BugTraq
CVE-2016-1520: GrandStream Android VoIP App Update Redirection Mar 17 2016 12:16PM
Georg Lukas (lukas rt-solutions de)
CVE-2016-1520: GrandStream Android VoIP App Update Redirection
==============================================================

Affected app: [Grandstream Wave][GSWAVE] version 1.0.1.26 (and probably earlier)

Classification:

* [CWE-300 Channel Accessible by Non-Endpoint][CWE300]
* [CWE-319 Cleartext Transmission of Sensitive Information][CWE319]
* CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H (score 6.4)

## Summary

The Grandstream Wave app periodically queries the Grandstream server for app
updates. If a new update is found, the app shows a notification to the user
that either opens the app's Google Play page or auto-downloads the APK file
and opens it for installation.

The update information is downloaded over an insecure connection from
`media.ipvideotalk.com` and contains the version code and the update URL.
An active attacker on the network path can redirect this request and trick the
user into downloading a malicious update package. Users who have "Unknown
Sources" enabled in the Android security preferences, or who enable it upon
request, can be tricked into installing a malicious application that disguises
itself as a Wave update.

## Details

The Grandstream Wave app downloads an update info XML on each app start. The
address is hardcoded in the application properties as follows:

    updateinfo_serverurl=http://media.ipvideotalk.com/upgrade/updateinfo.xml

This file was last updated in March 2015 and contains the following outdated
information (the description is Chinese for "a new version was detected, please
update promptly"):

    <?xml version="1.0" encoding="utf-8"?>
    <info>
    <version>1.0.1.6</version>
    <versioncode>69</versioncode>
    <updateurl>market://details?id=com.softphone</updateurl>
    <description>检测到有新版本，请及时更新！</description>
    </info>

The version available via Google Play at the time of this writing is 1.0.1.26
(`versioncode` 89), so the application currently shows no update dialog.

Internally, the XML is processed by the app as follows:

1. Check if the received `versioncode` is higher than the app's.
2. Prompt the user to install the update.
3. If the `updateurl` contains `"market://details"`, open the Google Play page
for the app's package (this is secure, the URL from the XML is not used).
4. Otherwise, download the file linked to by `updateurl` to
`/sdcard/GSWave/upgrade/GSWave.apk` and open an installation
dialog.
5. If the user has "Unknown Sources" disabled, a warning dialog will be shown
that forwards the user to the Android Security Preferences. If
the user taps "Settings" and enables "Unknown Sources", the next update
attempt will continue to step 6.
6. If "Unknown Sources" are allowed, Android will proceed with the app
installation. For a normal user it is almost impossible to distinguish an
official upgrade from a disguised malicious app.

Because, from the user's perspective, this is an update to a trustworthy app
that was initiated by the app itself, there is no reason to mistrust the
installation or to question the permissions requested by the installer.
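The decision logic of steps 1 to 4, modelled as an added example (not Grandstream's code) beside the stricter policy a hardened client would apply: refuse update metadata that arrived over cleartext HTTP (CWE-319) and never follow a non-store URL. The helper names, the hardened policy and the second XML sample (with a placeholder host) are assumptions constructed for this example; the first sample is the `updateinfo.xml` quoted above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PLAY_PREFIX = "market://details"

# The updateinfo.xml quoted in the advisory (description element omitted).
GENUINE_XML = """<?xml version="1.0" encoding="utf-8"?>
<info><version>1.0.1.6</version><versioncode>69</versioncode>
<updateurl>market://details?id=com.softphone</updateurl></info>"""

# Constructed sample of a redirected response: a higher versioncode and a
# plain-HTTP APK link on a placeholder host (not a real indicator).
REDIRECTED_XML = """<?xml version="1.0" encoding="utf-8"?>
<info><version>1.0.1.99</version><versioncode>90</versioncode>
<updateurl>http://example.invalid/GSWave.apk</updateurl></info>"""


def parse_update_info(xml_text):
    """Return (versioncode, updateurl); versioncode is None if not an int."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    try:
        code = int(root.findtext("versioncode", default=""))
    except ValueError:
        code = None
    return code, (root.findtext("updateurl") or "").strip()


def wave_decision(xml_text, installed_versioncode):
    """Steps 1-4 as the advisory describes them: a newer versioncode with a
    market:// URL opens the Play page; any other URL is downloaded as an APK."""
    code, url = parse_update_info(xml_text)
    if code is None or code <= installed_versioncode:
        return "no-update"
    if url.startswith(PLAY_PREFIX):
        return "open-play-store"
    return "download-apk:" + url


def hardened_decision(xml_text, installed_versioncode, metadata_url):
    """Policy a hardened client would apply (an assumption, not Wave's code):
    metadata fetched over cleartext HTTP is untrusted, and only the Play Store
    path is ever followed, never a sideloaded APK from an arbitrary URL."""
    if urlparse(metadata_url).scheme != "https":
        return "reject:cleartext-metadata"
    code, url = parse_update_info(xml_text)
    if code is None or code <= installed_versioncode:
        return "no-update"
    if url.startswith(PLAY_PREFIX):
        return "open-play-store"
    return "reject:non-store-url"
```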

## Impact

With a one-time man-in-the-middle attack, it is possible to trick the user into
installing a malicious Android application with permissions to make phone
calls, access contact data, record audio and video, and much more. Such an
application can then perform extensive surveillance of the user.

## Mitigation

It is not possible to disable update checks in the Wave application, so there is
no technical mitigation on the app side. However, the following steps can be
undertaken to reduce the risk:

* Do not launch the Wave app on untrusted networks
* Use an automatic VPN connection to a trusted network
* Disable "Unknown Sources" in the Android security settings
* Inform the users not to install apps manually

## Timeline

* 2015-11-25 Discovery of the issue
* 2015-11-25 Requested CVE number
* 2015-12-01 Notification of vendor
* 2016-01-20 CVE number assigned
* 2016-03-16 Public disclosure

## Contact

Please contact Dr. Georg Lukas with any further questions regarding this
vulnerability.

PDF version with images: http://rt-solutions.de/images/PDFs/Veroeffentlichungen/CVE-2016-1520-app-update-redirection.pdf

[GSWAVE]: https://play.google.com/store/apps/details?id=com.softphone
[CWE300]: https://cwe.mitre.org/data/definitions/300.html
[CWE319]: https://cwe.mitre.org/data/definitions/319.html

--
Dr.-Ing. Georg Lukas
rt-solutions.de GmbH
Oberländer Ufer 190a
D-50968 Köln

Tel. : (+49)221 93724 16
Fax : (+49)221 93724 50
Mobil: (+49)179 4176591
Web : www.rt-solutions.de
rt-solutions.de
experts you can trust.

Sitz der Gesellschaft: Köln
Eingetragen beim Amtsgericht Köln: HRB 52645
Geschäftsführer: Prof. Dr. Ralf Schumann, Dr. Stefan Schemmer
