Sign-up

ID

VAR-201912-1596


CVE

CVE-2013-4763


TITLE

Samsung Galaxy S3/S4 Inadequate default permissions vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2013-007051

DESCRIPTION

Samsung Galaxy S3/S4 exposes an unprotected component allowing arbitrary SMS text messages without requesting permission. Samsung Galaxy S3/S4 Contains an improper default permissions vulnerability.Information may be altered. The Samsung Galaxy S3 and S4 are prone to a local security-bypass vulnerability. An attacker with local physical access to a device can exploit this issue to bypass certain security restriction and perform unauthorized actions. Hi list, I would like to inform you that the details of the vulnerability in built-in system app of Samsung Galaxy S3/S4 (assigned as CVE-2013-4763 and CVE-2013-4764) are now disclosed to public. By exploiting these unprotected components, an unprivileged app can trigger a so-called \x93restore\x94 operation to write SMS messages back to the standard SMS database file (mmssms.db) used by the system messaging app, i.e., SecMms.apk. Similarly, fake MMS messages and call logs are also possible. This vulnerability has been disclosed in CVE-2013-4763. Also, these components can be sequentially triggered in a specific order to create arbitrary SMS content, inject to system-wide SMS database, and then trigger the built-in SMS-sending behavior (to arbitrary destination). This vulnerability has been disclosed in CVE-2013-4764. QIHU Inc. discovered these vulnerability and informed Samsung Corp. in June 10, 2013. Samsung confirmed the vulerability and is now preparing an OTA update. As a temporary workaround, disable the sCloudBackupProvider.apk app would help block known attack vectors. Details of CVE-2013-4763 and CVE-2013-4764 can be also found in QIHU Inc.'s official site: http://shouji.360.cn/securityReportlist/CVE-2013-4763.html http://shouji.360.cn/securityReportlist/CVE-2013-4764.html Regards, Z.X. from QIHU Inc

Trust: 1.98

sources: NVD: CVE-2013-4763 // JVNDB: JVNDB-2013-007051 // BID: 61280 // PACKETSTORM: 122428

AFFECTED PRODUCTS

vendor:samsungmodel:galaxy s3scope:eqversion: -

Trust: 2.2

vendor:samsungmodel:galaxy s4scope:eqversion: -

Trust: 2.2

vendor:samsungmodel:galaxy s3scope: - version: -

Trust: 0.8

vendor:samsungmodel:galaxy s4scope: - version: -

Trust: 0.8

vendor:samsungmodel:galaxy s4scope:eqversion:0

Trust: 0.3

vendor:samsungmodel:galaxy s iiiscope:eqversion:0

Trust: 0.3

vendor:jdsingle76model:scloudbackupprovider.apkscope:eqversion:1.4

Trust: 0.3

vendor:jdsingle76model:scloudbackupprovider.apkscope:eqversion:1.0

Trust: 0.3

sources: BID: 61280 // JVNDB: JVNDB-2013-007051 // CNNVD: CNNVD-201912-1173 // NVD: CVE-2013-4763

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-4763
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-4763
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201912-1173
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2013-4763
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2013-4763
baseSeverity: MEDIUM
baseScore: 4.6
vectorString: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2013-4763
baseSeverity: MEDIUM
baseScore: 4.6
vectorString: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2013-007051 // CNNVD: CNNVD-201912-1173 // NVD: CVE-2013-4763

PROBLEMTYPE DATA

problemtype:CWE-276

Trust: 1.8

sources: JVNDB: JVNDB-2013-007051 // NVD: CVE-2013-4763

THREAT TYPE

local

Trust: 0.3

sources: BID: 61280

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201912-1173

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2013-007051

PATCH
title:Top Pageurl:https://www.samsung.com/global/galaxy/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2013-007051

EXTERNAL IDS
db:NVDid:CVE-2013-4763
Trust: 2.8
db:BIDid:61280
Trust: 2.7
db:JVNDBid:JVNDB-2013-007051
Trust: 0.8
db:CNNVDid:CNNVD-201912-1173
Trust: 0.6
db:PACKETSTORMid:122428
Trust: 0.1
sources:
            
            
            BID: 61280 // 
            
            
            
            JVNDB: JVNDB-2013-007051 // 
            
            
            
            PACKETSTORM: 122428 // 
            
            
            
            CNNVD: CNNVD-201912-1173 // 
            
            
            
            NVD: CVE-2013-4763

REFERENCES
url:https://www.securityfocus.com/bid/61280
Trust: 2.4
url:http://archives.neohapsis.com/archives/bugtraq/2013-07/0108.html
Trust: 1.6
url:https://nvd.nist.gov/vuln/detail/cve-2013-4763
Trust: 1.5
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4763
Trust: 0.8
url:http://www.samsung.com/
Trust: 0.3
url:http://www.androidfilehost.com/?fid=13858035414129967185
Trust: 0.3
url:http://seclists.org/bugtraq/2013/jul/107
Trust: 0.3
url:http://shouji.360.cn/securityreportlist/cve-2013-4764.html
Trust: 0.1
url:http://shouji.360.cn/securityreportlist/cve-2013-4763.html
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-4764
Trust: 0.1
sources:
            
            
            BID: 61280 // 
            
            
            
            JVNDB: JVNDB-2013-007051 // 
            
            
            
            PACKETSTORM: 122428 // 
            
            
            
            CNNVD: CNNVD-201912-1173 // 
            
            
            
            NVD: CVE-2013-4763

CREDITS
Z.X. of QIHU Inc.
Trust: 0.3
sources:
            
            
            BID: 61280

SOURCES
db:BIDid:61280
db:JVNDBid:JVNDB-2013-007051
db:PACKETSTORMid:122428
db:CNNVDid:CNNVD-201912-1173
db:NVDid:CVE-2013-4763

LAST UPDATE DATE
2024-11-23T21:51:47.937000+00:00

SOURCES UPDATE DATE
db:BIDid:61280date:2013-06-17T00:00:00
db:JVNDBid:JVNDB-2013-007051date:2020-01-24T00:00:00
db:CNNVDid:CNNVD-201912-1173date:2020-01-17T00:00:00
db:NVDid:CVE-2013-4763date:2024-11-21T01:56:20.417

SOURCES RELEASE DATE
db:BIDid:61280date:2013-06-17T00:00:00
db:JVNDBid:JVNDB-2013-007051date:2020-01-24T00:00:00
db:PACKETSTORMid:122428date:2013-07-17T00:10:22
db:CNNVDid:CNNVD-201912-1173date:2019-12-27T00:00:00
db:NVDid:CVE-2013-4763date:2019-12-27T17:15:15.297