Samsung Galaxy - Open Activities Via Samsung Browser

CVE-2021-25354

Type

  • Application security bypass

Severity

  • Medium

Affected products

  • Android devices with Samsung Internet (prior to version 13.2.1.46)

Remediation

  • Samsung has released Samsung Browser version 13.2.1.46 which fixes the issue outlined in this advisory. F-Secure recommends that users upgrade Samsung Browser to at least version 13.2.1.46.

Credits

  • This issue was discovered by Ken Gannon.

Timeline
02/11/2020 - Issue disclosed to Samsung Mobile Security
02/11/2020 - Issue assigned to a Samsung Security Analyst
12/01/2021 - Follow up sent to Samsung
17/01/2021 - Samsung confirms the vulnerability and rates it as a moderate risk issue
09/02/2021 - Patch released, Samsung initiates process for bug bounty reward
12/03/2021 - Bug Bounty Paid
25/03/2021 - CVE published by Samsung
26/03/2021 - Advisory published

Description

F-Secure looked into exploiting the Samsung S20 device for Tokyo Pwn2Own 2020. An issue was discovered that allowed a specific browsable intent in Samsung Browser (com.sec.android.app.sbrowser) to either:

  • Launch non-exported activities in the Samsung Browser application
  • Launch an exported activity in any installed application

Note that while this issue was found on a Samsung Galaxy device, the Samsung Internet browser application is available on the Google Play store and can be installed on any Android device with access to said store. It was confirmed that this issue could be exploited on any Android device that had the Samsung Internet application installed.

Technical Details

The issue lies in the methods “handleIntent” and “handleShareVia” of the class “com.sec.android.app.sbrowser.capsule.BixbySBrowserLauncherActivity”. First, “handleIntent” does the following:

  • Parses the passed intent and establishes the URI “data” from the intent’s data
  • Parses the URI “data” and establishes the list “pathSegments” from the URI’s path segments
  • If the first item in the list “pathSegments” is “ShareVia”, then the method “handleShareVia” is executed

    private void handleIntent(final Intent intent) {
        final String action = intent.getAction();
        final Uri data = intent.getData();
        int n = 1;
        if ("android.intent.action.VIEW".equals(action) && data != null) {
            final String string = data.toString();
            // Path segments come straight from the caller-supplied URI
            final List pathSegments = data.getPathSegments();
            if ((this.mPathSegments = (List)pathSegments) != null) {
                if (pathSegments.size() != 0) {
                    final String pathSegments2 = this.getPathSegments(0);
                    if (pathSegments2 == null) {
                        return;
                    }
                    Label_0738: {
                        // The first path segment selects the handler
                        switch (pathSegments2.hashCode()) {
                            …
                            case -679124017: {
                                if (pathSegments2.equals("ShareVia")) {
                                    n = 4;
                                    break Label_0738;
                                }
                                break;
                            }
                            …
                    switch (n) {
                        …
                        case 4: {
                            this.handleShareVia();
                            break;
                        }

Next, “handleShareVia” does the following:

  • Creates a new intent “createIntentWithTargetTask”
  • Checks if the second item in the list “pathSegments” is “result_type_success”
  • Checks if the third and fourth items in the list “pathSegments” are not null
  • If the fourth item in the list “pathSegments” is not “com.sec.android.app.sbrowser.ReceiveWeChatMomentActivity”, then assign the following “createIntentWithTargetTask” extra values:
    • “packageName” = the third item in the list “pathSegments”
    • “activityName” = the fourth item in the list “pathSegments”
  • Start the activity outlined in the intent “createIntentWithTargetTask”

    private void handleShareVia() {
        String pathSegments = getPathSegments(1);
        if (pathSegments != null) {
            Intent createIntentWithTargetTask = createIntentWithTargetTask("com.sec.android.app.sbrowser.INTENT_SHARE_VIA");
            createIntentWithTargetTask.putExtra("resultType", pathSegments);
            if ("result_type_success".equals(pathSegments)) {
                String pathSegments2 = getPathSegments(2);
                String pathSegments3 = getPathSegments(3);
                if (pathSegments2 != null && pathSegments3 != null) {
                    if (pathSegments3.equals("com.sec.android.app.sbrowser.ReceiveWeChatMomentActivity") && !this.isWeChatAvailable()) {
                        Log.d("BixbyLauncherActivity", "WeChat is not installed!");
                        createIntentWithTargetTask.putExtra("resultType", "result_type_fail");
                    } else {
                        // Package and activity names are copied from the URI path without validation
                        createIntentWithTargetTask.putExtra("packageName", pathSegments2);
                        createIntentWithTargetTask.putExtra("activityName", pathSegments3);
                    }
                } else {
                    return;
                }
            …
            try {
                getApplicationContext().startActivity(createIntentWithTargetTask);
            } catch (ActivityNotFoundException e) {
                Log.d("BixbyLauncherActivity", "[handleShareVia]" + e.toString());
            }
        }
    }

Using this information, it is possible to create a custom intent that launches a specific activity:

intent://com.sec.android.app.sbrowser/ShareVia/result_type_success//

The following example browsable intent link will launch the non-exported component “com.sec.android.app.sbrowser/com.google.zxing.client.android.SecCaptureActivity” in the Samsung Browser application:

click here

By replacing the appropriate fields, it is also possible to launch activities that are exported in other applications. The following browsable intent link will launch the exported component “com.sec.android.app.myfiles/com.sec.android.app.myfiles.external.ui.PickerActivity”:

click here
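
In “handleShareVia”, the “packageName” and “activityName” extras are taken from URI path segments and passed on without any check. One way to constrain them is an exact-match allowlist applied before the extras are set; the following is an added example, not Samsung's fix or code from the application, and the class name, method name and allowlist contents are assumptions chosen for illustration:

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example: allowlist check for the "ShareVia" path segments.
// Class name, method name and allowlist contents are hypothetical.
public class ShareViaTargetCheck {

    // Assumed allowlist: package -> activities the launcher may start.
    private static final Map<String, Set<String>> ALLOWED_TARGETS = Map.of(
        "com.sec.android.app.sbrowser",
        Set.of("com.sec.android.app.sbrowser.ReceiveWeChatMomentActivity"));

    /** Returns true only if items three and four name an allowlisted component. */
    static boolean isAllowedShareTarget(List<String> pathSegments) {
        if (pathSegments == null || pathSegments.size() != 4) {
            return false; // reject missing, short or over-long paths outright
        }
        if (!"ShareVia".equals(pathSegments.get(0))
                || !"result_type_success".equals(pathSegments.get(1))) {
            return false;
        }
        String packageName = pathSegments.get(2);
        String activityName = pathSegments.get(3);
        if (packageName == null || activityName == null) {
            return false; // immutable Map/Set lookups throw on null keys
        }
        Set<String> activities = ALLOWED_TARGETS.get(packageName);
        // Exact-match comparison only; no prefix or substring matching.
        return activities != null && activities.contains(activityName);
    }

    public static void main(String[] args) {
        // Constructed inputs built from the component names quoted in this advisory.
        List<List<String>> samples = List.of(
            List.of("ShareVia", "result_type_success", "com.sec.android.app.sbrowser",
                    "com.sec.android.app.sbrowser.ReceiveWeChatMomentActivity"),
            List.of("ShareVia", "result_type_success", "com.sec.android.app.sbrowser",
                    "com.google.zxing.client.android.SecCaptureActivity"),
            List.of("ShareVia", "result_type_success", "com.sec.android.app.myfiles",
                    "com.sec.android.app.myfiles.external.ui.PickerActivity"),
            List.of("ShareVia", "result_type_success"));
        for (List<String> s : samples) {
            System.out.println((isAllowedShareTarget(s) ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```

Only the first sample is allowed; the non-exported “SecCaptureActivity”, the “PickerActivity” in another package and the truncated path are all rejected.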