CVE-2023-35671
MEDIUMAndroid - Local Information Disclosure via NFC Host Emulation
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2023-35671. PoCs published by MrTiz.
AI-analyzed exploit summary This repository documents CVE-2023-35671, an Android vulnerability in Google Wallet where NFC data (card number and expiry) can be read via an NFC reader while the device is locked, bypassing the 'Require device unlock for NFC' setting. The PoC involves using a Flipper Zero to exploit this logic error in `HostEmulationManager.java`.
Description
In onHostEmulationData of HostEmulationManager.java, there is a possible way for a general purpose NFC reader to read the full card number and expiry details when the device is in locked screen mode due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Exploits (1)
This repository documents CVE-2023-35671, an Android vulnerability in Google Wallet where NFC data (card number and expiry) can be read via an NFC reader while the device is locked, bypassing the 'Require device unlock for NFC' setting. The PoC involves using a Flipper Zero to exploit this logic error in `HostEmulationManager.java`.
References (2)
Scores
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N