Skip to content

kpatsakis/PoC_CVE-2017-0807

Repository files navigation

Proof of concept of CVE-2017-0807

This is a demo application with deliberately sloppy interface for the CVE-2017-0807 reported by Efthimios Alepis and Constantinos Patsakis. The vulnerability illustrates that due to security issues in every Android version up to Nougat, an unprivileged user can overlay almost every Android interface and trick the user into getting his input. In the demo we overlay a screen which makes our app administrator of the device, however, there are numerous other possibilities to exploit this vulnerability. Contrary to other attacks, e.g. cloak and dagger our attack does not request any dangerous or system permission like SYSTEM ALERT WINDOW. A video which showcases the issue can be found here. For more details the interested reader may refer to: Alepis, Efthimios, and Constantinos Patsakis. "Trapped by the UI: The Android case." International Symposium on Research in Attacks, Intrusions, and Defenses. Springer, Cham, 2017. Link

External links

NIST Pixel / Nexus Security Bulletin—October 2017

This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the OPERANDO project (Grant Agreement no. 653704) and is based upon work from COST Action CRYPTACUS, supported by COST (European Cooperation in Science and Technology).

Releases

No releases published

Packages

No packages published

Languages