{"cve": [{"lastseen": "2021-02-02T06:14:34", "description": "Directory traversal vulnerability in the doSendObjectInfo method in frameworks/av/media/mtp/MtpServer.cpp in Android 4.4.4 allows physically proximate attackers with a direct connection to the target Android device to upload files outside of the sdcard via a .. (dot dot) in a name parameter of an MTP request.", "edition": 4, "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 4.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-07-07T17:29:00", "title": "CVE-2014-7954", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7954"], "modified": "2018-10-09T19:53:00", "cpe": ["cpe:/o:google:android:4.4.4"], "id": "CVE-2014-7954", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7954", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:google:android:4.4.4:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:14:34", "description": "Directory traversal vulnerability in the Android debug bridge (aka adb) in Android 4.0.4 allows physically proximate attackers with a direct connection to the target Android device to write to arbitrary files owned by system 
via a .. (dot dot) in the tar archive headers.", "edition": 6, "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 4.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-02-20T16:15:00", "title": "CVE-2014-7951", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7951"], "modified": "2020-02-25T19:11:00", "cpe": ["cpe:/o:google:android:4.0.4"], "id": "CVE-2014-7951", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7951", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:58", "bulletinFamily": "software", "cvelist": ["CVE-2014-7954"], "description": "\r\n\r\nMTP path traversal vulnerability in Android 4.4\r\n-----------------------------------------------\r\n\r\ndoSendObjectInfo() method of the MtpServer class implemented in\r\nframeworks/av/media/mtp/MtpServer.cpp does not validate the name\r\nparameter of the incoming MTP packet at all.\r\n\r\nIt is possible to upload files outside of the sdcard using a specially\r\ncrafted MTP request:\r\n\r\nroot@testpc:~/mtp-test# ./mtp-mysend sdf.txt 
\\r\n ../../../.././../data/data/com.android.providers.media/sdf.txt\r\nlibmtp version: 1.1.3\r\n\r\nDevice 0 (VID=18d1 and PID=4e42) is UNKNOWN.\r\nPlease report this VID/PID and the device model to the libmtp\r\ndevelopment team\r\nAndroid device detected, assigning default bug flags\r\nSending sdf.txt as\r\n../../../../../../data/data/com.android.providers.media/sdf.txt\r\nSending file...\r\nProgress: 25 of 25 (100%)\r\nNew file ID: 203\r\n\r\n\r\n\r\nThe file is written by the process com.android.providers.media:\r\n\r\nroot@grouper:/data/data/com.android.providers.media # ls -la\r\nls -la\r\ndrwxrwx--x u0_a6 u0_a6 2014-07-22 01:06 cache\r\ndrwxrwx--x u0_a6 u0_a6 2014-07-22 01:07 databases\r\nlrwxrwxrwx install install 2014-07-22 01:05 lib ->\r\n/data/app-lib/com.android.providers.media\r\n-rw-rw-r-- u0_a6 media_rw 13 2014-09-24 01:36 sdf.txt\r\ndrwxrwx--x u0_a6 u0_a6 2014-07-22 01:06 shared_prefs\r\n\r\n\r\nTested on: Android 4.4.4\r\nReported on: 2014-09-26\r\nAssigned CVE: CVE-2014-7954\r\nDiscovered by: Imre Rad / Search-Lab Ltd.\r\n http://www.search-lab.hu\r\n http://www.securecodingacademy.com/\r\n\r\n", "edition": 1, "modified": "2015-04-19T00:00:00", "published": "2015-04-19T00:00:00", "id": "SECURITYVULNS:DOC:31931", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31931", "title": "CVE-2014-7954 MTP path traversal vulnerability in Android", "type": "securityvulns", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:58", "bulletinFamily": "software", "cvelist": ["CVE-2014-7951"], "description": "\r\n\r\nADB backup archive path traversal file overwrite \t\r\n------------------------------------------------\r\n\r\nUsing adb one can create a backup of his/her Android device and store it\r\non the PC. 
