-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 KL-001-2020-001 : Cellebrite Hardcoded ADB Authentication Keys Title: Cellebrite Hardcoded ADB Authentication Keys Advisory ID: KL-001-2020-001 Publication Date: 2020.04.13 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2020-001.txt 1. Vulnerability Details Affected Vendor: Cellebrite Affected Product: UFED Affected Version: 5.0 - 7.29 Platform: Embedded Windows CWE Classification: CWE-321: Use of hardcoded cryptographic keys CVE ID: CVE-2020-11723 2. Vulnerability Description Cellebrite UFED uses four hardcoded RSA private keys to authenticate to the ADB daemon on target devices. Extracted keys can be used to place evidence onto target devices when performing a forensic extraction. 3. Technical Description The AndroidLib.dll file will be found in the Program Files directory at the following path: C:\Program Files\Cellebrite Mobile Synchronization\UFED Touch\AndroidLib.dll This file contains the code used to authenticate to the ADB daemon on devices to be forensically imaged. This library relies on the CryptImportKey function to import a private key for use during this operation. The bytes used to repsent the key are hardcoded into the AndroidLib.dll file. This file may be protected by Themida but can be recovered through deobfuscation techniques. The CryptImportKey function uses a private key structure called: MS PRIVATEKEYBLOB. Keys that are following this format can be found by searching for "RSA2" as US-ASCII values inside of the AndroidLib.dll file. There are three keys available between the versions 5.0 and 7.1. 0x6c598 952 ?PrivateKey1@ADBAuth@@0QBEB Ordinal_952 XREF[2]: Entry Point(*), 100867b4(*) ?PrivateKey1@ADBAuth@@0QBEB 1006c598 07 ?? 07h 1006c599 02 ?? 02h 1006c59a 00 ?? 00h 1006c59b 00 ?? 00h 1006c59c 00 ?? 00h 1006c59d a4 ?? A4h 1006c59e 00 ?? 00h 1006c59f 00 ?? 00h 1006c5a0 52 ?? 52h R 1006c5a1 53 ?? 53h S 1006c5a2 41 ?? 41h A 1006c5a3 32 ?? 32h 2 ... 0x6ca30 953 ?PrivateKey2@ADBAuth@@0QBEB Ordinal_953 XREF[2]: Entry Point(*), 100867b8(*) ?PrivateKey2@ADBAuth@@0QBEB 1006ca30 07 ?? 07h 1006ca31 02 ?? 02h 1006ca32 00 ?? 00h 1006ca33 00 ?? 00h 1006ca34 00 ?? 00h 1006ca35 a4 ?? A4h 1006ca36 00 ?? 00h 1006ca37 00 ?? 00h 1006ca38 52 ?? 52h R 1006ca39 53 ?? 53h S 1006ca3a 41 ?? 41h A 1006ca3b 32 ?? 32h 2 ... 0x6cec8 954 ?PrivateKey3@ADBAuth@@0QBEB Ordinal_954 XREF[2]: Entry Point(*), 100867bc(*) ?PrivateKey3@ADBAuth@@0QBEB 1006cec8 07 ?? 07h 1006cec9 02 ?? 02h 1006ceca 00 ?? 00h 1006cecb 00 ?? 00h 1006cecc 00 ?? 00h 1006cecd a4 ?? A4h 1006cece 00 ?? 00h 1006cecf 00 ?? 00h 1006ced0 52 ?? 52h R 1006ced1 53 ?? 53h S 1006ced2 41 ?? 41h A 1006ced3 32 ?? 32h 2 ... A fourth key can be found within the KnockoutNG EPR file but exists in the normally used PEM format: 00000000 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 |-----BEGIN RSA P| 00000010 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a |RIVATE KEY-----.