tanprathan · June 20, 2018 13:34
diff --git a/CVE-2018-12446.txt b/CVE-2018-12446.txt
 > [Description]
 > ** DISPUTED ** An issue was discovered in the com.dropbox.android
 > application 98.2.2 for Android. The Passcode feature allows
 > authentication bypass via runtime manipulation that forces a certain
 > method's return value to true. In other words, an attacker could
 > authenticate with an arbitrary passcode. NOTE: the vendor indicates
 > that this is not an attack of interest within the context of their
 > threat model, which excludes Android devices on which rooting has
 > occurred.
 >
 > ------------------------------------------
 >
 > [Additional Information]
 > Exploitation Narrative for bypass local authentication on Passcode
 >
 > 1. We noticed that information regarding the passcode authentication
 > is disclosed through Android system log which could be identified
 > using "adb logcat" command while the application was running.
 >
 > 2. Once the Passcode authentication method was called (By entering
 > invalid Passcode), the application class would be shown through system
 > log which is "com.dropbox.android.activity.lock.LockCodeActivity".
 >
 > 3. De-compiling process was used to determine application logic
 > through source code. Even the application was minified (Seems to be
 > using Proguard), We still can analyse the logic of Passcode
 > authentication on the "b" method and found that the return type is Boolean
 > type.
 >
 > 4. Frida script was created to hook into "b" method in order to force
 > the return value to be "true".
 >
 > Recommendation
 >
 > * Remove logging on Passcode authentication method from
 >   com.dropbox.android.activity.lock.LockCodeActivity
 >
 > * Consider code obfuscation not only using Proguard due to it is just
 >    minify not obfuscating
 >
 > ------------------------------------------
 >
 > [VulnerabilityType Other]
 > OWASP Mobile Top 10 2016:M1-Improper Platform Usage, CWE-287 - Improper Authentication
 >
 > ------------------------------------------
 >
 > [Vendor of Product]
 > Dropbox
 >
 > ------------------------------------------
 >
 > [Affected Product Code Base]
 > com.dropbox.android (Android: Google Play Store) - 98.2.2
 >
 > ------------------------------------------
 >
 > [Affected Component]
 > Passcode authentication
 >
 > ------------------------------------------
 >
 > [Attack Type]
 > Context-dependent
 >
 > ------------------------------------------
 >
 > [Impact Information Disclosure]
 > true
 >
 > ------------------------------------------
 >
 > [CVE Impact Other]
 > Authentication Bypass
 >
 > ------------------------------------------
 >
 > [Attack Vectors]
 > An attacker who is able to access on rooted Android device, could
 > perform runtime manipulation on Passcode authentication which
 > allow attacker to force the return value to be "true".
 > A malicious application which may evade Google Play Store
 > detection, could attack the Dropbox application on rooted device by
 > hooking into Passcode verification mechanism in order to bypass
 > authentication process.
 >
 > ------------------------------------------
 >
 > [Has vendor confirmed or acknowledged the vulnerability?]
 > true
 >
 > ------------------------------------------
 >
 > [Discoverer]
 > Boonpoj Thongakaraniroj, Prathan Phongthiproek

 Use CVE-2018-12446.
	> [Description]
	> DISPUTED An issue was discovered in the com.dropbox.android
	> application 98.2.2 for Android. The Passcode feature allows
	> authentication bypass via runtime manipulation that forces a certain
	> method's return value to true. In other words, an attacker could
	> authenticate with an arbitrary passcode. NOTE: the vendor indicates
	> that this is not an attack of interest within the context of their
	> threat model, which excludes Android devices on which rooting has
	> occurred.
	>
	> ------------------------------------------
	>
	> [Additional Information]
	> Exploitation Narrative for bypass local authentication on Passcode
	>
	> 1. We noticed that information regarding the passcode authentication
	> is disclosed through Android system log which could be identified
	> using "adb logcat" command while the application was running.
	>
	> 2. Once the Passcode authentication method was called (By entering
	> invalid Passcode), the application class would be shown through system
	> log which is "com.dropbox.android.activity.lock.LockCodeActivity".
	>
	> 3. De-compiling process was used to determine application logic
	> through source code. Even the application was minified (Seems to be
	> using Proguard), We still can analyse the logic of Passcode
	> authentication on the "b" method and found that the return type is Boolean
	> type.
	>
	> 4. Frida script was created to hook into "b" method in order to force
	> the return value to be "true".
	>
	> Recommendation
	>
	> * Remove logging on Passcode authentication method from
	> com.dropbox.android.activity.lock.LockCodeActivity
	>
	> * Consider code obfuscation not only using Proguard due to it is just
	> minify not obfuscating
	>
	> ------------------------------------------
	>
	> [VulnerabilityType Other]
	> OWASP Mobile Top 10 2016:M1-Improper Platform Usage, CWE-287 - Improper Authentication
	>
	> ------------------------------------------
	>
	> [Vendor of Product]
	> Dropbox
	>
	> ------------------------------------------
	>
	> [Affected Product Code Base]
	> com.dropbox.android (Android: Google Play Store) - 98.2.2
	>
	> ------------------------------------------
	>
	> [Affected Component]
	> Passcode authentication
	>
	> ------------------------------------------
	>
	> [Attack Type]
	> Context-dependent
	>
	> ------------------------------------------
	>
	> [Impact Information Disclosure]
	> true
	>
	> ------------------------------------------
	>
	> [CVE Impact Other]
	> Authentication Bypass
	>
	> ------------------------------------------
	>
	> [Attack Vectors]
	> An attacker who is able to access on rooted Android device, could
	> perform runtime manipulation on Passcode authentication which
	> allow attacker to force the return value to be "true".
	> A malicious application which may evade Google Play Store
	> detection, could attack the Dropbox application on rooted device by
	> hooking into Passcode verification mechanism in order to bypass
	> authentication process.
	>
	> ------------------------------------------
	>
	> [Has vendor confirmed or acknowledged the vulnerability?]
	> true
	>
	> ------------------------------------------
	>
	> [Discoverer]
	> Boonpoj Thongakaraniroj, Prathan Phongthiproek

	Use CVE-2018-12446.