Bypassing ContentProvider.openFile() internal security checks in Android

[1/3]
I've discovered an interesting trick that you may use to access private information using a content provider ImageImage
[2/3]
The attack is possible if:
1. The content provider is exported
2. Internally, it checks the calling UID, package name, and/or permission set as shown on the screenshots
[3/3]
It's possible to call ContentProvider.openFile() via IActivityManager.openContentUri(). It will check access rights, but then proxy the call from its context leading to Binder.getCallingUid() == 1000, and all permissions granted

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Sergey Toshin 🇺🇦

Sergey Toshin 🇺🇦 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @_bagipro

Nov 18, 2020
#bugbountytips
An almost universal way to theft or overwrite arbitrary files on #android is sharing activities. You can find them in AndroidManifest.xml. They handle android.intent.action.SEND. Use the PoC from blog.oversecured.com/Evernote-Unive… (ctrl+f "EXTRA_STREAM") and test 4 scenarios:
1. Send a Uri to an internal file using file:// scheme (direct or using a symlink)
2. Send a Uri to an internal file using a victim app's internal content provider
now grep private file contents on SD card
3. Send a Uri to your own file like explained in the article above (test _display_name and last path segment values to be vulnerable to path-traversal)
now run "ls -la dir | grep file_name" on /sdcard and /data/data/app

and also read hackerone.com/reports/288955, love that technique
Read 4 tweets
Aug 16, 2020
#bugbounty

You must love #Android deeplinks! They are the easiest way to get bounties
1. Decompile an app with jadx
2. Collect all deeplink handlers from AndroidManifest.xml, they look like <data android:scheme="airbnb" android:host="d"/>
3. Grep among all sources and resources a pattern from a handler, in this case, airbnb://d
4. You could find a lot of hardcoded urls like airbnb://d/openurl?url=https:// airbnb.com/blabla. That's much simpler than learning app's sources
5. Now try to put your own domains with adb (adb shell am start -a android.intent.action.VIEW -d airbnb://d/openurl?url=http:// evil.com) or on HTML pages (check out the H1 report below)
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(