Samsung Mobile Android FotaAgent Arbitrary File Creation

2019.09.26
Credit: flanker
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

[CVE-2019-14783] Arbitrary file create with system-app privilege in Samsung Mobile Android FotaAgent Component Software: -------- Samsung Mobile Android FotaAgent Component Description: ---------- A vulnerability in FotaAgent allows creating privileged files without proper permission from unprivileged process. The patch adds proper permission check on FotaAgent to address the vulnerability. This issue is reported to & confirmed and patched by Samsung Mobile Security Rewards Program under case ID 101825. Patched version: ------------ - Samsung Mobile Android N(7.x), O(8.x), P(9.0) with SMR-AUG-2019 patch level and after Impact: ------- A successful local attack can create arbitrary file with system privilege. Solution: --------- Update the device to at lease SMR-AUG-2019 patch level. Credit: ------- Discovered by Qidan He (a.k.a Edward Flanker, @flanker_hqd). Detailed about this vulnerability will be released shortly after confirmation from Samsung Mobile for responsible disclosure. ------------------ Sincerely Qidan (a.k.a Flanker) Website: https://blog.flanker017.me


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top