Details: The software does not properly validate an application's certificate chain. An application can supply a specially crafted application identity certificate to impersonate a privileged application and gain access to vendor-specific device administration extensions. The vulnerability resides in the createChain() and findCert() functions of the Android JarUtils class. [securitytracker-1030654]
Google bug 13678484 [blackhat-briefing-fakeid]
Discovered by: Jeff Forristal of Bluebox [bluebox-fakeid]. Date: Unknown
Fixed versions: there is no single, specific “fixed” version of Android. Multiple vendors keep the same prior version number and patch only the affected functionality. We have confirmed “fixed” versions existing within the ranges of 4.1, 4.2, 4.3, and 4.4 [bluebox-fakeid]
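The Details entry above describes a chain-validation failure that lets a crafted identity certificate pass as one issued by a trusted signer. The following is an added illustration in Go, not code from Android's JarUtils or from Bluebox: it puts a weak chain-building step (linking a certificate to its issuer by name alone; an assumption about the flaw, modelled on how this bug has been described, not a quotation of the JarUtils logic) beside the correct step (verifying the issuer's signature over the child). All keys, names and the helper functions newKey, newCert, linkByNameOnly, linkBySignature and Demo are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey makes a throwaway P-256 key (constructed test material).
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// newCert issues a certificate with the given Subject and Issuer names, signed with signKey.
// The Issuer field is plain data, not bound to signKey; only a signature check proves the link.
func newCert(subject, issuer string, isCA bool, pub *ecdsa.PublicKey, signKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}} // contributes only the Issuer name
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}
// linkByNameOnly is the weak chain-building step: child counts as issued by parent
// whenever the names match, with no cryptography involved.
func linkByNameOnly(child, parent *x509.Certificate) bool {
	return child.Issuer.String() == parent.Subject.String()
}
// linkBySignature is the correct step: parent's key must actually have signed child.
func linkBySignature(child, parent *x509.Certificate) bool {
	return child.CheckSignatureFrom(parent) == nil
}
// Demo builds a trusted CA, a leaf it really issued, and a leaf that merely copies the CA's
// name into its Issuer field. Returns (nameOnlyAcceptsForged, sigAcceptsForged, sigAcceptsLegit).
func Demo() (bool, bool, bool) {
	caKey, legitKey, otherKey := newKey(), newKey(), newKey()
	ca := newCert("Trusted Root", "Trusted Root", true, &caKey.PublicKey, caKey)
	legit := newCert("app", "Trusted Root", false, &legitKey.PublicKey, caKey)
	forged := newCert("app", "Trusted Root", false, &otherKey.PublicKey, otherKey)
	return linkByNameOnly(forged, ca), linkBySignature(forged, ca), linkBySignature(legit, ca)
}
```

Demo returns true, false, true: the name-only step accepts the forged leaf while the signature check rejects it and still accepts the legitimately issued one.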