CVE-2019-15341 in Camon iAir 2 Plusinfo

Summary

by MITRE

The Tecno Camon iAir 2 Plus Android device with a build fingerprint of TECNO/H622/TECNO-ID3k:8.1.0/O11019/E-180914V83:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). This app contains an exported service named com.lovelyfont.manager.service.FunctionService that allows any app co-located on the device to supply the file path to a Dalvik Executable (DEX) file which it will dynamically load within its own process and execute in with its own system privileges. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user's text messages, and more. Executing code as the system user can allow a third-party app to factory reset the device, obtain the user's Wi-Fi passwords, obtain the user's notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user's text messages, and more.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 02/14/2024

This vulnerability exists in the Tecno Camon iAir 2 Plus Android device where a pre-installed platform application named com.lovelyfont.defcontainer contains an exported service that enables arbitrary code execution with system-level privileges. The specific service com.lovelyfont.manager.service.FunctionService accepts file paths to Dalvik Executable files and dynamically loads them within its own process, executing with the system user's privileges. This represents a critical privilege escalation vulnerability that bypasses normal Android security controls and allows malicious applications to operate with elevated permissions. The vulnerability is particularly concerning because the application cannot be disabled by users and requires no special permissions for exploitation, making it accessible to any app installed on the device.

The technical flaw stems from improper Android security configuration where a system-level service is exported without adequate permission checks or authentication mechanisms. This service allows any application to specify a DEX file path for execution, effectively creating a remote code execution vector that operates at the system level. The vulnerability is classified as a privilege escalation issue under CWE-269, specifically involving inadequate privileges for system-level services. The attack can be performed by zero-permission applications, which means that even malicious apps with minimal permissions can exploit this weakness to gain system-level control.

The operational impact of this vulnerability is extensive and encompasses multiple attack vectors that can compromise user privacy and device integrity. Third-party applications can leverage this vulnerability to perform screen recording, factory reset operations, access notifications, read system logs, inject GUI events, and extract text messages. Additionally, the system-level execution capability allows attackers to obtain Wi-Fi passwords, modify the default input method editor to include keylogging functionality, and execute various malicious operations that would normally require system-level permissions. These capabilities align with multiple ATT&CK techniques including privilege escalation, credential access, and collection phases, making this vulnerability particularly dangerous for user data protection and device security.

Mitigation strategies for this vulnerability should focus on immediate device updates and system-level security hardening. Users should ensure their devices receive the latest security patches from the manufacturer, though in this case the vulnerability exists in a pre-installed application that may not be easily updateable. System administrators and security professionals should implement network-level monitoring to detect suspicious DEX file loading activities and consider device lockdown policies that prevent installation of untrusted applications. The vulnerability highlights the importance of proper Android application security practices and the need for manufacturers to properly configure exported services with appropriate permission controls. Organizations should also implement mobile device management solutions to monitor and control applications installed on devices, particularly focusing on pre-installed applications that may contain security flaws.

Reservation

08/22/2019

Moderation

accepted

CPE

ready

EPSS

0.00332

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!