Multiple Samsung (Android) Application Vulnerabilities - MWR Labs [PDF]

Download PDF
4 downloads 198 Views 576KB Size Report
Comment
PUBLIC. © MWR InfoSecurity. 1 of 10. Multiple Samsung (Android). Application Vulnerabilities. MWR InfoSecurity Advisory. 13/12/2011. Package Name. Multiple ...
PUBLIC

Multiple Samsung (Android) Application Vulnerabilities MWR InfoSecurity Advisory 13/12/2011

Package Name

Multiple pre-installed Samsung applications

Date

13th December 2011 Samsung Galaxy S2 (I9100XWKI4) – Android 2.3.4 Other models running these applications may be affected

Affected Versions CVE Reference

Severity

None Tyrone Erasmus Mike Auty (Channels SQLi) High Risk

Local/Remote

Local

Vulnerability Class

Android Content Providers

Vendor

Samsung Vendor updated all vulnerable software and firmware releases after 13th March 2012 contain the fixes.

Authors

Vendor Response

Description Many Samsung applications are pre-installed by default on Samsung Android devices and these applications cannot be removed by the user. Some of these applications make use of content providers which are implicitly exported by default. This results in these content providers allowing other applications on the device to request sensitive information and successfully obtain it. This is cause for concern as any 3rd party application containing malicious code does not require any granted permissions in order to obtain sensitive information from these applications. It should be noted that only applications disclosing potentially sensitive information are being reported on in this document. The following applications allow the retrieval of sensitive information from their content providers without any granted permissions:

© MWR InfoSecurity

Package

Obtainable Information

Version

com.seven.z7 (Social Hub)

Email address Email password Email contents Instant messages

7.52.10101

com.sec.android.socialhub (Social Hub)

Social networking messages

2.00.00001

1 of 10

PUBLIC

com.sec.android.im (IM)

Instant messages IM contacts

1.00.10201

com.android.providers.telephony (Dialer Storage)

SMS

2.3.4

com.sec.android.provider.logsprovider (LogsProvider)

SMS Email contents Instant messages Social networking messages Call logs

1.0

com.sec.android.widgetapp.weatherclock (AccuWeather.com)

Location

11.06.27.01

com.sec.android.app.minidiary (MiniDiary)

Notes Photo GPS coordinates

1.0

com.sec.android.app.memo (Memo)

Notes

1.0

com.sec.android.widgetapp.postit (Minipaper)

Notes

1.0

com.osp.app.signin (Samsung account)

Encrypted account information

1.0

com.android.providers.settings (Settings Storage)

Portable Wi-Fi hotspot credentials

2.3.4

Impact Malicious applications installed on the same device as the vulnerable applications could steal sensitive information from the user and transmit it back to the attacker.

Cause These vulnerabilities are present because insufficient security permissions are set on the content provider section in each of the vulnerable application’s AndroidManifest.xml file. © MWR InfoSecurity

2 of 10

PUBLIC

Interim Workaround Avoid using the vulnerable applications if you do not have access to the firmware update. To clear information stored in these applications go to Settings->Applications->Manage Applications and press “Clear data”.

Solution In the AndroidManifest.xml file of each application that contains a content provider, it was recommended that read and write permissions are set. An example is shown below: