Re-route Your Intent for Privilege Escalation: A Universal Way to Exploit Android PendingIntents in High-profile and System Apps

Presented at Black Hat Europe 2021, Nov. 10, 2021, 10:20 a.m. (40 minutes)

PendingIntent, the advanced version of normal Android Intent, provides powerful inter-component communication on Android. A PendingIntent holds a base Intent that can be executed by another app under the creator app's identity (UID) and permissions as if the target app was the creator. To securely deliver a PendingIntent and prevent hijacking, developers should set their PendingIntents explicitly with the target component name. However, this is not the case in many real-world apps.

Previous research showed a few examples attacking a PendingIntent with the empty base Intent (i.e., no component and action), but they did not know how to exploit a PendingIntent with the implicit base Intent (i.e., no component yet with action) and commonly believed that it is also unexploitable like an explicit PendingIntent. Moreover, previous research did not identify common attack surfaces of retrieving PendingIntents. To address these two fundamental problems, we first discovered new surfaces of retrieving PendingIntents, including the widely-used Notifications, the SliceProvider commonly in the AOSP Settings app, and the rare MediaBrowserService. We then proposed a novel method of exploiting implicit PendingIntents for various privilege escalation, including information disclosure, data stealing, and even arbitrary code execution.

We further developed a static analysis tool based on control and data flows to identify potentially vulnerable PendingIntents at scale. We then manually inspected them and identified vulnerabilities in many high-profile and system apps, including the popular Twitter, Airbnb, Google Play Service apps, and SystemUI (CVE-2020-0114 and CVE-2021-0304), SettingsSliceProvider (CVE-2020-0188), BluetoothMediaBrowserService. Our vulnerability reporting triggered Google to introduce significant security changes about PendingIntents in Android 12 and assign new lint security rules in Android Studio.


Presenters:

  • Daoyuan Wu - Research Assistant Professor, The Chinese University of Hong Kong
    Dr. Daoyuan Wu is currently a Research Assistant Professor (RAP) at the Department of Information Engineering, The Chinese University of Hong Kong. He received his PhD degree from Singapore Management University in 2019, M.Phil from The Hong Kong Polytechnic University in 2015, and B.E. from Nanjing University of Posts and Telecommunications in 2011, all in Cybersecurity. His research interests include mobile system security, blockchain security, mining for code security, and web privacy. He is leading the Vulnerability and Privacy Research (VPR) Lab at CUHK.
  • Wenbo Chen - Security Researcher,  
    Wenbo Chen is an Android security researcher who has worked in Keen Lab of Tencent and ZIWU Lab of OPPO. His research mainly focuses on technologies such as program automation analysis, vulnerability mining and exploitation. He has also reported many vulnerabilities to Google, Samsung and many application vendors in China.
  • En He - Senior Security Researcher, OPPO ZIWU Security Lab
    En He is a security researcher with more than a decade of working experience in the field of information security. He has found many interesting vulnerabilities in Android AOSP and popular Google Play APPs. He was also a speaker at CNCERT2016 (China), POC2018 (Korea), and an author of DIMVA 2020.

Links:

Similar Presentations: