termux / termux-app

Termux - a terminal emulator application for Android OS extendible by variety of packages.
https://f-droid.org/en/packages/com.termux

[NOTICE] 2022-02-15 Termux Apps Vulnerability Disclosures #2595

Open agnostic-apollo opened 2 years ago

agnostic-apollo commented 2 years ago

This is a vulnerability report for termux-app, termux-tasker and termux-widget being released on 2022-02-15. Users are advised to immediately update to Termux v0.118.0, Termux:Tasker v0.5 and Termux:Widget v0.13.0 if they are using any older version.

All private files like security keys for ssh or encryption keys should be assumed to be compromised for users who were using termux app version <= v0.117. It is highly advisable to replace any such keys with new ones and look into any suspicious authorized access on any remote servers being connected to from termux.

People who are still using the Google Playstore version are advised to immediately shift to F-Droid or Github releases since updates will not be released on Google Playstore any time soon, if ever, due to Android 10 issues. Playstore builds were deprecated more than ~150 days ago and are no longer supported. Check https://github.com/termux/termux-app#installation for more info on where to install/update the Termux app.

https://termux.github.io/general/2022/02/15/termux-apps-vulnerability-disclosures.html

Riders004 commented 1 year ago

I'm using 0.119.1 🤣🤣

sylirre commented 1 year ago

I'm using 0.119.1

v0.119 was never released. The build floating around the Internet with such a version is a fake app.

The official distribution sources are:

Termux is open source. Everyone can make and publish their own Termux apps with different features, and these can potentially include malicious functionality. We can't control usage of the words "Termux" and "official", so everyone can claim that their app is "official Termux" while really it is nothing more than a fake release.

We are not responsible for, and do not support, derivatives made by other users. Therefore we require everyone to use our F-Droid or GitHub builds, unless users know what they are doing and the possible consequences.

Riders004 commented 1 year ago

Actually, I don't know whether I have a fake Termux or the real one. I downloaded Termux from the Termux App Release, which was 100 MB or more in size. 6 to 8 months ago I updated the F-Droid version, which at that time was version 0.118, and I installed some packages and updated Termux with apt update && apt upgrade.

After some time I checked and it had turned into 0.119.1. Actually, I suddenly noticed my Termux keys had turned red when I turned it on, so I checked my Termux application version and found it was 0.119.1, so I don't know whether it's a fake or real Termux application.

@agnostic-apollo @sylirre

sylirre commented 1 year ago

Application version can't be changed on its own.

v0.119.1 was never released, the older version 0.119.0 was never released too. You probably accidentally installed something unknown such as https://apkcombo.com/termux/com.termux/old-versions/0.119.1/.

As of now, the latest Git (bleeding-edge) version is 0.118: https://github.com/termux/termux-app/blob/eef5ac43a72f6391a5360a7c1f123e97dee85182/app/build.gradle#L44-L45. The version information is hardcoded into the APK file, which is signed and becomes read-only after installation.

Again, never ever download Termux outside of F-Droid or our (!!!) GitHub page.

Some of the fake Termux apps:

The list is not complete and shows that lots of third-party application stores are not trustworthy.

Note: by "fake" Termux I mean the real Termux app that was compiled (modified + compiled) by an unknown person.

One more thing: they used our test/debug signature key for making the fake release. I've compared the certificate fingerprint with ours and it is basically the same:

~/Download/D $ tail -n 3 com.termux-0.119.1-free/apktool.yml 
versionInfo:
  versionCode: '119'
  versionName: 0.119.1
~/Download/D $ openssl pkcs7 -print_certs -inform der -outform pem -out cert.pem -in com.termux-0.119.1-free/original/META-INF/CERT.RSA
~/Download/D $ openssl x509 -fingerprint -in cert.pem -noout
SHA1 Fingerprint=51:79:55:EA:BF:69:FC:05:7C:41:C7:D3:79:DB:BC:EF:20:AD:85:F2
~/Download/D $ 
~/Download/D $ keytool -list -v -storepass xrj45yWGLbsO7W0v -keystore ~/Development/Termux/termux-app/app/testkey_untrusted.jks |& grep SHA1:
         SHA1: 51:79:55:EA:BF:69:FC:05:7C:41:C7:D3:79:DB:BC:EF:20:AD:85:F2

As we publish our test key for use by contributors, everyone can use it for making builds compatible at the signature level with our debug builds. So basically you can install a fake Termux app over the real one as a version upgrade. This security issue is mentioned in the project README and we advise extra caution for users who use Termux from GitHub.

https://github.com/termux/termux-app#github:

Security warning: APK files on GitHub are signed with a test key that has been shared with the community. This IS NOT an official developer key and everyone can use it to generate releases for their own testing. Be very careful when using Termux GitHub builds obtained anywhere other than https://github.com/termux/termux-app. Everyone is able to use it to forge a malicious Termux update installable over the GitHub build. Think twice about installing Termux builds distributed via Telegram or other social media. If your device gets caught by malware, we will not be able to help you.
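The check sylirre performs above by hand (pull the PKCS#7 blob out of META-INF/CERT.RSA, extract the certificate, hash it, compare with the known test-key fingerprint) can be scripted. The following is an added example, not code from the thread or from the Termux project: it uses only the Python standard library, walks the DER of a v1 (JAR) signature to the embedded certificate, and classifies the signer. The test-key SHA-1 fingerprint is the one printed in the comment above; the TRUSTED_SHA256 set is an assumption you must fill from a source you trust out-of-band (none appears in the thread). The APK it runs on is constructed in memory with a stand-in certificate, so the script runs offline; point check_apk at a real file's bytes to use it for real.

```python
"""Classify an APK's v1 (JAR) signer certificate by fingerprint, stdlib only.
The versionName is a string anyone can set; the signing certificate is what
Android checks before accepting an upgrade, so that is what we compare."""
import hashlib
import io
import zipfile

# From the thread: SHA-1 fingerprint of Termux's shared testkey_untrusted.jks.
TERMUX_TEST_KEY_SHA1 = "51:79:55:EA:BF:69:FC:05:7C:41:C7:D3:79:DB:BC:EF:20:AD:85:F2"
# Assumption: SHA-256 fingerprint(s) obtained out-of-band for the build source
# you trust (e.g. F-Droid's signed index). Empty here: none appears in the thread.
TRUSTED_SHA256 = set()
SIGNED_DATA_OID = bytes.fromhex("06092A864886F70D010702")  # 1.2.840.113549.1.7.2

def der_read(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated header or unsupported high tag number")
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("indefinite or oversized DER length")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    if pos + hdr + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, pos + hdr, pos + hdr + length

def der_children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start) for each TLV in a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = der_read(buf, pos)
        yield tag, vs, ve, pos
        pos = ve

def pkcs7_certificates(blob):
    """Return the DER bytes of each Certificate in a PKCS#7 signedData ContentInfo."""
    tag, s, e = der_read(blob, 0)                       # ContentInfo ::= SEQUENCE
    kids = list(der_children(blob, s, e)) if tag == 0x30 else []
    if len(kids) < 2 or blob[kids[0][3]:kids[0][2]] != SIGNED_DATA_OID or kids[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    _, sd_s, sd_e, _ = next(der_children(blob, kids[1][1], kids[1][2]))  # SignedData SEQUENCE
    certs = []
    for tag, vs, ve, _ in der_children(blob, sd_s, sd_e):
        if tag == 0xA0:                                 # certificates [0] IMPLICIT SET OF Certificate
            for ctag, _, cve, cstart in der_children(blob, vs, ve):
                if ctag == 0x30:
                    certs.append(blob[cstart:cve])      # whole TLV, which is what openssl/keytool hash
    return certs

def fingerprint(cert_der, algo="sha256"):
    """Colon-separated uppercase hex digest of the certificate DER, as openssl/keytool print it."""
    hexd = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def classify(sha1, sha256):
    if sha256 in TRUSTED_SHA256:
        return "trusted"
    if sha1 == TERMUX_TEST_KEY_SHA1:
        return "shared-test-key"   # installs over a GitHub build, but anyone can produce it
    return "unknown"

def check_apk(apk_bytes):
    """Return [(signature file, sha1, sha256, verdict)] for every v1 signer cert in the APK."""
    results = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7_certificates(z.read(name)):
                    sha1, sha256 = fingerprint(cert, "sha1"), fingerprint(cert, "sha256")
                    results.append((name, sha1, sha256, classify(sha1, sha256)))
    return results

# Constructed sample input below: not a real APK and not a real certificate.
def der_tlv(tag, value):
    """Minimal DER encoder, used only to build the sample."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

# Stand-in "certificate": any DER SEQUENCE, made longer than 127 bytes to exercise long-form lengths.
SAMPLE_CERT = der_tlv(0x30, der_tlv(0x13, b"constructed stand-in certificate, not a real X.509 cert " * 3))

def build_constructed_apk(cert_der):
    """Zip with META-INF/CERT.RSA holding a minimal SignedData that carries cert_der."""
    signed_data = der_tlv(0x30, der_tlv(0x02, b"\x01")                             # version
                          + der_tlv(0x31, b"")                                      # digestAlgorithms
                          + der_tlv(0x30, bytes.fromhex("06092A864886F70D010701"))  # contentInfo: id-data
                          + der_tlv(0xA0, cert_der)                                 # certificates [0]
                          + der_tlv(0x31, b""))                                     # signerInfos
    content_info = der_tlv(0x30, SIGNED_DATA_OID + der_tlv(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", content_info)
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()
```

Two caveats when using this on real files. It only reads the v1 JAR signature; APKs built for Android 7+ usually also carry v2/v3 signatures in the APK Signing Block, which is what the platform actually verifies when present, so `apksigner verify --print-certs` remains the authoritative tool and this script is a stdlib fallback. And a match against TERMUX_TEST_KEY_SHA1 is a negative signal only: it tells you the APK can be installed over a GitHub build, not who built it. Compare the SHA-256 against a fingerprint you got from the distribution source itself, never from the APK you are checking.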

Riders004 commented 1 year ago

I don't know what's wrong with it. Btw, can we change the version of Termux?