Android (AOSP) TV Provider SQL Injection in Query Projection Parameter (CVE-2019-2211)
A malicious application without any granted permission could retrieve all entries from the TV Provider internal database, bypassing all currently implemented access control mechanisms by exploiting an SQL injection in the projection parameter. The information retrieved from this provider may include personal and potentially sensitive information about other installed applications and user preferences, habits, and activity, such as available channels and programs, watched programs, recorded programs, and titles in the “watch next” list.
Buffer Overflow, Cross-Site Scripting / Request Forgery, URI Injection, Insecure SSH Key Exchange in Antaira LMX-0800AG
(eight advisories in document) Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is affected by a memory corruption vulnerability when processing cookies. An unauthenticated attacker could leverage the vulnerability to take full control over the switch. It is also affected by a memory corruption vulnerability when processing ioIndex GET parameter values. An attacker with valid credentials for the web interface could leverage the vulnerability to take full control of the switch. Antaira’s firmware version 3.0 for the LMX-0800AG switch (among other supported devices) is affected by…
Configuration Shell Escape injecting OS/IPV6 commands, and HTML Injection in LLDP Packet System Name Field Leading to Persistent Cross-site Scripting in Antaira LMX-0800AG
(two advisories in document) An authenticated malicious user with access to the web interface (with manager privileges) or via SSH/Serial connection (with enable/config privileges) can inject Operating System (OS) commands in ipv6 commands, which will be executed with root privileges on the switch. An unauthenticated attacker located in an adjacent network could send malicious Link Layer Discovery Protocol (LLDP) packets containing JavaScript code embedded in the System Name attribute. It should be noted that LLDP discovery is not enabled by default in firmware v2.8.
ASUS – ZenUI Launcher AppLockReceiver | AppLockProvider Exposed
(two advisories in document) A malicious application without any permission could gain read and write access to the list of locked applications configured in AppLock and remove applications from it, thereby bypassing the security pattern configured by the user to protect them.
ASUS – ZenUI Dialer & Contacts PrivateContactsProvider | BlockListProvider Exposed
(two advisories in document) A malicious application without any permission could gain read and write access to the list of Private Contacts and blocked numbers configured in ZenUI Dialer & Contacts.
ASUS – ZenUI Messaging PrivateSmsProvider-PrivateMmsProvider | SmsReceiverService Exposed
(two advisories in document) A malicious application without any permission could gain read and write access to the private SMS and MMS messages configured in ZenUI Messaging as well as send arbitrary SMS messages to arbitrary phone numbers.
Android (AOSP) Download Provider Request Headers Disclosure (CVE-2018-9546)
A malicious application with the INTERNET permission granted could retrieve all entries from the Download Provider request headers table. These headers may include sensitive information, such as session cookies or authentication headers, for any download started from the Android Browser or Google Chrome, among other applications. Consider the impact that this would have on a user downloading a file from an authenticated website or URL. For example, an electronic statement file from an online bank or an attachment from corporate webmail may allow an attacker to impersonate the user on…
Android (AOSP) Download Provider Permission Bypass (CVE-2018-9468)
A malicious application without any granted permission could retrieve all entries from the Download Provider, bypassing all currently implemented access control mechanisms. The level of access will be similar to having the ACCESS_ALL_DOWNLOADS permission granted, which is a signature-protected permission. The information retrieved from this provider may include potentially sensitive information such as file names, descriptions, titles, paths, URLs (that may contain sensitive parameters in the query strings), etc., for applications such as Gmail, Chrome, or the Google Play Store.
Android (AOSP) Download Provider SQL Injection (CVE-2018-9493)
By exploiting an SQL injection vulnerability, a malicious application without any permission granted could retrieve all entries from the Download Provider, bypassing all currently implemented access control mechanisms. Applications that were granted limited permissions, such as INTERNET, can also access all database contents from a different URI. The information retrieved from this provider may include potentially sensitive information such as file names, descriptions, titles, paths, URLs (that may contain sensitive parameters in the query strings), etc., for applications such as Gmail, Chrome, or the Google Play Store. Further access…
Synaptics TouchPad SynTP Driver Leaks Multiple Kernel Addresses
Synaptics TouchPad Windows driver leaks multiple kernel addresses and pointers to unprivileged user mode programs. This could be used by an attacker to bypass Windows Kernel Address Space Layout Randomization (KASLR). (CVE-2018-15532)