The backup archive is based on the tar file format.\r\n\r\nBy modifying tar headers to contain ../../ like patterns it is possible\r\nto overwrite files owned by the system user on writeable partitions.\r\n\r\n\r\nAn example pathname in the tar header:\r\napps/com.android.settings/sp/../../../../data/system/evil.txt\r\nTar header checksum must be corrected of course.\r\n\r\nWhen restoring the modified archive the BackupManagerService overwrites\r\nthe resolved file name, since file name is not sanitized.\r\n\r\nBugfix in the version control:\r\nhttps://android.googlesource.com/platform/frameworks/base/+/7bc601d%5E!/#F0\r\n\r\n\r\nAndroid 5 (Lollipop) and newer versions are not affected (due to the\r\nofficial bugfix linked above).\r\n\r\n\r\nAdditional conditions for exploiting on pre-Lollipop systems:\r\n\r\n- Partition of the destination file must be mounted as writeable (eg.\r\n/system won't work, but /data does)\r\n\r\n- It is not possible to overwrite files owned by root, since the process\r\ndoing the restore is running as the same user as the package itself and\r\nAndroid packages cannot run.\r\n\r\n- It is not possible to overwrite files owned by system user since AOSP\r\n4.3 due to Id6a0cb4c113c2e4a8c4605252cffa41bea22d8a3, a new hardening\r\nwas introduced "... 
ignoring non-agent system package ".\r\n(If the operating system is custom and there is a system package\r\navailable with a full backup agent specified explicitly, then that\r\ncustom Android 4.3 and 4.4 might be affected too.)\r\n\r\nPre 4.3 AOSP systems are affected without further conditions: it is\r\npossible to overwrite files owned by the system user or any other\r\npackages installed on the system.\r\n\r\n\r\n\r\nTested on: Android 4.0.4:\r\nReported on: 2014-07-14\r\nAssigned CVE: CVE-2014-7951\r\nAndroid bug id: 16298491\r\nDiscovered by: Imre Rad / Search-Lab Ltd.\r\n http://www.search-lab.hu\r\n http://www.securecodingacademy.com/\r\n\r\n\r\n", "edition": 1, "modified": "2015-04-19T00:00:00", "published": "2015-04-19T00:00:00", "id": "SECURITYVULNS:DOC:31932", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31932", "title": "CVE-2014-7951 adb backup archive path traversal file overwrite", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:58", "bulletinFamily": "software", "cvelist": ["CVE-2014-7951"], "description": "\r\n\r\nAndroid backup agent arbitrary code execution\r\n---------------------------------------------\r\n\r\nThe Android backup agent implementation was vulnerable to privilege\r\nescalation and race condition. An attacker with adb shell access could\r\nrun arbitrary code as the system (1000) user (or any other valid\r\npackage). The attack is tested on Android OS 4.4.4.\r\n\r\n\r\nThe main problem is inside bindBackupAgent method in the\r\nActivityManagerService.\r\nThis method is exported through Binder and is available to call by the\r\nshell user, since android.permission.BACKUP is granted for it.\r\n\r\nThe method has an ApplicationInfo parameter, which is unsecured (not\r\ncross validated through the PackageManager), so the uid member could be\r\nmanipulated. 
The supplied ApplicationInfo object will be direct\r\nparameter for startProcessLocked().\r\n\r\nBefore invoking startProcessLocked, bindBackupAgent also tries to set\r\nstopped state for the package.\r\nThis call is bound to an additional permission\r\n(CHANGE_COMPONENT_ENABLED_STATE), which is a system permission, not even\r\nshell user got it.\r\n\r\nHowever, there is a race condition between PackageManager and\r\nActivityManagerService, so this security check can be bypassed.\r\n\r\nExistence of the specified package happens first in\r\nmSettings.setPackageStoppedStateLPw(). If the package does not exist\r\nthen IllegalArgumentException is thrown. (Permission would have been\r\nvalidated as next step only resulting in a SecurityException)\r\n\r\nSo, if the package does not exist, IllegalArgumentException is thrown,\r\nwhich is caught by bindBackupAgent, but the execution won't stop (only a\r\nwarning is being logged):\r\n\r\n // Backup agent is now in use, its package can't be stopped.\r\n try {\r\n AppGlobals.getPackageManager().setPackageStoppedState(\r\n app.packageName, false,\r\nUserHandle.getUserId(app.uid));\r\n } catch (RemoteException e) {\r\n } catch (IllegalArgumentException e) {\r\n Slog.w(TAG, "Failed trying to unstop package "\r\n + app.packageName + ": " + e);\r\n }\r\n\r\n\r\nIt was possible to perform the following steps in order to exploit:\r\n\r\n1. execute "pm install helloworld.apk" (with package name\r\ncom.example.helloworld)\r\n\r\n2. with another script process logcat's output and look for\r\nthe dexopt line (DexOpt: load 3ms, verify+opt 5ms, 161068 bytes)\r\n\r\n3. trigger execution of the bindBackupAgent system call (with uid\r\nspoofed to 1000 in ApplicationInfo) as soon as the dexopt line was seen\r\n\r\n\r\nSince this is a race condition and timing is important, it might not\r\nwork at first. 
I was lucky at 3rd attempt.\r\n\r\nIn this lucky scenario the package did not exist while\r\nsetPackageStoppedStateLPw tried to find it, but then it became available\r\nfor startPackageLocked.\r\n\r\nAt this point a new process was forked by the Zygote:\r\n\r\n\r\nshell@grouper:/ $ ps |grep hello\r\nps |grep hello\r\nsystem 6826 141 692340 17312 ffffffff 00000000 S\r\ncom.example.helloworld\r\n\r\n\r\nNo code was executed however, since there exists an additional security\r\ncheck in handleCreateBackupAgent in the ActivityThread:\r\n\r\n PackageInfo requestedPackage =\r\ngetPackageManager().getPackageInfo(\r\n data.appInfo.packageName, 0, UserHandle.myUserId());\r\n if (requestedPackage.applicationInfo.uid != Process.myUid()) {\r\n Slog.w(TAG, "Asked to instantiate non-matching package "\r\n + data.appInfo.packageName);\r\n return;\r\n }\r\n\r\n\r\nBut the process com.example.helloserver was executed with debug flags\r\n(due to the simple fact that it was built by us and we built it as\r\ndebug) so DDMS could be attached to it.\r\n\r\nTo verify actual code execution, I added\r\nRuntime.getRuntime().exec("touch /data/app/testSystem")\r\nas an expression in the debugger to be evaluated by the process.\r\n\r\nThe command was executed successfully:\r\n\r\nshell@grouper:/data/app $ ls -la testSystem\r\nls -la testSystem\r\n-rw------- system system 0 2014-08-06 01:52 testSystem\r\n\r\n\r\n13 byte bugfix for all the above in the version control:\r\nhttps://android.googlesource.com/platform/frameworks/base/+/a8f6d1b%5E!/\r\n\r\nLollipop is not affected, earlier Android versions are.\r\n\r\n\r\nTested on: Android 4.4.4:\r\nReported on: 2014-08-15\r\nAssigned CVE: CVE-2014-7951\r\nAndroid bug id: 15829193\r\nDiscovered by: Imre Rad / Search-Lab Ltd.\r\n http://www.search-lab.hu\r\n http://www.securecodingacademy.com/\r\n\r\n", "edition": 1, "modified": "2015-04-19T00:00:00", "published": "2015-04-19T00:00:00", "id": "SECURITYVULNS:DOC:31933", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:DOC:31933", "title": "CVE-2014-7953 Android backup agent code execution", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:55", "description": "", "published": "2015-04-19T00:00:00", "type": "packetstorm", "title": "Android Backup Agent Arbitrary Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7951"], "modified": "2015-04-19T00:00:00", "id": "PACKETSTORM:131511", "href": "https://packetstormsecurity.com/files/131511/Android-Backup-Agent-Arbitrary-Code-Execution.html", "sourceData": "`Android backup agent arbitrary code execution \n--------------------------------------------- \n \nThe Android backup agent implementation was vulnerable to privilege \nescalation and race condition. An attacker with adb shell access could \nrun arbitrary code as the system (1000) user (or any other valid \npackage). The attack is tested on Android OS 4.4.4. \n \n \nThe main problem is inside bindBackupAgent method in the \nActivityManagerService. \nThis method is exported through Binder and is available to call by the \nshell user, since android.permission.BACKUP is granted for it. \n \nThe method has an ApplicationInfo parameter, which is unsecured (not \ncross validated through the PackageManager), so the uid member could be \nmanipulated. The supplied ApplicationInfo object will be direct \nparameter for startProcessLocked(). \n \nBefore invoking startProcessLocked, bindBackupAgent also tries to set \nstopped state for the package. \nThis call is bound to an additional permission \n(CHANGE_COMPONENT_ENABLED_STATE), which is a system permission, not even \nshell user got it. \n \nHowever, there is a race condition between PackageManager and \nActivityManagerService, so this security check can be bypassed. \n \nExistence of the specified package happens first in \nmSettings.setPackageStoppedStateLPw(). 
