A number of widespread Android purposes out there in Google Play Retailer are prone to a path traversal-affiliated vulnerability that might be exploited by a malicious app to overwrite arbitrary information within the susceptible app’s dwelling listing.
“The implications of this vulnerability sample embrace arbitrary code execution and token theft, relying on an software’s implementation,” Dimitrios Valsamaras of the Microsoft Menace Intelligence staff stated in a report printed Wednesday.
Profitable exploitation may permit an attacker to take full management of the applying’s habits and leverage the stolen tokens to realize unauthorized entry to the sufferer’s on-line accounts and different knowledge.
Two of the apps that had been discovered susceptible to the issue are as follows –
- Xiaomi File Supervisor (com.mi. Android.globalFileexplorer) – Over 1 billion installs
- WPS Workplace (cn.wps.moffice_eng) – Over 500 million installs
Whereas Android implements isolation by assigning every software its personal devoted knowledge and reminiscence house, it gives what’s referred to as a content material supplier to facilitate knowledge and file sharing between apps in a safe method. However implementation oversights may allow bypassing of learn/write restrictions inside an software’s dwelling listing.
“This content material provider-based mannequin offers a well-defined file-sharing mechanism, enabling a serving software to share its information with different purposes in a safe method with fine-grained management,” Valsamaras stated.
“Nonetheless, we now have regularly encountered circumstances the place the consuming software does not validate the content material of the file that it receives and, most regarding, it makes use of the filename offered by the serving software to cache the acquired file inside the consuming software’s inner knowledge listing.”
This pitfall can have severe penalties when a serving app declares a malicious model of the FileProvider class as a way to allow file sharing between apps, and in the end trigger the consuming software to overwrite important information in its non-public knowledge house.
Put otherwise, the mechanism takes benefit of the truth that the consuming app blindly trusts the enter to ship arbitrary payloads with a selected filename by the use of a customized, specific intent and with out the person’s data or consent, resulting in code execution.
In consequence, this might allow an attacker to overwrite the goal app’s shared preferences file and make it talk with a server underneath their management to exfiltrate delicate info.
One other state of affairs includes apps that load native libraries from its personal knowledge listing (as an alternative of “/knowledge/app-lib”), during which case a rogue app may exploit the aforementioned weak point to overwrite a local library with malicious code that will get executed when the library is loaded.
Following accountable disclosure, each Xiaomi and WPS Workplace have rectified the problem as of February 2024. Microsoft, nonetheless, stated the problem might be extra prevalent, requiring that builders take steps to verify their apps for comparable points.
Google has additionally printed its personal steering on the matter, urging builders to correctly deal with the filename offered by the server software.
“When the shopper software writes the acquired file to storage, it ought to ignore the filename offered by the server software and as an alternative use its personal internally generated distinctive identifier because the filename,” Google stated. “If producing a singular filename isn’t sensible, the shopper software ought to sanitize the offered filename.”
