CVE-2015-1574 - Google Email App 4.2.2 remote denial of service

Authors: Hector Marco & Ismael Ripoll
CVE: CVE-2015-1574
Dates: 19 Jan 2015 - Public disclosure


Description

[Screenshots: "Receiving the email" and "The App. is closed"]

A bug has been found in the stock Google email application, version 4.2.2.0200. An attacker can remotely perform a denial-of-service attack by sending a specially crafted email. No interaction from the user is needed to produce the crash beyond receiving the malicious email.

When the victim receives the malicious email, the application crashes while trying to download it. Any attempt to reopen the email application triggers the crash again before the user can do anything. The email application cannot be used until the offending email is removed.

Since the application crashes immediately, removing the malicious email is a little tricky. The easiest and most straightforward way to remove it is to use another email client (or the web interface) to delete it from the inbox on the email server. Another way is to disable the internet connection (Airplane mode) before launching the email reader; the offending email can then be removed.

Note that this is a workaround and does not prevent the attack. Attackers can send as many such emails as they want, leaving the folder containing the malicious email unusable until it is removed.

Affected Email versions

We have found the bug in email version 4.2.2.0200 running on a fully updated (19 Jan 2015) Samsung Galaxy 4 mini. Newer versions (4.2.2.0400) are not affected.

Impact

The affected email application is the stock email application from Google, which is present in the official versions of Android. Since the vulnerable version is the one shipped on a popular mobile device, there may be a large number of affected users.

The bug

The bug appears because of incorrect handling of the Content-Disposition header: a malformed Content-Disposition header causes the crash. The malformed header which produces the crash is:

Content-Disposition: ;

According to RFC 2183, this header is missing the required disposition type and its parameters. A correct header looks like:

Content-Disposition: attachment; filename=genome.jpeg;

The source code of the Google Email Application can be found at: Google Email App Git repository.
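As an added example (not part of the advisory and not the application's own source), the following Python code shows the defensive side of the bug: a strict RFC 2183 Content-Disposition parser that rejects the bare ";" header with an error instead of crashing, and a scanner that walks a raw MIME message and flags every part carrying such a header, which a mail gateway could use to quarantine the message before a vulnerable client fetches it. The sample message is constructed for the example.

```python
import email
import re
from email import policy

# RFC 2045 "token": printable ASCII except space, controls and tspecials.
_TOKEN = r"[!#$%&'*+\-.0-9A-Z^_`a-z{|}~]+"
_TOKEN_RE = re.compile("^" + _TOKEN + "$")
# RFC 2183 parameter: attribute=token or attribute="quoted-string"
_PARAM_RE = re.compile(
    "^(" + _TOKEN + ")=(?:(" + _TOKEN + r')|"((?:[^"\\]|\\.)*)")$')


def parse_content_disposition(value):
    """Strict RFC 2183 parse -> (disposition_type, {param: value}); raises
    ValueError on any grammar violation instead of crashing on e.g. ';'."""
    parts = [p.strip() for p in value.split(";")]
    if parts and parts[-1] == "":
        parts.pop()  # tolerate a trailing ';' as in 'filename=genome.jpeg;'
    if not parts or not _TOKEN_RE.match(parts[0]):
        raise ValueError("missing or invalid disposition type: %r" % value)
    params = {}
    for param in parts[1:]:
        m = _PARAM_RE.match(param)
        if m is None:
            raise ValueError("malformed parameter: %r" % param)
        name, token, quoted = m.groups()
        params[name.lower()] = token if token is not None else quoted
    return parts[0].lower(), params


def find_malformed_dispositions(raw_message):
    """Return (part index, header value, reason) for every MIME part whose
    Content-Disposition fails strict parsing; usable as a gateway filter."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    findings = []
    for idx, part in enumerate(msg.walk()):
        for value in part.get_all("Content-Disposition", []):
            try:
                parse_content_disposition(str(value))
            except ValueError as exc:
                findings.append((idx, str(value).strip(), str(exc)))
    return findings


# Constructed sample message (not from the advisory); part 2 is malformed.
SAMPLE_MESSAGE = (
    'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n--b1\r\n"
    "Content-Type: image/jpeg\r\nContent-Disposition: ;\r\n\r\nx\r\n--b1--\r\n"
)
```

Running find_malformed_dispositions(SAMPLE_MESSAGE) yields one finding for part 2 with the header value ";" and the reason "missing or invalid disposition type".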

Exploit

To successfully exploit this vulnerability, the attacker only needs to send the victim an email with an empty Content-Disposition header followed by a semicolon.

I have written a simple Python script which sends the crafted email to a target email user.

Email Android Google 4.2.2.0200 crasher
=======================================
Author:  Hector Marco 
Website: http://hmarco.org

$ ./crash_Android_Google_email_4.2.2.0200.py -s sender@email.com -r receiver@email.com
[+] Sending crafted message to: receiver@email.com
[+] Malicious email successfully sent.

Exploit: [crash_Android_Google_email_4.2.2.0200.py]

FIX

The straightforward way to fix this issue is to update the Android email application to 4.2.2.0400 or higher. Unfortunately this is not possible in all cases. For instance, a current, fully updated (17 Jan 2015) Samsung Galaxy 4 mini is vulnerable to this attack, and no version higher than 4.2.2.0200 is offered after updating the system through "Software updates".

Non-official Android ROMs or manual updates are possible, but in some cases they require root privileges on the device, which in most cases voids the device's warranty.



Hector Marco - http://hmarco.org