Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneImnotyouaa_testH1:1161401
HistoryApr 12, 2021 - 12:20 p.m.

Nextcloud: Notification implicit PendingIntent in com.nextcloud.client allows to access contacts

2021-04-1212:20:36
imnotyouaa_test
hackerone.com
$250
51
nextcloud
notification vulnerability
contact access
file access
implicit pendingintent
malicious app
permission
bindnotificationlistener service
security vulnerability
android 10
exploit
bug bounty program

EPSS

0.001

Percentile

17.2%

JSON

When the victim downloads files in nextcloud.A notification will be triggered. The content of the notification is “Downloaded”.This notification is used to remind the user that the download is complete.The pendingintent in this notification is an implicit intent.

At this time a malicious app with “BINDNOTIFICATIONLISTENER_SERVICE” permission can get the pendintent of this notification, because it is an implicit pendintent. Therefore, the malicious app can set the “packageName” and “clipdata” of this pendintent. At this time, the malicious application will inherit the permissions of “com.nextcloud.client”.Because nextcloud has contacts permissions. Therefore, malicious applications can read the contacts without applying for the contacts permission.
{F1262742}
At the same time, because of the path configuration of fileprovider, the log file in the nextcloud app directory can also be read
{F1262743}

The code of this implicit pendingintent is in
“com.owncloud.android.files.services.FileDownloader.notifyDownloadResult(com.owncloud.android.operations.DownloadFileOperation, com.owncloud.android.lib.common.operations.RemoteOperationResult) : void”
{F1262747}

Steps To Reproduce:
packageName:com.nextcloud.client
versionName:3.15.1
phone:pixel3
AndroidVersion:10

1.install and run “poc.apk”
2.click the button to give the “BINDNOTIFICATIONLISTENER_SERVICE” permission to poc
3.install “com.nextcloud.client.apk” and give contacts permission to nextcloud.
4.Download a file as shown in the video.At this time, the victim’s app will trigger a notification
5.run “adb logcat | grep sbn”. now you can see the contact stolen by the attacker

Supporting Material/References:
1.read contacts poc video
{F1262750}

2.poc.apk
{F1262748}

3.“com.nextcloud.client.apk”
{F1262746}

Impact

Any application with notification permission can steal contacts without apply for the contacts permission
To fix this vulnerability, please set the flag of pengingintent to FLAG_IMMUTABLE

Related

nvd 1
nextcloud 1
cnvd 1
cvelist 1
prion 1
cve 1
osv 1
nvd
nvd
CVE-2022-24886
2022-04-27 14:15:09
nextcloud
nextcloud
Notification implicit PendingIntent in com.nextcloud.client allows to access contacts
2022-04-27 07:21:32
cnvd
cnvd
Nextcloud Android app information leakage vulnerability
2022-04-29 00:00:00
cvelist
cvelist
CVE-2022-24886 Exposure of Sensitive Information to an Unauthorized Actor in com.nextcloud.client
2022-04-27 13:30:14
prion
prion
Code injection
2022-04-27 14:15:00
cve
cve
CVE-2022-24886
2022-04-27 14:15:09
osv
osv
CVE-2022-24886
2022-04-27 14:15:09

EPSS

0.001

Percentile

17.2%

JSON
Related for H1:1161401
nvd1nextcloud1cnvd1cvelist1prion1cve1osv1