A number of in style Android functions out there in Google Play Retailer are prone to a path traversal-affiliated vulnerability that may very well be exploited by a malicious app to overwrite arbitrary recordsdata within the weak app’s dwelling listing.
“The implications of this vulnerability sample embrace arbitrary code execution and token theft, relying on an software’s implementation,” Dimitrios Valsamaras of the Microsoft Risk Intelligence group stated in a report revealed Wednesday.
Profitable exploitation might permit an attacker to take full management of the appliance’s habits and leverage the stolen tokens to achieve unauthorized entry to the sufferer’s on-line accounts and different information.
Two of the apps that have been discovered weak to the issue are as follows –
- Xiaomi File Supervisor (com.mi. Android.globalFileexplorer) – Over 1 billion installs
- WPS Workplace (cn.wps.moffice_eng) – Over 500 million installs
Whereas Android implements isolation by assigning every software its personal devoted information and reminiscence house, it gives what’s referred to as a content material supplier to facilitate information and file sharing between apps in a safe method. However implementation oversights might allow bypassing of learn/write restrictions inside an software’s dwelling listing.
“This content material provider-based mannequin offers a well-defined file-sharing mechanism, enabling a serving software to share its recordsdata with different functions in a safe method with fine-grained management,” Valsamaras stated.
“Nonetheless, we now have often encountered circumstances the place the consuming software would not validate the content material of the file that it receives and, most regarding, it makes use of the filename supplied by the serving software to cache the acquired file inside the consuming software’s inner information listing.”
This pitfall can have severe penalties when a serving app declares a malicious model of the FileProvider class to be able to allow file sharing between apps, and finally trigger the consuming software to overwrite vital recordsdata in its personal information house.
Put in a different way, the mechanism takes benefit of the truth that the consuming app blindly trusts the enter to ship arbitrary payloads with a particular filename by the use of a customized, specific intent and with out the person’s data or consent, resulting in code execution.
Because of this, this might allow an attacker to overwrite the goal app’s shared preferences file and make it talk with a server underneath their management to exfiltrate delicate data.
One other state of affairs entails apps that load native libraries from its personal information listing (as a substitute of “/information/app-lib”), by which case a rogue app might exploit the aforementioned weak point to overwrite a local library with malicious code that will get executed when the library is loaded.
Following accountable disclosure, each Xiaomi and WPS Workplace have rectified the problem as of February 2024. Microsoft, nonetheless, stated the problem may very well be extra prevalent, requiring that builders take steps to examine their apps for comparable points.
Google has additionally revealed its personal steerage on the matter, urging builders to correctly deal with the filename supplied by the server software.
“When the shopper software writes the acquired file to storage, it ought to ignore the filename supplied by the server software and as a substitute use its personal internally generated distinctive identifier because the filename,” Google stated. “If producing a novel filename is just not sensible, the shopper software ought to sanitize the supplied filename.”
