CVE-2016-3749
HIGHAndroid 6.x - Unauthenticated Screen-Lock Password Modification via Crafted Application
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2016-3749. PoCs published by nirdev.
AI-analyzed exploit summary This PoC exploits CVE-2016-3749, a vulnerability in Android's LockSettingsService that allows changing the device password without proper authentication. The app uses the 'service call' command to interact with the ILockSettings interface, bypassing the need for the correct old password.
Description
server/LockSettingsService.java in LockSettingsService in Android 6.x before 2016-07-01 allows attackers to modify the screen-lock password or pattern via a crafted application, aka internal bug 28163930.
Exploits (1)
This PoC exploits CVE-2016-3749, a vulnerability in Android's LockSettingsService that allows changing the device password without proper authentication. The app uses the 'service call' command to interact with the ILockSettings interface, bypassing the need for the correct old password.
References (2)
Scores
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H