Path Traversal Vulnerability In Popular Android Apps Let Attackers Overwrite Files
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Hackers aim at well-known Android applications because many people use them, which means that when they attack, it can impact many users.
All these apps are rich in user data, which makes them even more lucrative for threat actors who may be looking forward to stealing personal details or spreading malware.
Recently, Microsoft identified a common path traversal vulnerability design in widely used Android apps. This vulnerability lets a malicious app overwrite files in the vulnerable apps’ home directories, leading to arbitrary code execution and token theft.
On Google Play Store, many vulnerable apps with more than four billion installs were found, and it is also expected to be present in other applications.
Microsoft has informed developers who were affected by this issue, helped them fix it, and partnered with Google to release recommendations for preventing such vulnerabilities.
Technical Analysis
The Android operating system enforces app isolation but provides the FileProvider component for secure file sharing between apps.
📁🄳🄾🄲🅄🄼🄴🄽🅃
However, improper FileProvider implementation can introduce vulnerabilities, enabling the bypassing of read and write restrictions within an app’s home directory.
Share targets are Android apps that declare themselves to handle data and files sent by other apps, such as mail clients, social networking apps, messaging apps, file editors, browsers, etc.
When a user clicks on a file, Android triggers a share-sheet dialog to select the receiving component.
.webp)
The Android share sheet dialog (Source – Microsoft)
Suppose the sending app implements a malicious FileProvider version. In that case, it may cause the receiving app to overwrite critical files by exploiting the lack of validation on the received file’s content and using the provided filename to cache the file within the receiving app’s internal data directory.
Share targets can be exploited by a malicious Android app that creates a custom explicit intent to send a file directly to the share target’s file processing component without user approval.
The malicious app swaps in its own FileProvider implementation and gives the receiving share target app a filename it wrongly trusts.
Almost all reviewed share targets follow this flow:-
.webp)
Getting remote access to local shares (Source – Microsoft)
Because the rogue app controls both the filename and file content, sharing may lead to overwriting critical files in its private data space if this input is blindly trusted, which has serious consequences.
Microsoft found many well-known Android applications on the Google Play Store to contain a path traversal vulnerability, including Xiaomi’s File Manager and WPS Office, which have over 500 million installations each.
Recommendations
Here below we have mentioned all the recommendations:-
#Android #Cyber_Security #Vulnerability #Android_Security #Microsoft_Research #Path_Traversal_Vulnerability
Оригинальная версия на сайте:
Path Traversal Vulnerability In Popular Android Apps Let Attackers Overwrite Files
Author: Tushar Subhra DuttaHackers aim at well-known Android applications because many people use them, which means that when they attack, it can impact many users.
All these apps are rich in user data, which makes them even more lucrative for threat actors who may be looking forward to stealing personal details or spreading malware.
Recently, Microsoft identified a common path traversal vulnerability design in widely used Android apps. This vulnerability lets a malicious app overwrite files in the vulnerable apps’ home directories, leading to arbitrary code execution and token theft.
On Google Play Store, many vulnerable apps with more than four billion installs were found, and it is also expected to be present in other applications.
Microsoft has informed developers who were affected by this issue, helped them fix it, and partnered with Google to release recommendations for preventing such vulnerabilities.
Technical Analysis
The Android operating system enforces app isolation but provides the FileProvider component for secure file sharing between apps.
📁🄳🄾🄲🅄🄼🄴🄽🅃
However, improper FileProvider implementation can introduce vulnerabilities, enabling the bypassing of read and write restrictions within an app’s home directory.
Share targets are Android apps that declare themselves to handle data and files sent by other apps, such as mail clients, social networking apps, messaging apps, file editors, browsers, etc.
When a user clicks on a file, Android triggers a share-sheet dialog to select the receiving component.
The Android share sheet dialog (Source – Microsoft)Suppose the sending app implements a malicious FileProvider version. In that case, it may cause the receiving app to overwrite critical files by exploiting the lack of validation on the received file’s content and using the provided filename to cache the file within the receiving app’s internal data directory.
Share targets can be exploited by a malicious Android app that creates a custom explicit intent to send a file directly to the share target’s file processing component without user approval.
The malicious app swaps in its own FileProvider implementation and gives the receiving share target app a filename it wrongly trusts.
Almost all reviewed share targets follow this flow:-
- Request the filename from the remote FileProvider
- Use it to initialize a file and output stream
- Create an input stream from the received content URI
- Copy input to the output stream
Getting remote access to local shares (Source – Microsoft)Because the rogue app controls both the filename and file content, sharing may lead to overwriting critical files in its private data space if this input is blindly trusted, which has serious consequences.
Microsoft found many well-known Android applications on the Google Play Store to contain a path traversal vulnerability, including Xiaomi’s File Manager and WPS Office, which have over 500 million installations each.
Recommendations
Here below we have mentioned all the recommendations:-
- Microsoft and Google offer guidance to Android developers on avoiding path traversal vulnerabilities.
- Developers should handle filenames from remote sources carefully, using random names or strict validation.
- Techniques like File.getCanonicalPath() and Uri.getLastPathSegment() should be used cautiously.
- Keep mobile apps updated from trusted sources to receive vulnerability fixes.
- For users who accessed shares through vulnerable Xiaomi app versions, reset credentials and monitor for irregularities.
- Microsoft Defender for Endpoint on Android detects malicious apps, while Defender Vulnerability Management identifies apps with known vulnerabilities.
#Android #Cyber_Security #Vulnerability #Android_Security #Microsoft_Research #Path_Traversal_Vulnerability
Оригинальная версия на сайте:
