Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.2
CVSSv2

CVE-2014-8609

Published: 15/12/2014 Updated: 16/12/2014
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
VMScore: 642
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Subscribe to Google

Vulnerability Summary

The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android prior to 5.0.0 does not properly create a PendingIntent, which allows malicious users to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824.

Vulnerable Product Search on Vulmon Subscribe to Product

google android 4.4

google android 4.4.1

google android 4.4.2

google android 4.4.3

google android 4.0

google android 4.0.2

google android 4.2.2

google android 4.3.1

google android

google android 4.0.4

google android 4.1

google android 4.1.2

google android 4.2

google android 4.0.1

google android 4.0.3

google android 4.2.1

google android 4.3

Exploits

Exploit DB: Android Settings Pendingintent Leak
In Android versions prior to 50 and possibly greater than and equal to 40, Settings application leaks Pendingintent with a blank base intent (neither the component nor the action is explicitly set) to third party applications Due to this, a malicious app can use this to broadcast intent with the same permissions and identity of the Settings appl ...

Github Repositories

https://github.com/ratiros01/CVE-2014-8609-exploit

CVE-2014-8609-exploit During the study of pending intent exploitation, I created my PoC application of CVE-2014-8609 Reference: seclistsorg/fulldisclosure/2014/Nov/81 githubcom/locisvv/Vulnerable-CVE-2014-8609

https://github.com/retme7/broadAnyWhere_poc_by_retme_bug_17356824

a poc of Android bug 17356824

broadAnyWhere_poc_by_retme_bug_17356824 PoC source code of Android Bug: 17356824 diff of bug:androidgooglesourcecom/platform/packages/apps/Settings/+/37b58a4%5E%21/#F0 You can send broadcast to almost ANY reciever you want,even if it's a protect-broadcast or the reciever is a unexported/permission-limited one All the devices prior to Android 50 are affected

https://github.com/MazX0p/CVE-2014-8609-POC

pendingintent vulnerability

CVE-2014-8609-POC -pendingintent vulnerability شرح لكيفية عمل الثغره مع طريقة الاستغلال, وهي من الثغرات الاكثر شيوعا في تطبيقات الاندرويد، ويمكنك من خلالها الوصول لثغرات اكثر بطريقه احترافيه POC POCmp4

https://github.com/VERFLY/SecurityScanner

SecurityScanner 概述 本软件为一款手机安全漏洞与安全风险检测软件,目前可检测CVE-2014-7911、CVE-2014-8609、CVE-2015-1474等安全漏洞,以及Android四大组件导出带来的安全风险。 特别提示:本软件目前为beta版本,后续将不断完善。

References

CWE-264https://android.googlesource.com/platform/packages/apps/Settings/+/f5d3e74ecc2b973941d8adbe40c6b23094b5abb7http://packetstormsecurity.com/files/129281/Android-Settings-Pendingintent-Leak.htmlhttp://seclists.org/fulldisclosure/2014/Nov/81http://xteam.baidu.com/?p=158https://nvd.nist.govhttps://github.com/ratiros01/CVE-2014-8609-exploithttps://github.com/retme7/broadAnyWhere_poc_by_retme_bug_17356824https://packetstormsecurity.com/files/129281/Android-Settings-Pendingintent-Leak.html
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-32744privilege escalationCVE-2024-30253CVE-2024-3914cross-site scriptingCVE-2024-31497CVE-2024-3400CVE-2024-32341hardcoded
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook