HTC Android users


  • HTC Android users

    Do your updates! This one is nasty.

    February 1, 2012

    --------------------------------------------------------------------------------
    Subject
    --------------------------------------------------------------------------------
    802.1X password exploit on many HTC Android devices


    --------------------------------------------------------------------------------
    Abstract
    --------------------------------------------------------------------------------
    There is an issue in certain HTC builds of Android that can expose the user's 802.1X Wi-Fi credentials to any program with basic Wi-Fi permissions. When this is paired with the Internet access permissions, which most applications have, an application could easily send all stored Wi-Fi network credentials (user names, passwords, and SSID information) to a remote server. This exploit exposes enterprise-privileged credentials in a manner that allows targeted exploitation.


    --------------------------------------------------------------------------------
    Affected Vendors:
    --------------------------------------------------------------------------------
    HTC


    --------------------------------------------------------------------------------
    Affected Versions:
    --------------------------------------------------------------------------------
    We have verified the following devices as having this issue (there may be others including some non-HTC phones):
    - Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
    - Glacier - Version FRG83
    - Droid Incredible - Version FRF91
    - Thunderbolt 4G - Version FRG83D
    - Sensation Z710e - Version GRI40
    - Sensation 4G - Version GRI40
    - Desire S - Version GRI40
    - EVO 3D - Version GRI40
    - EVO 4G - Version GRI40


    --------------------------------------------------------------------------------
    Non-Affected Versions:
    --------------------------------------------------------------------------------
    - myTouch3g (Appears to run either unmodified, or only lightly modified Android build)
    - Nexus One (Runs unmodified Android build)


    --------------------------------------------------------------------------------
    Severity
    --------------------------------------------------------------------------------
    Critical


    --------------------------------------------------------------------------------
    See also
    --------------------------------------------------------------------------------
    CVE ID: CVE-2011-4872


    --------------------------------------------------------------------------------
    Timeline:
    --------------------------------------------------------------------------------
    - 2012-02-01: Public disclosure
    - 2012-01-31: Submit final public disclosure doc to HTC Global for feedback
    - 2012-01-31: HTC publishes information via their web site
    - 2012-01-20: Public disclosure - postponed
    - 2012-01-19: Discussion with HTC Global on their time schedule
    - 2012-01-05: Conference call with HTC Global
    - 2012-01-02: Public disclosure - postponed
    - 2011-12-05: Discussed public disclosure time frames with HTC and Google
    - 2011-10-11: Updated all individuals and groups that are aware of the issue
    - 2011-10-11: Follow-up conference call with HTC Global and Google
    - 2011-09-19: Updated all individuals and groups that were aware of the issue
    - 2011-09-19: Conference call with HTC Global and Google
    - 2011-09-08: HTC and Google verified exploit
    - 2011-09-07: Notified key government agencies and CERT under non-public disclosure
    - 2011-09-07: Initial email and phone call with HTC Global and Google



    --------------------------------------------------------------------------------
    Vulnerability Details:
    --------------------------------------------------------------------------------
    There is an issue in certain HTC builds of Android that can expose the user's 802.1X password to any program with the "android.permission.ACCESS_WIFI_STATE" permission. When paired with the "android.permission.INTERNET" permission, an app could easily send user names and passwords to a remote server for collection. In addition, if the SSID is an identifiable SSID ("Sample University" or "Enterprise XYZ"), this issue exposes enterprise-privileged credentials in a manner that allows targeted exploitation.

    Although the published Android APIs don't provide access to the 802.1X settings, it is possible to view the settings with the .toString() member of the WifiConfiguration class. The resulting output will look something like this:

    * ID: 2 SSID: "ct" BSSID: null PRIO: 16
    KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
    AuthAlgorithms:
    PairwiseCiphers: CCMP
    GroupCiphers: WEP40 WEP104 TKIP CCMP
    PSK:
    eap: PEAP
    phase2: auth=MSCHAPV2
    identity: [Your User Name]
    anonymous_identity:
    password:
    client_cert:
    private_key:
    ca_cert: keystore://CACERT_ct

    On most Android devices, the password field is either left blank, or simply populated with a "*" to indicate that a password is present.
    However, on affected HTC devices, the password field contains the actual user password in clear text.

    This is sample output from a Sprint EVO running Android 2.3.3:
    * ID: 0 SSID: "wpa2eap" BSSID: null PRIO: 21
    KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
    AuthAlgorithms:
    PairwiseCiphers: CCMP
    GroupCiphers: WEP40 WEP104 TKIP CCMP
    PSK:
    eap: TTLS
    phase2: auth=PAP
    identity: test
    anonymous_identity:
    password: test
    client_cert:
    private_key:
    ca_cert: keystore://CACERT_wpa2eap


    --------------------------------------------------------------------------------
    Vendor Response
    --------------------------------------------------------------------------------
    Google and HTC have been very responsive and good to work with on this issue. Google has made changes to the Android code to help better protect the credential store and HTC has released updates for all currently supported phones and side-loads for all non-supported phones.

    Customers with affected versions can find information from HTC about updating their phone at: http://www.htc.com/www/help/

    Google has also done a code scan of every application currently in the Android Market and there are no applications currently exploiting this vulnerability.
    WRX
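
An added example, not part of the original post or the advisory: a small audit check over WifiConfiguration.toString() text that flags 802.1X profiles whose password field holds anything other than a blank or the "*" mask. The sample input is the two dumps quoted in the advisory above; the function names are hypothetical, and it assumes the dump text has already been collected from a test device.

```python
import re

# The two dumps quoted in the advisory, joined as one device's saved networks.
SAMPLE = """* ID: 2 SSID: "ct" BSSID: null PRIO: 16
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
AuthAlgorithms:
PairwiseCiphers: CCMP
GroupCiphers: WEP40 WEP104 TKIP CCMP
PSK:
eap: PEAP
phase2: auth=MSCHAPV2
identity: [Your User Name]
anonymous_identity:
password:
client_cert:
private_key:
ca_cert: keystore://CACERT_ct
* ID: 0 SSID: "wpa2eap" BSSID: null PRIO: 21
KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
AuthAlgorithms:
PairwiseCiphers: CCMP
GroupCiphers: WEP40 WEP104 TKIP CCMP
PSK:
eap: TTLS
phase2: auth=PAP
identity: test
anonymous_identity:
password: test
client_cert:
private_key:
ca_cert: keystore://CACERT_wpa2eap"""

def parse_networks(dump):
    """Split toString() text into one dict of fields per saved network."""
    nets = []
    for line in map(str.strip, dump.splitlines()):
        head = re.match(r'\* ID: (\d+) SSID: "(.*)" BSSID:', line)
        if head:  # a "* ID:" header line starts a new network entry
            nets.append({"ID": head.group(1), "SSID": head.group(2)})
        elif nets and ":" in line:  # "key: value"; split on the first colon only
            key, _, value = line.partition(":")
            nets[-1][key.strip()] = value.strip()
    return nets

def exposed(net):
    """True for an EAP profile whose password is neither blank nor the '*' mask."""
    return "WPA_EAP" in net.get("KeyMgmt", "") and net.get("password", "") not in ("", "*")

def audit(dump):
    """Return only the SSIDs of exposed profiles, so the report never repeats a password."""
    return [n["SSID"] for n in parse_networks(dump) if exposed(n)]
```
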


  • #2
    I am running 2.2.1, how far behind am I?


    • #3
      Menu>Settings>About Phone>Look for either of these FRG83D, GRI40


      • #4
        Good going, HTC!
        Originally posted by Broncojohnny
        HOORAY ME and FUCK YOU!


        • #5
          Originally posted by Tx Redneck
          Menu>Settings>About Phone>Look for either of these FRG83D, GRI40
          Is that supposed to be in the software information?


          • #6
            I believe so but cannot remember since I haven't been on stock in quite some time.


            • #7
              lol, no way in hell they will ever update the mytouch 3g software, the last update they sent out made the phones freeze and lag so bad. Fucking HTC. :|


              • #8
                Originally posted by Tx Redneck
                I believe so but cannot remember since I haven't been on stock in quite some time.
                So with my phone running CyanogenMod 7 is this something I should really be concerned about? My build number is GRI40.


                • #9
                  Originally posted by ram57ta
                  So with my phone running CyanogenMod 7 is this something I should really be concerned about? My build number is GRI40.
                  The probability of it being an issue for you is almost impossible. Media FUD

                  Sent from my iPhail eleventybillion
