tanprathan · August 13, 2018 14:09
diff --git a/CVE-2018-13446.txt b/CVE-2018-13446.txt
 > [Description]
 > ** DISPUTED ** An issue was discovered in the LINE jp.naver.line
 > application 8.8.1 for Android. The Passcode feature allows
 > authentication bypass via runtime manipulation that forces a
 > certain method's return value to true. In other words, an attacker
 > could authenticate with an arbitrary passcode. NOTE: the vendor
 > indicates that this is not an attack of interest within the context
 > of their threat model, which excludes Android devices on which
 > rooting has occurred.
 >
 > ------------------------------------------
 >
 > [Additional Information]
 > Exploitation Narrative for bypass local authentication on Passcode
 >
 > 1. De-compiling process was used to determine application logic
 > through source code. Even the application was minified (Seems to be
 > using Proguard), We still can analyse the logic of Passcode
 > authentication on the "b" method and found that the return type is
 > Boolean type.
 >
 > 2. Frida script was created to hook into "b" method in order to force the return value to be "true".
 >
 > Recommendation
 > * Consider code obfuscation not only using Proguard due to it is just minify not obfuscating
 >
 > ------------------------------------------
 >
 > [VulnerabilityType Other]
 > OWASP Mobile Top 10 2016:M4-Insecure Authentication, CWE-287 - Improper Authentication
 >
 > ------------------------------------------
 >
 > [Vendor of Product]
 > LINE Corporation
 >
 > ------------------------------------------
 >
 > [Affected Product Code Base]
 > jp.naver.line (Android: Google Play Store) - 8.8.1
 >
 > ------------------------------------------
 >
 > [Affected Component]
 > Passcode authentication
 >
 > ------------------------------------------
 >
 > [Attack Type]
 > Context-dependent
 >
 > ------------------------------------------
 >
 > [Impact Information Disclosure]
 > true
 >
 > ------------------------------------------
 >
 > [CVE Impact Other]
 > Authentication Bypass
 >
 > ------------------------------------------
 >
 > [Attack Vectors]
 > An attacker who is able to access on rooted Android
 > device, could perform runtime manipulation on Passcode authentication
 > which allow attacker to force the return value to be "true". A
 > malicious application which may evade Google Play Store detection,
 > could attack the LINE application on rooted device by hooking into
 > Passcode verification mechanism in order to bypass authentication
 > process.
 >
 > ------------------------------------------
 >
 > [Has vendor confirmed or acknowledged the vulnerability?]
 > true
 >
 > ------------------------------------------
 >
 > [Discoverer]
 > Boonpoj Thongakaraniroj, Prathan Phongthiproek
 >
 > ------------------------------------------
 >
 > [Reference]
 > https://play.google.com/store/apps/details?id=jp.naver.line.android&hl=en_US
	> [Description]
	> DISPUTED An issue was discovered in the LINE jp.naver.line
	> application 8.8.1 for Android. The Passcode feature allows
	> authentication bypass via runtime manipulation that forces a
	> certain method's return value to true. In other words, an attacker
	> could authenticate with an arbitrary passcode. NOTE: the vendor
	> indicates that this is not an attack of interest within the context
	> of their threat model, which excludes Android devices on which
	> rooting has occurred.
	>
	> ------------------------------------------
	>
	> [Additional Information]
	> Exploitation Narrative for bypass local authentication on Passcode
	>
	> 1. De-compiling process was used to determine application logic
	> through source code. Even the application was minified (Seems to be
	> using Proguard), We still can analyse the logic of Passcode
	> authentication on the "b" method and found that the return type is
	> Boolean type.
	>
	> 2. Frida script was created to hook into "b" method in order to force the return value to be "true".
	>
	> Recommendation
	> * Consider code obfuscation not only using Proguard due to it is just minify not obfuscating
	>
	> ------------------------------------------
	>
	> [VulnerabilityType Other]
	> OWASP Mobile Top 10 2016:M4-Insecure Authentication, CWE-287 - Improper Authentication
	>
	> ------------------------------------------
	>
	> [Vendor of Product]
	> LINE Corporation
	>
	> ------------------------------------------
	>
	> [Affected Product Code Base]
	> jp.naver.line (Android: Google Play Store) - 8.8.1
	>
	> ------------------------------------------
	>
	> [Affected Component]
	> Passcode authentication
	>
	> ------------------------------------------
	>
	> [Attack Type]
	> Context-dependent
	>
	> ------------------------------------------
	>
	> [Impact Information Disclosure]
	> true
	>
	> ------------------------------------------
	>
	> [CVE Impact Other]
	> Authentication Bypass
	>
	> ------------------------------------------
	>
	> [Attack Vectors]
	> An attacker who is able to access on rooted Android
	> device, could perform runtime manipulation on Passcode authentication
	> which allow attacker to force the return value to be "true". A
	> malicious application which may evade Google Play Store detection,
	> could attack the LINE application on rooted device by hooking into
	> Passcode verification mechanism in order to bypass authentication
	> process.
	>
	> ------------------------------------------
	>
	> [Has vendor confirmed or acknowledged the vulnerability?]
	> true
	>
	> ------------------------------------------
	>
	> [Discoverer]
	> Boonpoj Thongakaraniroj, Prathan Phongthiproek
	>
	> ------------------------------------------
	>
	> [Reference]
	> https://play.google.com/store/apps/details?id=jp.naver.line.android&hl=en_US