CVE-2019-15344 in Camon iClick
Summary
by MITRE
The Tecno Camon iClick Android device with a build fingerprint of TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.8). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. In addition to the local attack surface, its accompanying app with a package name of com.ekesoo.lovelyhifonts makes network requests using HTTP and an attacker can perform a Man-in-the-Middle (MITM) attack on the connection to inject a command in a network response that will be executed as the system user by the com.lovelyfont.defcontainer app. Executing commands as the system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user's text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user's text messages, and more.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/14/2024
This vulnerability represents a critical privilege escalation flaw in the Tecno Camon iClick Android device that stems from a poorly configured system application. The affected device contains a pre-installed platform app with package name com.lovelyfont.defcontainer that exposes an exported service named FontCoverService. This service allows any application on the device to execute arbitrary commands with system-level privileges, fundamentally undermining the Android security model. The vulnerability is particularly concerning because the app cannot be disabled by users, making it an persistent threat that persists across device reboots and user sessions. The service operates without requiring any special permissions, enabling even basic applications to exploit this flaw and gain elevated access to the device's core functionalities.
The technical implementation of this vulnerability aligns with CWE-787, which describes out-of-bounds write vulnerabilities, though in this case the flaw manifests as an improper access control mechanism. The exported service creates an attack surface that allows command execution with system user privileges, enabling attackers to perform operations that should be restricted to system-level components only. This flaw operates at the system level and leverages the Android application sandbox bypass mechanism, where a malicious application can execute commands through the legitimate system service. The attack vector is particularly dangerous because it requires no user interaction or permission grants, making it a zero-click exploit that can be executed by any application present on the device. The service essentially acts as a backdoor that provides unauthorized access to system resources and capabilities.
The operational impact of this vulnerability is extensive and encompasses multiple attack surfaces that align with several ATT&CK techniques including T1059 for command and scripting interpreter, T1070 for indicator removal, T1083 for file and directory discovery, T1113 for screen capture, T1114 for email access, T1133 for external remote services, and T1217 for browser bookmarks. An attacker who successfully exploits this vulnerability can perform comprehensive surveillance operations including screen recording, accessing user notifications, reading system logs, injecting GUI events, and intercepting text messages. The ability to change the default input method editor presents a particularly dangerous vector for keylogging attacks, as it allows persistent monitoring of user keystrokes across all applications. Additionally, the attacker can perform factory resets, effectively destroying user data and device functionality, while maintaining persistence through the system-level privileges.
Mitigation strategies for this vulnerability must address both the immediate exploitation and the underlying architectural flaw. Device manufacturers should implement proper service access controls to prevent unauthorized applications from accessing system services through exported components. The Android security model requires that services with system-level privileges must be properly protected through permission checks and proper intent filtering. Users should be advised to avoid installing applications from untrusted sources, particularly those that might attempt to exploit this vulnerability. Network administrators should implement proper SSL/TLS certificate validation and monitor for suspicious network traffic patterns that might indicate MITM attacks. The vulnerability also highlights the importance of proper app vetting processes, as the pre-installed nature of the affected application means that users have no control over its removal or modification. Regular security audits of pre-installed applications should be conducted to identify similar privilege escalation flaws. The remediation process requires updating the affected application to properly configure the exported service with appropriate permission checks, ensuring that only authorized system components can access the service, and implementing proper network security controls to prevent MITM attacks on the associated network communications.