
CVE-2025-10184 OnePlus OxygenOS Telephony provider permissio...#1429

Merged
carlospolop merged 2 commits into master from update_CVE-2025-10184__OnePlus_OxygenOS_Telephony_provide_20250924_125101
Sep 30, 2025

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

CVE-2025-10184 — OnePlus OxygenOS Telephony provider permission bypass via blind SQL injection (NOT FIXED)

Affected/confirmed builds
• OnePlus 8T / KB2003 — TelephonyProvider pkg 3.4.135, OxygenOS 12, build KB2003_11_C.33
• OnePlus 10 Pro 5G / NE2213 — pkg 14.10.30, OxygenOS 14, build NE2213_14.0.0.700(EX01)
• OnePlus 10 Pro 5G / NE2213 — pkg 15.30.5, OxygenOS 15, build NE2213_15.0.0.502(EX01)
• OnePlus 10 Pro 5G / NE2213 — pkg 15.30.10, OxygenOS 15, build ...

🔧 Technical Details

Abusing content provider write permission defaults: If an Android content provider sets readPermission but omits writePermission, unprivileged apps can invoke insert/update/delete provided those methods are implemented. Search OEM-modified providers for exported components missing writePermission, then test write operations via ContentResolver or adb content.

WHERE-clause SQL injection on update(): Some providers pass the caller-supplied WHERE string directly to SQLiteDatabase.update(). Inject subqueries that read sensitive tables in the same DB (e.g., sms). If direct query() is protected, piggyback on update() to exfiltrate via inference.

Blind inference oracle using rows-affected and constraint errors: Treat update() > 0 or a "UNIQUE constraint failed" exception as TRUE; otherwise FALSE. Use unicode...

🤖 Agent Actions

I analyzed the Rapid7 post and found concrete, reusable Android pentesting techniques that weren’t fully covered in HackTricks, specifically:

  • Abusing exported content providers that set readPermission but omit writePermission
  • Leveraging unsafe update() WHERE clause handling for SQL injection
  • Building a blind Boolean inference oracle via rows-affected and UNIQUE-constraint errors
  • Seeding empty tables via insert() to enable the oracle
  • Using sqlite_master checks and adb cmd content to confirm DB co-location and exploit prerequisites

Repository exploration and chosen locations:

  • I explored the Android section and found the best fit to be the existing Content Providers page under Mobile Pentesting > Android > drozer tutorial.
  • I also enhanced the Android Applications Basics page to document content provider permission semantics and secure patterns.

Changes implemented (as files were modified via PR tools):

  1. Updated: src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
  • Added a new section “writePermission omission + blind SQLi via update()” under the SQL Injection context, prior to the File System-backed Content Providers section.
  • Content includes:
    • Explanation of the permission-bypass caused by missing writePermission on exported providers
    • End-to-end approach to blind inference via update()’s WHERE clause and UNIQUE errors
    • Discovery workflow and schema co-location probes using sqlite_master
    • Seeding rows via insert() to activate the oracle
    • Pseudocode for a character-by-character binary search oracle
    • adb cmd content examples, including a WHERE-based Boolean probe
    • Notes and mitigations for developers
    • Example URIs found “in the wild” (service-number, push-mms, push-shop)
  • References section updated to include:
    • Rapid7 CVE-2025-10184 blog
    • Android docs (Content providers basics, provider read/writePermission, ContentResolver.update)
    • Kept existing references
  2. Updated: src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
  • Inside the Content Provider subsection, added “Permission semantics and pitfalls (Content Providers)”:
    • Documented that omitting writePermission means null default, allowing unprivileged insert/update/delete if implemented
    • Reinforced sanitization/whitelisting of projection/selection/sortOrder and safe patterns (SQLiteQueryBuilder, projection map, fixed WHERE templates)
    • Recommended android:exported="false" by default and grantUriPermissions for selective sharing
  • Updated the file’s References (at end) to include the Rapid7 CVE, Android docs for content providers/readPermission/writePermission, and ContentResolver.update()

Why these updates:

  • HackTricks already covered content provider SQLi via projection/selection in query(), but didn’t cover the update() WHERE injection technique combined with permission bypass via omitted writePermission and blind oracle extraction using rows-affected/UNIQUE constraint handling.
  • The new material generalizes the CVE into reusable methodology pentesters can leverage beyond OnePlus devices.

No new files were created; content was integrated into the most relevant existing pages. References were updated per guidelines at the end of each modified file.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
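As an added example (not code from the PR, from HackTricks, or from the Rapid7 post), here is the update() shape the summary describes as vulnerable beside a hardened form that enforces the fixed WHERE template the Android Applications Basics change recommends; the provider, table and column names are assumed:

```java
// Added example, not code from the PR or HackTricks; provider, table and column names are assumed.
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.net.Uri;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ServiceNumberProvider extends ContentProvider {
    private static final String TABLE = "service_number";
    // Columns a caller may filter on; anything else, including subqueries, is rejected.
    private static final List<String> FILTER_COLUMNS = Arrays.asList("_id", "number");
    private static final Pattern SIMPLE_EQ = Pattern.compile("^(\\w+)\\s*=\\s*\\?$");
    private SQLiteDatabase db; // assumed to be opened in onCreate() by an SQLiteOpenHelper
    // Vulnerable shape from the post: the caller's WHERE string is passed to
    // SQLiteDatabase.update() untouched, so a clause carrying a subquery runs against every
    // table in the same database (e.g. sms). With android:writePermission absent from the
    // <provider> manifest element, any app on the device can reach this method.
    int updateUnsafe(ContentValues values, String where, String[] whereArgs) {
        return db.update(TABLE, values, where, whereArgs);
    }
    // Hardened shape: accept only a fixed "<column> = ?" template over allow-listed columns,
    // require the value to arrive bound through whereArgs, and rebuild the clause from the
    // validated pieces rather than from the caller's text. Shared by update() and delete().
    private static String safeWhere(String where, String[] whereArgs) {
        if (where == null || whereArgs == null || whereArgs.length != 1) {
            throw new IllegalArgumentException("selection must be '<column> = ?' with one argument");
        }
        Matcher m = SIMPLE_EQ.matcher(where.trim());
        if (!m.matches() || !FILTER_COLUMNS.contains(m.group(1))) {
            throw new IllegalArgumentException("unsupported selection: " + where);
        }
        return m.group(1) + " = ?";
    }
    @Override public int update(Uri uri, ContentValues values, String where, String[] args) {
        return db.update(TABLE, values, safeWhere(where, args), args);
    }
    @Override public int delete(Uri uri, String where, String[] args) {
        return db.delete(TABLE, safeWhere(where, args), args);
    }
    // Remaining callbacks are out of scope here; a real provider opens db in onCreate().
    @Override public boolean onCreate() { return true; }
    @Override public Cursor query(Uri u, String[] p, String s, String[] a, String o) { return null; }
    @Override public String getType(Uri u) { return null; }
    @Override public Uri insert(Uri u, ContentValues v) { return null; }
}
```

The code-level check complements rather than replaces the manifest fix the PR recommends: declare android:writePermission (or android:exported="false") on the provider element so the write path is not reachable by unprivileged apps in the first place.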

… permissi...

- Remove searchindex.js (auto-generated file)
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking -> Android Pentesting -> Content Providers (permission bypass & SQLi)".

Repository Maintenance:

  • MD Files Formatting: 876 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@github-actions github-actions Bot force-pushed the master branch 4 times, most recently from 55d15da to 919cd5c on September 29, 2025 21:21
@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit a96eb96 into master Sep 30, 2025
@carlospolop carlospolop deleted the update_CVE-2025-10184__OnePlus_OxygenOS_Telephony_provide_20250924_125101 branch September 30, 2025 20:53