ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6384/java/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

97 lines
3.6 KiB
Plaintext
Raw Blame History

== Why is this an issue?
Intent redirection vulnerabilities occur when an application publicly exposes a
feature that uses an externally provided intent to start a new component.
In that case, an application running on the same device as the affected one can
launch the exposed, vulnerable component and provide it with a specially crafted
intent. Depending on the application's configuration and logic, this intent will
be used in the context of the vulnerable application, which poses a security
threat.
=== What is the potential impact?
An affected component that forwards a malicious externally provided intent does so using the vulnerable application's context. In particular, the new component is created with the same permissions as the application and without limitations on what feature can be reached.
Therefore, an attacker exploiting an intent redirection vulnerability could
manage to access a private application's components. Depending on the features
privately exposed, this can lead to further exploitations, sensitive data
disclosure, or even persistent code execution.
==== Information disclosure
An attacker can use the affected feature as a gateway to access other components
of the vulnerable application, even if they are not exported. This includes
features that handle sensitive information.
Therefore, by crafting a malicious intent and submitting it to the vulnerable
redirecting component, an attacker can retrieve most data exposed by private
features. This affects the confidentiality of information that is not
protected by an additional security mechanism, such as an encryption algorithm.
==== Attack surface increase
Because the attacker can access most components of the application, they can
identify and exploit other vulnerabilities that would be present in them. The
actual impact depends on the nested vulnerability. Exploitation probability
depends on the in-depth security level of the application.
==== Privilege escalation
If the vulnerable application has privileges on the underlying devices, an
attacker exploiting the redirection issue might take advantage of them. For
example by crafting a malicious intent action, the attacker could be able to
pass phone calls on behalf of the entitled application.
This can lead to various attack scenarios depending on the exploited
permissions.
==== Persistent code execution
A lot of applications rely on dynamic code loading to implement a variety of
features, such as:
* Minor feature updates.
* Application package size reduction.
* DRM or other code protection features.
When a component exposes a dynamic code loading feature, an attacker could use
it during the redirection's exploitation to deploy malicious code into the
application. The component can be located in the application itself or one of
its dependencies.
Such an attack would compromise the application execution environment entirely
and lead to multiple security threats. The malicious code could:
* Intercept and exfiltrate all data used in the application.
* Steal authentication credentials to third-party services.
* Change the application's behavior to serve another malicious purpose
(phishing, ransoming, etc)
Note that in most cases, the deployed malware can persist application or
hosting device restarts.
// How to fix it section
include::./how-to-fix-it/android.adoc[]
== Resources
include::../common/resources/docs.adoc[]
include::../common/resources/standards.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Change this code to not perform arbitrary intent redirection.
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink