8.4 CVE-2025-48579
In multiple functions of MediaProvider.java, there is a possible external storage write permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
https://nvd.nist.gov/vuln/detail/CVE-2025-48579
Categories
CWE-441 : Unintended Proxy or Intermediary ('Confused Deputy')
The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. This weakness is sometimes referred to as the "Confused deputy" problem, in which an attacker misuses the authority of one victim (the "confused deputy") to use that victim's legitimate (restricted) capabilities to target another victim.

Detection methods:
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).

Potential mitigations:
Enforce the use of a strong mutual authentication mechanism between the two parties. Whenever a product is an intermediary or proxy for transactions between two other components, the proxy core should not drop the identity of the initiator of the transaction. The immutability of the identity of the initiator must be maintained and should be forwarded all the way to the target.

Observed examples:
- FTP bounce attack. The design of the protocol allows an attacker to modify the PORT command to cause the FTP server to connect to other machines besides the attacker's.
- RPC portmapper could redirect service requests from an attacker to another entity, which thinks the requests came from the portmapper.
- FTP server does not ensure that the IP address in a PORT command is the same as the FTP user's session, allowing port scanning by proxy.
- Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning.
- CGI script accepts and retrieves incoming URLs.
- Bounce attack allows access to TFTP from trusted side.
- Web-based mail program allows internal network scanning using a modified POP3 port number.
- URL-downloading library automatically follows redirects to file:// and scp:// URLs.
References
AFFECTED (from MITRE)
| Vendor | Product | Versions |
|---|---|---|
| Google | Android | 16 [affected]; 15 [affected]; 14 [affected] |
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
CPE
Configuration 1

| cpe | start | end |
|---|---|---|
| cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* | | |
| cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* | | |
| cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:* | | |
REMEDIATION
EXPLOITS
Exploit-db.com
| id | description | date |
|---|---|---|
| No known exploits | | |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
|---|---|---|
| 219 | XML Routing Detour Attacks. An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information. [Survey the target] Using command line or an automated tool, an attacker records all instances of web services to process XML requests. [Identify SOAP messages that have multiple state processing.] Inspect instance to see whether the XML processing has multiple stages or not. [Launch an XML routing detour attack] The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message identified in the Explore phase. Thus, the attacker can route the XML message to the attacker controlled node (and access the message contents). | Medium |
| 465 | Transparent Proxy Abuse. A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client. | Medium |
MITRE
Techniques
| id | description |
|---|---|
| T1090.001 | Proxy: Internal Proxy |
Mitigations
| id | description |
|---|---|
| M1031 | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. |