
How to protect yourself from the Samsung keyboard vulnerability in Android devices

A few weeks ago, in June 2015, the mobile device security company “NowSecure” published a post about a vulnerability found by its researcher, Mr. Ryan Welton, titled “Remote Code Execution as System User on Samsung Phones Summary”.
The findings were also assigned two official vulnerability identifiers, CVE-2015-4640 and CVE-2015-4641.

In that blog post the company wrote: “Unfortunately, the flawed keyboard app can’t be uninstalled or disabled”.
I believe this is not entirely correct, as the relevant Android service of this keyboard can be disabled if the device is rooted.

In the rest of this post I will show you how to do just that.

***
Disclaimer:
The following are the steps to work around the vulnerabilities mentioned in the “NowSecure” blog post, but the fact that it worked for me does not necessarily mean it will work for you or that it won’t harm your device and/or data.
I will have NO responsibility NOR liability for the following steps; if you perform them, it will be on your own personal responsibility and liability.
***

This is a workaround, not a fix: the vulnerable software stays on the device and is still vulnerable. We simply make sure it never loads into the device’s memory, so attackers cannot exploit this vulnerability.

***
The following procedure requires root access on the device.
***

The concept outline is:
1. Install another Android keyboard app
2. Make the new keyboard app the device’s active keyboard
3. Disable the Samsung keyboard (so it stays disabled across device reboots)

This replaces the vulnerable keyboard with a (probably…) non-vulnerable one and blocks the vulnerable keyboard from loading into memory, so it cannot be exploited.

First of all: make a full backup of the target Android device, and save the backup output OUTSIDE the device itself!

1. Make sure you have root access on your Android device.
The free “Root Checker” app may help you verify this.
If you do not have root access, the decision of whether and how to obtain it is yours to make, as rooting has many serious implications for your device’s operation, and maybe even its warranty, well beyond this workaround.
See the following two articles discussing the advantages and disadvantages of rooting an Android device:
a. Rooted vs. Unrooted Android: Your Best Arguments
b. To Root or Not to Root

2. Install an alternative free keyboard, such as the “Google Keyboard”.
Here are some recommendations (not mine) for other alternative keyboard apps.

3. Make the non-Samsung keyboard the active system keyboard.
The steps may differ from one Android version to another, but you can get a hint from the following articles:
a. How to replace your Android or iOS keyboard
b. Type in style: How to change your Android keyboard

4. Reboot the device and make sure that the new keyboard app is the active keyboard and that it works properly (say, by doing a Google search).

5. Install the free “Disable Service” app. I installed and used it and it worked fine for me.

6. Disable the “Samsung Keyboard” app using the following steps:
a. Open the “Disable Service” app and choose the “System” tab on the right side of the app interface.
b. Find the app named “Samsung Keyboard” (the actual name, partial or complete, may differ, as it may be written in your phone’s interface language) and choose it.
(You can easily find the “Samsung Keyboard” app using the “Disable Service” app’s search option, the magnifier icon at the top-left of its interface; just type “samsung” there.)
c. Un-check all the check boxes of the listed sub-items, the services belonging to the “Samsung Keyboard”. Once you un-check an item it is disabled and its text color turns from white to red.
You will probably be prompted, via a pop-up window, to grant the “Disable Service” app root access; you HAVE to approve this request for the procedure to succeed (the pop-up lets you limit this access to 15 minutes; you can do so, as you should complete the whole procedure within a few minutes).
d. That’s it, exit the app.
e. To verify that the “Samsung Keyboard” is disabled, return to the Android keyboard selection screen mentioned in step 3 above and make sure that no “Samsung Keyboard” item is listed.

In case you wish to re-enable the Samsung keyboard, use the following steps:

a. Open the “Disable Service” app and choose the “System” tab on the right side of the app interface.
b. Find the app named “Samsung Keyboard” (the actual name, partial or complete, may differ, as it may be written in your phone’s interface language) and choose it.
(You can easily find the “Samsung Keyboard” app using the “Disable Service” app’s search option, the magnifier icon at the top-left of its interface; just type “samsung” there.)
c. Check/select all the check boxes in the list you are presented with. Once you check/select an item it is enabled and its text color turns from red to white.
You will probably be prompted, via a pop-up window, to grant the “Disable Service” app root access; you HAVE to approve this request for the procedure to succeed (the pop-up lets you limit this access to 15 minutes; you can do so, as you should complete this procedure within a few minutes).
d. Exit the app.
e. To verify that the “Samsung Keyboard” is enabled, return to the Android keyboard selection screen mentioned in step 3 above and make sure that a “Samsung Keyboard” item is listed there.

The above procedure is meant for most folks, as it is easy and less likely to cause harm; most folks should use it.

The following procedure gives the same result but is intended for more technically experienced folks, as it is more prone to mistakes and damage, since it uses low-level operating system commands. Use it only if you are very knowledgeable about the low-level workings of Android.

Perform steps 1 to 4 as described above.
From step 5 onward, use the following steps:

5. Install a shell/terminal emulator, such as the free app “Terminal Emulator for Android”, which I tested and found to work well and easily.

a. Open the “Terminal Emulator for Android” app and at the command line type the text “su” (without the quotes; su means “super user”, which is what we call “root” mode) and hit the “Enter” key, found at the lower-right corner of the app’s on-screen keyboard. It looks like a thin line with a large arrow-head pointing to the left.
b. You will probably be prompted, via a pop-up window, to grant the “Terminal Emulator for Android” app root access; you HAVE to approve this request for the procedure to succeed (the pop-up lets you limit this access to 15 minutes; you can do so, as you should complete this procedure within a few minutes).
c. You will be returned to the command line. Notice that the sign at the end of the prompt has changed from the dollar sign, “$”, to “#”, which signals that you are now in “root” mode.

***Be very careful here, as you can do real damage in root mode***

d. Type the following line exactly, and once you have finished typing it, press the “Enter” key:
pm disable com.sec.android.inputmethod

If all is well you will get the reply:
Package com.sec.android.inputmethod new state: disabled

e. Exit the app by tapping the “X” sign at the app’s upper-right corner.

To re-enable the Samsung keyboard using the same app:

Do the same steps as described above using the “Terminal Emulator for Android” app, but in step “d” change the command to:
d. Type the following line exactly, and once you have finished typing it, press the “Enter” key:
pm enable com.sec.android.inputmethod

If all is well you will get the reply:
Package com.sec.android.inputmethod new state: enabled

e. Exit the app by tapping the “X” sign at the app’s upper-right corner.
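The same workaround, driven from a workstation over adb instead of the on-device terminal, as an added example that is not part of the original post. It assumes adb is on the PATH, USB debugging is enabled, and the rooted device’s su accepts “su -c <command>”; it refuses to disable the package while the Samsung keyboard is still the active input method, which is what step 3 above is for.

```shell
#!/bin/sh
# Added example, not part of the original post: the same workaround driven
# from a workstation over adb. Assumptions: adb on PATH, USB debugging on,
# and a rooted device whose su supports "su -c <command>".
PKG="com.sec.android.inputmethod"   # package name quoted in the post

# Return 0 only if the reply from "pm disable"/"pm enable" ($1) reports the
# package in the expected state ($2: disabled or enabled).
pm_reply_ok() {
    case "$1" in
        "Package $PKG new state: $2") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if "pm list packages -d" output ($1, one "package:<name>" per line)
# lists the Samsung keyboard, i.e. the disabled state is visible to the system.
listed_as_disabled() {
    printf '%s\n' "$1" | grep -qxF "package:$PKG"
}

# Safety check: $1 is the value of the secure setting default_input_method
# ("<package>/<service>"). Return 0 if it still points at the Samsung keyboard;
# the post's step 3 requires another keyboard to be active before disabling it.
samsung_is_active() {
    case "$1" in
        "$PKG/"*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    active=$(adb shell settings get secure default_input_method | tr -d '\r')
    if samsung_is_active "$active"; then
        echo "Samsung keyboard is still active: switch keyboards first (step 3)" >&2
        return 1
    fi
    reply=$(adb shell su -c "pm disable $PKG" | tr -d '\r')
    pm_reply_ok "$reply" disabled || { echo "unexpected reply: $reply" >&2; return 1; }
    listed_as_disabled "$(adb shell pm list packages -d | tr -d '\r')" \
        || { echo "$PKG not reported as disabled" >&2; return 1; }
    echo "OK: $PKG is disabled and is not the active keyboard"
}

# Only touch the device when explicitly asked; otherwise just define functions.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as “sh disable_samsung_keyboard.sh --apply” (file name is just an example) after the device is connected; re-enabling is the same flow with “pm enable” and the expected state “enabled”.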


That is all. I hope this post will assist you in protecting yourselves from this vulnerability.

Cheers!

Eitan Caspi


Microsoft’s detective

Just over a year ago, when I went through the logs of an IPS located on a dedicated, internal network (not facing the Internet or any external networks), I saw DHCP activity.
Since this is a server-based environment, presumably all hosts should have fixed IP addresses, so any DHCP activity may indicate unauthorized activity on the network, so I looked into the details of the events.

So yes, they were DHCP Discover events, but their details included three disturbing attributes:

First, the MAC addresses were obviously fake and did not belong to any networking vendor. For example, 4d:c8:43:bb:8b:a6 or 45:3b:13:0d:89:0, which returned no match at a MAC-to-vendor lookup site.

Second, the MAC addresses changed every 3 seconds…

Third, the domain name was DETECTIVE… (which of course did not exist on the network in question)

Oops, I thought to myself, there is someone or something bad at work around here…

Immediately I turned to the Internet, and saw that I was neither alone nor the first to encounter this phenomenon and wonder about a possible breach.
I searched Microsoft’s web sites, both the regular and the support sites, but found nothing, neither by these MAC addresses nor by the word DETECTIVE.

I turned to the employee responsible for the VLAN in which the activity occurred, and he said that at the date and time in question he was working on a particular “Windows 2003” based server. I checked the MAC addresses of the server and none of them matched the MAC addresses detected by the IPS, so I investigated the server’s running processes and all the processes that load at boot time, but nothing unusual was found.
As I was unable to take this investigation any further, I filed the case as computerized voodoo and moved on with my work.

But after a month or so, the phenomenon returned, with exactly the same behavior: again the same employee and again a “Windows Server 2003”, but this time on another server.
This time, I said to myself, I am going all the way.

I thoroughly questioned the employee, whom I know as a knowledgeable and responsible person, and he told me that he thinks that in both cases he had used the “Configure Your Server Wizard” of the Windows server.
If so, I said to myself, let’s move up the food chain.

I turned to the integration company that provided our support, with all the relevant links I had found online, but no one there knew anything about this, so I asked to escalate the case to Microsoft Premier Support in Israel, and so it was.

But guess what? The Premier support engineer didn’t really know what to do or what answer to give, although I handed him all of the online references to similar cases and pointed him to the problematic applet. Still, he denied that Windows Server 2003 had any issue and strongly claimed that our network had live malicious code or a sophisticated intruder inside it. He probably did not try to reproduce the case in a lab with a sniffer, or anything close to that.
I demanded that the case be escalated higher up the support chain, abroad, but he refused, and even refused to give his answer in writing.

He did not know who he was messing with… 😉 Since I am known as a nagger who doesn’t rest until he gets to the bottom of things, I turned to “Microsoft Israel” and demanded that the case be escalated to a higher support level, abroad, because something was going on here.
It took them a while and I had to “yell” a bit over email, but eventually they agreed.

And then, at last, enlightenment! Paul from Premier Support in England, who fortunately had access to the source code of all of Microsoft’s products, confirmed in his first reply email that the word “Detective” exists only once in all of MS products’ code, only in the source code of “Windows Server 2003”, in the “Configure Your Server Wizard” applet…
In short, he confirmed my findings and those found on the internet, and said it was the Wizard’s way of locating active DHCP servers on the network: impersonating a client that does not exist, only for the discovery phase.
I explained to him that this method can give information security and network administrators a heart attack, seeing forged MAC addresses appear and change in rapid succession plus a fake domain called DETECTIVE…, and so Microsoft should publish a support knowledge-base article on the subject, so customers receive an “All Clear” signal from the manufacturer itself. He agreed with me and said he would see to it.
Pleasure. That’s support.

I tried to ask for public credit in the coming KB article, as in previous times, but apparently this time I didn’t reach the threshold required for public credit.

So, overall it took MS a few good months, and the first version was too technical and confusing, but in the end they settled on a reasonable version, though not very friendly or relevant to the issue, KB 945948, which appears as the first result if you search Google for the words DETECTIVE and DHCP on the Microsoft support site. So the risk of a heart attack has decreased, and I hope I have saved at least one admin’s life.

I’ve done my part.
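A triage filter for the pattern described in this post (DHCP Discover from rapidly changing forged MACs with the domain name DETECTIVE), run over constructed log lines, as an added example that is not part of the original post. The log line format “<time> DHCPDISCOVER mac=<mac> domain=<name>” and the sample MACs other than the one quoted above are assumptions; it separates the KB 945948 wizard pattern from any other DHCP client on a segment that should be static.

```shell
#!/bin/sh
# Added example, not part of the original post: a triage filter for the
# pattern described above, run over constructed log lines. The log format
# "<time> DHCPDISCOVER mac=<mac> domain=<name>" is an assumption.

# Constructed sample: the DETECTIVE pattern (first MAC is the one quoted in
# the post, the rest are made up, 3 s apart) plus one ordinary client.
SAMPLE_LOG='09:12:01 DHCPDISCOVER mac=4d:c8:43:bb:8b:a6 domain=DETECTIVE
09:12:04 DHCPDISCOVER mac=47:aa:bb:cc:dd:ee domain=DETECTIVE
09:12:07 DHCPDISCOVER mac=49:00:11:22:33:44 domain=DETECTIVE
09:15:30 DHCPDISCOVER mac=00:50:56:aa:bb:cc domain=corp.example'

# An Ethernet source MAC must be unicast, i.e. the I/G bit (lowest bit of the
# first octet) must be clear. An odd second hex digit means the bit is set, so
# the address is forged, which is why a vendor lookup on it finds nothing.
is_bogus_mac() {
    printf '%s' "$1" | grep -Eqi '^[0-9a-f][13579bdf](:[0-9a-f]{2}){5}$'
}

# Verdict for one domain name ($2) seen in the log ($1):
#   KB945948    - domain DETECTIVE and every source MAC bogus: matches the
#                 Windows Server 2003 "Configure Your Server Wizard" DHCP probe
#                 documented in KB 945948; still confirm with the VLAN owner
#                 that the wizard was run at that time, as the post does.
#   INVESTIGATE - any other DHCPDISCOVER on a segment that should be static.
classify_domain() {
    log="$1"; dom="$2"; total=0; bogus=0
    for mac in $(printf '%s\n' "$log" | awk -v key="domain=$dom" \
            '$2=="DHCPDISCOVER" && $4==key {sub("mac=","",$3); print $3}'); do
        total=$((total+1))
        if is_bogus_mac "$mac"; then bogus=$((bogus+1)); fi
    done
    if [ "$dom" = "DETECTIVE" ] && [ "$total" -gt 0 ] && [ "$bogus" -eq "$total" ]; then
        echo KB945948
    else
        echo INVESTIGATE
    fi
}

# Print "<domain> <verdict>" for every domain that sent DHCPDISCOVER.
triage_dhcp_log() {
    for dom in $(printf '%s\n' "$1" | awk '$2=="DHCPDISCOVER" {sub("domain=","",$4); print $4}' | sort -u); do
        echo "$dom $(classify_domain "$1" "$dom")"
    done
}

triage_dhcp_log "$SAMPLE_LOG"
```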

(This post is a translation of a post from my Hebrew information security blog, from 10-August-2008)