| 00000020 4d 49 49 45 70 51 49 42 41 41 4b 43 41 51 45 41 |MIIEpQIBAAKCAQEA| 00000030 75 74 72 41 62 39 37 43 74 4e 6e 6d 2b 57 53 5a |utrAb97CtNnm+WSZ| 00000040 7a 52 6b 2b 53 61 6c 50 32 6c 68 47 48 62 37 35 |zRk+SalP2lhGHb75| ... Once extracted, the keys can be converted into PEM using the openssl binary and are then available for use by the stock android adb client. $ ls -la total 36 drwxr-xr-x 1 level level 346 Oct 19 07:04 . drwxr-xr-x 1 level level 2842 Oct 13 09:32 .. -rw------- 1 level level 1671 Sep 10 06:56 cellebrite_adb_key1 -rw-r--r-- 1 level level 717 Sep 10 06:56 cellebrite_adb_key1.pub -rw------- 1 level level 1679 Sep 10 06:55 cellebrite_adb_key2 -rw-r--r-- 1 level level 717 Sep 10 06:56 cellebrite_adb_key2.pub -r--r--r-- 1 level level 1736 Oct 13 09:26 cellebrite_adb_key3 -r--r--r-- 1 level level 717 Oct 13 09:26 cellebrite_adb_key3.pub -rw------- 1 level level 1679 Oct 18 15:44 cellebrite_adb_key4 -rw-r--r-- 1 level level 451 Oct 18 15:46 cellebrite_adb_key4.pub 4. Mitigation and Remediation Recommendation The vendor has addressed this vulnerability in UFED v7.30 update released March 3, 2020. Licensed users should update via the MyCellebrite Portal. Release notes can be found at: https://www.cellebrite.com/en/productupdates/ufed-and-ufed-infield-7-30-provides-new-support-for-smartphones-with-huawei-kirin-processor/ 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. 6. Disclosure Timeline 2019.12.12 - KoreLogic submits vulnerability details to Cellebrite. 2019.12.12 - Cellebrite acknowledges receipt. 2020.01.29 - Cellebrite informs KoreLogic that a remediation will be implemented in the next scheduled release and asks for coordinated disclosure following subsequent customer updates. KoreLogic agrees. 2020.03.03 - Cellebrite releases UFED v7.30. 2020.03.04 - Cellebrite asks for disclosure to remain embargoed for 2-4 weeks for existing customers to upgrade. KoreLogic agrees. 2020.04.08 - CVE requested from MITRE. 2020.04.12 - MITRE assigns CVE-2020-11723. 2020.04.13 - KoreLogic public disclosure. 7. Proof of Concept See section 3. Technical Description. The contents of this advisory are copyright(c) 2020 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt -----BEGIN PGP SIGNATURE----- iQJOBAEBCAA4FiEETtzSIGy8wE6Vn0geUk0uR1lFz/MFAl6Ux58aHGRpc2Nsb3N1 cmVzQGtvcmVsb2dpYy5jb20ACgkQUk0uR1lFz/P7iRAAk250Ec6Aa+YcNTprcrfR RK1KXSv9h1Lqu0Y6Syuj/w+eGR10Glols+AteGE75acy+CjkdE2A9oPOoq/jV+1i osV04qMZTxpKBnWj4SPZvTTjsNv4JPl15TicJ9C0FMxkgGvMoJ4vJeo4C2lFfjlE 6cCt9fcMX28VVT6hPLxzuRWj5KNdEaEz4eBrQUxw8KKdtvPb0GrZE0CPMMcqGnaP 2neCkdKFB5k4KWVrqfB0qdcMJE9R/IZ84tQif7ndPy333YrBsR04UwzHby+gLCtb 6xPIaqI8cv2oiwTBq8gnJk9PSPdUil4cyZFoOUb0wLVOc5E5aYbayUvF/hukjp9w cBVPpn8IXEv1V3tQI1qZDa3m+GXTmZL3sF5pgJ1vooZYyFFg2t6mu7V2um57wOr8 MFkrjBWkAw4gfHL+NmzA/SPa/K2lSV2bUur0CIAYS9m/zOZowvQgM4YsibjAP7Oe WzC9DiBZdMZyY+oTkfUUrzSW3flrOR720XsPwPPMzHofiyxIt6+hfnCpyHdIhmC3 1oaVSDICgmkyfFi55wXLgF8llv1cBSweAMq/6Uuo0zgn3nh8bN4BtyTk56VMwVTR iSS/ZUEHhDBFg9uuLK+xytCME8YkINXPraHKmBGTNsgj1cbbre2L/tKXVkPF1DNz rH57mgRkT0BHxndoQbWn4Y4= =9uvp -----END PGP SIGNATURE-----