If the package does not exist \nthen IllegalArgumentException is thrown. (Permission would have been \nvalidated as next step only resulting in a SecurityException) \n \nSo, if the package does not exist, IllegalArgumentException is thrown, \nwhich is caught by bindBackupAgent, but the execution won't stop (only a \nwarning is being logged): \n \n// Backup agent is now in use, its package can't be stopped. \ntry { \nAppGlobals.getPackageManager().setPackageStoppedState( \napp.packageName, false, \nUserHandle.getUserId(app.uid)); \n} catch (RemoteException e) { \n} catch (IllegalArgumentException e) { \nSlog.w(TAG, \"Failed trying to unstop package \" \n+ app.packageName + \": \" + e); \n} \n \n \nIt was possible to perform the following steps in order to exploit: \n \n1. execute \"pm install helloworld.apk\" (with package name \ncom.example.helloworld) \n \n2. with another script process logcat's output and look for \nthe dexopt line (DexOpt: load 3ms, verify+opt 5ms, 161068 bytes) \n \n3. trigger execution of the bindBackupAgent system call (with uid \nspoofed to 1000 in ApplicationInfo) as soon as the dexopt line was seen \n \n \nSince this is a race condition and timing is important, it might not \nwork at first. I was lucky at 3rd attempt. \n \nIn this lucky scenario the package did not exist while \nsetPackageStoppedStateLPw tried to find it, but then it became available \nfor startPackageLocked. 
\n \nAt this point a new process was forked by the Zygote: \n \n \nshell@grouper:/ $ ps |grep hello \nps |grep hello \nsystem 6826 141 692340 17312 ffffffff 00000000 S \ncom.example.helloworld \n \n \nNo code was executed however, since there exists an additional security \ncheck in handleCreateBackupAgent in the ActivityThread: \n \nPackageInfo requestedPackage = \ngetPackageManager().getPackageInfo( \ndata.appInfo.packageName, 0, UserHandle.myUserId()); \nif (requestedPackage.applicationInfo.uid != Process.myUid()) { \nSlog.w(TAG, \"Asked to instantiate non-matching package \" \n+ data.appInfo.packageName); \nreturn; \n} \n \n \nBut the process com.example.helloserver was executed with debug flags \n(due to the simple fact that it was built by us and we built it as \ndebug) so DDMS could be attached to it. \n \nTo verify actual code execution, I added \nRuntime.getRuntime().exec(\"touch /data/app/testSystem\") \nas an expression in the debugger to be evaluated by the process. \n \nThe command was executed successfully: \n \nshell@grouper:/data/app $ ls -la testSystem \nls -la testSystem \n-rw------- system system 0 2014-08-06 01:52 testSystem \n \n \n13 byte bugfix for all the above in the version control: \nhttps://android.googlesource.com/platform/frameworks/base/+/a8f6d1b%5E!/ \n \nLollipop is not affected, earlier Android versions are. \n \n \nTested on: Android 4.4.4: \nReported on: 2014-08-15 \nAssigned CVE: CVE-2014-7951 \nAndroid bug id: 15829193 \nDiscovered by: Imre Rad / Search-Lab Ltd. 
