tanprathan · June 19, 2018 04:10
diff --git a/CVE-2018-12445.txt b/CVE-2018-12445.txt
 > [Description]
 > ** DISPUTED ** An issue was discovered in the com.dropbox.android
 > application 98.2.2 for Android. The FingerprintManager class for
 > Biometric validation allows authentication bypass through the callback
 > method from onAuthenticationFailed to onAuthenticationSucceeded with
 > null, because the fingerprint API in conjunction with the Android
 > keyGenerator class is not implemented. In other words, an attacker
 > could authenticate with an arbitrary fingerprint. NOTE: the vendor
 > indicates that this is not an attack of interest within the context of
 > their threat model, which excludes Android devices on which rooting
 > has occurred.
 >
 > ------------------------------------------
 >
 > [Additional Information]
 >
 > Exploitation Narrative for bypass local authentication on Fingerprint
 >
 > 1. De-compiling process was used to determine application logic
 > through source code. Even the application was minified (Seem to be
 > using Proguard), We still can analyse the logic of Fingerprint
 > authentication on "com.dropbox.android.activity.lock.c" class.
 >
 > 2. We notice that the fingerprint method is implemented through
 > FingerprintManager class.
 >
 > 3. Frida script was created to hook into "b" method in order to set
 > the onAuthenticationSucceeded to "null".
 >
 > Recommendation
 > Using fingerprint API in conjunction with the Android keyGenerator class.
 >
 > ------------------------------------------
 >
 > [VulnerabilityType Other]
 > OWASP Mobile Top 10 2016:M1-Improper Platform Usage, CWE-287 - Improper Authentication
 >
 > ------------------------------------------
 >
 > [Vendor of Product]
 > Dropbox
 >
 > ------------------------------------------
 >
 > [Affected Product Code Base]
 > com.dropbox.android (Android: Google Play Store) - 98.2.2
 >
 > ------------------------------------------
 >
 > [Affected Component]
 > Bio-metric(Fingerprint) authentication
 >
 > ------------------------------------------
 >
 > [Attack Type]
 > Context-dependent
 >
 > ------------------------------------------
 >
 > [Impact Information Disclosure]
 > true
 >
 > ------------------------------------------
 >
 > [CVE Impact Other]
 > Authentication Bypass
 >
 > ------------------------------------------
 >
 > [Attack Vectors]
 > An attacker who is able to access on rooted Android device, could
 > perform runtime manipulation on Bio-metric authentication 
 > which allow attacker to force the return value to be "true".
 > A malicious application which may evade Google Play Store
 > detection, could attack the Dropbox application on rooted device by
 > hooking into Bio-metric mechanism in order to bypass authentication
 > process.
 >
 > ------------------------------------------
 >
 > [Has vendor confirmed or acknowledged the vulnerability?]
 > true
 >
 > ------------------------------------------
 >
 > [Discoverer]
 > Prathan Phongthiproek, Boonpoj Thongakaraniroj
	> [Description]
	> DISPUTED An issue was discovered in the com.dropbox.android
	> application 98.2.2 for Android. The FingerprintManager class for
	> Biometric validation allows authentication bypass through the callback
	> method from onAuthenticationFailed to onAuthenticationSucceeded with
	> null, because the fingerprint API in conjunction with the Android
	> keyGenerator class is not implemented. In other words, an attacker
	> could authenticate with an arbitrary fingerprint. NOTE: the vendor
	> indicates that this is not an attack of interest within the context of
	> their threat model, which excludes Android devices on which rooting
	> has occurred.
	>
	> ------------------------------------------
	>
	> [Additional Information]
	>
	> Exploitation Narrative for bypass local authentication on Fingerprint
	>
	> 1. De-compiling process was used to determine application logic
	> through source code. Even the application was minified (Seem to be
	> using Proguard), We still can analyse the logic of Fingerprint
	> authentication on "com.dropbox.android.activity.lock.c" class.
	>
	> 2. We notice that the fingerprint method is implemented through
	> FingerprintManager class.
	>
	> 3. Frida script was created to hook into "b" method in order to set
	> the onAuthenticationSucceeded to "null".
	>
	> Recommendation
	> Using fingerprint API in conjunction with the Android keyGenerator class.
	>
	> ------------------------------------------
	>
	> [VulnerabilityType Other]
	> OWASP Mobile Top 10 2016:M1-Improper Platform Usage, CWE-287 - Improper Authentication
	>
	> ------------------------------------------
	>
	> [Vendor of Product]
	> Dropbox
	>
	> ------------------------------------------
	>
	> [Affected Product Code Base]
	> com.dropbox.android (Android: Google Play Store) - 98.2.2
	>
	> ------------------------------------------
	>
	> [Affected Component]
	> Bio-metric(Fingerprint) authentication
	>
	> ------------------------------------------
	>
	> [Attack Type]
	> Context-dependent
	>
	> ------------------------------------------
	>
	> [Impact Information Disclosure]
	> true
	>
	> ------------------------------------------
	>
	> [CVE Impact Other]
	> Authentication Bypass
	>
	> ------------------------------------------
	>
	> [Attack Vectors]
	> An attacker who is able to access on rooted Android device, could
	> perform runtime manipulation on Bio-metric authentication
	> which allow attacker to force the return value to be "true".
	> A malicious application which may evade Google Play Store
	> detection, could attack the Dropbox application on rooted device by
	> hooking into Bio-metric mechanism in order to bypass authentication
	> process.
	>
	> ------------------------------------------
	>
	> [Has vendor confirmed or acknowledged the vulnerability?]
	> true
	>
	> ------------------------------------------
	>
	> [Discoverer]
	> Prathan Phongthiproek, Boonpoj Thongakaraniroj