lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 25 Sep 2019 21:55:02 +0800
From: "flanker" <i@...nker017.me>
To: "fulldisclosure" <fulldisclosure@...lists.org>
Subject: [FD] [CVE-2019-14783] Arbitrary file create with system-app
	privilege in Samsung Mobile Android FotaAgent Component

[CVE-2019-14783] Arbitrary file create with system-app privilege in Samsung Mobile Android FotaAgent Component


Software:
--------
Samsung Mobile Android FotaAgent Component


Description:
----------
A vulnerability in FotaAgent allows creating privileged files without proper permission from unprivileged process. The patch adds proper permission check on FotaAgent to address the vulnerability. This issue is reported to & confirmed and patched by Samsung Mobile Security Rewards Program under case ID 101825.


Patched version:
------------
- Samsung Mobile Android N(7.x), O(8.x), P(9.0) with SMR-AUG-2019 patch level and after


Impact:
-------
A successful local attack can create arbitrary file with system privilege.


Solution:
---------
Update the device to at lease SMR-AUG-2019 patch level.


Credit:
-------
Discovered by Qidan He (a.k.a Edward Flanker, @flanker_hqd). Detailed about this vulnerability will be released shortly after confirmation from Samsung Mobile for responsible disclosure.


------------------
Sincerely
Qidan (a.k.a Flanker)

Website: https://blog.flanker017.me

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists