ID

VAR-201202-0161

CVE

CVE-2011-4872

TITLE

Multiple HTC Devices 'Android.permission.ACCESS_WIFI_STATE' Information Disclosure Vulnerability

DESCRIPTION

Multiple HTC Android devices including Desire HD FRG83D and GRI40, Glacier FRG83, Droid Incredible FRF91, Thunderbolt 4G FRG83D, Sensation Z710e GRI40, Sensation 4G GRI40, Desire S GRI40, EVO 3D GRI40, and EVO 4G GRI40 allow remote attackers to obtain 802.1X Wi-Fi credentials and SSID via a crafted application that uses the android.permission.ACCESS_WIFI_STATE permission to call the toString method on the WifiConfiguration class. A user's 802.1X WiFi credentials and SSID information may be exposed to any application with basic WiFi permissions on certain HTC builds of Android. HTC Made Android On the device, Wi-Fi There is a vulnerability in which authentication information is leaked. HTC Made Android The device has a problem managing authentication information, Wi-Fi There is a vulnerability in which authentication information is leaked.Configured for the product by a remote third party Wi-Fi Authentication information may be obtained. If the same application also has android.permission.INTERNET permission, the application can collect this information and send it to the server on the remote Internet. Multiple HTC devices are prone to an information-disclosure vulnerability. An attacker can exploit this issue by enticing an unsuspecting victim to install a malicious application with 'android.permission.ACCESS_WIFI_STATE' and 'android.permission.INTERNET' permissions on the device running Android. Remote attackers can exploit this issue to gain access to sensitive information. This may aid in further attacks.   This exploit exposes enterprise-privileged credentials in a manner that allows targeted exploitation. -------------------------------------------------------------------------------- Affected Vendors: -------------------------------------------------------------------------------- HTC -------------------------------------------------------------------------------- Affected Versions: -------------------------------------------------------------------------------- We have verified the following devices as having this issue (there may be others including some non-HTC phones): Desire HD  (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40 Glacier - Version FRG83 Droid Incredible - Version FRF91 Thunderbolt 4G - Version FRG83D Sensation Z710e - Version GRI40 Sensation 4G - Version GRI40 Desire S - Version GRI40 EVO 3D - Version GRI40 EVO 4G - Version GRI40 -------------------------------------------------------------------------------- Non-Affected Versions: -------------------------------------------------------------------------------- myTouch3g  (Appears to run either unmodified, or only lightly modified Android build) Nexus One  (Runs unmodified Android build) -------------------------------------------------------------------------------- Severity -------------------------------------------------------------------------------- Critical -------------------------------------------------------------------------------- See also -------------------------------------------------------------------------------- CVE ID: CVE-2011-4872 -------------------------------------------------------------------------------- Timeline: -------------------------------------------------------------------------------- - 2012-02-01: Public disclosure - 2012-01-31: Submit final public disclosure doc to HTC Global for feedback - 2012-01-31: HTC publishes information via their web site - 2012-01-20: Public disclosure ? postponed - 2012-01-19: Discussion with HTC Global on their time schedule - 2012-01-05: Conference call with HTC Global - 2012-01-02: Public disclosure ? postponed - 2011-12-05: Discussed public disclosure time frames with HTC and Google - 2011-10-11: Updated all individuals and groups that are aware of the issue - 2011-10-11: Follow-up conference call with HTC Global and Google - 2011-09-19: Updated all individuals and groups that were aware of the issue - 2011-09-19: Conference call with HTC Global and Google - 2011-09-08: HTC and Google verified exploit - 2011-09-07: Notified key government agencies and CERT under non-public disclosure - 2011-09-07: Initial email and phone call with HTC Global and Google -------------------------------------------------------------------------------- Vulnerability Details: -------------------------------------------------------------------------------- There is an issue in certain HTC builds of Android that can expose the user's 802.1X password to any program with the "android.permission.ACCESS_WIFI_STATE" permission. In addition, if the SSID is an identifiable SSID ("Sample University" or "Enterprise XYZ"), this issue exposes enterprise-privileged credentials in a manner that allows targeted exploitation. The resulting output will look something like this: * ID: 2 SSID: "ct" BSSID: null PRIO: 16 KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN AuthAlgorithms: PairwiseCiphers: CCMP GroupCiphers: WEP40 WEP104 TKIP CCMP PSK: eap: PEAP phase2: auth=MSCHAPV2 identity: [Your User Name] anonymous_identity: password: client_cert: private_key: ca_cert: keystore://CACERT_ct On most Android devices, the password field is either left blank, or simply populated with a "*" to indicate that a password is present. However, on affected HTC devices, the password field contains the actual user password in clear text. This is sample output from a Sprint EVO running Android 2.3.3: * ID: 0 SSID: "wpa2eap" BSSID: null PRIO: 21 KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN AuthAlgorithms: PairwiseCiphers: CCMP GroupCiphers: WEP40 WEP104 TKIP CCMP PSK: eap: TTLS phase2: auth=PAP identity: test anonymous_identity: password: test client_cert: private_key: ca_cert: keystore://CACERT_wpa2eap -------------------------------------------------------------------------------- Vendor Response -------------------------------------------------------------------------------- Google and HTC have been very responsive and good to work with on this issue.   Google has made changes to the Android code to help better protect the credential store and HTC has released updates for all currently supported phone and side-loads for all non-supported phone. Customer with affected versions can find information from HTC about updating their phone at: http://www.htc.com/www/help/ Google has also done a code scan of every application currently in the Android Market and there are no applications currently exploiting this vulnerability. -------------------------------------------------------------------------------- Credit -------------------------------------------------------------------------------- Chris Hessing from The Open1X Group (http://www.open1x.org) who is currently working on Android, iOS, Windows, Mac OSX, and Linux 802.1X tools for Cloudpath Networks (http://www.cloudpath.net/) discovered this password exploit. -------------------------------------------------------------------------------- Contact Information -------------------------------------------------------------------------------- Chris Hessing      Senior Engineer, Cloudpath Networks (chris.hessing@cloudpath.net)      Chief Architect, Open1X Group (chris@open1x.org) Bret Jordan CISSP      Senior Security Architect, Open1X Group (jordan@open1x.org) -------------------------------------------------------------------------------- About -------------------------------------------------------------------------------- Cloudpath Networks Cloudpath Networks provides software solutions that allow diverse environments to operate WPA2-Enterprise and 802.1X networks in a scalable, sustainable manner.ˇ From Bring Your Own Device (BYOD) in enterprise to student-owned devices in education, Cloudpath's XpressConnect Wizard has been proven to provide unmatched simplicity on millions of devices around the globe. XpressConnect is an automated, self-service wizard for connecting users to WPA2-Enterprise and 802.1X across a wide range of device types and authentication methods, including credential-based (PEAP and TTLS) and certificate-based (TLS).ˇ For certificate-based environments, XpressConnect?s integration technology seamlessly connects to existing Microsoft CA servers to extend automated certificate issuance to non-domain devices, including iOS (iPhone, iPad, iPod Touch), Android, Windows, Mac OS X, and Linux. The Open1X Group The Open1X Group is a strategic research and development group established in 2001 to support the creation and adoption of secure authentication systems over traditionally insecure network connection. The Open1X Group performs active and ongoing research and analysis in to the IEEE 802.1X protocol, the IETF EAP Methods, emerging authentication technologies, and various cryptographic implementations.   The Open1X Group has had the support of major Universities, enterprise companies, major Hi-Tech companies, and non-profit organizations.   The Open1X Group also performs on-going analysis of business and academic interests in to secure authentication and single sign-on systems, and Government and non-Government regulations and mandates for compliance in secure authentication. The Open1X Group leverages a distributed team of security architects, engineers, and research scientists with specializations in 802.1X, gird and high performance computing, wireless networking, federated authentication, black box testing, cryptography, large enterprise and University deployment experiences, and global project development. The Open1X Group is a pioneer in the secure authentication space with the first major wide spread 802.1X federated deployment back in 1999/2000, and the development of a fully featured 802.1X supplicant, XSupplicant. Bret Jordan CISSP Sr Security Architect PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." . The vulnerability is caused due to an unspecified error and can be exploited by an application system administrator to gain super user privileges. The vulnerability is reported in versions 6.0, 6.5, and 6.6. SOLUTION: Apply patches (please see the vendor's advisory for details). ---------------------------------------------------------------------- SC Magazine awards the Secunia CSI a 5-Star rating Top-level rating for ease of use, performance, documentation, support, and value for money. Read more and get a free trial here: http://secunia.com/blog/296 ---------------------------------------------------------------------- TITLE: HTC Products Wi-Fi Credentials Disclosure Weakness SECUNIA ADVISORY ID: SA47837 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47837/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47837 RELEASE DATE: 2012-02-02 DISCUSS ADVISORY: http://secunia.com/advisories/47837/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47837/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47837 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Open1X Group has reported a weakness in multiple HTC products, which can be exploited by malicious people to disclose potentially sensitive information. The weakness is caused due to the "WifiConfiguration::toString()" method returning Wi-Fi credentials of stored networks in clear text. Successful exploitation requires that a malicious application is installed with "android.permission.ACCESS_WIFI_STATE" permissions. PROVIDED AND/OR DISCOVERED BY: Chris Hessing, Open1X Group. ORIGINAL ADVISORY: HTC: http://www.htc.com/www/help/ Open1X Group: http://blog.mywarwithentropy.com/2012/02/8021x-password-exploit-on-many-htc.html US-CERT VU#763355: http://www.kb.cert.org/vuls/id/763355 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

information disclosure

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Chris Hessing and Bret Jordan

SOURCES

LAST UPDATE DATE

2024-08-14T14:14:37.863000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE