Successful exploitation of this vulnerability requires no preconditions.
With this vulnerability, any application can obtain the following information:
- Hardware data, including: system version, system build information, memory and CPU information, battery information, IMEI, baseband version, and device serial number
- Current status data, including: basic information on the current process, trace output of all processes, partition mount information, routing table and ARP cache, operator, current system service status, system-maintained Content Provider and Broadcast data structures and permission-management information, and software running time
- Log data, including: system logs, system event logs, kernel event logs, and kernel messages
- Software data, including: the package name, version, signing certificate, permissions, installation time, and last-use time of each installed application
- User-sensitive data, including: connected Wi-Fi networks (MAC address, SSID, type, IP address, DNS, gateway, and DHCP), the SSID/BSSID and type of nearby Wi-Fi networks, the history of Broadcasts processed (from which user-behaviour statistics can be derived), current geographic location, geographic location history, the user name of the current user account, the user names and sync times of data-synchronization accounts, and software usage statistics
The current MIUI system has two problems:
1. The /system/bin/bugreport program, which collects and outputs all kinds of system information, can be executed with ordinary shell permission.
2. The factory hardware-test application /system/app/Cit.apk is installed. Its com.miui.cit.CitBroadcastReceiver component has a permission re-delegation vulnerability: any application can trigger the receiver with specific parameters, which makes Cit call bugreport automatically and save the result to the /sdcard/MIUI/debug_log/ directory on the SD card. As noted above, SD card files can be read and written by any application.
Either of these two problems is enough to exploit the vulnerability: any application can parse the bugreport output to obtain the information listed above.
Proof of vulnerability: three methods of exploits:
1. From an adb shell, with no special permission, run bugreport > /sdcard/dump.txt directly.
2. From an application, run bugreport through Runtime.getRuntime().exec() in the source code. There are two ways to obtain the output: the redirection shown above, or calling the getOutputStream() method on the returned Process object.
3. A permission re-delegation attack on CitBroadcastReceiver. The code snippet is as follows:
Intent intent = new Intent();
intent.setAction("android.provider.Telephony.SECRET_CODE");
intent.setData(Uri.parse("android_secret_code://284"));
sendBroadcast(intent);
Wait about 10 seconds, then read the file named bugreport-<date>-<time>.log from the /sdcard/MIUI/debug_log/ directory on the SD card.
Some of the data that can be read:
- IMEI
- Installed software information
- Signatures of installed software
- User account
- Current and nearby Wi-Fi network information
- Geographic location and location history
Repair suggestions:
1. Change the execution permission of bugreport so that only root can run it.
2. Remove the Cit.apk application, or add a static or dynamic custom permission check for calls to its CitBroadcastReceiver receiver.
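An audit script for the two conditions described above, added here as an example and not part of the original advisory. It assumes adb is available, that the device's ls -l prints the mode as the first field, and uses the paths and package name given in the advisory; the two helpers are plain text parsers and run offline.

```shell
#!/bin/sh
# Device audit (added example): is /system/bin/bugreport runnable by the
# shell user, is com.miui.cit (Cit.apk) installed, and has anything already
# been dumped into /sdcard/MIUI/debug_log/. audit_device needs adb and a
# connected device; world_executable and count_bugreport_logs parse text only.

# Returns 0 when an `ls -l` line shows the "other" execute bit set, i.e. the
# unprivileged shell user can run the file; 1 otherwise.
# Example line: "-rwxr-xr-x root shell 65432 2013-01-01 00:00 bugreport"
world_executable() {
    mode=${1%% *}                      # first field: type + 9 permission characters
    case "$mode" in
        ?????????[xt]*) return 0 ;;    # 10th character is other-execute
        *)              return 1 ;;
    esac
}

# Counts files named bugreport-<date>-<time>.log in a directory listing read
# from stdin (one name per line). Prints the count and always exits 0.
count_bugreport_logs() {
    grep -c '^bugreport-.*\.log$' || true
}

audit_device() {
    line=$(adb shell ls -l /system/bin/bugreport 2>/dev/null | tr -d '\r')
    if world_executable "$line"; then
        echo "FAIL  bugreport is executable by the shell user: $line"
    else
        echo "OK    bugreport is not executable by the shell user"
    fi
    if adb shell pm list packages 2>/dev/null | tr -d '\r' | grep -q '^package:com\.miui\.cit$'; then
        echo "WARN  factory test app com.miui.cit (Cit.apk) is installed"
    else
        echo "OK    com.miui.cit is not installed"
    fi
    n=$(adb shell ls /sdcard/MIUI/debug_log/ 2>/dev/null | tr -d '\r' | count_bugreport_logs)
    echo "INFO  $n bugreport log file(s) found in /sdcard/MIUI/debug_log/"
}

# Run the audit only when adb is present, so the helpers can also be sourced on their own.
if command -v adb >/dev/null 2>&1; then
    audit_device
fi
```

A FAIL on the first check corresponds to problem 1 above, and a WARN on the second to problem 2; log files already present in debug_log indicate the receiver has been triggered at least once.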
Author: Claud