| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_31FE41DA51470E9472AA6D25@qq.com> Date: Wed, 25 Sep 2019 21:55:02 +0800 From: "flanker" <i@...nker017.me> To: "fulldisclosure" <fulldisclosure@...lists.org> Subject: [FD] [CVE-2019-14783] Arbitrary file create with system-app privilege in Samsung Mobile Android FotaAgent Component [CVE-2019-14783] Arbitrary file create with system-app privilege in Samsung Mobile Android FotaAgent Component Software: -------- Samsung Mobile Android FotaAgent Component Description: ---------- A vulnerability in FotaAgent allows creating privileged files without proper permission from unprivileged process. The patch adds proper permission check on FotaAgent to address the vulnerability. This issue is reported to & confirmed and patched by Samsung Mobile Security Rewards Program under case ID 101825. Patched version: ------------ - Samsung Mobile Android N(7.x), O(8.x), P(9.0) with SMR-AUG-2019 patch level and after Impact: ------- A successful local attack can create arbitrary file with system privilege. Solution: --------- Update the device to at lease SMR-AUG-2019 patch level. Credit: ------- Discovered by Qidan He (a.k.a Edward Flanker, @flanker_hqd). Detailed about this vulnerability will be released shortly after confirmation from Samsung Mobile for responsible disclosure. ------------------ Sincerely Qidan (a.k.a Flanker) Website: https://blog.flanker017.me _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists