CVE-2014-8609

Google Android < 4.4.4 - Access Control

Description

The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824.

Exploits (3)

nomisec WORKING POC
by ratiros01 · poc
https://github.com/ratiros01/CVE-2014-8609-exploit
nomisec WRITEUP
by MazX0p · poc
https://github.com/MazX0p/CVE-2014-8609-POC
nomisec WORKING POC
by locisvv · poc
https://github.com/locisvv/Vulnerable-CVE-2014-8609

Scores

EPSS 0.0047
EPSS Percentile 64.7%

Details

CWE CWE-264
Status published
Products (17)
google/android 4.0
google/android 4.0.1
google/android 4.0.2
google/android 4.0.3
google/android 4.0.4
google/android 4.1
google/android 4.1.2
google/android 4.2
google/android 4.2.1
google/android 4.2.2
... and 7 more
Published Dec 15, 2014
Tracked Since Feb 18, 2026