Vulnerability Name:

CVE-2013-6272 (CCN-94423)

Assigned:2013-10-24
Published:2014-07-05
Updated:2018-06-12
Summary:The NotificationBroadcastReceiver class in the com.android.phone process in Google Android 4.1.1 through 4.4.2 allows attackers to bypass intended access restrictions and consequently make phone calls to arbitrary numbers, send MMI or USSD codes, or hang up ongoing calls via a crafted application.
CVSS v3 Severity:7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-284
Vulnerability Consequences:Bypass Security
References:Source: CCN
Type: Google Web site
Android

Source: MITRE
Type: CNA
CVE-2013-6272

Source: MISC
Type: Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/127359/Android-OS-Authorization-Missing.html

Source: FULLDISC
Type: Exploit, Mailing List, Third Party Advisory
20140706 Conduct phonecalls on Android without the necessary permission, advisory+testapplication+exploits for testing (CVE-2013-6272 and CVE-2014-N/A)

Source: CCN
Type: OSVDB ID: 108770
Google Android com.android.phone.Phone NotificationBroadcastReceiver Class Search Suggestion Arbitrary Number Dialing

Source: BID
Type: Third Party Advisory, VDB Entry
68415

Source: CCN
Type: BID-68415
Google Android CVE-2013-6272 Remote Security Bypass Vulnerability

Source: MISC
Type: Exploit, Third Party Advisory
https://curesec.com/blog/article/blog/35.html

Source: XF
Type: Third Party Advisory, VDB Entry
google-android-cve20136272-sec-bypass(94423)

Source: XF
Type: UNKNOWN
google-android-cve20136272-sec-bypass(94423)

Source: CCN
Type: Packet Storm Security [07-05-2014]
Android OS Authorization Missing

Vulnerable Configuration:Configuration 1:
  • cpe:/o:google:android:*:*:*:*:*:*:*:* (Version >= 4.1.1 and <= 4.4.2)

Configuration CCN 1:
  • cpe:/o:google:android:4.3:*:*:*:*:*:*:*

* Denotes that component is vulnerable
    google android *
    google android 4.3