Android improper camera and audio permission verification

2009.07.21
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-94


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#2009-011 Android improper camera and audio permission verification

Description:

Android, an open source mobile phone platform, improperly checks permissions when applications access the camera and audio resources. The permissions are Manifest.permission.CAMERA and Manifest.permission.AUDIO_RECORD respectively.

Normally an Android application is allowed to access the camera and audio resources only if the user explicitly allows the application to do so. However, if the user installs an application that does not request the permissions then the application is implicitly allowed to use the device camera and/or microphone.

Affected version:

Android all 1.5 CRBxx versions (where xx are digits)

Fixed version:

Android 1.5 CBDxx, CRCxx and COCxx (where xx are digits)

Credit: Chris Palmer, iSEC Partners, under contract with Google.

CVE: CVE-2009-2348

Timeline:

2009-07-06: Android Security Team requested assistance from oCERT
2009-07-07: assigned CVE
2009-07-07: Android requests embargo period
2009-07-16: advisory release

References:

http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=7b7225c8fdbead25235c74811b30ff4ee690dc58
http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=4d8adefd35efdea849611b8b02d61f9517e47760
http://android.git.kernel.org/?p=platform/packages/apps/Camera.git;a=commit;h=e655d54160e5a56d4909f2459eeae9012e9f187f

Permalink:

http://www.ocert.org/advisories/ocert-2009-011.html

--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team

<lcars (at) ocert (dot) org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
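Added example (not part of the oCERT advisory): a small triage script that sorts a device inventory into affected, fixed and unknown using the build-ID prefixes the advisory lists. The inventory format, device names and build numbers are constructed for illustration, and the script assumes "xx" may be any run of digits.

```python
import re

# Build-ID prefixes taken from the advisory ("xx are digits").
# Assumption: any run of digits is accepted, not exactly two.
AFFECTED = re.compile(r"CRB\d+")
FIXED = re.compile(r"(CBD|CRC|COC)\d+")

def classify(release, build_id):
    """Return 'affected', 'fixed' or 'unknown' for one device."""
    build_id = build_id.strip().upper()
    if release.strip() != "1.5":
        return "unknown"  # the advisory only speaks about 1.5 builds
    if AFFECTED.fullmatch(build_id):
        return "affected"
    if FIXED.fullmatch(build_id):
        return "fixed"
    return "unknown"

def triage(inventory_text):
    """Parse 'device,release,build_id' lines; return {status: [devices]}."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            result["unknown"].append(line)  # malformed row: review by hand
            continue
        device, release, build_id = parts
        result[classify(release, build_id)].append(device)
    return result

# Constructed sample inventory (device names and build numbers are made up).
SAMPLE = """\
# device,release,build_id
lab-phone-01,1.5,CRB43
lab-phone-02,1.5,CRC12
lab-phone-03,1.5,cbd20
lab-phone-04,1.5,COC10
lab-phone-05,1.6,ABC00
lab-phone-06,1.5
"""

if __name__ == "__main__":
    for status, devices in triage(SAMPLE).items():
        print(status, devices)
```

On a real device the two input fields correspond to the ro.build.version.release and ro.build.id system properties. Anything that lands in "unknown" is outside what the advisory covers and needs a manual check.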

