Original post: https://labs.f-secure.com/advisories/samsung-s20-access-external-storage-files/

Product Samsung phones with Samsung Notes (prior to version )
Severity Low
CVE Reference CVE-2021-25367
Type Storage Security Bypass

Description

F-Secure looked into exploiting the Samsung S20 device for Tokyo Pwn2Own 2020. An issue was discovered that would have allowed a rogue application to access any file on the external storage partition without the “External Storage” Android permissions.

Technical Details

Samsung Notes (com.samsung.android.app.notes) has an exported content provider called clipdatacontentprovider that can be used by other applications to download files from the external storage. The issue is due to the class com.samsung.android.support.senl.nt.base.framework.provider.ClipDataContentProvider having two methods onCreate and addRoot:

public boolean onCreate() {
    Context context = getContext();
    addRoot("external_files", new File(Environment.getExternalStorageDirectory(), "."));
    File[] externalFilesDirs = ContextCompat.getExternalFilesDirs(context, null);
    if (externalFilesDirs.length <= 0) {
        return true;
    }
    addRoot("external-files-path", new File(externalFilesDirs[0], ShareCacheHelper.CACHE_PATH));
    return true;
}
private void addRoot(String str, File file) {
    if (!TextUtils.isEmpty(str)) {
        try {
            mRoots.put(str, file.getCanonicalFile());
        } catch (IOException e) {
            throw new IllegalArgumentException("Failed to resolve canonical path for " + file, e);
        }
    } else {
        throw new IllegalArgumentException("Name must not be empty");
    }
}

The class relies on the hashMap mRoots to keep track of what the content provider’s root directories are. In the onCreate method, the external storage folder is added as an authorized root directory.

A rouge application installed on the same device can call this content provider to browse and download files from the External Storage area, bypassing the need to add EXTERNAL_STORAGE_READ or EXTERNAL_STORAGE_WRITE to the rouge application’s manifest. As an example, F-Secure utilized its Android testing application, Drozer, to exploit this issue. The screenshot below shows that Drozer did not have any additional Android permisions (right) and it could not read the file /storage/emulated/0/yay.jpg (top left). Meanwhile, the ADB user could read the file /storage/emulated/0/yay.jpg (bottom left):

Drozer’s app.provider.download module can be used to dynamically craft a proper content provider call and communicate with the vulnerable content provider. The below output shows Drozer downloading the file /storage/emulated/0/yay.jpg from the external storage using the vulnerable content provider:

dz> run app.provider.download content://com.samsung.android.app.notes.clipdatacontentprovider/external_files/yay.jpg /tmp/yay.jpg
Written 1932151 bytes

dz> exit
root@324bda543ccd:/# sha1sum /tmp/yay.jpg
1e29865dc1b592b06f87cd7d569f93170daa74ed /tmp/yay.jpg

Remedial Action

Samsung has released Samsung Notes version 4.2.00.22 which fixes the issue outlined in this advisory. F-Secure recommends that users upgrade Samsung Notes to at least version 4.2.00.22.

Credits

This issue was discovered by Ken Gannon.

Timeline

Date Summary
02/11/2020 Issue disclosed to Samsung Mobile Security
02/11/2020 Issue assigned to a Samsung Security Analyst
16/12/2020 Samsung confirms the vulnerability and rates it as a low risk issue
12/01/2021 Follow up sent to Samsung
13/01/2021 Samsung responded to follow up saying a patch is still being worked on
09/02/2021 Patch released, Samsung initiates process for bug bounty reward
25/03/2021 CVE Assigned
26/03/2021 Advisory Published