CVE-2019-15347 in Camon iClick 2info

Summary

by MITRE

The Tecno Camon iClick 2 Android device with a build fingerprint of TECNO/H622/TECNO-ID6:8.1.0/O11019/F-180824V116:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands via shell script to be executed as the system user that are triggered by writing an attacker-selected message to the logcat log. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user's text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user's text messages, and more.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/14/2024

The vulnerability identified as CVE-2019-15347 represents a critical privilege escalation flaw in the Tecno Camon iClick 2 Android device running Android 8.1.0. This security weakness stems from a pre-installed platform application named com.lovelyfont.defcontainer which contains an exported service called com.lovelyfont.manager.FontCoverService. The service operates as a security gateway that allows any application co-located on the device to execute arbitrary shell commands with system-level privileges through a logcat-based trigger mechanism. The vulnerability manifests through a fundamental design flaw where the service accepts attacker-selected messages written to logcat logs, which then execute as the system user. This represents a classic example of improper privilege management and insecure service exposure that aligns with CWE-276, which addresses incorrect permissions for critical resources.

The operational impact of this vulnerability extends far beyond simple command execution, creating a comprehensive attack surface that enables sophisticated malicious activities. Attackers can leverage the system user privileges to perform screen recording, factory reset operations, notification interception, logcat log reading, GUI event injection, and SMS message access. The ability to change the default Input Method Editor (IME) presents a particularly dangerous vector for persistent keylogging attacks, where the attacker's keyboard implementation can capture all user input. Additionally, the vulnerability allows for complete device control through factory reset capabilities and persistent access to user notifications, which can contain sensitive information. This flaw directly maps to several ATT&CK techniques including privilege escalation through service manipulation, credential access via notification interception, and persistence through IME modification, making it a highly dangerous vulnerability in the context of mobile security.

The root cause of this vulnerability lies in the improper implementation of Android service exposure and privilege management within the pre-installed application framework. The exported service lacks proper authentication mechanisms, access controls, or input validation, allowing any application on the device to trigger command execution. This represents a failure in the Android security model where applications should not be able to execute commands as system users without proper authorization. The fact that this application cannot be disabled by users further compounds the risk, as it creates a persistent attack vector that cannot be eliminated through normal device management procedures. The vulnerability demonstrates a clear violation of the principle of least privilege, where the service operates with excessive permissions that should be restricted to system-level components only. The attack requires zero permissions from the malicious application, making it particularly dangerous as it bypasses standard Android permission models and security boundaries. This flaw requires immediate remediation through system-level updates or patching of the vulnerable application, as user-level interventions cannot resolve the underlying security issue. The vulnerability highlights the importance of proper Android application sandboxing and service security implementation, particularly for pre-installed system applications that have elevated privileges.

Reservation

08/22/2019

Moderation

accepted

CPE

ready

EPSS

0.00387

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!