CVE-2018-6599 in Wonder RC555L
Summary
by MITRE
An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices, allowing attackers to obtain sensitive information (such as text-message content) by reading a copy of the Android log on the SD card. The system-wide Android logs are not directly available to third-party apps since they tend to contain sensitive data. Third-party apps can read from the log but only the log messages that the app itself has written. Certain apps can leak data to the Android log due to not sanitizing log messages, which is an insecure programming practice. Pre-installed system apps and apps that are signed with the framework key can read from the system-wide Android log. We found a pre-installed app on the Orbic Wonder that when started via an Intent will write the Android log to the SD card, also known as external storage, via com.ckt.mmitest.MmiMainActivity. Any app that requests the READ_EXTERNAL_STORAGE permission can read from the SD card. Therefore, a local app on the device can quickly start a specific component in the pre-installed system app to have the Android log written to the SD card. Therefore, any app co-located on the device with the READ_EXTERNAL_STORAGE permission can obtain the data contained within the Android log and continually monitor it and mine the log for relevant data. In addition, the default messaging app (com.android.mms) writes the body of sent and received text messages to the Android log, as well as the recipient phone number for sent text messages and the sending phone number for received text messages. In addition, any call data contains phone numbers for sent and received calls.
Analysis
by VulDB Data Team • 03/19/2020
This vulnerability represents a critical information disclosure flaw in the Orbic Wonder device running Android 7.1.2, where sensitive data from the Android logging system can be accessed through improper log handling practices. The issue stems from insecure coding practices where pre-installed system applications fail to sanitize log messages before writing them to system logs, creating a pathway for attackers to extract confidential information. The vulnerability specifically affects the com.ckt.mmitest.MmiMainActivity component, which, when invoked via an Intent, can write complete Android logs to external storage, making the information accessible to any application with the READ_EXTERNAL_STORAGE permission. This represents a fundamental breakdown in Android's security model: system-wide logging mechanisms should remain protected from unauthorized access but are instead exposed through poorly implemented application components.
The technical exploitation of this vulnerability relies on the Android logging system's architecture where applications can only directly access logs they themselves have generated, but system applications signed with framework keys can access comprehensive system logs. The malicious pre-installed application acts as a conduit, allowing local applications to trigger log dumping functionality that writes complete system logs to the SD card. This creates a persistent threat vector where any application with appropriate permissions can continuously monitor and extract sensitive data from the log files. The vulnerability demonstrates a classic weakness in Android's permission model and application sandboxing where the distinction between application-specific logs and system-wide logs becomes blurred due to insecure implementation practices.
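A build-review check for the pattern described above, as an added example that is not code from the advisory or the vendor: it lists components in a decoded AndroidManifest.xml that any other app can start without holding a signature-level permission. The manifest, package name and component names are constructed for illustration, and the manifest is assumed to be already decoded to plain XML.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
# Providers are left out: their export default follows different rules.
KINDS = ("activity", "activity-alias", "service", "receiver")

# Constructed manifest for a hypothetical factory-test app, not a real one.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.factorytest">
  <permission android:name="com.example.factorytest.RUN"
      android:protectionLevel="signature"/>
  <application>
    <activity android:name=".LogDumpActivity" android:exported="true"/>
    <activity android:name=".Launcher">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".Guarded" android:exported="true"
        android:permission="com.example.factorytest.RUN"/>
    <service android:name=".Internal" android:exported="false"/>
  </application>
</manifest>"""


def unguarded_components(manifest_xml):
    """Return (kind, name, reason) for components any other app may start."""
    root = ET.fromstring(manifest_xml)
    # Permissions this manifest declares at signature level.
    strong = {p.get(A + "name") for p in root.findall("permission")
              if "signature" in (p.get(A + "protectionLevel") or "").lower()}
    app = root.find("application")
    findings = []
    for comp in app:
        if comp.tag not in KINDS:
            continue
        exported = comp.get(A + "exported")
        if exported == "true":
            reason = "exported=true"
        elif exported is None and comp.find("intent-filter") is not None:
            # Before Android 12, an intent filter made the component exported.
            reason = "implicit export via intent-filter"
        else:
            continue
        perm = comp.get(A + "permission") or app.get(A + "permission")
        if perm in strong:
            continue  # only same-signature callers can reach it
        findings.append((comp.tag, comp.get(A + "name"), reason))
    return findings
```

Findings need manual review: a launcher activity is exported by design, and a permission defined outside the manifest (for example by the platform) is reported here because its protection level is not visible in this file.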
The operational impact of this vulnerability extends beyond simple information disclosure to encompass comprehensive privacy violations and potential data breaches. Text message contents, recipient and sender phone numbers, call logs, and potentially other sensitive data elements are all at risk due to the logging practices of default messaging applications. The com.android.mms application specifically writes detailed message contents and communication metadata to the system log, creating a treasure trove of personal information accessible through the vulnerable logging mechanism. This vulnerability can be exploited by any local application that gains the READ_EXTERNAL_STORAGE permission, making it particularly dangerous as it requires minimal privileges to execute and can operate continuously in the background. The threat is exacerbated by the fact that the log files are written to persistent external storage, making the data accessible even after device reboots.
This vulnerability aligns with CWE-200 (Information Exposure) and CWE-532 (Information Exposure Through Log Files) categories, representing a fundamental failure in secure logging practices and proper data sanitization. From an ATT&CK perspective, this vulnerability maps to T1070.004 (Indicator Removal on Host: File Deletion) and T1005 (Data from Local System) as attackers can access and potentially manipulate log data to extract sensitive information. The exploitation pathway demonstrates a privilege escalation through improper application design rather than direct system compromise, making it particularly concerning for mobile device security. Mitigation strategies should focus on proper log sanitization practices, implementation of proper access controls for system logging mechanisms, and ensuring that pre-installed applications do not expose functionality that could be leveraged for information disclosure attacks. The vulnerability highlights the importance of secure coding practices and proper input validation in mobile application development, particularly for system-level applications that handle sensitive user data.
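To verify the log-sanitization mitigation on a test device, one approach is a canary check, shown here as an added example that is not part of the original analysis: exchange a message with a known marker string and test number, capture the log in `logcat -v threadtime` format, and report every record that still contains either value. The log lines, tags, PIDs and phone number below are constructed.

```python
import re

# `logcat -v threadtime` layout: date time PID TID level tag: message
LINE = re.compile(
    r"^(\d\d-\d\d) (\d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+) ([VDIWEF]) (.*?)\s*: (.*)$")

# Constructed capture; tags, PIDs and numbers are made up for the example.
SAMPLE_LOG = """\
03-19 10:15:01.120  2211  2240 D MmsSender: send to=+1 (555) 010-0199 body=canary-7f3a91 lunch?
03-19 10:15:01.300  2211  2240 I MmsSender: message queued id=42
03-19 10:15:02.010  1534  1602 D Telephony: incoming call from 5550100199
03-19 10:15:02.500  3120  3120 I ActivityManager: Displayed com.example.app/.Main
--------- beginning of system
"""


def digits(text):
    """Strip everything but digits so formatting does not hide a number."""
    return re.sub(r"\D", "", text)


def find_leaks(log_text, canary_body, canary_number):
    """Return (tag, pid, what) for each log record exposing a seeded value."""
    want = digits(canary_number)[-10:]  # compare on the last ten digits
    leaks = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # buffer dividers and other non-record lines
        pid, tag, msg = int(m.group(3)), m.group(6), m.group(7)
        if canary_body in msg:
            leaks.append((tag, pid, "message body"))
        # Digits are joined across the whole record, so use a number that
        # is unlikely to appear by accident.
        if want and want in digits(msg):
            leaks.append((tag, pid, "phone number"))
    return leaks
```

An empty result for a capture taken after the test message was sent and received is the pass condition; each tuple otherwise names the tag and process whose logging still needs redaction.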