\nhttp://www.search-lab.hu \nhttp://www.securecodingacademy.com/ \n`\n", "cvss": {"score": 1.6, "vector": "AV:LOCAL/AC:LOW/Au:UNKNOWN/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/131511/androidbackupagent-exec.txt"}, {"lastseen": "2016-12-05T22:13:32", "description": "", "published": "2015-04-19T00:00:00", "type": "packetstorm", "title": "ADB Backup Traversal / File Overwrite", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7951"], "modified": "2015-04-19T00:00:00", "id": "PACKETSTORM:131510", "href": "https://packetstormsecurity.com/files/131510/ADB-Backup-Traversal-File-Overwrite.html", "sourceData": "`ADB backup archive path traversal file overwrite \n------------------------------------------------ \n \nUsing adb one can create a backup of his/her Android device and store it \non the PC. The backup archive is based on the tar file format. \n \nBy modifying tar headers to contain ../../ like patterns it is possible \nto overwrite files owned by the system user on writeable partitions. \n \n \nAn example pathname in the tar header: \napps/com.android.settings/sp/../../../../data/system/evil.txt \nTar header checksum must be corrected of course. \n \nWhen restoring the modified archive the BackupManagerService overwrites \nthe resolved file name, since file name is not sanitized. \n \nBugfix in the version control: \nhttps://android.googlesource.com/platform/frameworks/base/+/7bc601d%5E!/#F0 \n \n \nAndroid 5 (Lollipop) and newer versions are not affected (due to the \nofficial bugfix linked above). \n \n \nAdditional conditions for exploiting on pre-Lollipop systems: \n \n- Partition of the destination file must be mounted as writeable (eg. \n/system won't work, but /data does) \n \n- It is not possible to overwrite files owned by root, since the process \ndoing the restore is running as the same user as the package itself and \nAndroid packages cannot run. 
\n \n- It is not possible to overwrite files owned by system user since AOSP \n4.3 due to Id6a0cb4c113c2e4a8c4605252cffa41bea22d8a3, a new hardening \nwas introduced \"... ignoring non-agent system package \". \n(If the operating system is custom and there is a system package \navailable with a full backup agent specified explicitly, then that \ncustom Android 4.3 and 4.4 might be affected too.) \n \nPre 4.3 AOSP systems are affected without further conditions: it is \npossible to overwrite files owned by the system user or any other \npackages installed on the system. \n \n \n \nTested on: Android 4.0.4: \nReported on: 2014-07-14 \nAssigned CVE: CVE-2014-7951 \nAndroid bug id: 16298491 \nDiscovered by: Imre Rad / Search-Lab Ltd. \nhttp://www.search-lab.hu \nhttp://www.securecodingacademy.com/ \n \n`\n", "cvss": {"score": 1.6, "vector": "AV:LOCAL/AC:LOW/Au:UNKNOWN/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/131510/adbbackup-traversal.txt"}], "exploitdb": [{"lastseen": "2016-02-04T04:24:38", "description": "ADB Backup Archive Path Traversal File Overwrite. CVE-2014-7951. Local exploit for hardware platform", "published": "2015-04-21T00:00:00", "type": "exploitdb", "title": "ADB Backup Archive Path Traversal File Overwrite", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7951"], "modified": "2015-04-21T00:00:00", "id": "EDB-ID:36813", "href": "https://www.exploit-db.com/exploits/36813/", "sourceData": "ADB backup archive path traversal file overwrite \r\n------------------------------------------------\r\n\r\nUsing adb one can create a backup of his/her Android device and store it\r\non the PC. 
The backup archive is based on the tar file format.\r\n\r\nBy modifying tar headers to contain ../../ like patterns it is possible\r\nto overwrite files owned by the system user on writeable partitions.\r\n\r\n\r\nAn example pathname in the tar header:\r\napps/com.android.settings/sp/../../../../data/system/evil.txt\r\nTar header checksum must be corrected of course.\r\n\r\nWhen restoring the modified archive the BackupManagerService overwrites\r\nthe resolved file name, since file name is not sanitized.\r\n\r\nBugfix in the version control:\r\nhttps://android.googlesource.com/platform/frameworks/base/+/7bc601d%5E!/#F0\r\n\r\n\r\nAndroid 5 (Lollipop) and newer versions are not affected (due to the\r\nofficial bugfix linked above).\r\n\r\n\r\nAdditional conditions for exploiting on pre-Lollipop systems:\r\n\r\n- Partition of the destination file must be mounted as writeable (eg.\r\n/system won't work, but /data does)\r\n\r\n- It is not possible to overwrite files owned by root, since the process\r\ndoing the restore is running as the same user as the package itself and\r\nAndroid packages cannot run.\r\n\r\n- It is not possible to overwrite files owned by system user since AOSP\r\n4.3 due to Id6a0cb4c113c2e4a8c4605252cffa41bea22d8a3, a new hardening\r\nwas introduced \"... 
