CVE-2013-4787
Published: 2013-07-09
Priority: P2 · 69 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: EPSS 58.92% (99.0th percentile)
Android 1.6 Donut through 4.2 Jelly Bean does not properly check cryptographic signatures for applications, which allows attackers to execute arbitrary code via an application package file (APK) that is modified in a way that does not violate the cryptographic signature, probably involving multiple entries in a Zip file with the same name in which one entry is validated but the other entry is installed, aka Android security bug 8219321 and the "Master Key" vulnerability.
Affected
31 version ranges listed for vendor android (version range and fixed-in details were not captured in this record).
Detection & IOCs (extracted from sources)
- Detect APK ZIP files containing duplicate filenames (the same entry name appearing more than once): one entry is validated by signature verification while the other is installed, which is the core exploit primitive.
- Flag APK files where a ZIP append operation has been performed (e.g., via Python zipfile 'a' mode) to inject unsigned duplicate entries after the signed content.
- Monitor for PoC script patterns: shell scripts invoking apktool to decompile/recompile an APK followed by ZIP manipulation to append original entries into the rebuilt package.
- Inspect APK files for the Android Master Key bug 8219321: presence of duplicate ZIP entries where the second (appended) entry shadows the first during installation but the first was used for signature validation.
- Affected Android versions span 1.6 Donut through 4.2 Jelly Bean; devices running versions outside this range or with vendor patches for bug 8219321 are not vulnerable.
- The vulnerability does not require the APK's cryptographic signature itself to be broken: the APK passes signature verification because the validated entry is legitimate; only the installed (duplicate) entry is malicious.
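The duplicate-entry check described in the bullets above, as an added example (not code from the page's sources): it walks the ZIP central directory with Python's standard `zipfile` module, reports every entry name that appears more than once, and distinguishes identical copies from differing ones (the shadowing pattern of bug 8219321). The `build_sample_apk` helper constructs a minimal in-memory archive purely as test input; its entry contents are made up.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def find_duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {entry_name: [record, ...]} for every name listed more than once
    in the central directory. Each record carries offset, size and CRC so the
    caller can see whether the copies actually differ in content."""
    by_name = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() yields every central-directory entry, including duplicates;
        # namelist()/getinfo() would silently collapse them to the last one.
        for info in zf.infolist():
            by_name[info.filename].append(
                {"header_offset": info.header_offset,
                 "size": info.file_size,
                 "crc32": info.CRC}
            )
    return {name: recs for name, recs in by_name.items() if len(recs) > 1}


def verdict(apk_bytes: bytes) -> str:
    """'clean' if no duplicates; 'duplicate-shadowed' if any duplicate name has
    copies with differing CRCs (one copy validated, a different one installed);
    'duplicate-identical' otherwise. A verifier should reject anything not clean."""
    dups = find_duplicate_entries(apk_bytes)
    if not dups:
        return "clean"
    differing = [n for n, recs in dups.items()
                 if len({r["crc32"] for r in recs}) > 1]
    return "duplicate-shadowed" if differing else "duplicate-identical"


def build_sample_apk(duplicate: bool) -> bytes:
    """Constructed test input (not a real APK): a few APK-like entries, optionally
    with a second, differing 'classes.dex' entry under the same name."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00constructed-legit-payload")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00constructed-other-payload")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(f"duplicate={flag}: {verdict(build_sample_apk(flag))}")
```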
No detection rules found.
No writeups or analysis indexed.
CWE-694: Use of Multiple Resources with Duplicate Identifier (mitre_cwe · CVSS 9.3 · CRITICAL)
The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.
If the product assumes that each resource has a unique identifier, the product could operate on the wrong resource if attackers can cause multiple resources to be associated with the same identifier.
Modes of Introduction: Architecture and Design; Implementation
Common Consequences:
- Scope: Access Control. Impact: Bypass Protection Mechanism. If unique identifiers are assumed when protecting sensitive resources, then duplicate identifiers might allow attackers to bypass the protection.
- Scope: Other. Impact: Quality Degradation.
Potential Mitigations:
- [Architecture and Design] Where possibl
CWE-99: Improper Control of Resource Identifiers ('Resource Injection') (mitre_cwe)
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
A resource injection issue occurs when the following two conditions are met:
- An attacker can specify the identifier used to access a system resource. For example, an attacker might be able to specify part of the name of a file to be opened or a port number to be used.
- By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file, run with a configuration controlled by the attack
References
- http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/
- http://review.cyanogenmod.org/#/c/45251/
- http://www.osvdb.org/94773
- http://www.securityfocus.com/bid/60952
- http://www.zdnet.com/google-releases-fix-to-oems-for-blue-security-android-security-hole-7000017782/
- https://jira.cyanogenmod.org/browse/CYAN-1602
- https://plus.google.com/113331808607528811927/posts/GxDA6111vYy