Android o2 Business 1.2.0 Open Redirect

2020.07.05
Credit: Julien Ahrens
Risk: Low
Local: No
Remote: Yes
CWE: CWE-601


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product:        o2 Business for Android
Vendor URL:     https://play.google.com/store/apps/details?id=telefonica.de.o2business
Type:           Open Redirect [CWE-601]
Date found:     2020-04-16
Date published: 2020-07-01
CVSSv3 Score:   3.3 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE:            CVE-2020-11882

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
o2 Business App for Android 1.2.0

4. INTRODUCTION
===============
Communication is your daily springboard into the business world. And with the
new O2 Business App you always have all the important details in view. Trace
the call time you have used and see the communication capacity still
available in advance. From the current status of your inclusive allowance,
through itemised connections and tariff details, to local network quality,
the O2 Business App keeps you informed anytime, anywhere. Find out more about
your informative companion now!

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
The "O2 Business App" for Android exposes an activity called
"canvasm.myo2.SplashActivity" to other apps. The purpose of this activity is
to handle deep links, which can be delivered to the app either via links or
by calling the activity directly.

However, the app does not properly validate the format of deep links: it only
uses str.contains() to check for an allowed host, so the allowed host string
may appear anywhere in the supplied URL (for example in the query string)
rather than in the actual host position:

    private boolean isVanityLink(String str) {
        return str.contains("https://o2.de")
            || str.contains("https://blau.de")
            || str.contains("https://e2e2.o2.de")
            || str.contains("https://e2e2.blau.de");
    }

    private boolean isDeepLink(String str) {
        return str.contains("https://www.o2online.de")
            || str.contains("https://www.blau.de")
            || str.contains("https://e2e2.o2online.de")
            || str.contains("https://e2e2.blau.de")
            || str.contains(BuildConfig.PIRANHA_BASE_E2E2_URL)
            || str.contains("https://login.o2online.de")
            || str.contains("https://login-e2e2.blau.de")
            || str.contains("https://login.blau.de");
    }

This can be abused by an attacker (a malicious app on the same device) to
redirect the user to any page and deliver any content to the user. An
exemplary exploit could look like the following:

    import android.content.ComponentName;
    import android.content.Intent;
    import android.net.Uri;

    Intent i = new Intent();
    i.setComponent(new ComponentName("telefonica.de.o2business",
                                     "canvasm.myo2.SplashActivity"));
    Uri uri = Uri.parse("https://www.rcesecurity.com?dummy=https://o2.de");
    i.setData(uri);
    startActivity(i);

6. RISK
=======
A malicious app on the same device is able to exploit this vulnerability to
lead the user to any webpage/content. The specific problem here is the
assumed trust boundary between the user having the o2 Business app installed
and what the app is actually doing/displaying to the user. So if the user
sees the app being loaded and automatically redirecting to another page, the
user will likely assume that the loaded page is trustworthy as well.

7. SOLUTION
===========
Update the app to version 1.3.0

8. REPORT TIMELINE
==================
2020-04-16: Discovery of the vulnerability
2020-04-16: Although Telefonica runs a VDP on Bugcrowd
            (https://bugcrowd.com/telefonicavdp), I did not want to accept
            their non-disclosure terms, which is why I have tried to contact
            them directly via their official CERT contact.
2020-04-16: Telefonica responds and asks for full vulnerability details
2020-04-16: Send over the full advisory including a full PoC exploit.
2020-04-16: Telefonica acknowledges the issue
2020-04-16: CVE requested from MITRE
2020-04-17: MITRE assigns CVE-2020-11882
2020-06-03: No further communication from Telefonica. Mailed them again
            about the status of the fix.
2020-06-03: Telefonica is still working on this issue and the fix is
            scheduled to be included in the next release.
2020-06-04: Version 1.3.0 is released
2020-07-01: Public disclosure.

9. REFERENCES
=============
-
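The following is an added example, not part of the original advisory and not the vendor's 1.3.0 fix. It places the substring check from section 5 next to a host-allowlist check that parses the URL first and compares scheme and host exactly, then runs both over a few constructed inputs, including one in the shape of the advisory's PoC URL. java.net.URI is used here as a stand-in for android.net.Uri (whose getScheme(), getHost() and getUserInfo() serve the same purpose in an app); the host literals are taken from the advisory's isVanityLink()/isDeepLink() methods, and the BuildConfig.PIRANHA_BASE_E2E2_URL entry is omitted because its value does not appear in the advisory.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class DeepLinkCheck {

    // Allowlisted hosts: the literals from the advisory's isVanityLink()/isDeepLink().
    private static final Set<String> ALLOWED_HOSTS = Set.of(
        "o2.de", "blau.de", "e2e2.o2.de", "e2e2.blau.de",
        "www.o2online.de", "www.blau.de", "e2e2.o2online.de",
        "login.o2online.de", "login-e2e2.blau.de", "login.blau.de");

    // Weak check, equivalent to the advisory's code: the allowed prefix may sit
    // anywhere in the string (query, userinfo, a longer hostname), not only at the host.
    static boolean isDeepLinkWeak(String str) {
        for (String host : ALLOWED_HOSTS) {
            if (str.contains("https://" + host)) {
                return true;
            }
        }
        return false;
    }

    // Hardened check (added example): parse the URL, then require https and an
    // exact, case-insensitive host match against the allowlist.
    static boolean isDeepLinkStrict(String str) {
        URI uri;
        try {
            uri = new URI(str);
        } catch (URISyntaxException e) {
            return false;                       // unparsable input is never a valid deep link
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;                       // http:// or custom schemes are rejected
        }
        if (uri.getRawUserInfo() != null) {
            return false;                       // https://o2.de@other.example/ carries an allowed host as userinfo
        }
        String host = uri.getHost();            // excludes userinfo and port
        if (host == null) {
            return false;
        }
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second one has the shape of the advisory's PoC URL.
        String[] samples = {
            "https://www.o2online.de/account",
            "https://www.rcesecurity.com?dummy=https://o2.de",
            "https://o2.de.attacker.example/",
            "https://o2.de@attacker.example/",
            "http://o2.de/"
        };
        for (String s : samples) {
            System.out.printf("%-50s weak=%-5b strict=%b%n",
                              s, isDeepLinkWeak(s), isDeepLinkStrict(s));
        }
    }
}
```

Only the first sample passes the strict check; the weak check also accepts the second, third and fourth, which is exactly the class of input the advisory's PoC relies on. When porting this to the app itself, the same three conditions (parse, exact scheme, exact host with no userinfo) map directly onto android.net.Uri, and keeping the allowlist as a set of hosts rather than URL prefixes avoids reintroducing the substring problem.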

