Original post: https://research.nccgroup.com/2023/01/20/technical-advisory-multiple-vulnerabilities-in-the-galaxy-app-store-cve-2023-21433-cve-2023-21434/

Product Galaxy Store 4.5.48.3, other versions affected
Severity Moderate
CVE Reference CVE-2023-21434
Type URL Filter Bypass

Summary

It was found that a webview within the Galaxy App Store contained a filter that limited the domains the webview could browse to. However, the filter was not properly configured, which allowed the webview to browse to an attacker controlled domain.

Impact

Either tapping a malicious hyperlink in Google Chrome, or a rogue application pre-installed on a Samsung device, can bypass Samsung’s URL filter and launch a webview to an attacker controlled domain.

Proof of Concept (PoC)

While using the Chrome web browser on a Samsung device, the following hyperlink can be tapped to exploit this issue:

<h1>
  <a id="yayidyay" rel="noreferrer" href="intent://cloudgame/monitor?monitoringHost=<host>#Intent;action=android.intent.action.VIEW;package=com.sec.android.app.samsungapps;scheme=normalbetasamsungapps;S.android%2eintent%2eextra%2eREFERRER_NAME=http://com.sec.android.app.samsungapps;end">
YAYPOCYAY</a>
</h1>

In the above PoC, “<host>” needs to be replaced with an attacker controlled domain, and a malicious website must be hosted on that domain over HTTPS. The domain name must contain “player.glb.samsung-gamelauncher.com”. For example, the domain “player.glb.samsung-gamelauncher.com.nccgroup.com” would be a valid domain.

Technical Walkthrough

After launching the above PoC, the class com.sec.android.app.samsungapps.deeplink.CloudGameDeepLink is loaded, and the method e(context) is executed. This method determines if the Cloud Game deeplink should be executed, and the requirements to return “True” are:

  • The “sender” of the intent must be “com.sec.android.app.samsungapps”
    • This can be achieved by adding the string intent extra android.intent.extra.REFERRER_NAME to a browsable intent launched from the Google Chrome browser
    • Using the Samsung Browser will not meet this requirement due to how the browser handles browsable intents
  • The “monitoringHost” parameter must contain the string “player.glb.samsung-gamelauncher.com”

private boolean e(Context context) {
    // Only intents whose sender is this package are considered
    if (context.getPackageName().equals(getSender())) {
        // Vulnerable check: a substring match on the host, not a host comparison
        return this.L.getMonitoringHost().contains("player.glb.samsung-gamelauncher.com");
    }
    Loger.w(String.format("[%s] Unauthorized access from %s", M, getSender()));
    return false;
}

An attacker can register an arbitrary domain and add “player.glb.samsung-gamelauncher.com” as a subdomain of it. For example, the domain “player.glb.samsung-gamelauncher.com.nccgroup.com” would force the method e(context) to return “True”.
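As an added illustration (not code from the advisory or from Samsung), the substring test above is placed beside a host comparison that would have rejected the PoC domain; the allowlist constant and helper names are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

# Host the advisory says the filter expects (assumed to be the only allowed host)
ALLOWED_HOST = "player.glb.samsung-gamelauncher.com"


def vulnerable_check(monitoring_host: str) -> bool:
    """Mirrors the contains() test in CloudGameDeepLink.e(): any value that merely
    contains the expected host passes, including a domain that uses it as a prefix."""
    return ALLOWED_HOST in monitoring_host


def _normalize_host(value: str) -> Optional[str]:
    """Extract a bare, lowercase hostname from a raw host or a URL.
    Returns None if the value carries userinfo, a path, a query or a fragment."""
    # Prefix "//" when no scheme is present so urlsplit treats the value as a netloc
    candidate = value if "://" in value else "//" + value
    parts = urlsplit(candidate)
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        return None
    host = parts.hostname  # lowercased, port and IPv6 brackets already stripped
    if not host:
        return None
    return host.rstrip(".")  # tolerate a trailing dot (fully qualified form)


def hardened_check(monitoring_host: str, allow_subdomains: bool = False) -> bool:
    """Accept only the exact allowed host or, optionally, true subdomains of it
    (label boundary enforced). Labels appended after the allowed host, as in the
    advisory's PoC domain, never pass."""
    host = _normalize_host(monitoring_host)
    if host is None:
        return False
    if host == ALLOWED_HOST:
        return True
    if allow_subdomains:
        return host.endswith("." + ALLOWED_HOST)
    return False
```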

Recommendation

Samsung has released an updated version of the Galaxy App Store (version 4.5.49.8). Users should open the Galaxy App Store on their phone, and if prompted, download and install the latest version.

Timeline

Date Summary
03/12/2022 Samsung notified of vulnerability
03/12/2022 Samsung acknowledged receipt of the report and a security analyst was assigned to analyze it
18/12/2022 Samsung confirmed the vulnerability and rated it as a Moderate risk
01/01/2023 Samsung has released Galaxy App Store version 4.5.49.8 and has publicly disclosed the issue