CVE-2013-4787

Severity

93%

Complexity

86%

Confidentiality

165%

Android 1.6 Donut through 4.2 Jelly Bean does not properly check cryptographic signatures for applications, which allows attackers to execute arbitrary code via an application package file (APK) that is modified in a way that does not violate the cryptographic signature, probably involving multiple entries in a Zip file with the same name in which one entry is validated but the other entry is installed, aka Android security bug 8219321 and the "Master Key" vulnerability.

Android 1.6 Donut through 4.2 Jelly Bean does not properly check cryptographic signatures for applications, which allows attackers to execute arbitrary code via an application package file (APK) that is modified in a way that does not violate the cryptographic signature, probably involving multiple entries in a Zip file with the same name in which one entry is validated but the other entry is installed, aka Android security bug 8219321 and the "Master Key" vulnerability.

CVSS 2.0 Base Score 9.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C).

Overview

Type

Google Android Operating System

First reported 11 years ago

2013-07-09 17:55:00

Last updated 11 years ago

2013-10-11 14:49:00

Affected Software

Google Android Operating System 1.6

1.6

Google Android Operating System 2.0

2.0

Google Android Operating System 2.0.1

2.0.1

Google Android Operating System 2.1

2.1

Google Android Operating System 2.2

2.2

Google Android Operating System 2.2 Revision 1

2.2

Google Android Operating System 2.2.1

2.2.1

Google Android Operating System 2.2.2

2.2.2

Google Android Operating System 2.2.3

2.2.3

Google Android Operating System 2.3

2.3

Google Android Operating System 2.3 Revision 1

2.3

Google Android Operating System 2.3.1

2.3.1

Google Android Operating System 2.3.2

2.3.2

Google Android Operating System 2.3.3

2.3.3

Google Android Operating System 2.3.4

2.3.4

Google Android Operating System 2.3.5

2.3.5

Google Android Operating System 2.3.6

2.3.6

Google Android Operating System 2.3.7

2.3.7

Google Android Operating System 3.0

3.0

Google Android Operating System 3.1

3.1

Google Android Operating System 3.2

3.2

Google Android Operating System 3.2.1

3.2.1

Google Android Operating System 3.2.2

3.2.2

Google Android Operating System 3.2.4

3.2.4

Google Android Operating System 3.2.6

3.2.6

Google Android Operating System 4.0

4.0

Google Android Operating System 4.0.1

4.0.1

Google Android Operating System 4.0.2

4.0.2

Google Android Operating System 4.0.3

4.0.3

Google Android Operating System 4.0.4

4.0.4

Google Android Operating System 4.1

4.1

Google Android Operating System 4.1.2

4.1.2

Google Android Operating System 4.2 (Jelly Bean)

4.2

References

http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

http://review.cyanogenmod.org/#/c/45251/

94773

60952

http://www.zdnet.com/google-releases-fix-to-oems-for-blue-security-android-security-hole-7000017782/

https://jira.cyanogenmod.org/browse/CYAN-1602

https://plus.google.com/113331808607528811927/posts/GxDA6111vYy

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.