Share
## https://sploitus.com/exploit?id=PACKETSTORM:158302
RCE Security Advisory  
https://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
=======================  
Product: o2 Business for Android  
Vendor URL: https://play.google.com/store/apps/details?id=telefonica.de.o2business  
Type: Open Redirect [CWE-601]  
Date found: 2020-04-16  
Date published: 2020-07-01  
CVSSv3 Score: 3.3 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)  
CVE: CVE-2020-11882  
  
  
2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
====================  
o2 Business App for Android 1.2.0  
  
  
4. INTRODUCTION  
===============  
Kommunikation ist Ihr tägliches Sprungbrett in die Geschäftswelt. Und mit der  
neuen O2 Business App haben Sie alle wichtigen Details stets vor Augen.  
Verfolgen Sie investierte Gesprächszeiten zurßck und sehen Sie verfßgbare  
Kommunikations-Kapazitäten vorher. Vom aktuellen Stand des Inklusiv-Volumens,  
ßber Einzelverbindungen und Tarifdetails, bis zur lokalen Netz-Qualität behalten  
Sie mit der O2 Business App immer und Ăźberall den Durchblick. Erfahren Sie jetzt  
mehr Ăźber Ihren informativen Begleiter!  
  
(from the vendor's homepage)  
  
  
5. VULNERABILITY DETAILS  
========================  
The "O2 Business App" for Android exposes an activity to other apps called  
"canvasm.myo2.SplashActivity". The purpose of this activity is to handle  
deeplinks which can be delivered to the app either via links or by directly  
calling the activity.  
  
However, the app does not properly validate the format of deeplinks by just  
using str.contains() to verify the allowed host:  
  
private boolean isVanityLink(String str) {  
return str.contains("https://o2.de") || str.contains("https://blau.de")  
|| str.contains("https://e2e2.o2.de") ||  
str.contains("https://e2e2.blau.de");  
}  
  
private boolean isDeepLink(String str) {  
return str.contains("https://www.o2online.de")  
|| str.contains("https://www.blau.de")  
|| str.contains("https://e2e2.o2online.de")  
|| str.contains("https://e2e2.blau.de")  
|| str.contains(BuildConfig.PIRANHA_BASE_E2E2_URL)  
|| str.contains("https://login.o2online.de")  
|| str.contains("https://login-e2e2.blau.de")  
|| str.contains("https://login.blau.de");  
}  
  
This can be abused by an attacker (malicious app) to redirect a user to any page  
and deliver any content to the user. An exemplary exploit could look like the  
following:  
  
Intent i = new Intent();  
i.setComponent(new ComponentName("telefonica.de.o2business", "canvasm.myo2.SplashActivity"));  
Uri uri = Uri.parse("https://www.rcesecurity.com?dummy=https://o2.de");  
i.setData(uri);  
startActivity(i);  
  
  
6. RISK  
=======  
A malicious app on the same device is able to exploit this vulnerability to lead  
the user to any webpage/content. The specific problem here is the assumed trust  
boundary between the user having the o2 Business app installed and what the app  
is actually doing/displaying to the user. So if the user sees the app being  
loaded and automatically redirecting to another page, it can be assumed that the  
loaded page is also trusted by the user.  
  
  
7. SOLUTION  
===========  
Update the app to version 1.3.0  
  
  
8. REPORT TIMELINE  
==================  
2020-04-16: Discovery of the vulnerability  
2020-04-16: Although Telefonica runs a VDP on Bugcrowd  
(https://bugcrowd.com/telefonicavdp), I did not want to accept their non-  
disclosure terms, which is why I have tried to contact them directly via their  
official CERT contact.  
2020-04-16: Telefonica responds and asks for full vulnerability details  
2020-04-16: Send over the full advisory including a full PoC exploit.  
2020-04-16: Telefonica acknowledges the issue  
2020-04-16: CVE requested from MITRE  
2020-04-17: MITRE assigns CVE-2020-11882  
2020-06-03: No further communication from Telefonica. Mailed them again about  
the status of the fix.  
2020-06-03: Telefonica is still working on this issue and the fix is scheduled  
to be included in the next release.  
2020-06-04: Version 1.3.0 is released  
2020-07-01: Public disclosure.  
  
  
9. REFERENCES  
=============  
-