Lenovo & Infinix SQL Injection to Mobile SMS Leakage

I’m writing this article to show a critical and easy exploitable vulnerability which i found while playing with drozer framework.

drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app with limited privileges and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf

so let’s begin by mentioning the android version and model of tested device.

Model: Infinix X571
Android Version: 7 with latest security patches.

Model: Lenovo A7020
Android Version: 6 with latest security patches.

About.jpgAbout 2.png

Note: After reporting the vulnerability it was discovered that other newer phones were also vulnerable.

so let’s get in to the technical staff, drozer consists of Two components an agent which is installed on the Mobile and it has no privileges and a console application which is on the attacking machine which is used to send commands to the drozer agent to make security assessment on Mobile devices and application.

drozer has a module which scans mobile packages for SQL injection in their sqlite. while i was playing with the scanneer to scan all the mobile packages, i found a vulnerability in an interesting package

com.android.provider.telephony

this package contains many sensitive information like Calls,contacts,SMS,…etc.

so what to do if you want to exploit a sql injection vulnerbility? first you search for vulnerable Content provider , also Drozer automatic sql injection scanner will do that for you

from the image you will find content://wappush content provider has a sql injection vulnerabilitysqlinjection_wappush 2.png

looking in to accessible tables you will find SMS. and in order to exploit the vulnerability you can run the following command.

run app.provider.query content://wappush –projection “* from ‘SMS’ LIMIT 2”;–

here we are breaking the query and selecting every thing from SMS table but limiting results by only first TWO.

SMS Leak 1.jpg

and we can find SMS message with What’s APP activation code and a message from Vodafone as seen in screenshot.

So the main issue is that drozer application has only privilege on INTERNET so it’s not supposed to be able to access SMS messages(it doesn’t have READ_SMS permission). which is a very great breach to user Privacy, imagine you install an application which has access on GPS and it can read your SMS without your Knowledge.

After reporting the Vulnerability Lenovo fixed the vulnerability in multiple affected phones, i couldn’t reach any security guy from infinix so i’m not able to follow up on the vulnerability but i reported it to support@infinix.com

Finally this vulnerability might affect much more vendors or devices as it seems an issue with custom ROM used by Chinese Phones vendor(MAYBE), but i just had access to these two phones so i were able to verify it exist.

CVE Assigned:  CVE-2018-14066.

the link shows vulnerability exploit by drozer

1 thought on “Lenovo & Infinix SQL Injection to Mobile SMS Leakage”

Leave a Reply

Your email address will not be published. Required fields are marked *