-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-027
Product: AirWatch Agent App for Android
Vendor: VMWare
Affected Version(s): any before 7.0
Tested Version(s): 5.3.2.790
Vulnerability Type: Lack of Binary Protections
Risk Level: Medium
Solution Status: Open
Vendor Notification: 2016-04-04
Solution Date: 2017-01-17
Public Disclosure: 2016-01-30
CVE Reference: CVE-2017-4895
Author of Advisory: Finn Steglich, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The VMWare AirWatch Agent App for Android enforces device security
according to the MDM policies. The vendor VMWare AirWatch describes the
product as follows (see [1]):

"AirWatch Mobile Security Management ensures your enterprise mobility
deployment is secure and corporate information is protected with
end-to-end security extending to users, devices, applications, content,
data, email and networks. AirWatch provides real-time device details and
continuous compliance monitoring to ensure your devices and corporate
data are secure."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

It was possible to circumvent the rooting detection of the AirWatch
Agent App for Android. To do so, the su and daemonsu binaries, which are
commonly used to grant root access, were simply renamed to inconspicuous
names in both the file system and the process tree. To persist root
access across reboots, a boot script has to be changed as well.

This approach can be used to root the device prior to AirWatch
enrollment, using any rooting method including boot loader
modifications. It can even be performed while the AirWatch Agent is
running, using a root exploit.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The public Android root exploit Towelroot [2] was used for this
demonstration.
The exploit itself was not recognized by the AirWatch Agent, but the
binaries /system/xbin/su and /system/xbin/daemonsu, as well as the
running daemonsu process, were detected. The PoC rooting app used by
SySS GmbH therefore executed its commands immediately after the
Towelroot exploit had run. The binaries were then renamed to
/system/xbin/syss and /system/xbin/daemonsyss and the device was
rebooted. The following commands summarize the changes:

    mount -o rw,remount /system
    mv '/sbin/su' '/sbin/syss'
    mv '/system/xbin/su' '/system/xbin/syss'
    mv '/system/xbin/daemonsu' '/system/xbin/daemonsyss'
    echo -e '#!/system/bin/sh\n/system/xbin/daemonsyss --auto-daemon &' > /system/etc/install-recovery.sh
    mount -o ro,remount /system
    reboot

The reboot was used as an easy way to kill the detectable daemonsu
process and to load the new daemonsyss binary (persisted via the boot
script). Other means could be used instead if a reboot has to be
avoided, for instance if the attacker does not know the device's screen
lock code, or if the device is encrypted. The renaming proved to be fast
enough that the agent could not detect the su binaries even while it
was running.

After the reboot, the device is rooted, but the AirWatch Agent does not
recognize the compromise.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to AirWatch Agent version 7.0 or later. See [3] for the VMWare
Security Advisory on the issue and further information.
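The bypass in the Vulnerability Details and PoC sections works because the detection keys on the names "su" and "daemonsu". The following Python script is an added example, not code from the SySS advisory or from the AirWatch product, showing how a device-side check can recognize the same post-rename state by properties that a rename does not change: the setuid bit on the binaries, the daemon's command-line argument, the persistence line in install-recovery.sh, and the mount state of /system. It runs offline against a constructed directory tree, a constructed ps-style process list and a constructed mount table; the directory list, the regular expression, the function names and the `run_checks` report format are assumptions of this example rather than anything AirWatch implements.

```python
# Added example: name-independent root indicators (not SySS or VMware code).
import os
import re
import shutil
import stat
import tempfile

# Directories the checks scan; the paths come from the advisory's command list,
# grouping them like this is an assumption of this example.
BIN_DIRS = ("sbin", "system/bin", "system/xbin")
BOOT_SCRIPT = "system/etc/install-recovery.sh"
# Shape of the persistence line from the PoC: a binary from a system bin
# directory started with --auto-daemon or backgrounded with '&' (heuristic).
BOOT_DAEMON_RE = re.compile(
    r"^\s*/(?:system/xbin|system/bin|sbin)/\S+.*(?:--auto-daemon|&\s*$)")


def find_setuid_binaries(root):
    """Regular files in BIN_DIRS carrying the setuid bit, whatever their name.
    mv keeps the file mode, so a renamed su is still found here."""
    hits = []
    for d in BIN_DIRS:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            path = os.path.join(full, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(path, root))
    return hits


def suspicious_boot_script_lines(root):
    """Lines of install-recovery.sh that launch a background daemon."""
    path = os.path.join(root, BOOT_SCRIPT)
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as f:
        return [ln.rstrip("\n") for ln in f if BOOT_DAEMON_RE.search(ln)]


def daemon_processes(ps_output):
    """Match processes on their arguments, not on argv[0].
    ps_output is 'PID CMDLINE' text standing in for a ps dump."""
    hits = []
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and "--auto-daemon" in fields[2:]:
            hits.append((fields[0], fields[1]))
    return hits


def system_mounted_rw(mounts_text):
    """True if /system is mounted read-write in /proc/mounts-style text."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/system":
            return "rw" in fields[3].split(",")
    return False


def run_checks(root, ps_output, mounts_text):
    """Combine the indicators; any single hit marks the device as rooted."""
    report = {
        "setuid_binaries": find_setuid_binaries(root),
        "boot_script_lines": suspicious_boot_script_lines(root),
        "daemon_processes": daemon_processes(ps_output),
        "system_rw": system_mounted_rw(mounts_text),
    }
    report["rooted"] = bool(report["setuid_binaries"] or report["boot_script_lines"]
                            or report["daemon_processes"] or report["system_rw"])
    return report


def build_fixture():
    """Construct a throw-away tree in the post-rename state from the PoC."""
    root = tempfile.mkdtemp(prefix="rootcheck_")
    for d in BIN_DIRS + ("system/etc",):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    # Renamed su copies keep setuid; the daemon and an ordinary tool do not.
    for rel, suid in (("sbin/syss", True), ("system/xbin/syss", True),
                      ("system/xbin/daemonsyss", False), ("system/bin/ls", False)):
        path = os.path.join(root, rel)
        with open(path, "wb") as f:
            f.write(b"\x7fELF placeholder, not a real binary")
        os.chmod(path, 0o4755 if suid else 0o755)
    with open(os.path.join(root, BOOT_SCRIPT), "w", encoding="utf-8") as f:
        f.write("#!/system/bin/sh\n/system/xbin/daemonsyss --auto-daemon &\n")
    return root


# Constructed process list and mount table standing in for a real device.
PS_OUTPUT = "1 /init\n412 /system/xbin/daemonsyss --auto-daemon\n530 com.airwatch.androidagent\n"
MOUNTS_RO = "/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime 0 0\n"

if __name__ == "__main__":
    fixture = build_fixture()
    try:
        for key, value in run_checks(fixture, PS_OUTPUT, MOUNTS_RO).items():
            print(f"{key}: {value}")
    finally:
        shutil.rmtree(fixture)
```

Run stand-alone, the script reports the two renamed setuid binaries, the rewritten install-recovery.sh line and the daemon process, while /system is correctly reported as read-only after the final remount from the PoC. The point of the design is that none of the four checks compares a file or process name against "su" or "daemonsu"; each one keys on something the attacker cannot change without losing root or persistence.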
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-03-15: Vulnerability discovered
2016-04-04: Vulnerability reported to vendor
2017-01-17: Updated agent app published
2017-01-30: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] VMWare AirWatch website
    http://www.air-watch.com/solutions/mobile-security/
[2] Towelroot
    https://towelroot.com/
[3] VMWare Security Advisory on the issue
    http://www.vmware.com/security/advisories/VMSA-2017-0001.html
[4] SySS GmbH, SYSS-2016-027
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-027.txt
[5] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Finn Steglich of SySS GmbH.

E-Mail: finn (dot) steglich (at) syss (dot) de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Finn_Steglich.asc
Key ID: 0x978723E3
Key Fingerprint: 62E7 D39B 525D ADBC 3C0E 576C 80A1 3D93 9787 23E3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYufTm1Jdrbw8DldsgKE9k5eHI+MFAliQhM8ACgkQgKE9k5eH
I+P1kg//Sld88geyJhJuV/eaRJKhOyHhgoVRb/oNgAc60MdE3yiYKsfNz7j5NSMy
0stb5ChQN+iLwcsllg5OlLDFs7RtycgcCPFflFZTutICj03tiWS4VAEzY2W9XK16
XP7FUSBFMJSRVN1z+ob6WHYdMJQ1Kr+lHbr3yPnh7Beqn51cOh+LL8THqOMVdakN
aS5YUtmalBGx1pPkip5/xp2DEup4/5kkSWtZ5EbWKMo6baxYAtpB+tuGav7cRaR+
SIzQmBMg3h4GD/Os9JT7M1izDLcm41DrPe0bmRxBnKereULW8LMkuPhIWjCWgwhk
zrz94mHEkQM7tycbLj4GDpLn+AkOOOiNDnezAkgsfZQUHneSt0hhIPcFCrbe2v7r
K55+zDdHdK2pJCNB0Te06YH8DF1mf2+6mxU8ZVSKOYkQ1C9L4csOZaP0vypOynLi
36gQ/vBo4b7rtsf+PkPCrSfwXMHMfc/S3VZCtx7kJzeMiuX8/DnmxsA5n9rEDZ+Y
Q8c4+DlaMpQfaGkJ188tL6qLZORcWf9ghcBOhU+K0uQU/14MAouhSOVpAE1StCz5
yGABPZoLRf/rCmTkZHw5SAVUNgiGJFH5UDrQ1E09DP1mvsQBxLM7GiMj/fVYWoal
2RdiVSahcMpmDMs6ZhNjX96VyMO3e2BjRQOsVqkT+p8nEu8FC80=
=W9EU
-----END PGP SIGNATURE-----