ignoring non-agent system package \".\r\n(If the operating system is custom and there is a system package\r\navailable with a full backup agent specified explicitly, then that\r\ncustom Android 4.3 and 4.4 might be affected too.)\r\n\r\nPre 4.3 AOSP systems are affected without further conditions: it is\r\npossible to overwrite files owned by the system user or any other\r\npackages installed on the system.\r\n\r\n\r\n\r\nTested on: Android 4.0.4:\r\nReported on: 2014-07-14\r\nAssigned CVE: CVE-2014-7951\r\nAndroid bug id: 16298491\r\nDiscovered by: Imre Rad / Search-Lab Ltd.\r\n http://www.search-lab.hu\r\n http://www.securecodingacademy.com/", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/36813/"}], "zdt": [{"lastseen": "2018-01-10T07:07:09", "edition": 2, "description": "The Android backup agent implementation was vulnerable to privilege escalation and race condition. An attacker with adb shell access could run arbitrary code as the system (1000) user (or any other valid package). The attack is tested on Android OS 4.4.4.", "published": "2015-04-19T00:00:00", "type": "zdt", "title": "Android OS 4.4.4 Backup Agent Arbitrary Code Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7951"], "modified": "2015-04-19T00:00:00", "id": "1337DAY-ID-23533", "href": "https://0day.today/exploit/description/23533", "sourceData": "Android backup agent arbitrary code execution\r\n---------------------------------------------\r\n\r\nThe Android backup agent implementation was vulnerable to privilege\r\nescalation and race condition. An attacker with adb shell access could\r\nrun arbitrary code as the system (1000) user (or any other valid\r\npackage). 
The attack is tested on Android OS 4.4.4.\r\n\r\n\r\nThe main problem is inside bindBackupAgent method in the\r\nActivityManagerService.\r\nThis method is exported through Binder and is available to call by the\r\nshell user, since android.permission.BACKUP is granted for it.\r\n\r\nThe method has an ApplicationInfo parameter, which is unsecured (not\r\ncross validated through the PackageManager), so the uid member could be\r\nmanipulated. The supplied ApplicationInfo object will be direct\r\nparameter for startProcessLocked().\r\n\r\nBefore invoking startProcessLocked, bindBackupAgent also tries to set\r\nstopped state for the package.\r\nThis call is bound to an additional permission\r\n(CHANGE_COMPONENT_ENABLED_STATE), which is a system permission, not even\r\nshell user got it.\r\n\r\nHowever, there is a race condition between PackageManager and\r\nActivityManagerService, so this security check can be bypassed.\r\n\r\nExistence of the specified package happens first in\r\nmSettings.setPackageStoppedStateLPw(). If the package does not exist\r\nthen IllegalArgumentException is thrown. (Permission would have been\r\nvalidated as next step only resulting in a SecurityException)\r\n\r\nSo, if the package does not exist, IllegalArgumentException is thrown,\r\nwhich is caught by bindBackupAgent, but the execution won't stop (only a\r\nwarning is being logged):\r\n\r\n // Backup agent is now in use, its package can't be stopped.\r\n try {\r\n AppGlobals.getPackageManager().setPackageStoppedState(\r\n app.packageName, false,\r\nUserHandle.getUserId(app.uid));\r\n } catch (RemoteException e) {\r\n } catch (IllegalArgumentException e) {\r\n Slog.w(TAG, \"Failed trying to unstop package \"\r\n + app.packageName + \": \" + e);\r\n }\r\n\r\n\r\nIt was possible to perform the following steps in order to exploit:\r\n\r\n1. execute \"pm install helloworld.apk\" (with package name\r\ncom.example.helloworld)\r\n\r\n2. 
