[Unpatched Vulnerability] CVE-2019-11015: Lock Screen Auth Bypass leading to Sensitive Information Disclosure and an Improper Access Control issue in Xiaomi MIUI OS (latest stable releases affected) - Andmp | A blog about infosec, bug hunting and more!


Wednesday, 10 April 2019


So, as promised on Twitter, the wait ends, new security vulnerability full disclosure in Xiaomi!


MiSRC team accepted and confirmed this bug for their bug bounty program. I submitted it some time back. But, this hasn't been fixed yet. Also, I have no idea of when they're going to patch it, no ETA was provided as usual. So, what about a FULL DISCLOSURE, like I did before, sounds all good right? Alright, IIRC they don't bring fixes in time, so here I'm spilling the beans about it, before they silently patch it after (n+3) months of reporting the issue.

Disclaimer: I will make a lot of assumptions ahead. Some may not be correct or feasible in your opinion; use your discretion and change my mind. I would love to know your opinions on it!

Some Assumptions

  • Attacker has physical access to your device.
  • Victim needs to be an INDIAN
  • This issue only affects people who have their Region in Additional Settings set to India (although I haven't checked other regions for this issue; maybe more are affected, try it out yourself?)
  • So, are assumptions a bar? Judge for yourself.

Versions affected

Strikingly, yet again those in Indian region are affected by this bug. 

Latest stable release 10.1.3.0 (personally tested on), as well as 10.2.3.0 (as per an external source)
Thanks to a friend, Ritam, for helping me confirm this issue on the latest stable release of Pocophone OS as well.

For testing purposes, the Region can be changed in Additional Settings.




Cause

The Wallpaper Carousel feature, which can be turned on by the attacker himself from the Lockscreen itself, up to version 10.*.3.0 (latest stable release), despite Lockscreen-based password/PIN/pattern protection.

This feature is the root cause of this sensitive information disclosure. 

The issue actually lies in Glance, a content provider in the Wallpaper Carousel application, I believe.


What's interesting? Plus, the Proof-of-Concept

There seem to be 2 issues.

1. Missing access control check while enabling Wallpaper Carousel via Lockscreen: Though this might not actually be a problem, just more of what I feel - Wallpaper Carousel, which appears on the lockscreen, can be disabled on your device; there is an option to do that in the Settings. But how effective is that? Enabling it isn't password protected on your lockscreen! Can it be an issue, and if so, in what way?

Follow these steps:
  • Go to Settings
  • Search for Wallpaper Carousel/Lockscreen
  • Turns out you can disable or enable Wallpaper Carousel through Settings.
  • Is it really an issue? Don't know, just my opinion. Feel free to try to change my mind!
  • On version 10.1.3.0, it turns out that even after you disable Wallpaper Carousel, there's an option to enable it directly from the Lockscreen, without authentication. Interestingly, Xiaomi also makes you agree to some Terms & Conditions (of a 3rd party provider) while turning on this feature.
  • So far I said you can turn on Wallpaper Carousel from the lockscreen, but you also have to agree to some T&C to turn on this feature. You can do that without authentication, even after having disabled it through Settings. Possibly an ACCESS CONTROL issue? Because an unauthenticated user can turn on this feature by agreeing to these T&C (possibly of a 3rd party content provider) on your behalf.



2. Sensitive Information Disclosure: With the help of the Wallpaper Carousel feature, more specifically Glance, one can actually get read access as well as write access to the user's (current) Clipboard data. Apart from that, the attacker can also partially access the user's stored social media credentials by abusing the Autofill feature.

Follow these steps to reproduce this issue (PoC):

1. Swipe Lockscreen to right

2. Next, tap on Wallpaper Carousel

3. (Access Control Issue) Enable Wallpaper Carousel from Lockscreen itself

4. Swipe right after enabling Wallpaper Carousel, tap on Wallpaper Carousel again to view this screen. Tap on Read More.

5. This opens a web page something like this. Click on any social buttons that appear on those web pages.

6. From here on, you can expose user's Clipboard Data and partially, user's stored Autofill data for that particular social network.

7. Exposing Autofill data. (example)




Severity

As per the Mi Security team, it was marked low. I have to disagree here, and would call it a Medium-risk issue. I have already stated the reasons above for that.



So, what's up with the Clipboard and Autofill (privacy)?

Clipboard shouldn't be accessible to an unauthenticated user via Lockscreen. But as it turns out, in this case, we can access the clipboard and disclose what was there in it. We can EVEN modify it.

  • Attacker can read what was there in the Clipboard with this vulnerability by abusing the PASTE feature.
  • Attacker can modify your clipboard content with the COPY/CUT feature as well
  • Both of the above scenarios have an impact





Autofill

By abusing the Autofill feature on Social Login pages, an attacker can successfully expose the user's stored email addresses, phone numbers and usernames linked with that social site.




Read more about Android clipboard privacy here. In fact, on one hand Google is working more towards resolving and fixing Clipboard privacy issues in Android Q, while on the other we have MIUI OS increasing the potential attack surface. In the case of MIUI OS (Indian region/version), even an unauthorised user can bypass Lockscreen-based authentication to read and modify your Clipboard data.



Should this data be exposed to an external attacker without authorisation just in case you have enabled Lockscreen based protection/auth?
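The gating that both issues above call for, sketched as an added example (not from the original post and not Xiaomi's or Glance's code): a hypothetical Android activity that may draw a teaser over the keyguard but requires the keyguard to be dismissed before the feature is enabled or web content, where paste and Autofill become reachable, is opened. The class, method and preference names are assumptions, and API level 27+ is assumed.

```java
// Added illustration; hypothetical names, not Xiaomi's or Glance's code.
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.os.Bundle;
import android.webkit.WebView;

public class LockscreenStoryActivity extends Activity {
    private KeyguardManager keyguard;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        keyguard = (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
        setShowWhenLocked(true); // only the static teaser is drawn over the keyguard
    }

    // Runs the action immediately if unlocked; otherwise asks the system to
    // dismiss the keyguard (PIN/pattern/password prompt) and runs it on success.
    private void runWhenUnlocked(final Runnable action) {
        if (!keyguard.isKeyguardLocked()) {
            action.run();
            return;
        }
        keyguard.requestDismissKeyguard(this, new KeyguardManager.KeyguardDismissCallback() {
            @Override
            public void onDismissSucceeded() {
                action.run();
            }
            // Cancelled or failed dismissal: nothing runs, the teaser stays.
        });
    }

    // Issue 1: enabling the feature (and accepting T&C) needs the device owner.
    public void onEnableClicked() {
        runWhenUnlocked(() -> getPreferences(MODE_PRIVATE).edit()
                .putBoolean("carousel_enabled", true).apply());
    }

    // Issue 2: web content with text inputs is never shown over the keyguard.
    public void onReadMoreClicked(final String url) {
        runWhenUnlocked(() -> {
            setShowWhenLocked(false); // if the device re-locks, the page is hidden
            WebView web = new WebView(this);
            setContentView(web);
            web.loadUrl(url);
        });
    }
}
```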


Reward and Resolution?

For all this, Xiaomi offered me around 480 gold, or, around 45 bucks (in USD), for a bug that affects millions of devices in the Indian region!

They haven't yet paid for this. I won't accept this unfair reward either.

As for resolution, they haven't fixed it yet, nor given any ETA for a fix.


Not just that

There appears to be some issue with Glance of Wallpaper Carousel as well. An access control issue perhaps? That lets an unauthorised person follow different Trends/Topics for WC. Harmless?



--------------------------------------------------------------------------------------------------------------------------

Update (17th April, 2019)

Right after some media coverage about this issue, Xiaomi silently released a patch for Wallpaper Carousel via Play Store, citing the vulnerability in the changelog of the update.

Comments:

  1. On iOS you can read an entire message, email and even quickly reply. Any comment on that?

    1. With lock screen authentication turned on?

      Not that I am aware of (since I haven't tested iOS), but yeah, notification preferences seem like a security issue, which Google has addressed somewhat with a "Hide sensitive notification" feature/preference in Settings on Android.

      I don't own an iOS device so don't know, but there may be some security preferences that can be set by user (specific to an iOS application like Mail app) as in android.

      If not, this may be an access control issue. Also, I won't comment about anything without actually knowing it properly.
