Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormImre RadPACKETSTORM:131510
HistoryApr 19, 2015 - 12:00 a.m.

ADB Backup Traversal / File Overwrite

2015-04-1900:00:00
Imre Rad
packetstormsecurity.com
34

0.005 Low

EPSS

Percentile

72.8%

JSON
`ADB backup archive path traversal file overwrite   
------------------------------------------------  
  
Using adb one can create a backup of his/her Android device and store it  
on the PC. The backup archive is based on the tar file format.  
  
By modifying tar headers to contain ../../ like patterns it is possible  
to overwrite files owned by the system user on writeable partitions.  
  
  
An example pathname in the tar header:  
apps/com.android.settings/sp/../../../../data/system/evil.txt  
Tar header checksum must be corrected of course.  
  
When restoring the modified archive the BackupManagerService overwrites  
the resolved file name, since file name is not sanitized.  
  
Bugfix in the version control:  
https://android.googlesource.com/platform/frameworks/base/+/7bc601d%5E!/#F0  
  
  
Android 5 (Lollipop) and newer versions are not affected (due to the  
official bugfix linked above).  
  
  
Additional conditions for exploiting on pre-Lollipop systems:  
  
- Partition of the desination file must be mounted as writeable (eg.  
/system won't work, but /data does)  
  
- It is not possible to overwrite files owned by root, since the process  
doing the restore is running as the same user as the package itself and  
Android packages cannot run.  
  
- It is not possible to overwrite files owned by system user since AOSP  
4.3 due to Id6a0cb4c113c2e4a8c4605252cffa41bea22d8a3, a new hardening  
was introduced "... ignoring non-agent system package ".  
(If the operating system is custom and there is a system package  
available with a full backup agent specified explicitly, then that  
custom Android 4.3 and 4.4 might be affected too.)  
  
Pre 4.3 AOSP systems are affected without further conditions: it is  
possible to overwrite files owned by the system user or any other  
packages installed on the system.  
  
  
  
Tested on: Android 4.0.4:  
Reported on: 2014-07-14  
Assigned CVE: CVE-2014-7951  
Android bug id: 16298491  
Discovered by: Imre Rad / Search-Lab Ltd.  
http://www.search-lab.hu  
http://www.securecodingacademy.com/  
  
`

Related

packetstorm 1
securityvulns 3
ubuntucve 1
cve 1
exploitpack 1
prion 1
nessus 1
zdt 1
exploitdb 1
packetstorm
packetstorm
Android Backup Agent Arbitrary Code Execution
2015-04-19 00:00:00
securityvulns
securityvulns
CVE-2014-7953 Android backup agent code execution
2015-04-19 00:00:00
CVE-2014-7951 adb backup archive path traversal file overwrite
2015-04-19 00:00:00
Android multiple security vulnerabilities
2015-04-19 00:00:00
ubuntucve
ubuntucve
CVE-2014-7951
2020-02-20 00:00:00
cve
cve
CVE-2014-7951
2020-02-20 16:15:00
exploitpack
exploitpack
ADB - Backup Archive File Overwrite Directory Traversal
2015-04-21 00:00:00
prion
prion
Directory traversal
2020-02-20 16:15:00
nessus
nessus
Google Android Operating System < 4.3.0 Multiple Vulnerabilities
2015-06-26 00:00:00
zdt
zdt
Android OS 4.4.4 Backup Agent Arbitrary Code Execution Vulnerability
2015-04-19 00:00:00
exploitdb
exploitdb
ADB - Backup Archive File Overwrite Directory Traversal
2015-04-21 00:00:00

0.005 Low

EPSS

Percentile

72.8%

JSON
Related for PACKETSTORM:131510
packetstorm1securityvulns3ubuntucve1cve1exploitpack1prion1nessus1zdt1exploitdb1