Full Disclosure mailing list archives
SECV-07-1403 - Android SQLi Api - SQL Injection on delete() method
From: info <info () secveritas com>
Date: Sat, 26 Jul 2014 17:19:53 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECV-07-1403 - Android SQLi Api - SQL Injection on delete() method

Product description:
Android is a mobile operating system (OS) based on the Linux kernel that is currently developed by Google. With a user interface based on direct manipulation, Android is designed primarily for touchscreen mobile devices such as smartphones and tablet computers, with specialized user interfaces for televisions (Android TV), cars (Android Auto), and wrist watches (Android Wear). The OS uses touch inputs that loosely correspond to real-world actions, like swiping, tapping, pinching, and reverse pinching to manipulate on-screen objects, and a virtual keyboard. Despite being primarily designed for touchscreen input, it has also been used in game consoles, digital cameras, and other electronics. As of 2011, Android has the largest installed base of any mobile OS and as of 2013, its devices also sell more than Windows, iOS, and Mac OS devices combined. As of July 2013 the Google Play store has had over 1 million Android apps published, and over 50 billion apps downloaded.[18] A developer survey conducted in April–May 2013 found that 71% of mobile developers develop for Android.[19] At Google I/O 2014, the company revealed that there were over 1 billion monthly active Android users (active within the last 30 days), up from 538 million in June 2013.

CVE-ID: CVE-2014-4959
Affected versions: ALL
Vendor url: http://www.android.com
Vulnerability status: Not acknowledged. Android Security will however update the documentation.
Advisory url: http://www.secveritas.com/secv-05-1403.html

Vulnerability details:
The Android SDK offers frameworks so that developers can build their applications as securely as possible. In particular it offers an SQLite API (the android.database.sqlite package) whose methods accept values as bound arguments of prepared statements. Nevertheless, the delete() method of the SQLiteDatabase class binds only its whereArgs parameter; its whereClause parameter is inserted into the SQL text as-is and is not protected.
Source code: /frameworks/base/core/java/android/database/sqlite/SQLiteDatabase.java

    public int delete(String table, String whereClause, String[] whereArgs) {
        acquireReference();
        try {
            // whereClause is concatenated into the SQL text; only whereArgs are bound
            SQLiteStatement statement = new SQLiteStatement(this, "DELETE FROM " + table +
                    (!TextUtils.isEmpty(whereClause) ? " WHERE " + whereClause : ""), whereArgs);
            try {
                return statement.executeUpdateDelete();
            } finally {
                statement.close();
            }
        } finally {
            releaseReference();
        }
    }

As can be seen, the whereClause argument is concatenated into the SQL query that is built and passed for execution. Only the whereArgs argument is passed into the statement as bound parameters and is therefore protected against SQL injection. At the time of this advisory the API documentation did not state this; only by reviewing the source code of the SQLite API would a developer become aware of it. Because the Android SDK in general, and the SQLite API in particular, carry a high expectation of security, and whereArgs is indeed bound safely, this may lead developers into a false sense of security: any untrusted value spliced into whereClause (for example "name = '" + input + "'") is executed as SQL, and a single quote in the input is enough to escape the caller's quoting. The same split applies to the whereClause of update() and to the selection argument of query(): in each case the clause string is raw SQL and only the accompanying String[] is bound.

Workaround:
SQLiteDatabase is declared final, so the method cannot be overridden in a subclass. Keep untrusted values out of whereClause entirely: write the clause with ? placeholders (e.g. "name = ?") and pass the values through whereArgs, or route every delete through a project-level wrapper that enforces this rule.

Timeline:
15th Jul - Disclosed to Android Security
22nd Jul - Android Security denied the vulnerability and requested a PoC
23rd Jul - PoC provided (source code + APK)
24th Jul - Android security team stated that it was not an API vulnerability, but admitted that the behaviour is not documented and that the documentation will be changed.
24th Jul - Android was notified of the public disclosure of this advisory.
26th Jul - Public disclosure

Credits:
MS - SecVeritas.com

SECVeritas.com is a non-profit organization that aims to let its members contribute to internet security.
The contents of this advisory are copyright(c) 2014 SECVeritas.com
You may distribute this advisory as a whole or in parts as long as you maintain all the credits.
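To make the behaviour concrete, the following added example (not part of the original advisory, and not Android or AOSP code) models the delete(table, whereClause, whereArgs) signature in Python over the standard sqlite3 module, which drives the same SQLite engine that Android wraps, so the injection semantics are identical. The users table and its rows, the x' OR '1'='1 payload, and the check_where_clause/guarded_delete helpers are constructed for illustration; the helpers show the wrapper-style workaround described above, not an Android API.

```python
import sqlite3

# Constructed sample rows (not from the advisory): a small users table.
SAMPLE_ROWS = [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)]


def fresh_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def android_style_delete(conn, table, where_clause, where_args):
    """Model of SQLiteDatabase.delete(table, whereClause, whereArgs): the
    clause is concatenated verbatim into the SQL text, and only where_args
    are bound as statement parameters. Returns the number of deleted rows,
    which is what the Android method returns as well."""
    sql = "DELETE FROM " + table + (" WHERE " + where_clause if where_clause else "")
    cur = conn.execute(sql, tuple(where_args or ()))
    conn.commit()
    return cur.rowcount


def delete_user_vulnerable(conn, name):
    """Untrusted value spliced into where_clause: the caller's quoting is the
    only barrier, and a single quote in the input breaks it."""
    return android_style_delete(conn, "users", "name = '" + name + "'", None)


def delete_user_safe(conn, name):
    """Value travels through where_args; SQLite binds it as data, never as SQL."""
    return android_style_delete(conn, "users", "name = ?", [name])


def check_where_clause(where_clause, where_args):
    """Rule a project wrapper can enforce (hypothetical policy): the clause may
    contain no string literals, and every value must arrive through a ?
    placeholder matched by an entry in where_args.
    Returns None when the clause is acceptable, otherwise a reason string."""
    clause = where_clause or ""
    if "'" in clause or '"' in clause:
        return "where_clause must not embed literals; use ? and where_args"
    if clause.count("?") != len(where_args or ()):
        return "placeholder count does not match where_args"
    return None


def guarded_delete(conn, table, where_clause, where_args):
    """Wrapper to route all deletes through (hypothetical helper, not an Android
    API): rejects an unsafe clause before any SQL text is built."""
    problem = check_where_clause(where_clause, where_args)
    if problem is not None:
        raise ValueError(problem)
    return android_style_delete(conn, table, where_clause, where_args)


def remaining_names(conn):
    """Names still present in the table, in id order."""
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    conn = fresh_db()
    print("vulnerable delete with payload removed", delete_user_vulnerable(conn, payload), "rows")
    conn = fresh_db()
    print("bound delete with payload removed", delete_user_safe(conn, payload), "rows")
    print("guard verdict for \"name = 'x'\":", check_where_clause("name = 'x'", None))
```

With the payload, the concatenated form executes DELETE FROM users WHERE name = 'x' OR '1'='1' and empties the table, while the bound form deletes nothing because the whole string is compared as a single value. The guard refuses any clause carrying a quote or a placeholder count that does not match whereArgs, which is the property a project wrapper around the real SQLiteDatabase.delete() would enforce.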
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJT09UpAAoJEN3eoZ/uAn51j0oH/R6Yl8rJBZ6LLM6NHNAVExZf
GO9INod1mPVCEbFqa5zQKfmwZkQv4UeLN7H4nQBhDUk+XWFdfL7iNyFgpE2sy5Za
LdtgKZKyQa1sWGH/KphbQvm8nRyaeozaZztV4a82Sr01KalOEnHcWP97H6/D/K42
PLjxTU/Qu871QwhpqMxk7MgePVSYyG+CwkPIyX/mOEB9vJf3s9O0ZUZt3vu9DGMg
bTJ1/TAA5wGnGlkB6tK19lKTLmLZAjJ+XpBbONj7ycng/qs1oe/RS2RxXisxewSQ
Pf5BE3TOgBJT8H4LqfI3OJkSwI0ViryZnjjSm7CpMrSXX2Dr/cSnsDP4jMgEjUQ=
=anCa
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/