CVE-2023-27650: SODA/CVE detail.md at main · LianKee/SODA
An issue found in APUS Group Launcher v.3.10.73 and v.3.10.88 allows a remote attacker to execute arbitrary code via the FONT_FILE parameter.
Code execution exists in Super Security (CVE-2023-27650)
Vendor: APUS Group (https://www.apusapps.com/en/launcher)
Affected product: APUS Launcher (com.apusapps.launcher)
Version: 3.10.88, 3.10.73
Download link: https://play.google.com/store/apps/details?id=com.apusapps.launcher
Description of the vulnerability for use in the CVE: An issue found in APUS Group Launcher v.3.10.73 and v.3.10.88 allows a remote attacker to execute arbitrary code via the FONT_FILE parameter.
Additional information: APUS Launcher allows unauthorized applications to launch its Activity and, by attaching extra data to the launching intent, control the font files loaded on the APP desktop. Specifically, APUS Launcher has an open Activity that receives a font file path carried in the intent and then loads the APP desktop icon font from that path. By specifying the font file path, the attacker can make APUS Launcher load a malicious font file. The attack is persistent, because APUS Launcher stores the path in its SharedPreference file.
APUS Launcher's HiFontCooperationActivity reads the "com.apus.launcher.extra.FONT_FILE" field carried in the intent and uses its value as the path of the APP desktop icon font file to load. Because HiFontCooperationActivity is exposed, an attacker can cause APUS Launcher to load malicious fonts by sending an intent that carries a malicious file path, resulting in display exceptions or security vulnerabilities (such as data leakage, application crashes, denial of service attacks, etc.).
PoC:
```java
import android.content.ComponentName;
import android.content.Intent;

// Called from an Activity in a separate, unprivileged app.
private void attack() {
    Intent intent = new Intent();
    ComponentName componentName = new ComponentName(
            "com.apusapps.launcher",
            "com.apusapps.launcher.launcher.HiFontCooperationActivity");
    intent.setComponent(componentName);
    intent.putExtra("com.apus.launcher.extra.FONT_FILE", "/data/local/tmp/方正胖头鱼.TTF");
    try {
        System.out.println("start activity");
        startActivity(intent);
    } catch (Exception e) {
        // Launch failures are ignored.
    }
}
```
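On the receiving side, the missing control is validation of the caller-supplied path. The following is an added example, not code from APUS Launcher or from the original report: it canonicalizes the untrusted value and accepts it only if it resolves to a regular font file inside a directory the app itself controls. The names `FontPathGuard` and `resolveTrustedFont`, the trusted directory, and the `.ttf`/`.otf` allow-list are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;

public class FontPathGuard {

    /**
     * Returns the canonical font file when the untrusted path is acceptable,
     * or null when it must be rejected. trustedFontDir is assumed to be an
     * app-private directory (for example a "fonts" folder under getFilesDir()).
     */
    static File resolveTrustedFont(File trustedFontDir, String untrustedPath) {
        if (untrustedPath == null || untrustedPath.isEmpty()) {
            return null;
        }
        try {
            // Canonicalizing both sides resolves "." / ".." segments and symlinks.
            File base = trustedFontDir.getCanonicalFile();
            File candidate = new File(untrustedPath).getCanonicalFile();
            // Path.startsWith compares whole path elements, so a sibling
            // directory such as ".../fonts2" does not match ".../fonts".
            if (!candidate.toPath().startsWith(base.toPath())) {
                return null;
            }
            String name = candidate.getName().toLowerCase(Locale.ROOT);
            if (!name.endsWith(".ttf") && !name.endsWith(".otf")) {
                return null;
            }
            return candidate.isFile() ? candidate : null;
        } catch (IOException e) {
            return null; // Fail closed if the path cannot be resolved.
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/fonts/theme.ttf and <tmp>/outside.ttf
        Path root = Files.createTempDirectory("fontguard");
        File fonts = Files.createDirectory(root.resolve("fonts")).toFile();
        String inside = Files.createFile(fonts.toPath().resolve("theme.ttf")).toString();
        String outside = Files.createFile(root.resolve("outside.ttf")).toString();
        String traversal = fonts.getPath() + File.separator + ".." + File.separator + "outside.ttf";
        for (String p : new String[] {inside, outside, traversal, "/data/local/tmp/font.TTF"}) {
            System.out.println(p + " -> " + (resolveTrustedFont(fonts, p) != null ? "accept" : "reject"));
        }
    }
}
```

Because the report notes that the path is persisted in SharedPreferences, the same check belongs both before the value is stored and again when it is read back at startup, so a value saved by a vulnerable version is not trusted after an update.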