Microsoft found a path traversal vulnerability in popular Android apps that could allow malicious apps to overwrite files in the vulnerable app’s directory, leading to arbitrary code execution and token theft.
Patches have been deployed for some apps (e.g., Xiaomi, WPS Office), and Google published an article to help developers avoid this vulnerability.
Android’s file system isolates applications but allows controlled sharing through content providers. The FileProvider subclass of ContentProvider enables an app to share specific directories with other apps, and each provider has a unique authority that acts like an address.
The URIs include the provider’s authority, a sub-path, and the filename, and the data owner grants temporary access using flags within an intent.
Upon receiving a request, the provider validates the URI and grants read/write access to the corresponding file.
The vulnerability pattern arises in Android’s content provider-based file sharing when the consuming application blindly trusts the filename supplied by the serving application. A malicious app can exploit this by creating a custom intent with a content URI pointing to its own malicious FileProvider and a crafted filename.
A consuming application that trusts that filename would then overwrite critical files in its private data directory with the malicious content, with serious consequences.
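As an added illustration (not code from Microsoft’s research or from any affected app), the file-copy routine described above is shown in its vulnerable form beside a hardened one. The class name, the receiving app’s `ContentResolver` and the target directory under `getFilesDir()` are assumptions.

```java
import android.content.ContentResolver;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;

// Added example, not code from Microsoft or any affected app. "resolver" is the receiving
// app's ContentResolver; "dir" is a directory under getFilesDir(). Needs API 26+ for java.nio.file.
public final class SharedFileImport {
    // DISPLAY_NAME is supplied by the *sending* app's provider, so it is attacker-controlled.
    static String queryDisplayName(ContentResolver resolver, Uri uri) {
        String[] proj = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = resolver.query(uri, proj, null, null, null)) {
            return (c != null && c.moveToFirst()) ? c.getString(0) : null;
        }
    }
    // VULNERABLE pattern from the article: the advertised name is used as-is, so a name
    // containing "../" escapes dir and overwrites the receiving app's own files.
    static void importUntrusted(ContentResolver resolver, Uri uri, File dir)
            throws IOException {
        File dest = new File(dir, queryDisplayName(resolver, uri));
        try (InputStream in = resolver.openInputStream(uri)) {
            Files.copy(in, dest.toPath(), StandardCopyOption.REPLACE_EXISTING);
        }
    }
    // HARDENED: reject names with path separators or "..", then confirm the canonical
    // destination is still inside dir before writing anything.
    static File importSafely(ContentResolver resolver, Uri uri, File dir)
            throws IOException {
        String name = queryDisplayName(resolver, uri);
        if (name == null || name.isEmpty() || name.contains("/")
                || name.contains("\\") || name.equals(".") || name.equals("..")) {
            throw new IOException("rejected display name: " + name);
        }
        File dest = new File(dir, name);
        String base = dir.getCanonicalPath() + File.separator;
        if (!dest.getCanonicalPath().startsWith(base)) {
            throw new IOException("destination escapes " + base);
        }
        try (InputStream in = resolver.openInputStream(uri)) {
            Files.copy(in, dest.toPath(), StandardCopyOption.REPLACE_EXISTING);
        }
        return dest;
    }
}
```

Generating a random local filename instead of reusing the advertised one removes the trust in the sender entirely; the canonical-path check remains a useful second line of defence.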
Researchers at Microsoft discovered a vulnerability pattern in popular Android apps that allows malicious apps to overwrite files in the vulnerable app’s directory, which could lead to attackers stealing user credentials or even achieving arbitrary code execution on the device.
By exploiting how some apps load libraries from their data directory, attackers could replace legitimate libraries with malicious code.
A vulnerability in Xiaomi’s File Manager app allows other installed apps to gain unauthorized access to the File Manager’s internal storage because the app improperly validates incoming file copy requests.
Specifically, the app fails to check the scheme of the content URI that specifies the destination directory, so a malicious app can craft a request that writes data into the File Manager’s internal storage rather than the intended location, exposing sensitive data stored by the File Manager app.
A vulnerability in a file manager app allows attackers to achieve code execution with the file manager’s user ID. By exploiting a path traversal vulnerability, they can save a malicious library in the app’s home directory.
Then, they trick the app into using the malicious library by manipulating a hash value stored in a backup preferences file, so that the app loads the attacker’s code instead of the legitimate library.
A vulnerability in a mobile file browser app allows attackers to steal login credentials for SMB and FTP remote shares stored in clear text on the device. By exploiting the app’s interaction with a junk cleaner app, attackers can gain code execution and steal these credentials.
With stolen credentials, attackers can directly access SMB and FTP shares on the local network or access files downloaded from those shares stored on the device’s external storage.