In this blog post, we are going to talk about CVE-2018-9375, a security vulnerability identified in multiple functions of UserDictionaryProvider.java on Android devices. Because of a confused deputy, this vulnerability allows an attacker to add or delete words in the user dictionary, leading to a local escalation of privilege. The best part? No additional execution privileges are needed and user interaction is not necessary for exploitation!

Exploit details, original references, and code snippets are provided throughout this post, as well as steps to mitigate this vulnerability. So, buckle up, this is going to be an interesting ride!

CVE-2018-9375 Details

Before we dive into the details, let's first understand what a "confused deputy" is. A confused deputy is a term used in computer security to describe a situation where a legitimate program (in this case, UserDictionaryProvider) inadvertently misuses its authority, allowing unintended actions to be performed. This is exactly what's happening in our vulnerability CVE-2018-9375.

The vulnerability resides in several methods of the UserDictionaryProvider class, which is part of the Android Open Source Project (AOSP). AOSP is the open-source project from which Android is built.

Here is a code snippet showcasing the issue in the UserDictionaryProvider.java file:

public class UserDictionaryProvider extends ContentProvider {
    // ...
    @Override
    public int delete(Uri url, String where, String[] whereArgs) {
        // ...
        count = db.delete(TABLE_USERDICT, where, whereArgs);
        // ...
    }

    @Override
    public Uri insert(Uri url, ContentValues initialValues) {
        // ...
        rowID = db.insert(TABLE_USERDICT, UserDictionary.Words.WORD, initialValues);
        // ...
    }
    // ...
}

As you can see above, the delete and insert methods provide easy access to manipulate the user dictionary. Furthermore, no permission checks or proper validation are being performed, which allows an attacker to exploit this confused deputy and sneak in unauthorized actions.

For an attacker to exploit this vulnerability, all they need is physical access or an installed malicious app on the target device.
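
One way to close the gap described above is to check the Binder caller at every write entry point. This is an added example, not the AOSP patch or code from the original post: the class name GuardedDictionaryProvider, the helper callerMayAccess() and the hooks insertChecked()/deleteChecked() are hypothetical, and it assumes that only the provider's own process, the system UID and currently enabled input methods are legitimate callers.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;
import android.view.inputmethod.InputMethodInfo;
import android.view.inputmethod.InputMethodManager;

// Hypothetical base class (not AOSP code): write entry points are final and
// verify the caller before any database work is delegated to the subclass.
public abstract class GuardedDictionaryProvider extends ContentProvider {

    // Subclasses perform the real table modifications in these hooks.
    protected abstract Uri insertChecked(Uri uri, ContentValues values);
    protected abstract int deleteChecked(Uri uri, String where, String[] whereArgs);

    /** True if the caller is this process, the system, or an enabled input method. */
    protected boolean callerMayAccess() {
        int uid = Binder.getCallingUid();
        if (uid == Process.myUid() || uid == Process.SYSTEM_UID) {
            return true;
        }
        InputMethodManager imm = (InputMethodManager)
                getContext().getSystemService(Context.INPUT_METHOD_SERVICE);
        if (imm == null) {
            return false; // fail closed when the allow-list cannot be built
        }
        // Assumed policy: a UID that owns an enabled IME may edit the dictionary.
        for (InputMethodInfo imi : imm.getEnabledInputMethodList()) {
            if (imi.getServiceInfo().applicationInfo.uid == uid) {
                return true;
            }
        }
        return false;
    }

    @Override
    public final Uri insert(Uri uri, ContentValues values) {
        // A denied caller gets no row URI and nothing is written.
        return callerMayAccess() ? insertChecked(uri, values) : null;
    }

    @Override
    public final int delete(Uri uri, String where, String[] whereArgs) {
        // A denied caller sees zero affected rows and the table is untouched.
        return callerMayAccess() ? deleteChecked(uri, where, whereArgs) : 0;
    }
}
```

The remaining entry points the subclass implements, such as update(), need the same check before they touch the table.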

Original References

This vulnerability has been well-documented and acknowledged by the Android Security Team. Below are the references to original research and patch releases:

- Android Security Bulletin: https://source.android.com/security/bulletin/2018-06-01
- AOSP Source Code: https://android.googlesource.com/platform/frameworks/base/+/android-9.._r6/providers/UserDictionaryProvider/src/com/android/providers/userdictionary/UserDictionaryProvider.java
- AOSP Patch: https://android.googlesource.com/platform/frameworks/base/+/342263d308bda62e92f9546a286d2aff2429011f

Exploiting CVE-2018-9375

As mentioned earlier, exploiting this vulnerability requires no user interaction. An attacker with physical access or a malicious app installed can call the vulnerable methods, e.g., delete() or insert().

In the case of a malicious app, the attacker would simply need to include code in their app that, when executed, calls the vulnerable methods and manipulates the user dictionary.

While the vulnerability is not considered highly critical as it doesn't allow remote code execution, it can still pose a significant risk as attackers can manipulate the user dictionary, causing unexpected behavior or screen lockout.

Mitigation and Conclusion

Google has already released a patch for this vulnerability, and the best way to protect yourself is to keep your devices updated with the latest security updates provided by your device manufacturer.

To conclude, CVE-2018-9375 is a local escalation of privilege vulnerability that allows attackers to manipulate the user dictionary. The most effective protection is ensuring your device is up-to-date with the latest security patches. Stay safe out there, and keep your devices updated!

Timeline

Published on: 01/17/2025 23:15:11 UTC
Last modified on: 03/13/2025 15:15:36 UTC