CVE-2023-42534
Description
Improper input validation vulnerability in ChooserActivity prior to SMR Nov-2023 Release 1 allows local attackers to read arbitrary files with system privilege.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local attackers can read arbitrary files with system privilege in Samsung's ChooserActivity due to improper input validation.
Vulnerability
An improper input validation vulnerability exists in ChooserActivity in Samsung mobile devices prior to the SMR Nov-2023 Release 1. This flaw allows a local attacker to bypass file access restrictions by supplying crafted input to the activity, leading to the ability to read arbitrary files on the device with system privilege.
Exploitation
To exploit this vulnerability, an attacker must have local access to the device (e.g., through a malicious app installed on the device). No special permissions are required beyond the default privileges of a third-party application. By sending a crafted intent to ChooserActivity, the attacker can trigger the improper validation and cause the activity to open or read files that would normally be inaccessible.
Impact
Successful exploitation results in unauthorized reading of arbitrary files on the device, performed with system privilege. This can lead to disclosure of sensitive data such as user credentials, personal information, application data, or system configuration files.
Mitigation
The issue is fixed in the Samsung Mobile Security SMR Nov-2023 Release 1, released on 2023-11-07 [1]. Users should ensure their device is updated to the latest security patch level. No workaround is provided for unpatched devices.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < SMR Nov-2023 Release 1
- Range: SMR Nov-2023 Release in Android 12, 13
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.