Fashionable Android Apps Like Xiaomi, WPS Workplace Susceptible to File Overwrite Flaw
A number of common Android functions obtainable in Google Play Retailer are prone to a path traversal-affiliated vulnerability that might be exploited by a malicious app to overwrite arbitrary recordsdata within the susceptible app’s dwelling listing.
“The implications of this vulnerability sample embody arbitrary code execution and token theft, relying on an utility’s implementation,” Dimitrios Valsamaras of the Microsoft Risk Intelligence workforce said in a report revealed Wednesday.
Profitable exploitation might permit an attacker to take full management of the applying’s conduct and leverage the stolen tokens to achieve unauthorized entry to the sufferer’s on-line accounts and different information.
Two of the apps that had been discovered susceptible to the issue are as follows –
- Xiaomi File Supervisor (com.mi. Android.globalFileexplorer) – Over 1 billion installs
- WPS Workplace (cn.wps.moffice_eng) – Over 500 million installs
Whereas Android implements isolation by assigning every utility its personal devoted information and reminiscence house, it presents what’s referred to as a content material supplier to facilitate information and file sharing between apps in a safe method. However implementation oversights might allow bypassing of learn/write restrictions inside an utility’s dwelling listing.
“This content material provider-based mannequin offers a well-defined file-sharing mechanism, enabling a serving utility to share its recordsdata with different functions in a safe method with fine-grained management,” Valsamaras mentioned.
“Nevertheless, now we have regularly encountered circumstances the place the consuming utility would not validate the content material of the file that it receives and, most regarding, it makes use of the filename supplied by the serving utility to cache the acquired file inside the consuming utility’s inside information listing.”
This pitfall can have critical penalties when a serving app declares a malicious model of the FileProvider class with the intention to allow file sharing between apps, and in the end trigger the consuming utility to overwrite crucial recordsdata in its non-public information house.
Put otherwise, the mechanism takes benefit of the truth that the consuming app blindly trusts the enter to ship arbitrary payloads with a selected filename via a customized, specific intent and with out the consumer’s information or consent, resulting in code execution.
Because of this, this might allow an attacker to overwrite the goal app’s shared preferences file and make it talk with a server beneath their management to exfiltrate delicate info.
One other state of affairs entails apps that load native libraries from its personal information listing (as an alternative of “/information/app-lib”), through which case a rogue app might exploit the aforementioned weak point to overwrite a local library with malicious code that will get executed when the library is loaded.
Following accountable disclosure, each Xiaomi and WPS Workplace have rectified the difficulty as of February 2024. Microsoft, nevertheless, mentioned the difficulty might be extra prevalent, requiring that builders take steps to test their apps for related points.
Google has additionally revealed its personal steering on the matter, urging builders to correctly deal with the filename supplied by the server utility.
“When the consumer utility writes the acquired file to storage, it ought to ignore the filename supplied by the server utility and as an alternative use its personal internally generated distinctive identifier because the filename,” Google said. “If producing a singular filename will not be sensible, the consumer utility ought to sanitize the supplied filename.”
