SIK-2017-017


Title:

Privilege Escalation in KidControl GPS Tracker App

Report ID

SIK-2017-017

Summary:

  • Vendor: KidControl Dev.
  • Product: Family GPS tracker Kid Control
  • Affected Version: 3.4.3
  • Severity: Medium
  • Short summary:
    Users in the app can either only see the map (normal user) or perform administrative tasks such as inviting other users or changing the settings (administrators / parent mode). Normal users can, however, easily obtain administrator privileges because the server does not validate their role.

Details:

The app supports two types of users: normal users and administrators. When inviting new users to join the tracker, the person sending the invitation can choose whether it is an invitation for a normal user or for an administrator. Among other features, inviting new users is limited to administrators. However, a privilege escalation vulnerability in the app allows non-administrators to invite new users anyway.

We assume that the attacker receives an invitation to join the tracker as a normal user, but has no invitation with administrator access and does not know the password of the KidControl account. He does, however, have the ability to modify the app's shared preferences file on his device. This can be achieved either through adb backup/restore (the app allows backups) or through a rooted phone. The attacker first starts the app and joins the tracker with his low-privilege invitation code. He then terminates the app and places the following lines in the app's shared preferences file:

    <boolean name="isLogin" value="true" />
    <boolean name="isParent" value="true" />

Afterwards, he restarts the app. Instead of the map, the app shows a WebView-based login form that the user can simply ignore. He can still click the "Invite" button at the top and create perfectly valid invitation codes for new users. There is no need to actually log in.

Even worse, the normal user can create an invitation code for an administrative user. He can then simply install a new instance of the app, enter his new invitation code, and receive full administrator rights to the tracking group. In other words, through his admin invite, he gets a proper and fully-fledged administrator account.

Workaround

None.

Suggested Mitigation

Always validate any data that comes from the client. The client must be assumed to be under the control of the attacker. If a low-privilege user modifies his local data, the server must never simply trust that data. The server needs to check who is actually allowed to send invitations and enforce this independently of the client app.
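As an added illustration of this mitigation (not code from the advisory or the vendor), the following Python sketch models the invitation endpoint two ways: a weak version that decides authorisation from a client-supplied parent flag, which is effectively what trusting the local isParent preference amounts to, and a hardened version that looks the caller's role up in server-side state. The Tracker class, role names, and user ids are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

ADMIN, NORMAL = "admin", "normal"  # the two roles the app distinguishes


@dataclass
class Tracker:
    """Server-side state for one tracking group (constructed for this example)."""
    members: dict = field(default_factory=dict)  # user_id -> role, the only source of truth
    invites: dict = field(default_factory=dict)  # invite code -> role granted on redemption


def create_invite_trusting_client(tracker, user_id, client_says_parent, role_for_invitee):
    """Weak pattern: authorisation rests on a flag the client sends; user_id is never checked."""
    if not client_says_parent:
        raise PermissionError("not an administrator")
    code = secrets.token_hex(4)
    tracker.invites[code] = role_for_invitee
    return code


def create_invite(tracker, user_id, role_for_invitee):
    """Hardened pattern: the caller's role comes from server-side state, not from the client."""
    if tracker.members.get(user_id) != ADMIN:
        raise PermissionError("not an administrator")
    if role_for_invitee not in (ADMIN, NORMAL):
        raise ValueError("unknown role")
    code = secrets.token_hex(4)
    tracker.invites[code] = role_for_invitee
    return code


def redeem_invite(tracker, new_user_id, code):
    """Consume a single-use code and record the new member with the granted role."""
    role = tracker.invites.pop(code, None)
    if role is None:
        raise PermissionError("invalid or already used invitation code")
    tracker.members[new_user_id] = role
    return role


def demo():
    """Replays the report's scenario against both patterns; returns (weak, hardened)."""
    t = Tracker(members={"parent": ADMIN, "mallory": NORMAL})
    forged = create_invite_trusting_client(t, "mallory", True, ADMIN)  # forged flag wins
    weak_outcome = redeem_invite(t, "mallory-2nd-device", forged)      # -> "admin"
    try:
        create_invite(t, "mallory", ADMIN)  # role is checked server-side this time
        hardened_outcome = "allowed"
    except PermissionError:
        hardened_outcome = "denied"
    return weak_outcome, hardened_outcome
```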

Timeline

  • 2017-04-15 Vulnerability discovered.
  • 2017-05-18 Reported.
  • 2018-08-11 Published.