| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3235f559-45b0-4b68-b429-277e4ad7749a@korelogic.com>
Date: Thu, 8 Jan 2026 15:03:37 -0600
From: KoreLogic Disclosures via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access
via Context Hijacking
KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking
Title: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking
Advisory ID: KL-001-2026-001
Publication Date: 2026-01-08
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2026-001.txt
1. Vulnerability Details
Affected Vendor: yintibao
Affected Product: Fun Print Mobile
Affected Version: 6.05.15
Platform: ARM64 - Android
CWE Classification: CWE-926: Improper Export of Android
Application Components
CVE ID: CVE-2025-15464
2. Vulnerability Description
Exported Activity allows external applications to gain
application context and directly launch Gmail with inbox access,
bypassing security controls.
3. Technical Description
* Performed on Android 13 aarch64 - Samsung (Galaxy Tab A7 Lite)
* Using Frida client on Ubuntu 24.04 LTS - Frida server on
Samsung Rooted Device.
* The target Activity is exported true. Which means any
application may interact with it, given that permissions are
provided.
* The attacking host needs to attach the device email to the
application; then the account can be used by the application.
The PandoraEntry activity is exported (android:exported="true")
and processes external intents without validation. Below is
the PandoraEntryActivity code:
protected void onCreate(Bundle bundle) {
// ... INITALIZATION CODE ... super.onCreate(bundle);
// BELOW EXTERNAL INTENT ACCEPTED WITHOUT VALIDATION Intent
intent = getIntent();
// ... PROCESSING CONTINUES WITH UNVALIDATED INTENT ...
if (intent.hasExtra(IntentConst.START_FROM_TO_CLASS) &&
SDK.isUniMPSDK()) {
String stringExtra =
intent.getStringExtra(IntentConst.START_FROM_TO_CLASS);
if (!TextUtils.isEmpty(stringExtra) &&
stringExtra.startsWith("io.dcloud.feature.sdk.multi")) {
intent.setClassName(getPackageName(), stringExtra);
intent.removeExtra(IntentConst.START_FROM_TO_CLASS);
}
} else {
intent.putExtra(IntentConst.WEBAPP_SHORT_CUT_CLASS_NAME,
PandoraEntry.class.getName()); intent.setClass(this,
PandoraEntryActivity.class);
}
//UNVALIDATED INTENT FORWARDED startActivity(intent);
overridePendingTransition(0, 0);
}
4. Mitigation and Remediation Recommendation
No response from vendor. There are no known mitigations to
end-users of the affected application version(s).
5. Credit
This vulnerability was discovered by Felix Segoviano of
KoreLogic, Inc.
6. Disclosure Timeline
2025-12-01 : KoreLogic requests security contact from vendor
via weizhengsl@....qq.com and 277517409@...com.
2025-12-08 : KoreLogic submits vulnerability details to vendor
via weizhengsl@....qq.com and 277517409@...com.
2026-01-08 : KoreLogic public disclosure.
7. Proof of Concept
URL: https://korelogic.com/Resources/Advisories/KL-001-2026-001.poc.js.txt
SHA256sum: ddb3c840c94b204fbbe2931a68771ae28d8ea9c778310cfa83e218a64a41ffd5
The contents of this advisory are copyright(c) 2026
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (841 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists