Sign-up

ID

VAR-201912-1597


CVE

CVE-2013-4764


TITLE

Samsung Galaxy S3/S4 Inadequate default permissions vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2013-007052

DESCRIPTION

Samsung Galaxy S3/S4 exposes an unprotected component allowing an unprivileged app to send arbitrary SMS texts to arbitrary destinations without permission. Samsung Galaxy S3/S4 Contains an improper default permissions vulnerability.Information may be altered. The Samsung Galaxy S3 and S4 are prone to a local security-bypass vulnerability. An attacker with local physical access to a device can exploit this issue to bypass certain security restriction and perform unauthorized actions. Hi list, I would like to inform you that the details of the vulnerability in built-in system app of Samsung Galaxy S3/S4 (assigned as CVE-2013-4763 and CVE-2013-4764) are now disclosed to public. By exploiting these unprotected components, an unprivileged app can trigger a so-called \x93restore\x94 operation to write SMS messages back to the standard SMS database file (mmssms.db) used by the system messaging app, i.e., SecMms.apk. As a result, a smishing attack can effectively create and inject arbitrary (fake) SMS text messages. Similarly, fake MMS messages and call logs are also possible. This vulnerability has been disclosed in CVE-2013-4763. Also, these components can be sequentially triggered in a specific order to create arbitrary SMS content, inject to system-wide SMS database, and then trigger the built-in SMS-sending behavior (to arbitrary destination). This vulnerability has been disclosed in CVE-2013-4764. QIHU Inc. discovered these vulnerability and informed Samsung Corp. in June 10, 2013. Samsung confirmed the vulerability and is now preparing an OTA update. As a temporary workaround, disable the sCloudBackupProvider.apk app would help block known attack vectors. Details of CVE-2013-4763 and CVE-2013-4764 can be also found in QIHU Inc.'s official site: http://shouji.360.cn/securityReportlist/CVE-2013-4763.html http://shouji.360.cn/securityReportlist/CVE-2013-4764.html Regards, Z.X. from QIHU Inc

Trust: 1.98

sources: NVD: CVE-2013-4764 // JVNDB: JVNDB-2013-007052 // BID: 61281 // PACKETSTORM: 122428

AFFECTED PRODUCTS

vendor:samsungmodel:galaxy s3scope:eqversion:1.0

Trust: 1.6

vendor:samsungmodel:galaxy s4scope:eqversion:1.4

Trust: 1.6

vendor:samsungmodel:galaxy s3scope: - version: -

Trust: 0.8

vendor:samsungmodel:galaxy s4scope: - version: -

Trust: 0.8

vendor:samsungmodel:galaxy s4scope:eqversion: -

Trust: 0.6

vendor:samsungmodel:galaxy s3scope:eqversion: -

Trust: 0.6

vendor:samsungmodel:galaxy s4scope:eqversion:0

Trust: 0.3

vendor:samsungmodel:galaxy s iiiscope:eqversion:0

Trust: 0.3

vendor:jdsingle76model:scloudbackupprovider.apkscope:eqversion:1.4

Trust: 0.3

vendor:jdsingle76model:scloudbackupprovider.apkscope:eqversion:1.0

Trust: 0.3

sources: BID: 61281 // JVNDB: JVNDB-2013-007052 // CNNVD: CNNVD-201912-1172 // NVD: CVE-2013-4764

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-4764
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-4764
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201912-1172
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2013-4764
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2013-4764
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 0.7
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2013-4764
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2013-007052 // CNNVD: CNNVD-201912-1172 // NVD: CVE-2013-4764

PROBLEMTYPE DATA

problemtype:CWE-276

Trust: 1.8

sources: JVNDB: JVNDB-2013-007052 // NVD: CVE-2013-4764

THREAT TYPE

local

Trust: 0.3

sources: BID: 61281

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201912-1172

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2013-007052

PATCH
title:Top Pageurl:https://www.samsung.com/global/galaxy/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2013-007052

EXTERNAL IDS
db:NVDid:CVE-2013-4764
Trust: 2.8
db:JVNDBid:JVNDB-2013-007052
Trust: 0.8
db:CNNVDid:CNNVD-201912-1172
Trust: 0.6
db:BIDid:61281
Trust: 0.3
db:PACKETSTORMid:122428
Trust: 0.1
sources:
            
            
            BID: 61281 // 
            
            
            
            JVNDB: JVNDB-2013-007052 // 
            
            
            
            PACKETSTORM: 122428 // 
            
            
            
            CNNVD: CNNVD-201912-1172 // 
            
            
            
            NVD: CVE-2013-4764

REFERENCES
url:https://seclists.org/bugtraq/2013/jul/107
Trust: 2.7
url:http://shouji.360.cn/securityreportlist/cve-2013-4764.html
Trust: 2.0
url:https://nvd.nist.gov/vuln/detail/cve-2013-4764
Trust: 1.5
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4764
Trust: 0.8
url:http://www.samsung.com/
Trust: 0.3
url:http://www.androidfilehost.com/?fid=13858035414129967185
Trust: 0.3
url:http://shouji.360.cn/securityreportlist/cve-2013-4763.html
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-4763
Trust: 0.1
sources:
            
            
            BID: 61281 // 
            
            
            
            JVNDB: JVNDB-2013-007052 // 
            
            
            
            PACKETSTORM: 122428 // 
            
            
            
            CNNVD: CNNVD-201912-1172 // 
            
            
            
            NVD: CVE-2013-4764

CREDITS
Z.X. of QIHU Inc.
Trust: 0.3
sources:
            
            
            BID: 61281

SOURCES
db:BIDid:61281
db:JVNDBid:JVNDB-2013-007052
db:PACKETSTORMid:122428
db:CNNVDid:CNNVD-201912-1172
db:NVDid:CVE-2013-4764

LAST UPDATE DATE
2024-11-23T21:51:47.966000+00:00

SOURCES UPDATE DATE
db:BIDid:61281date:2013-06-17T00:00:00
db:JVNDBid:JVNDB-2013-007052date:2020-01-24T00:00:00
db:CNNVDid:CNNVD-201912-1172date:2020-01-17T00:00:00
db:NVDid:CVE-2013-4764date:2024-11-21T01:56:21.520

SOURCES RELEASE DATE
db:BIDid:61281date:2013-06-17T00:00:00
db:JVNDBid:JVNDB-2013-007052date:2020-01-24T00:00:00
db:PACKETSTORMid:122428date:2013-07-17T00:10:22
db:CNNVDid:CNNVD-201912-1172date:2019-12-27T00:00:00
db:NVDid:CVE-2013-4764date:2019-12-27T17:15:15.357