CVE-2014-N/A com.android.contactsDate: 2014-07-04 11:46:39
This bug is similar to CVE-2013-6272 but is only exploitable on older Android versions. The bug exists in the component com.android.contacts.
Authors: Marco Lux, Pedro Umbelino
This bug is not related to CVE-2013-6272 but has the same result. Reading the source code it probably exists at least from version 1.5. However we have only tested with SDK 10.
The Bug was corrected in version 3.0, SDK 11. Still, we would be interested in feedback by people testing the supplied exploitation techniques with their testdevices.
The bug is located in src/com/android/contacts/ContactsListActivity.java. Like in CVE-2013-6272, this activity is exported when it probably should not.
When this activity is created it parses the Intent for which it has been called:
This basically means we can fool the activity into thinking we clicked on the dial number of a search suggestion and make it call any number we want since the number comes from intent.getData(). This also works for MMI and USSD codes (those that would normally require the user to press the SEND button after the code, android secret codes don't work nor *#06# to see the IMEI for example).
In conclusion this bug can be exploited as CVE-2013-6272, but it has a different codebase.
For the audience to play, test and execute the vulnerability we provide the following tools:
- Test application “CRT-Kolme” (includes CVE-2013-6271, CVE-2013-6272 and CVE-2014-NA)
- Exploits to use with drozer
- Manual drozer testing commandlines
You can download “Curesec Research Team – Kolme (Callmeh)” at
Source Code: https://www.curesec.com/data/CRT-Kolme.7z
After installation just click on the Curesec Logo and the testscreen will appear:
Choose the SDK you want to test. If your phone is vulnerable, it will call the number 31337:
Exploits for drozer
Drozer Commandline Foo
Call any number:
In order to make the codes work, you can use the following command:
The usual # symbol for the MMI codes has to be replaced by %23 to work properly.
FAQ1. Why is this a bug?
Android normally has to grant permission so that your applications can conduct actions. If your installed application does not own the right to do a phone call, the Android OS should throw a permission denied.
However this bug is circumventing the situation and allows any malicous app to do a phone call, send mmi or ussd codes or hangup an ongoing call.2. Is there an app to test this issue on my phone?
You can use the APK we published. You will find details in the next sections.3. How would an attacker abuse this?
This bug can be abused by a malicious application. Take a simple game which is coming with this code. The game wont ask you for extra permissions to do a phone call to a toll number, however it is able to do it.
This is normally not possible without giving the app this special permission. But not only might it be disturbing or expensive for someone to call a toll number or getting ongoing calls hung up. It is also possible to send USSD or MMI codes.
The list of USSD/MMI codes is long and there are several quite powerful ones like changing the flow of phone calls(forwarding), blocking your simcard, enable or disable caller anonymisation and so on.
Please note that Curesec GmbH is not responsible for any damage your device might suffer while you try to execute such codes.4. Are tools which revoke permissions from apps blocking this attack?
No. As the app does not have the permission but is abusing a bug, such apps cannot easily protect you from this without the knowledge that this bug exists in another class on the system.5. How can I contact you?
|10/24/2013||Initial Report of CVE-2013-6272 by Curesec||Curesec|
|10/24/2013||Forwarded to the dedicated Team by Google|
|11/11/2013||Engineers working on the issue|
|17/01/2014||Engineers still working on the issue|
|23/01/2014||Issue is reported to be patched and integrated the next two weeks.|
|6/5/2014||Request if the issue is resolved now. No response yet.||Curesec|
|4/7/2014||Public Disclosure of CVE-2013-6272 and CVE-2014-N/A||Curesec|
DownloadsCRT-Kolme.apk (test application)
CRT-Kolme.7z (source code)
dz_exploit (exploit archive cve-2013-6271, cve-2013-6272 and cve-2014-n/a)