CVE-2023-29767
Description
An issue found in CrossX v.1.15.3 for Android allows a local attacker to cause a persistent denial of service via the database files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A local attacker can cause a persistent denial of service in CrossX v.1.15.3 for Android by injecting excessive data through an exposed content provider, leading to an OOM crash.
Vulnerability
The CrossX application (com.startapps.crossx) version 1.15.3 for Android exposes a content provider at content://com.startapps.crossx.contentprovider/tb_user that allows any application to insert data into the app's database [1]. The app loads the entire database into memory upon startup. By injecting an excessive amount of data (e.g., large strings into the email column), the database grows large enough to cause an out-of-memory (OOM) error, crashing the app persistently [1].
Exploitation
A local attacker needs only an app on the same device that can call ContentResolver.insert() on the exposed content provider URI [1]. No additional permissions are required because the provider does not enforce access restrictions. The provided proof-of-concept demonstrates a loop that repeatedly inserts random 10 KB strings into the tb_user table [1]. The attack requires no user interaction with CrossX; once the injection begins, the data persists in the database, ensuring the crash recurs on every attempt to launch CrossX [1].
Impact
Successful exploitation results in a persistent denial of service: the CrossX app crashes immediately upon startup due to an OOM error [1]. The user cannot recover by simply restarting the app; the only remedies are clearing the app's data or uninstalling it, both of which delete the injected database files. The impact is limited to loss of availability of the CrossX application [1].
Mitigation
As of the publication date (2023-06-09), no patch or updated version has been released by the vendor (CROSSX SOLUÇÕES MOBILE LTDA) [1]. Users can uninstall the app or restrict access to the content provider using third-party tools or a custom Android ROM with permission management. The vulnerability is not known to be listed on CISA's Known Exploited Vulnerabilities catalog [1].
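A defender-side check for the flaw class described under Vulnerability, as an added example that is not code from the advisory or from CrossX: it scans a decoded AndroidManifest.xml (for instance apktool output) for exported providers that any installed app can write to. The manifest below is constructed; only the authority string comes from this page, and the class and permission names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not extracted from the CrossX APK). Only the
# authority string comes from the advisory; class/permission names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.startapps.crossx">
  <uses-sdk android:targetSdkVersion="30"/>
  <permission android:name="com.example.WRITE_DB" android:protectionLevel="signature"/>
  <application>
    <provider android:name=".UserProvider"
        android:authorities="com.startapps.crossx.contentprovider"
        android:exported="true"/>
    <provider android:name=".GuardedProvider"
        android:authorities="com.example.guarded"
        android:exported="true"
        android:writePermission="com.example.WRITE_DB"/>
    <provider android:name=".InternalProvider"
        android:authorities="com.example.internal" android:exported="false"/>
  </application>
</manifest>"""


def unprotected_writable_providers(manifest_xml):
    """Return authorities of exported providers any installed app can write to."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    # Permissions declared by this app, mapped to their protection level.
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.findall("permission")}
    app = root.find("application")
    findings = []
    for prov in app.findall("provider"):
        exported = prov.get(ANDROID + "exported")
        # Providers default to exported only when targetSdkVersion <= 16.
        is_exported = exported == "true" if exported else target <= 16
        # Write access is gated by writePermission, then permission, then the app default.
        perm = (prov.get(ANDROID + "writePermission")
                or prov.get(ANDROID + "permission") or app.get(ANDROID + "permission"))
        # A "normal" or "dangerous" permission can be requested by any app,
        # so only a signature-level permission counts as a restriction here.
        if is_exported and (perm is None or "signature" not in levels.get(perm, "normal")):
            findings.append(prov.get(ANDROID + "authorities"))
    return findings


if __name__ == "__main__":
    print(unprotected_writable_providers(SAMPLE_MANIFEST))
```

Permissions not declared in the scanned manifest are treated as unrestricted, so a provider guarded by another package's signature permission will be reported and needs manual review.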
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- CrossX/CrossX
Patches (0)
No patches discovered yet.
References (1)