The Microsoft 365 Defender Research Team has discovered four vulnerabilities, tracked as CVE-2021-42598, CVE-2021-42599 (a command injection vulnerability), CVE-2021-42600, and CVE-2021-42601 (a privilege escalation vulnerability), in a mobile framework owned by mce Systems that is used by several mobile carriers in pre-installed Android System apps.
The flaws were discovered in September 2021 and reported to mce Systems and the affected mobile service providers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).
Threat actors could have abused these pre-installed apps to access system configuration and sensitive information. Some of the affected apps cannot be fully uninstalled or disabled without root access to the device.
Researchers discovered that the framework had a “BROWSABLE” service activity that can be remotely invoked to exploit several vulnerabilities. Threat actors could exploit these issues to implant a persistent backdoor or take substantial control over the device.
The framework was designed to implement self-diagnostic mechanisms, and for this reason it runs with permissions to valuable resources. Microsoft experts highlight that affiliated apps also included extensive device privileges that could be exploited via the vulnerable framework.
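An added example, not code from Microsoft's report or the mce framework: a defender's audit of a decoded AndroidManifest.xml that lists activities carrying a BROWSABLE intent filter alongside the high-value permissions the app declares. The sample manifest, the package and class names, and the SENSITIVE permission set are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BROWSABLE = "android.intent.category.BROWSABLE"
# Assumption: an illustrative set of high-value permissions, not a list from the report.
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample manifest in decoded (text) form; all names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.diag">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application>
    <activity android:name=".WebDiagActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="diag" android:host="open"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return BROWSABLE activities and the sensitive permissions the app declares."""
    root = ET.fromstring(xml_text.strip())
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = []
    for act in root.iter("activity"):
        # A missing 'exported' attribute is treated as exported, which is the
        # pre-Android 12 default for components that declare an intent filter.
        if act.get(ANDROID + "exported") == "false":
            continue
        for flt in act.iter("intent-filter"):
            cats = {c.get(ANDROID + "name") for c in flt.iter("category")}
            if BROWSABLE in cats:
                schemes = sorted({d.get(ANDROID + "scheme") for d in flt.iter("data")
                                  if d.get(ANDROID + "scheme")})
                findings.append({"activity": act.get(ANDROID + "name"), "schemes": schemes})
    return {"package": root.get("package"), "browsable": findings,
            "sensitive_permissions": sorted(perms & SENSITIVE)}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

An app that reports both a non-empty `browsable` list and sensitive permissions is a candidate for closer review of how that activity handles its incoming link data.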
Services offered by the mce framework
The services offered by this framework, per the app manifest, give the WebView complete control over the device. The most notable services include:
- Audio: access and manipulate volume levels, as well as play a tone with a given duration and frequency
- Camera: take a silent snapshot
- Connectivity: control and obtain valuable information from NFC, Wi-Fi, and Bluetooth
- Device: includes various device controlling mechanisms like battery drainage, performing a factory reset, and obtaining information on apps, addresses, sensor data, and much more
- Discovery: set the device to discoverable
- Location: obtain the location in various modes and set the location state
- PackageManager: acquire package info and silently install a new app
- Power: obtain charging state
- Sensor: acquire sensor data such as barometer data, light data, proximity data, and whether fingerprinting is working
- Storage: obtain content such as documents, media, images, and videos
mce Systems has fixed the issues and provided a framework update to the impacted providers. The researchers are also not aware of attacks in the wild exploiting these vulnerabilities.
The detailed report can be viewed at the link.