Re-route Your Intent for Privilege Escalation: A Universal Way to Exploit Android PendingIntents in High-profile and System Apps

Presented at Black Hat Europe 2021, Nov. 10, 2021, 10:20 a.m. (40 minutes).

PendingIntent, the advanced version of the normal Android Intent, provides powerful inter-component communication on Android. A PendingIntent holds a base Intent that can be executed by another app under the creator app's identity (UID) and permissions, as if the target app were the creator. To deliver a PendingIntent securely and prevent hijacking, developers should make the base Intent explicit by setting the target component name. However, many real-world apps do not.

Previous research showed a few examples of attacking a PendingIntent whose base Intent is empty (i.e., no component and no action), but it did not know how to exploit a PendingIntent with an implicit base Intent (i.e., no component but with an action) and commonly believed it to be unexploitable, like an explicit PendingIntent. Moreover, previous research did not identify common attack surfaces for retrieving PendingIntents. To address these two fundamental problems, we first discovered new surfaces for retrieving PendingIntents, including the widely used Notifications, the SliceProvider commonly found in the AOSP Settings app, and the rare MediaBrowserService. We then proposed a novel method of exploiting implicit PendingIntents for various forms of privilege escalation, including information disclosure, data theft, and even arbitrary code execution.

We further developed a static analysis tool based on control and data flows to identify potentially vulnerable PendingIntents at scale. We then manually inspected them and identified vulnerabilities in many high-profile and system apps, including the popular Twitter, Airbnb, and Google Play Services apps, as well as SystemUI (CVE-2020-0114 and CVE-2021-0304), SettingsSliceProvider (CVE-2020-0188), and BluetoothMediaBrowserService. Our vulnerability reports led Google to introduce significant security changes to PendingIntents in Android 12 and to add new lint security rules in Android Studio.
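To make the advice in the first paragraph concrete, the following added example (not code from the talk or its authors) contrasts a Notification-style PendingIntent built from an implicit base Intent with the hardened form that pins the target component and sets FLAG_IMMUTABLE, the mutability flag that Android 12 made mandatory to declare. The action string and Activity class name are hypothetical.

```java
import android.app.PendingIntent;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

/** Constructed example: building the PendingIntent an app attaches to a Notification. */
public final class PendingIntentHardening {

    // Hypothetical action and in-app Activity; not identifiers from the talk.
    static final String ACTION_OPEN = "com.example.app.ACTION_OPEN_DETAILS";
    static final String DETAILS_ACTIVITY = "com.example.app.DetailsActivity";

    /**
     * Weak: the base Intent carries an action but no component, and the wrapper
     * is mutable. Any app that obtains this PendingIntent (for example by reading
     * a Notification's contentIntent) can complete the unset fields when it calls
     * send(), so the Intent is delivered under our UID and permissions.
     */
    public static PendingIntent implicitMutable(Context ctx) {
        Intent base = new Intent(ACTION_OPEN);
        return PendingIntent.getActivity(ctx, 0, base, PendingIntent.FLAG_UPDATE_CURRENT);
    }

    /**
     * Hardened: pin the target component so the Intent cannot be re-routed, and
     * make the PendingIntent immutable so the receiver cannot add extras or flags.
     * FLAG_IMMUTABLE exists since API 23; apps targeting Android 12 (API 31) must
     * declare FLAG_IMMUTABLE or FLAG_MUTABLE, otherwise creation throws.
     */
    public static PendingIntent explicitImmutable(Context ctx) {
        Intent base = new Intent(ACTION_OPEN)
                .setComponent(new ComponentName(ctx.getPackageName(), DETAILS_ACTIVITY));
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            flags |= PendingIntent.FLAG_IMMUTABLE;
        }
        return PendingIntent.getActivity(ctx, 0, base, flags);
    }

    /**
     * Guard to run before a PendingIntent leaves the process (Notification, Slice,
     * MediaBrowserService, ...): the base Intent must name a component and the
     * wrapper must be immutable. Returns false for the implicitMutable() case above.
     */
    public static boolean isSafeToExpose(Intent base, int pendingIntentFlags) {
        boolean explicit = base.getComponent() != null;
        boolean immutable = (pendingIntentFlags & PendingIntent.FLAG_IMMUTABLE) != 0;
        return explicit && immutable;
    }
}
```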
Presenters:

  • En He - Senior Security Researcher, OPPO ZIWU Security Lab
    En He is a security researcher with more than a decade of working experience in the field of information security. He has found many interesting vulnerabilities in Android AOSP and popular Google Play apps. He was also a speaker at CNCERT2016 (China) and POC2018 (Korea), and an author at DIMVA 2020.
  • Wenbo Chen - Security Researcher
    Wenbo Chen is an Android security researcher who has worked at Tencent's Keen Lab and OPPO's ZIWU Lab. His research mainly focuses on automated program analysis, vulnerability discovery, and exploitation. He has also reported many vulnerabilities to Google, Samsung, and many application vendors in China.
  • Daoyuan Wu - Research Assistant Professor, The Chinese University of Hong Kong
    Dr. Daoyuan Wu is currently a Research Assistant Professor (RAP) at the Department of Information Engineering, The Chinese University of Hong Kong. He received his PhD degree from Singapore Management University in 2019, M.Phil from The Hong Kong Polytechnic University in 2015, and B.E. from Nanjing University of Posts and Telecommunications in 2011, all in Cybersecurity. His research interests include mobile system security, blockchain security, mining for code security, and web privacy. He is leading the Vulnerability and Privacy Research (VPR) Lab at CUHK.
