EvilZone

Hacking and Security => Mobile Hacking

: Android < 5.0 SMS & SQL injection vulnerabilities
: Polyphony November 26, 2014, 03:51:29 PM
So I'm not sure who all is subscribed to the fulldisclosure@seclists.org mailing list, but I definitely recommend it (warning, it's pretty active and you *will* receive a ton of emails)

Anyways, I know some of you are interested in Android development and this particular vulnerability lets a malicious application developer send SMS without user interaction and without the messaging privileges needed for normal SMS applications.  The bug was fixed in Android > 5.0 but that's definitely not the majority (they're pretty sure it has to be Android >= 4.0 too). Link: http://xteam.baidu.com/?p=164

Also, there was another vulnerability, an SQL injection in WAPPushManager, that affects Android < 5.0.  Link: http://xteam.baidu.com/?p=167

The SQL injection actually allows a remote attacker to start any arbitrary activity or service (with permission check).  Useful, but since you have to get the user's permission I'm not exactly sure how effective this will be, but it's definitely interesting to see the PoC.

So I guess this post was a half-endorsement for that seclists.org mailing list and some interesting links to some pretty cool Android exploits.  I stopped messing with Android dev a while back, but I might download Eclipse (ugh) and start up an Android emulator just to mess with this bug.   :D


EDIT: Oops, I haven't posted in a while and I forgot we had an Android board, if you could move it over there that would be cool, I apologize for the derpness
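For readers who want to see the shape of the WAPPushManager-style bug rather than just the link, here is an added example (not code from the post, not the Android or xteam code): a lookup that maps an application id taken from an incoming message to the component that should handle it, written once with string concatenation and once with a bound parameter. The post does not say where the injected string enters WAPPushManager, so the `wap_push` table, its columns, the sample rows and the "app id comes from the message" input are all assumptions made for illustration. Run it with Python 3; it uses only the standard library.

```python
import sqlite3

# Constructed sample registry for illustration only: maps a WAP-push
# application id (as carried in an incoming WAP push message) to the
# component that should be started for it. The table and column names
# are assumptions, not the real WAPPushManager schema.
SAMPLE_ROWS = [
    ("x-wap-application:wml.ua", "com.example.browser",
     "com.example.browser.WapPushService"),
    ("x-wap-application:push.sia", "com.example.sia",
     "com.example.sia.SiaReceiver"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed registry."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wap_push (app_id TEXT, package_name TEXT, class_name TEXT)"
    )
    conn.executemany("INSERT INTO wap_push VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, app_id):
    """Vulnerable pattern: the message-supplied app_id is concatenated into
    the SQL text, so it can rewrite the query. A rawQuery() built by string
    concatenation on Android has exactly this shape."""
    sql = ("SELECT package_name, class_name FROM wap_push "
           "WHERE app_id = '" + app_id + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, app_id):
    """Hardened form: the value is bound as a parameter and is only ever
    compared against app_id, never parsed as SQL."""
    sql = "SELECT package_name, class_name FROM wap_push WHERE app_id = ?"
    return conn.execute(sql, (app_id,)).fetchall()


# Attacker-chosen app_id (constructed). The quote closes the string literal,
# UNION appends a row the attacker controls, and "--" comments out the
# trailing quote, so the lookup "finds" a component the attacker named.
INJECTED_APP_ID = (
    "nope' UNION SELECT 'com.attacker.app', 'com.attacker.app.Payload' -- "
)


def demo():
    """Run both lookups against the same injected input plus a legitimate one."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, INJECTED_APP_ID),
        "parameterized": lookup_parameterized(conn, INJECTED_APP_ID),
        "legit": lookup_parameterized(conn, "x-wap-application:wml.ua"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated query returns the attacker's package/class pair, which is the "start an arbitrary activity or service" outcome the post describes; the bound-parameter query returns nothing for the same input. On Android the equivalent of the bound form is passing the value in the `selectionArgs` array of `SQLiteDatabase.query()` or `rawQuery()` instead of building the SQL string yourself. As the post notes, whatever component gets named still goes through the permission check when it is started, so this is about choosing the target, not bypassing that check.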
: Re: Android < 5.0 SMS & SQL injection vulnerabilities
: Xires November 26, 2014, 07:16:00 PM
Interesting information.  Seclists.org can indeed fill an email box pretty quickly.  The RSS feeds aren't much better unless you're using a filtering aggregator.

Concerning the listed vulns; these both sound like something that's pretty easily patchable.  I'll be interested to see how long it takes for carriers and/or manufacturers to push out an update.  It looks like the SQLi was reported over a month ago and the SMS vuln was reported 2 months ago.  Clock's ticking.

As for Android dev, you don't have to use Eclipse anymore.  Android Studio is based on IntelliJ CE and I've found it far easier to work with.  I also dislike having to use Eclipse if I can avoid it.  IntelliJ has proven to be a bit faster for me as well.
: Re: Android < 5.0 SMS & SQL injection vulnerabilities
: naenae December 11, 2014, 12:45:12 PM
thanks for the info