Android (AOSP) Download Provider Request Headers Disclosure (CVE-2018-9546)
A malicious application with the INTERNET permission granted could retrieve all entries from the Download Provider request headers table. These headers may include sensitive information, such as session cookies or authentication headers, for any download started from the Android Browser or Google Chrome, among other applications. Consider the impact that this would have on a user downloading a file from an authenticated website or URL. For example, an electronic statement file from an online bank or an attachment from corporate webmail may allow an attacker to impersonate the user on…
Android (AOSP) Download Provider Permission Bypass (CVE-2018-9468)
A malicious application without any granted permission could retrieve all entries from the Download Provider, bypassing all currently implemented access control mechanisms. The level of access will be similar to having the ACCESS_ALL_DOWNLOADS permission granted, which is a signature-protected permission. The information retrieved from this provider may include potentially sensitive information such as file names, descriptions, titles, paths, URLs (that may contain sensitive parameters in the query strings), etc., for applications such as Gmail, Chrome, or the Google Play Store.
Android (AOSP) Download Provider SQL Injection (CVE-2018-9493)
By exploiting an SQL injection vulnerability, a malicious application without any permission granted could retrieve all entries from the Download Provider, bypassing all currently implemented access control mechanisms. Also, applications that were granted limited permissions, such as INTERNET, can also access all database contents from a different URI. The information retrieved from this provider may include potentially sensitive information such as file names, descriptions, titles, paths, URLs (that may contain sensitive parameters in the query strings), etc., for applications such as Gmail, Chrome, or the Google Play Store. Further access…
RSA Conference Requires Changes
For many years, IOActive has been hosting our IOAsis event as a refuge from the madness of crowds and marketing pitches. This was a hugely successful event and we appreciate everyone’s support and participation over the years to make it a high-quality “hallway con” in an upscale environment. Last year, we noticed a reduction in the quality of attendance at our event even though there was an increase in overall RSA Conference (RSAC) attendance. We discovered in talking to our clients, friends and peers in the industry that many of…
Bypassing Chrome’s CSP with Link Preloading
In this post I’m going talk about a bug I found a while back in Google’s Chrome browser that allows attackers to bypass the Content Security Policy (CSP). Besides breaking the CSP, the bug also allows attackers a means to ex-filtrate information from inside an SSL/TLS connection. The bug was reported a couple of years back and we got word that the fix is in, so I decided to dust off this blog post and update it so you folks can learn about it. The CSP is a configuration setting…
Synaptics TouchPad SynTP Driver Leaks Multiple Kernel Addresses
Synaptics TouchPad Windows driver leaks multiple kernel addresses and pointers to unprivileged user mode programs. This could be used by an attacker to bypass Windows Kernel Address Space Layout Randomization (KASLR). (CVE-2018-15532)
Extracting Bluetooth Metadata in an Object’s Memory Using Frida
Here’s a script I wrote to extract information from the Bluetooth metadata in an object’s memory. The script makes use of the Frida instrumentation framework, and I’ll take a little time to explain a simple scripting methodology/thought framework for solving problems with Frida. What you will need: Frida Server for your device https://www.frida.re/docs/installation/ Frida script to run https://github.com/IOActive/BlueCrawl Target Android phone (preferably with root permissions) Getting Started: Your first Script Frida forwards APIs that wrap Java objects and introduce means to inspect them, modify…
Smart Cities: Cybersecurity Worries
Infodocument providing a visual exploration into the growing security concerns of smart city technologies. Featuring detail to the myriad technologies, problems, threats, possible targets, as well as current examples of cities having experienced attacks.
Commonalities in Vehicle Vulnerabilities
With the connected car becoming commonplace in the market, vehicle cybersecurity continues to grow more important every year. At the forefront of security research, IOActive has amassed real-world vulnerability data illustrating the general issues and potential solutions to the cybersecurity threats today’s vehicles face.
Reverse Engineering & Bug Hunting on KMDF Drivers
Enrique Nissim’s presentation from 44CON. September 12, 2018. The focus will be on finding bugs and not on exploitation. This will highlight interesting functions and how to find them. See MSDN and references for full details on KMDF.