Janus Vulnerability (CVE-2017-13156)

Whats Janus Vulnerability

A serious vulnerability in Android allows attackers to inject a DEX file into an APK file without affecting the signatures.

Details

1. On device running android version 5.X & 6.X, Apk signature was verified using only v1 scheme Janus vulnerability was found in v1 signing scheme and google released a patch on 2017 December 01 to fix Janus on these android versions. so even though apk is signed only with v1 which can bem run on 5.x & 6.x, if 2017 December 01 patch is installed in the device Janus cannot be exploited.

2. After releasing the patch for Janus, Google released v2 signing scheme and prioritized device to use v2 scheme over v1 scheme if v2 was used along with v1 scheme but they did not integrate the patch into the system until android 8.1. This made possible to exploit Janus on android 7.x & 8.0 also, as long as 2017 December patch is not installed.

3. Applications signed with v2 or v3 along with v1 are also vulnerable to Janus if they are made to run on android versions 5.x & 6.x as it verifies only v1 scheme without installing the patch.

4. Finally v1 scheme was removed and V4 scheme has been introduced in Android 11, Applications that are only signed with v1 scheme will not run on Android 11

How to Test

• We use apksigner tool to find the signature schemes used by the application

apksigner verify -verbose h5.apk

apk has been signed only with v1, no v2 or v3 signature

• Use apktool to find the min android version on which we can run this application

Application can be run on API Level 15(Android 4.0.4 Ice Cream Sandwich), so we can choose any device from 5.x, 6.x, 7.x & 8.0 to exploit it.

apktool -s d h5.apk && cat h5/apktool.yml | grep minSdk

• Get classes.dex from any other apk

apktool -s d WhatsApp.apk && mv WhatsApp/classes.dex

• To Inject this classes.dex file into our h5 application, we use this exploit code from VEO’s repo. Copy the code and create new file named janus.py and paste into it

python janus.py classes.dex h5.apk kal-h5.apk

• Install adb exploit

adb install h5.apk
adb install -r kal-h5.apk

Automation

https://github.com/h0tak88r/j88nxgithub.com

# Basic APK analysis
go run main.go -apk path/to/your.apk

# Analysis with custom POC dex file
go run main.go -apk path/to/your.apk -dex path/to/poc.dex

Resources

Exploiting Apps vulnerable to Janus (CVE-2017–13156)Medium