Amazon Fire Phone Certificate Install User ID Check Failure
- Published: 25 Jun 2015
| Date | Event |
| --- | --- |
| 19/01/2015 | Reported to Amazon |
| 04/02/2015 | Amazon confirms reception and validity |
| 09/03/2015 | MWR requests status and progress |
| 13/03/2015 | Amazon notifies MWR that implementation of fixes has commenced |
| 27/03/2015 | Amazon notifies MWR that testing of fixes has commenced |
| 10/04/2015 | Amazon notifies MWR that testing is almost complete |
| 01/05/2015 | FireOS 4.6.1 released |
| 03/05/2015 | Amazon and MWR coordinate public release of advisory |
| 25/06/2015 | Advisory published |
A vulnerability was discovered within the Amazon Fire Phone's modified CertInstaller package which enables applications to install certificates without user interaction, due to incorrect usage of User ID validation functions.
The CertInstaller package on the Amazon Fire Phone allows applications to install certificates without interaction with the user. Although the application’s name is identical to the base Android package, the source code has been modified specifically for the Amazon Fire Phone. Successful exploitation of the vulnerability would allow an attacker to Man-in-the-Middle (MiTM) encrypted traffic. Although no user interaction is required, a notification is sent when a certificate has been installed.
If the vulnerability were successfully exploited, all encrypted traffic that does not make use of certificate pinning could be intercepted in a Man-in-the-Middle attack.
The package checks for an extra that, if set, results in the silent installation of a certificate.
Users are advised to only install applications from trusted sources and exclusively make use of trusted networks. Users that notice any notifications regarding “Certificate Installed” should immediately remove the certificate and uninstall any possibly malicious applications that were recently added.
Users should update to the latest version of Fire OS, as the issue has been addressed in Fire OS 4.6.1.
The onCreate method of the CertInstaller activity is given below:
```java
protected void onCreate(Bundle savedStates) {
    super.onCreate(savedStates);
    this.mCredentials = createCredentialHelper(getIntent());
    // Vulnerable gate: myUserId() returns 0 for every application on the
    // device, so this branch is entered whether or not installSilently() is set.
    if (this.mCredentials.installSilently() || UserHandle.myUserId() == 0) {
        this.mState = savedStates == null ? 1 : 2;
        if (this.mState != 1) {
            this.mCredentials.onRestoreStates(savedStates);
            this.mNextAction = (MyAction) savedStates.getSerializable(NEXT_ACTION_KEY);
        } else if (!this.mCredentials.containsAnyRawData()) {
            showErrorDialogAndFinish(R.id.activity_text);
        } else if (!this.mCredentials.hasPkcs12KeyStore()) {
            // Non-PKCS#12 material is installed without prompting the user.
            MyAction action = new InstallOthersAction();
            if (needsKeyStoreAccess()) {
                sendUnlockKeyStoreIntent();
                this.mNextAction = action;
            } else {
                action.run(this);
            }
        } else if (this.mCredentials.hasScepPassword()) {
            this.mNextAction = new Pkcs12ExtractAction(this.mCredentials.getScepPassword());
            this.mNextAction.run(this);
        } else if (this.mCredentials.installSilently()) {
            Log.e(TAG, "Installing silently? Pkcs password missing! Aborting...");
            finish();
        } else {
            showDialog(STATE_RUNNING);
        }
    } else {
        showErrorDialogAndFinish(R.string.only_primary_user_allowed);
    }
}
```
The following line is where the vulnerability exists:
```java
if (this.mCredentials.installSilently() || UserHandle.myUserId() == 0) {
```
Even when installSilently returns false, the package still installs the certificate silently. This is due to the incorrect usage of the myUserId() function. The function will return 0 for any application, as can be seen from the following excerpts from the Android API 17 source code:
```java
/**
 * @hide Range of uids allocated for a user.
 */
public static final int PER_USER_RANGE = 100000;

/**
 * Returns the user id of the current process
 * @return user id of the current process
 * @hide
 */
public static final int myUserId() {
    return getUserId(Process.myUid());
}

/**
 * Returns the user id for a given uid.
 * @hide
 */
public static final int getUserId(int uid) {
    if (MU_ENABLED) {
        return uid / PER_USER_RANGE;
    } else {
        return 0;
    }
}
```
It should be noted that applications that are installed have a UID between 10000 and 99999. Consequently, myUserId() will always return 0, as PER_USER_RANGE is equal to 100000 and integer division is being performed. For the Amazon Fire Phone used to verify the issue, CertInstaller had a UID of 32008.
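To make the failure of the check concrete, the following Python model of the API 17 UserHandle helpers is an added example, not code from the advisory, Android or Fire OS; it reproduces the vulnerable condition for several constructed caller UIDs (including the CertInstaller UID of 32008 seen above) and contrasts it with an assumed caller-aware gate, which is an illustration of the principle rather than Amazon's actual fix.

```python
# Added example: model of android.os.UserHandle (API 17) to show why
# "UserHandle.myUserId() == 0" cannot act as an authorisation check.
PER_USER_RANGE = 100000        # UserHandle.PER_USER_RANGE
MU_ENABLED = True              # multi-user support compiled in
SYSTEM_UID = 1000              # Process.SYSTEM_UID
FIRST_APPLICATION_UID = 10000  # Process.FIRST_APPLICATION_UID


def get_user_id(uid: int, mu_enabled: bool = MU_ENABLED) -> int:
    """Mirror of UserHandle.getUserId(): integer division by PER_USER_RANGE."""
    return uid // PER_USER_RANGE if mu_enabled else 0


def vulnerable_gate(install_silently: bool, own_uid: int) -> bool:
    """The Fire Phone condition. It inspects the installer's *own* process
    user id, which is 0 for every app on a single-user device, so the
    installSilently flag is never actually required."""
    return install_silently or get_user_id(own_uid) == 0


def caller_aware_gate(install_silently: bool, calling_uid: int,
                      allowed_uids=(SYSTEM_UID,)) -> bool:
    """Assumed hardened gate (illustration only, not Amazon's fix): silent
    installation needs the explicit flag AND a privileged *calling* UID.
    Ordinary apps (uid >= FIRST_APPLICATION_UID) are outside the allow-list."""
    return install_silently and calling_uid in allowed_uids


def silent_install_reachable(install_silently: bool, calling_uid: int,
                             own_uid: int = 32008) -> dict:
    """Evaluate both gates for one request; own_uid defaults to the
    CertInstaller UID observed in the advisory."""
    return {"vulnerable": vulnerable_gate(install_silently, own_uid),
            "hardened": caller_aware_gate(install_silently, calling_uid)}


if __name__ == "__main__":
    # Constructed callers: system server, a third-party app as user 0, and the
    # same app running under secondary user 10 (uid + 10 * PER_USER_RANGE).
    callers = [("system", SYSTEM_UID), ("third-party app", 10045),
               ("app as user 10", 1010045)]
    for label, uid in callers:
        print(f"{label:16} uid={uid:<8} user={get_user_id(uid)} "
              f"{silent_install_reachable(False, uid)}")
```

Running it shows that with installSilently unset the vulnerable gate still opens for every caller, while the caller-aware gate refuses them all.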