BugTraq
Insecure application-coupling in Good Authentication Delegation [MZ-15-03] Sep 25 2015 07:19AM
modzero (security modzero ch)

Hi,

we decided to publish this advisory without coordination with the
vendor (GOOD Technology) as they were not cooperative (again).

There is a blog-posting about why we decided to not proceed with
Responsible Disclosure this time:

http://www.modzero.ch/modlog/archives/2015/09/24/on_responsible_full_dis
closure/index.html

You can find this advisory right here:
http://www.modzero.ch/advisories/MZ-15-03-GOOD-Auth-Delegation.txt

We also published an old advisory from 2013 - you should read the
blog-post to learn, why we didn't published it back in 2013.

cheers,

ths

-https://twitter.com/mod0

---------------------------------------------------------------- v1 -

modzero Security Advisory: Insecure application-coupling in Good
Authentication Delegation [MZ-15-03]

---------------------------------------------------------------------

---------------------------------------------------------------------

1. Timeline

---------------------------------------------------------------------

* 2015-08-18: Vulnerability has been discovered
* 2015-09-09: Vendor contact to agree on responsible disclosure
* 2015-09-25: Public Disclosure.

---------------------------------------------------------------------

2. Summary

---------------------------------------------------------------------

Vendor: Good Technology, Inc.
Products known to be affected:
* Combination of Android Good Dynamics SDK version 1.11.1206
Android Good Access app version 2.3.1.626
Android Good for Enterprise app version 3.0.0.415
Good Control server version 1.10.47.31
Good Proxy server version 1.10.47.2
Good for Enterprise server version 7.2.2.5c
* Other products, versions and apps using authentication-delegation
may be affected as well.
Severity: Medium/High

The Good Mobile Device Management solution provides two separate
Android applications, Good for Enterprise [1] (a mobile device
management Android application with functionality such as E-Mail) and
Good Access [2] (an Android application that has similar
functionality as a regular browser app to access company intranet
servers). Both apps use the underlying Good Dynamics framework to
communicate with the Good server located in the customer's company
network.

Authentication delegation is a method to provision the Good Access
Android app by using the Good for Enterprise Android app. Using this
mechanism, an employee does not need to manually enter an activation
key to provision the Good Access app, if Good for Enterprise was
already provisioned before.

Third-party apps can spoof their identity and try to request access
to company servers and data. Users could be tricked into allowing
access to company intranet servers to a faked Good Access app. The
server administrator is not able to prevent or detect the
unauthorized access.

A CVE has not yet been assigned to this vulnerability.

---------------------------------------------------------------------

3. Details

---------------------------------------------------------------------

As a precondition for this vulnerability, the Good servers have to
allow access to intranet servers on the company network via the Good
Access app. It is also necessary to enable authentication delegation
through Good for Enterprise.

A specially crafted third-party Android app can use an Android
package name that starts with "com.good.gdgma" (the Good Access
package name). Subsequently the app is able to announce itself as the
Good Access app to the authentication delegate (Good for Enterprise).
The user of the Android device has to explicitly grant access to this
third-party app [3], even though the specially crafted application
might be indistinguishable from the legitimate app for a user. It is
possible to activate not only one, but several faked apps through the
authentication delegate (Good for Enterprise) by using different
package names (e.g. "com.good.gdgma.test1", "com.good.gdgma.test2",
etc.).

The Good Dynamics server administrator can not distinguish between a
malicious third-party app and the legitimate app accessing company
data, as the provisioned app in the Good backend web interface is
showing that Good Access was provisioned.

As a mitigation the Good for Enterprise app could protect its
authentication-delegation-API intent (Android IPC mechanism) with the
signature level protection provided by the Android operating system
(android:protectionLevel="signature"). Only apps signed with the same
private key can use such permissions.

---------------------------------------------------------------------

4. Impact

---------------------------------------------------------------------

After tricking a user into installing a modified application that
pretends to be a Good Access app towards the authentication
delegation mechanism, the missing authentication can be exploited to
gain access to the intranet data via the Good servers. Additionally,
other third-party apps could request permission to access
company-data from the user - the Good server administrator is not
able to prevent usage of such third-party apps.

---------------------------------------------------------------------

5. Proof of concept exploit

---------------------------------------------------------------------

As a proof of concept, an example app of the Good Dynamics Android
SDK can be used. modzero used the ApacheHttp example application.
After loading the example project in the Android Studio IDE, the
GDApplicationID variable in the included settings.json file has to be
changed to "com.good.gdgma". Additionally the package name in the
AndroidManifest.xml file must be changed to a value that starts with
"com.good.gdgma". The included classes have to be refactored to match
the new package name. After installing the example application and
clicking the button to use authentication delegation, Good for
Enterprise will show the dialog to confirm access to company data
[3]. If the user enters his Good for Enterprise app password, the
malicious application is allowed to access intranet servers [4].

An alternative to demonstrate the issue is probably to disassemble
the Good Access app via apktool [5], add malicious code to the
application and reassemble the app via apktool.

---------------------------------------------------------------------

6. Workaround

---------------------------------------------------------------------

Users can deactivate authentication delegation and revoke access for
Good Access. Another workaround is not known.

---------------------------------------------------------------------

7. Fix

---------------------------------------------------------------------

It is not known to modzero, if a security fix is available.

---------------------------------------------------------------------

8. References

---------------------------------------------------------------------

[1] https://play.google.com/store/apps/details?id=com.good.android.gfe
[2] https://play.google.com/store/apps/details?id=com.good.gdgma
[3] http://www.modzero.ch/advisories/media/good_dynamics_provisioning.png
[4] http://www.modzero.ch/advisories/media/good_dynamics_usage.png
[5] https://ibotpeaches.github.io/Apktool/

---------------------------------------------------------------------

9. Credits

---------------------------------------------------------------------

* Tobias Ospelt

---------------------------------------------------------------------

10. About modzero

---------------------------------------------------------------------

The independent Swiss company modzero AG assists clients with
security analysis in the complex areas of computer technology. The
focus lies on highly detailed technical analysis of concepts,
software and hardware components as well as the development of
individual solutions. Colleagues at modzero AG work exclusively in
practical, highly technical computer-security areas and can draw on
decades of experience in various platforms, system concepts, and
designs.

https://www.modzero.ch

contact (at) modzero (dot) ch [email concealed]

---------------------------------------------------------------------

11. Disclaimer

---------------------------------------------------------------------

The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus