CVE-2023-29740

Vulnerability

The vulnerability exists in Alarm Clock for Heavy Sleepers version 5.3.2 for Android. The app exposes an exported ApiCalls component that can be invoked by other applications via implicit intents without requiring special permissions. By sending a crafted intent with a random long string as an extra parameter, an attacker can cause excessive database operations, leading to a denial of service [4].

Exploitation

An attacker needs only to have an app installed on the same device that can send intents. No additional permissions are required. The attack is carried out by repeatedly sending intents to the com.amdroidalarmclock.amdroid.ApiCalls class with malicious extras. The provided proof-of-concept continuously sends these intents, eventually crashing or rendering the app unresponsive [4].

Impact

Successful exploitation results in a denial of service, causing the alarm clock app to crash or become non-functional. This prevents the user from setting or managing alarms, potentially leading to missed alarms. The attack does not require user interaction beyond installing a malicious app.

Mitigation

As of the publication date (2023-05-30), no official patch is available. Users are advised to avoid installing untrusted apps and to watch for updates from the developer on Google Play or the official website [1][2]. The affected version is 5.3.2; future versions may address the issue.