Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What’s vulnerable

CVE-2025-10184 is a high-severity flaw (CWE-89 SQL Injection + CWE-862 Missing Authorization) in OnePlus’s OEM-modified Telephony provider (package: com.android.providers.telephony) on OxygenOS 12–15. Three extra exported content providers added by OnePlus expose write operations without a writePermission and contain a blind SQL injection in update(), letting any installed app (no Android permissions at all) infer and dump SMS/M...

🔧 Technical Details

Abusing exported Android ContentProviders with missing write permissions: If an OEM adds exported providers that specify only readPermission (e.g., android.permission.READ_SMS) and omit writePermission, any app can call implemented write operations (insert/update/delete). This enables unauthorized DB writes and, if combined with SQLi sinks, read-equivalent data theft.

Blind SQLi via ContentProvider.update(where) as a Boolean oracle: When update() forwards the caller-controlled WHERE clause to SQLite without sanitization, use unicode(substr((<SUBQUERY>), i, 1)) BETWEEN lo AND hi to infer characters. Treat rows_updated > 0 or UNIQUE constraint failed errors as “true”; shrink the range until a single code point is found, iterating over characters/rows to reconstruct secrets (e.g., SELECT body FROM sms ORDER BY rowid DESC LI...

🤖 Agent Actions

No changes made.

Reason: The techniques from the blog (permission bypass via missing writePermission on exported ContentProviders and blind SQL injection through update()’s WHERE clause, including seeding via insert() and sqlite_master probing) are already thoroughly covered in HackTricks.

Where it’s already documented:

  • src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md

    • Section: “writePermission omission + blind SQLi via update()”
    • Includes:
      • Explanation of readPermission-only + missing writePermission leading to insert/update/delete abuse
      • Boolean oracle via update() > 0 and UNIQUE constraint errors
      • sqlite_master probe to verify target table in same DB
      • Seeding row via insert() when table empty
      • Concrete ADB cmd content examples and pseudocode for the binary search extraction
      • Real-world URIs (content://service-number/service_number, content://push-mms/push, content://push-shop/push_shop)
      • References already include the Rapid7 write-up on CVE-2025-10184
  • Additional supportive coverage:

    • src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
      • “Permission semantics and pitfalls (Content Providers)” explicitly warns that omitting writePermission allows insert/update/delete
    • src/mobile-pentesting/android-app-pentesting/README.md links to the content provider exploitation material

Given the existing page already encapsulates the attack pattern, methodology, example URIs, ADB workflows, and Boolean inference logic, no update is necessary.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 907
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
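The permission gap described in the content summary above (an exported provider that declares only readPermission, leaving insert/update/delete open to any app) is something a reviewer can check statically in the manifest. The following script is an added example, not code from the page, from HackTricks or from the Rapid7 write-up; the manifest fragment and the provider names and authorities in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(name):
    """Qualify an attribute name with the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed manifest fragment; provider names and authorities are hypothetical.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.telephony">
  <application>
    <!-- readPermission only: the write path has no protection at all -->
    <provider android:name=".ExtraProvider"
        android:authorities="example-extra"
        android:exported="true"
        android:readPermission="android.permission.READ_SMS" />
    <!-- both directions protected -->
    <provider android:name=".SafeProvider"
        android:authorities="example-safe"
        android:exported="true"
        android:readPermission="android.permission.READ_SMS"
        android:writePermission="android.permission.WRITE_SMS" />
    <!-- a single android:permission covers read and write -->
    <provider android:name=".SinglePermProvider"
        android:authorities="example-single"
        android:exported="true"
        android:permission="android.permission.WRITE_SMS" />
    <!-- not exported: other apps cannot reach it -->
    <provider android:name=".InternalProvider"
        android:authorities="example-internal"
        android:exported="false"
        android:readPermission="android.permission.READ_SMS" />
  </application>
</manifest>
"""


def find_writable_exported_providers(manifest_xml):
    """Return exported providers whose write operations carry no permission.

    A provider is flagged when android:exported="true" and it declares neither
    android:permission nor android:writePermission. Simplifications: a missing
    exported attribute is treated as not exported (the API-17+ default), and
    <path-permission> children, which can protect individual paths, are not
    inspected; a flagged provider should still be reviewed by hand for those.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for provider in root.iter("provider"):
        if provider.get(a("exported"), "false").lower() != "true":
            continue
        if provider.get(a("permission")) is not None:
            continue
        if provider.get(a("writePermission")) is not None:
            continue
        findings.append({
            "name": provider.get(a("name")),
            "authority": provider.get(a("authorities")),
            "readPermission": provider.get(a("readPermission")),
        })
    return findings


if __name__ == "__main__":
    for f in find_writable_exported_providers(MANIFEST):
        print("unprotected write path:", f["authority"], "(read:", f["readPermission"], ")")
```

Run against a decoded AndroidManifest.xml (for example after apktool), the check reports the read-only-protected provider and skips the three safe patterns; the fix on the developer side is to add android:writePermission (or a single android:permission) to every exported provider that implements insert, update or delete.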

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://x.com/androidmalware2/status/1986022672472359017

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources > Mobile/Android Pentesting > Android ContentProvider Abuse & SQLi (permission bypass via update()/insert())".

Repository Maintenance:

  • MD Files Formatting: 907 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
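The second flaw in the summary above is that update() forwards the caller's WHERE clause to SQLite unchanged, so the returned row count becomes a Boolean oracle over any table in the same database. The simulation below is an added example, not code from the page, from HackTricks or from the OnePlus provider; it uses an in-memory sqlite3 database with constructed rows to show the leak in its minimal form beside a hardened update() that enforces the write permission and binds the only selection shape it accepts. Table names mirror the ones mentioned in the summary; the contents are made up.

```python
import re
import sqlite3

WRITE_PERM = "android.permission.WRITE_SMS"


def make_db():
    """Constructed in-memory stand-in for the telephony DB; rows are made up."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, body TEXT)")
    db.execute("CREATE TABLE service_number (_id INTEGER PRIMARY KEY, number TEXT UNIQUE)")
    db.execute("INSERT INTO sms (body) VALUES ('sample message')")
    db.execute("INSERT INTO service_number (number) VALUES ('10086')")
    db.commit()
    return db


def vulnerable_update(db, values, where):
    """Flawed pattern: no permission check, caller's WHERE concatenated into SQL."""
    cur = db.execute("UPDATE service_number SET number = ? WHERE " + where, (values["number"],))
    db.commit()
    return cur.rowcount  # rows_updated is handed straight back to the caller


def where_clause_is_oracle(db):
    """True when rows_updated depends only on a condition over an unrelated table.

    Both calls write the value already stored, so nothing changes, yet the row
    count answers a yes/no question about the sms table.
    """
    yes = vulnerable_update(db, {"number": "10086"}, "_id = 1 AND (SELECT count(*) FROM sms) > 0")
    no = vulnerable_update(db, {"number": "10086"}, "_id = 1 AND (SELECT count(*) FROM sms) < 0")
    return yes != no


# Hardened form: only `_id = ?` with exactly one bound argument is accepted.
SAFE_SELECTION = re.compile(r"^\s*_id\s*=\s*\?\s*$")


def hardened_update(db, caller_perms, values, selection, selection_args):
    """Enforce the write permission and refuse any free-form selection.

    caller_perms models the permissions held by the calling app (an Android
    provider would use getContext().enforceCallingOrSelfPermission instead).
    """
    if WRITE_PERM not in caller_perms:
        raise PermissionError("caller lacks " + WRITE_PERM)
    if not SAFE_SELECTION.match(selection or "") or len(selection_args) != 1:
        raise ValueError("unsupported selection")
    cur = db.execute(
        "UPDATE service_number SET number = ? WHERE _id = ?",
        (values["number"], selection_args[0]),
    )
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print("vulnerable update leaks a Boolean:", where_clause_is_oracle(db))
    print("hardened update, permitted caller:", hardened_update(db, {WRITE_PERM}, {"number": "10010"}, "_id = ?", [1]))
```

The hardened version closes both weaknesses from the summary: the missing authorization is fixed by rejecting callers without the write permission, and the injection is fixed by never splicing caller text into the statement. Where a provider genuinely needs richer selections, the equivalent on Android is to route them through SQLiteQueryBuilder with strict mode enabled rather than building the WHERE clause by hand.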
