A number of popular Android applications available in the Google Play Store are susceptible to a path traversal-related vulnerability that could be exploited by a malicious app to overwrite arbitrary files in the vulnerable app's home directory.
"The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application's implementation," Dimitrios Valsamaras of the Microsoft Threat Intelligence team said in a report published Wednesday.
Successful exploitation could allow an attacker to take full control of the application's behavior and leverage the stolen tokens to gain unauthorized access to the victim's online accounts and other data.
Two of the apps that were found vulnerable to the problem are as follows –
- Xiaomi File Manager (com.mi.android.globalFileexplorer) – Over 1 billion installs
- WPS Office (cn.wps.moffice_eng) – Over 500 million installs
While Android implements isolation by assigning each application its own dedicated data and memory space, it offers what's called a content provider to facilitate data and file sharing between apps in a secure manner. But implementation oversights could allow the read/write restrictions within an application's home directory to be bypassed.
"This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control," Valsamaras said.
"However, we have frequently encountered cases where the consuming application doesn't validate the content of the file that it receives and, most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application's internal data directory."
This pitfall can have serious consequences when a serving app declares a malicious version of the FileProvider class in order to enable file sharing between apps, ultimately causing the consuming application to overwrite critical files in its private data space.
Put differently, the attack takes advantage of the fact that the consuming app blindly trusts the input: the serving app sends an arbitrary payload with a chosen filename by means of a custom, explicit intent, without the user's knowledge or consent, leading to code execution.
As a result, an attacker could overwrite the target app's shared preferences file and make it communicate with a server under their control to exfiltrate sensitive information.
Another scenario involves apps that load native libraries from their own data directory (as opposed to "/data/app-lib"), in which case a rogue app could exploit the aforementioned weakness to overwrite a native library with malicious code that gets executed when the library is loaded.
Following responsible disclosure, both Xiaomi and WPS Office rectified the problem as of February 2024. Microsoft, however, said the issue could be more prevalent, and urged developers to check their apps for similar weaknesses.
Google has also published its own guidance on the matter, urging developers to properly handle the filename provided by the server application.
"When the client application writes the received file to storage, it should ignore the filename provided by the server application and instead use its own internally generated unique identifier as the filename," Google said. "If generating a unique filename is not practical, the client application should sanitize the provided filename."
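The pattern Valsamaras describes (the consuming app caches a received file under the name the serving app advertises) and the two remedies in Google's guidance (use an internally generated name, or sanitize the provided one) can be put side by side in code. The following is an added example written for this page; it is not code from Microsoft's report, from Xiaomi, from WPS Office or from Google. It assumes a receiving app that obtains the shared file as a content URI, reads the advertised name through `OpenableColumns.DISPLAY_NAME`, and copies the stream into its cache directory. The class and method names are hypothetical.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.UUID;

/** Receiving side of a content-provider file share (hypothetical class, added example). */
public final class SharedFileReceiver {

    /** Reads the DISPLAY_NAME the serving app advertises for the shared content URI. */
    static String queryDisplayName(Context ctx, Uri uri) {
        String[] projection = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = ctx.getContentResolver().query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                return c.getString(0);
            }
        }
        return null;
    }

    /**
     * VULNERABLE pattern: the serving app controls DISPLAY_NAME, and it is used verbatim as
     * the cache filename. A name containing path separators or ".." segments is resolved
     * relative to cacheDir and lands somewhere else in the app's private data directory,
     * which is exactly the overwrite the report describes.
     */
    static File cacheSharedFileUnsafe(Context ctx, Uri uri) throws IOException {
        String name = queryDisplayName(ctx, uri);
        File dest = new File(ctx.getCacheDir(), name); // no validation of `name`
        copy(ctx, uri, dest);
        return dest;
    }

    /**
     * HARDENED pattern, first option in Google's guidance: the advertised filename is
     * ignored for the on-disk path and an internally generated identifier is used instead.
     * The advertised name may still be shown to the user, but never as a path component.
     */
    static File cacheSharedFileSafe(Context ctx, Uri uri) throws IOException {
        File dest = new File(ctx.getCacheDir(), UUID.randomUUID().toString());
        copy(ctx, uri, dest);
        return dest;
    }

    /**
     * HARDENED pattern, second option (when the original name must be preserved):
     * reduce the untrusted name to a basename with a conservative character set, then
     * verify that the canonical result still lies inside the intended directory.
     * Returns null for anything that tries to escape, so the caller rejects the file.
     */
    static File resolveSanitizedTarget(File baseDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()) return null;
        // Keep only the last path segment, then drop any character outside a safe set.
        String base = new File(untrustedName).getName();
        String sanitized = base.replaceAll("[^A-Za-z0-9._-]", "_");
        if (sanitized.isEmpty() || sanitized.equals(".") || sanitized.equals("..")) return null;
        File candidate = new File(baseDir, sanitized);
        // Defence in depth: the canonical path must stay under baseDir (catches symlink tricks).
        String root = baseDir.getCanonicalPath() + File.separator;
        if (!candidate.getCanonicalPath().startsWith(root)) return null;
        return candidate;
    }

    /** Streams the provider's content into dest; the destination is chosen by the caller. */
    static void copy(Context ctx, Uri uri, File dest) throws IOException {
        ContentResolver resolver = ctx.getContentResolver();
        try (InputStream in = resolver.openInputStream(uri);
             OutputStream out = new FileOutputStream(dest)) {
            if (in == null) throw new IOException("provider returned no stream for " + uri);
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        }
    }
}
```

The only difference between the unsafe and safe receivers is who picks the destination path: in `cacheSharedFileUnsafe` the serving app does, in `cacheSharedFileSafe` the receiving app does. `resolveSanitizedTarget` is the fallback for apps that need to keep a human-readable name; the canonical-path check is kept even after sanitization because the sanitizer and the filesystem may disagree about what a name means, and a null return should be treated as a reason to drop the incoming file rather than to fall back to the raw name.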