CVE-2023-38294

Certain software builds for the Itel Vision 3 Turbo Android device contain a vulnerable pre-installed app with a package name of com.transsion.autotest.factory (versionCode=7, versionName=1.8.0(220310_1027)) that allows local third-party apps to execute arbitrary shell commands in its context (system user) due to inadequate access control. No permissions or special privileges are necessary to exploit the vulnerability in the com.transsion.autotest.factory app. No user interaction is required beyond installing and running a third-party app. The vulnerability allows local apps to access sensitive functionality that is generally restricted to pre-installed apps, such as programmatically performing the following actions: granting arbitrary permissions (which can be used to obtain sensitive user data), installing arbitrary apps, video recording the screen, wiping the device (removing the users apps and data), injecting arbitrary input events, calling emergency phone numbers, disabling apps, accessing notifications, and much more. The confirmed vulnerable software build fingerprints for the Itel Vision 3 Turbo device are as follows: Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V92-20230105:user/release-keys, Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V86-20221118:user/release-keys, Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V78-20221101:user/release-keys, Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V64-20220803:user/release-keys, Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V61-20220721:user/release-keys, Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V58-20220712:user/release-keys, and Itel/F6321/itel-S661LP:11/RP1A.201005.001/GL-V051-20220613:user/release-keys. This malicious app sends a broadcast Intent to the receiver component named com.transsion.autotest.factory/.broadcast.CommandReceiver with the path to a shell script that it creates in its scoped storage directory. Then the com.transsion.autotest.factory app will execute the shell script with system privileges.

Weakness

During installation, installed file permissions are set to allow anyone to modify those files.

Potential Mitigations

• Compartmentalize the system to have “safe” areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
• Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/1.html
• https://cwe.mitre.org/data/definitions/127.html
• https://cwe.mitre.org/data/definitions/81.html

References

• https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Ryan%20Johnson%20Mohamed%20Elsabagh%20Angelos%20Stavrou%20-%20Still%20Vulnerable%20Out%20of%20the%20Box%20Revisiting%20the%20Security%20of%20Prepaid%20Android%20Carrier%20Devices.pdf
• https://security.tecno.com/SRC/blogdetail/99?lang=en_US
• https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Ryan%20Johnson%20Mohamed%20Elsabagh%20Angelos%20Stavrou%20-%20Still%20Vulnerable%20Out%20of%20the%20Box%20Revisiting%20the%20Security%20of%20Prepaid%20Android%20Carrier%20Devices.pdf
• https://security.tecno.com/SRC/blogdetail/99?lang=en_US