63 lines
2.7 KiB
Plaintext
63 lines
2.7 KiB
Plaintext
=== What is the potential impact?
|
|
|
|
An affected component that forwards a malicious externally provided intent does so using the vulnerable application's context. In particular, the new component is created with the same permissions as the application and without limitations on what feature can be reached.
|
|
|
|
Therefore, an attacker exploiting an intent redirection vulnerability could
|
|
manage to access a private application's components. Depending on the features
|
|
privately exposed, this can lead to further exploitations, sensitive data
|
|
disclosure, or even persistent code execution.
|
|
|
|
==== Information disclosure
|
|
|
|
An attacker can use the affected feature as a gateway to access other components
|
|
of the vulnerable application, even if they are not exported. This includes
|
|
features that handle sensitive information.
|
|
|
|
Therefore, by crafting a malicious intent and submitting it to the vulnerable
|
|
redirecting component, an attacker can retrieve most data exposed by private
|
|
features. This affects the confidentiality of information that is not
|
|
protected by an additional security mechanism, such as an encryption algorithm.
|
|
|
|
==== Attack surface increase
|
|
|
|
Because the attacker can access most components of the application, they can
|
|
identify and exploit other vulnerabilities that would be present in them. The
|
|
actual impact depends on the nested vulnerability. Exploitation probability
|
|
depends on the in-depth security level of the application.
|
|
|
|
==== Privilege escalation
|
|
|
|
If the vulnerable application has privileges on the underlying devices, an
|
|
attacker exploiting the redirection issue might take advantage of them. For
|
|
example by crafting a malicious intent action, the attacker could be able to
|
|
pass phone calls on behalf of the entitled application.
|
|
|
|
This can lead to various attack scenarios depending on the exploited
|
|
permissions.
|
|
|
|
==== Persistent code execution
|
|
|
|
A lot of applications rely on dynamic code loading to implement a variety of
|
|
features, such as:
|
|
|
|
* Minor feature updates.
|
|
* Application package size reduction.
|
|
* DRM or other code protection features.
|
|
|
|
When a component exposes a dynamic code loading feature, an attacker could use
|
|
it during the redirection's exploitation to deploy malicious code into the
|
|
application. The component can be located in the application itself or one of
|
|
its dependencies.
|
|
|
|
Such an attack would compromise the application execution environment entirely
|
|
and lead to multiple security threats. The malicious code could:
|
|
|
|
* Intercept and exfiltrate all data used in the application.
|
|
* Steal authentication credentials to third-party services.
|
|
* Change the application's behavior to serve another malicious purpose
|
|
(phishing, ransoming, etc)
|
|
|
|
Note that in most cases, the deployed malware can persist application or
|
|
hosting device restarts.
|
|
|