Disclosing wifi password via content provider injection in Xiaomi

Summary:

Saved Wi-Fi passwords on Android are stored in the /data/misc/wifi directory, which can only be accessed with root access. In general, you cannot list or access the /data directory unless you have root access or the files are world-readable or world-writable.

Device used:

(Xiaomi Redmi Note 7 Pro, Android 9)

➜ appreview adb shell getprop | grep -E "ro.miui.region|ro.build.fingerprint"
[ro.build.fingerprint]: [xiaomi/violet/violet:9/PKQ1.181203.001/V10.3.13.0.PFHINXM:user/release-keys]
[ro.miui.region]: [IN]

PoC steps:

Connect the device and run the drozer command below; it dumps the Wi-Fi passwords, along with other details, in cleartext.

run app.provider.query content://wifi/wifi

Fix:

Don't export the content provider containing user information.
Protect it via custom permissions.
Or store it in encrypted format.

Impact

Any app on the device can query and fetch Wi-Fi credentials. The system does not permit this by default, because accessing the stored password requires a rooted device, but here it is easily available. A malicious app can use it to log in to the victim's router and can also alter the DNS settings, which will disclose the user's browsing activities to the attacker.

Disclosure Timeline

Reported on Jul 18th 2019
Triaged on Jul 18th 2019
Fix reviewed and ticket closure on Sep 11th 2019
