Vulners
Lucene search
ADB - Backup Archive File Overwrite Directory Traversal
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Android OS 4.4.4 Backup Agent Arbitrary Code Execution Vulnerability | 19 Apr 201500:00 | – | zdt |
 | Google Android Operating System < 4.3.0 Multiple Vulnerabilities | 26 Jun 201500:00 | – | nessus |
 | Google Android adb backup 'server/BackupManagerService.java' directory traversal vulnerability | 11 May 201500:00 | – | cnvd |
 | CVE-2014-7951 | 20 Feb 202015:34 | – | cve |
 | CVE-2014-7951 | 20 Feb 202015:34 | – | cvelist |
 | EUVD-2014-7801 | 7 Oct 202500:30 | – | euvd |
 | ADB - Backup Archive File Overwrite Directory Traversal | 21 Apr 201500:00 | – | exploitpack |
 | CVE-2014-7951 | 20 Feb 202016:15 | – | nvd |
 | ADB Backup Traversal / File Overwrite | 19 Apr 201500:00 | – | packetstorm |
| Android Backup Agent Arbitrary Code Execution | 19 Apr 201500:00 | – | packetstorm |
10
ADB backup archive path traversal file overwrite
------------------------------------------------
Using adb one can create a backup of his/her Android device and store it
on the PC. The backup archive is based on the tar file format.
By modifying tar headers to contain ../../ like patterns it is possible
to overwrite files owned by the system user on writeable partitions.
An example pathname in the tar header:
apps/com.android.settings/sp/../../../../data/system/evil.txt
Tar header checksum must be corrected of course.
When restoring the modified archive the BackupManagerService overwrites
the resolved file name, since file name is not sanitized.
Bugfix in the version control:
https://android.googlesource.com/platform/frameworks/base/+/7bc601d%5E!/#F0
Android 5 (Lollipop) and newer versions are not affected (due to the
official bugfix linked above).
Additional conditions for exploiting on pre-Lollipop systems:
- Partition of the desination file must be mounted as writeable (eg.
/system won't work, but /data does)
- It is not possible to overwrite files owned by root, since the process
doing the restore is running as the same user as the package itself and
Android packages cannot run.
- It is not possible to overwrite files owned by system user since AOSP
4.3 due to Id6a0cb4c113c2e4a8c4605252cffa41bea22d8a3, a new hardening
was introduced "... ignoring non-agent system package ".
(If the operating system is custom and there is a system package
available with a full backup agent specified explicitly, then that
custom Android 4.3 and 4.4 might be affected too.)
Pre 4.3 AOSP systems are affected without further conditions: it is
possible to overwrite files owned by the system user or any other
packages installed on the system.
Tested on: Android 4.0.4:
Reported on: 2014-07-14
Assigned CVE: CVE-2014-7951
Android bug id: 16298491
Discovered by: Imre Rad / Search-Lab Ltd.
http://www.search-lab.hu
http://www.securecodingacademy.com/Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Apr 2015 00:00Current
5.1Medium risk
Vulners AI Score5.1
CVSS 22.1
CVSS 3.14.6
EPSS0.01965