Tele-Consulting shall
not be liable for any direct or indirect damages that might be
caused by using this information.
##################