Issue metadata
Services declared without permissions
Reported by smitt8...@gmail.com, Feb 22 2017
Issue description

Hello Chromium security team, I found a vulnerability in the Google Chrome browser.

Platform: Android
Chrome browser version: 55.0.2883.91
Android version: 4.1+ and x86

Description of the vulnerability:
A service is an application component that can take care of actions to be done in the background, without user interaction. A service can also be used to expose functionalities to other applications. This corresponds to calls to Context.bindService() to establish a connection to the service and interact with it. Unprotected services can be invoked by other applications and potentially access sensitive information or perform privileged actions.

Technical details:
Service definitions in AndroidManifest.xml:

<service android:exported="true" android:name="org.chromium.chrome.browser.prerender.ChromePrerenderService">
</service>
<service android:exported="true" android:name="org.chromium.chrome.browser.customtabs.CustomTabsConnectionService">
    <intent-filter>
        <action android:name="android.support.customtabs.action.CustomTabsService">
        </action>
    </intent-filter>
</service>

Recommendation for patching this vulnerability:
A service can expose several methods to external components. It is possible to define arbitrary permissions for each method using the method checkPermission. It is also possible to separate services and restrict access by enforcing permissions in the manifest's <service> tag. The service can enforce permissions on individual IPC calls by calling the method checkCallingPermission before executing the implementation of that call.

Reference: http://cwe.mitre.org/data/definitions/280.html
Reference: https://developer.android.com/reference/android/app/Service.html
Feb 22 2017
To patch this vulnerability use:

<permission android:name="org.chromium.chrome.browser.prerender.ChromePrerenderService.custom_permission" android:label="custom_permission" android:protectionLevel="dangerous"></permission>
<service android:name="org.chromium.chrome.browser.prerender.ChromePrerenderService.custom_service" android:permission="org.chromium.chrome.browser.prerender.ChromePrerenderService.custom_permission">
    <intent-filter>
        <action android:name="org.chromium.chrome.browser.prerender.ChromePrerenderService.ACTION" />
    </intent-filter>
</service>
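As an added illustration of the two layers the report recommends (a manifest-level permission on the <service> tag plus a per-call checkCallingPermission in the service itself), here is example code that is not Chromium's own and not part of this report; the package, service name, permission name and transaction code are assumptions:

```java
package example.app; // hypothetical package, not part of Chromium

import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

// Hypothetical service. The manifest entry it pairs with (assumed values):
//   <permission android:name="example.app.permission.BIND_GUARDED"
//               android:protectionLevel="signature" />
//   <service android:name=".GuardedService"
//            android:exported="true"
//            android:permission="example.app.permission.BIND_GUARDED" />
// With android:permission set, the system refuses bindService() from any
// caller that has not been granted the permission before onBind() runs.
public class GuardedService extends Service {
    static final String REQUIRED_PERMISSION = "example.app.permission.BIND_GUARDED";
    static final int TRANSACTION_DO_WORK = IBinder.FIRST_CALL_TRANSACTION; // assumed code

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // Second layer: re-check the caller on every IPC call, so a wrong or
            // missing manifest attribute does not silently expose the method.
            // checkCallingPermission() resolves to the enclosing Service (a Context)
            // and only succeeds while an incoming Binder call is being processed.
            if (checkCallingPermission(REQUIRED_PERMISSION)
                    != PackageManager.PERMISSION_GRANTED) {
                throw new SecurityException("caller lacks " + REQUIRED_PERMISSION);
            }
            if (code == TRANSACTION_DO_WORK) {
                reply.writeString("ok"); // privileged work would go here
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```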
Mar 1 2017
I'm sorry but it is still not clear what the security vulnerability here is. Can you please create a proof of concept (PoC) to illustrate your point? That would help us evaluate this better. Thanks.
Mar 1 2017
Thank you for providing more feedback. Adding requester "kerrnel@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 1 2017
Mar 8 2017
We haven't received any actionable information in this bug; thus far, it simply consists of text copied from the Android documentation. That documentation concerns how a service may manifest itself to declare custom permissions which must be in turn declared by any callers. If you can share specific information about the vulnerability you believe you have found, please reactivate this issue.
Mar 8 2017
Jun 15 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kerrnel@chromium.org, Feb 22 2017