The following SQL query could be exploited by injecting malicious data into the database. Injecting data into the call_log table:

INSERT INTO `call_log` ( `type`, `data`, `timestamp`, `duration` ) VALUES ( 'V', 'inject data>;', CURRENT_TIMESTAMP, '5' )

The data argument can be anything, as the data argument is not sanitized. If the injected data is a SQL query, it can be exploited by sending a malicious request to the database. This could lead to system information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. In the following example, the data argument is a malicious SQL query that retrieves the current timestamp and the length of the duration of the last call:

INSERT INTO `call_log` ( `type`, `data`, `timestamp`, `duration` ) VALUES ( 'V', 'SELECT CURRENT_TIMESTAMP, COUNT(duration) FROM call_log WHERE type = 'V'', '5' )

Statistics Parameter

The SQL injection vulnerability allows the execution of arbitrary SQL commands on the database without user interaction. The vulnerability exists in the "call_log" table and is caused by an untrusted data argument to an INSERT statement.
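
The cause described above, shown as an added example that is not code from this advisory or from the affected product: the same INSERT built once by string concatenation and once with bound parameters. The in-memory SQLite database, the column types and the function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed schema: the page names the table and columns but not their types.
SCHEMA = "CREATE TABLE call_log (type TEXT, data TEXT, timestamp TEXT, duration TEXT)"

# The data value taken from the page's second INSERT statement.
PAGE_DATA = "SELECT CURRENT_TIMESTAMP, COUNT(duration) FROM call_log WHERE type = 'V'"


def new_db():
    """Return a fresh in-memory database holding an empty call_log table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_concatenated(conn, data):
    """The flawed pattern: data is pasted into the SQL text itself."""
    sql = ("INSERT INTO call_log (type, data, timestamp, duration) "
           "VALUES ('V', '" + data + "', CURRENT_TIMESTAMP, '5')")
    try:
        conn.execute(sql)
        return "executed"
    except sqlite3.Error as exc:
        # A quote inside data closed the string literal early, so the rest
        # of data was parsed as SQL syntax instead of being stored as text.
        return "rejected: " + str(exc)


def insert_parameterized(conn, data):
    """The fix: data is sent as a bound value and is never parsed as SQL."""
    conn.execute(
        "INSERT INTO call_log (type, data, timestamp, duration) "
        "VALUES (?, ?, CURRENT_TIMESTAMP, ?)",
        ("V", data, "5"),
    )
    return conn.execute("SELECT data FROM call_log").fetchall()


if __name__ == "__main__":
    db = new_db()
    print(insert_concatenated(db, "missed call"))   # ordinary text goes through
    print(insert_concatenated(db, PAGE_DATA))       # quotes change the statement
    print(insert_parameterized(new_db(), PAGE_DATA))  # stored as inert text
```

With bound parameters the quoted value is stored byte for byte as data, which is the behaviour the concatenated form cannot guarantee.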

SQL Injection Cheat Sheet

SQL Injection: A type of attack in which malicious code is inserted into an SQL query in order to affect the behavior of the database.

#1: SQL Injection Cheat Sheet

There are many ways to exploit a vulnerable application with a SQL injection. Typically, the attacker can use a simple query like "SELECT * FROM users WHERE username='%s'--" or "SELECT * FROM users WHERE username='%s'" and the target system will execute it. Other possible examples include: "SELECT * FROM tables WHERE id=1", "SELECT * FROM users WHERE password='password'", and "SELECT * FROM users WHERE emailAddress='email@example.com'".

#2: Data Types

Each data type has its own vulnerabilities. The following list contains some common data types and their associated vulnerabilities:

Numeric: Bigint/smallint/tinyint
string: varchar/char
text: nvarchar/varbinary
date/time: DATE/TIMESTAMP
boolean: bit
binary(VARBINARY)
user defined type (udt): udt

Timeline

Published on: 10/11/2022 20:15:00 UTC
Last modified on: 10/12/2022 17:33:00 UTC

References