Numerous prominent Android applications available in the Google Play Store are affected by a path traversal-related flaw that a malicious application could exploit to overwrite arbitrary files in the vulnerable application's private data directory.
“The ramifications of this flaw pattern encompass arbitrary code execution and token theft, contingent on how an application implements it,” remarked Dimitrios Valsamaras of the Microsoft Threat Intelligence team in a report released on Wednesday.
Successful exploitation could grant an attacker complete control over the application's behavior and allow the stolen tokens to be used to gain unauthorized access to the victim's online accounts and other data.
Two of the applications discovered vulnerable to this issue are:
- Xiaomi File Manager (com.mi.android.globalFileexplorer) – with over 1 billion installations
- WPS Office (cn.wps.moffice_eng) – with over 500 million installations

Although Android isolates applications by allocating each its own dedicated data and memory space, it provides what is known as a content provider to facilitate secure exchange of data and files between applications. Nonetheless, mistakes in implementation can allow the read/write constraints of an application's private data directory to be bypassed.
“This content provider-driven model furnishes a well-defined file-sharing mechanism, enabling a serving application to distribute its files with other applications securely and with precise control,” Valsamaras expounded.
“However, we have frequently encountered scenarios where the receiving application fails to validate the content of the file it receives and, more disconcerting, it employs the filename provided by the serving application to cache the received file within its own internal data directory.”
This pitfall could result in severe repercussions when a serving app declares a malicious version of the FileProvider class to facilitate file sharing among apps, ultimately leading the receiving application to overwrite crucial files in its private data area.
In simpler terms, the attack exploits the fact that the receiving app blindly trusts its input: a malicious app can deliver an arbitrary payload under a filename of its choosing through a custom, explicit intent, without the user's awareness or consent, culminating in code execution.
Consequently, this could authorize an attacker to overwrite the target app’s shared preferences file and compel it to communicate with a server under their jurisdiction to extract sensitive data.
Another scenario involves applications that load native libraries from their own data directory (rather than from "/data/app-lib"). In such cases, a malicious app could use the same vulnerability to overwrite a native library with malicious code, which is then executed when the library is loaded.
Subsequent to responsible disclosure, both Xiaomi and WPS Office have remedied the issue as of February 2024. However, Microsoft indicated that the problem could be more widespread, necessitating developers to scrutinize their applications for similar vulnerabilities.
Google has also issued its own recommendations on the matter, urging developers to adequately manage the filename provided by the server application.
“When the client application writes the received file to storage, it should disregard the filename provided by the server application and instead employ its internally generated unique identifier as the filename,” Google advised. “If generating a unique filename is impractical, the client application should sanitize the provided filename.”
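As an added illustration (not code from Microsoft's report or from the affected apps), the following hypothetical Java helper for a receiving app shows the attacker-controlled DISPLAY_NAME lookup beside the two mitigations Google describes; the class name `SharedFileCache` and its method names are assumptions.

```java
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.UUID;

// Hypothetical receiving-app helper (added example, not code from the report
// or the affected apps). Caches a file shared by another app via content:// URI.
public final class SharedFileCache {
    // DISPLAY_NAME is answered by the *serving* app's provider, so a malicious
    // provider controls it fully (path separators and ".." included).
    static String queryDisplayName(Context ctx, Uri uri) {
        try (Cursor c = ctx.getContentResolver().query(uri,
                new String[]{OpenableColumns.DISPLAY_NAME}, null, null, null)) {
            return (c != null && c.moveToFirst()) ? c.getString(0) : null;
        }
    }

    // Preferred fix (Google's first recommendation): ignore the provided name
    // and store under an internally generated unique identifier.
    static File cacheSafe(Context ctx, Uri uri) throws IOException {
        File dest = new File(ctx.getCacheDir(), UUID.randomUUID().toString());
        copy(ctx, uri, dest);
        return dest;
    }

    // Fallback when the name must be kept. The vulnerable pattern in the report
    // is simply new File(cacheDir, queryDisplayName(...)) with no checks; here
    // the name is reduced to its last segment, character-restricted, and the
    // canonical result is confirmed to stay inside the intended directory.
    static File sanitizedTarget(File dir, String name) throws IOException {
        String base = new File(name).getName().replaceAll("[^A-Za-z0-9._-]", "_");
        if (base.isEmpty() || base.equals(".") || base.equals("..")) throw new IOException("rejected filename");
        File dest = new File(dir, base);
        if (!dest.getCanonicalPath().startsWith(dir.getCanonicalPath() + File.separator)) throw new IOException("filename escapes " + dir);
        return dest;
    }

    private static void copy(Context ctx, Uri uri, File dest) throws IOException {
        try (InputStream in = ctx.getContentResolver().openInputStream(uri);
             FileOutputStream out = new FileOutputStream(dest)) {
            if (in == null) throw new IOException("cannot open " + uri);
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        }
    }
}
```

A caller that needs a human-readable name would write to `sanitizedTarget(ctx.getCacheDir(), queryDisplayName(ctx, uri))` instead of concatenating the raw name.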