with another script process logcat's output and look for\r\nthe dexopt line (DexOpt: load 3ms, verify+opt 5ms, 161068 bytes)\r\n\r\n3. trigger execution of the bindBackupAgent system call (with uid\r\nspoofed to 1000 in ApplicationInfo) as soon as the dexopt line was seen\r\n\r\n\r\nSince this is a race condition and timing is important, it might not\r\nwork at first. I was lucky at 3rd attempt.\r\n\r\nIn this lucky scenario the package did not exist while\r\nsetPackageStoppedStateLPw tried to find it, but then it became available\r\nfor startPackageLocked.\r\n\r\nAt this point a new process was forked by the Zygote:\r\n\r\n\r\nshell@grouper:/ $ ps |grep hello\r\nps |grep hello\r\nsystem 6826 141 692340 17312 ffffffff 00000000 S\r\ncom.example.helloworld\r\n\r\n\r\nNo code was executed however, since there exists an additional security\r\ncheck in handleCreateBackupAgent in the ActivityThread:\r\n\r\n PackageInfo requestedPackage =\r\ngetPackageManager().getPackageInfo(\r\n data.appInfo.packageName, 0, UserHandle.myUserId());\r\n if (requestedPackage.applicationInfo.uid != Process.myUid()) {\r\n Slog.w(TAG, \"Asked to instantiate non-matching package \"\r\n + data.appInfo.packageName);\r\n return;\r\n }\r\n\r\n\r\nBut the process com.example.helloserver was executed with debug flags\r\n(due to the simple fact that it was built by us and we built it as\r\ndebug) so DDMS could be attached to it.\r\n\r\nTo verify actual code execution, I added\r\nRuntime.getRuntime().exec(\"touch /data/app/testSystem\")\r\nas an expression in the debugger to be evaluated by the process.\r\n\r\nThe command was executed successfully:\r\n\r\nshell@grouper:/data/app $ ls -la testSystem\r\nls -la testSystem\r\n-rw------- system system 0 2014-08-06 01:52 testSystem\r\n\r\n\r\n13 byte bugfix for all the above in the version control:\r\nhttps://android.googlesource.com/platform/frameworks/base/+/a8f6d1b%5E!/\r\n\r\nLollipop is not affected, earlier Android versions 
are.\r\n\r\n\r\nTested on: Android 4.4.4:\r\nReported on: 2014-08-15\r\nAssigned CVE: CVE-2014-7951\r\nAndroid bug id: 15829193\r\nDiscovered by: Imre Rad / Search-Lab Ltd.\r\n http://www.search-lab.hu\r\n http://www.securecodingacademy.com/\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 1.6, "vector": "AV:LOCAL/AC:LOW/Au:UNKNOWN/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/23533"}], "exploitpack": [{"lastseen": "2020-04-01T19:03:59", "description": "\nADB - Backup Archive File Overwrite Directory Traversal", "edition": 1, "published": "2015-04-21T00:00:00", "title": "ADB - Backup Archive File Overwrite Directory Traversal", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-7951"], "modified": "2015-04-21T00:00:00", "id": "EXPLOITPACK:1E50D73191B92BFEACEBDF18A5476774", "href": "", "sourceData": "ADB backup archive path traversal file overwrite \n------------------------------------------------\n\nUsing adb one can create a backup of his/her Android device and store it\non the PC. 
The backup archive is based on the tar file format.\n\nBy modifying tar headers to contain ../../ like patterns it is possible\nto overwrite files owned by the system user on writeable partitions.\n\n\nAn example pathname in the tar header:\napps/com.android.settings/sp/../../../../data/system/evil.txt\nTar header checksum must be corrected of course.\n\nWhen restoring the modified archive the BackupManagerService overwrites\nthe resolved file name, since file name is not sanitized.\n\nBugfix in the version control:\nhttps://android.googlesource.com/platform/frameworks/base/+/7bc601d%5E!/#F0\n\n\nAndroid 5 (Lollipop) and newer versions are not affected (due to the\nofficial bugfix linked above).\n\n\nAdditional conditions for exploiting on pre-Lollipop systems:\n\n- Partition of the destination file must be mounted as writeable (eg.\n/system won't work, but /data does)\n\n- It is not possible to overwrite files owned by root, since the process\ndoing the restore is running as the same user as the package itself and\nAndroid packages cannot run.\n\n- It is not possible to overwrite files owned by system user since AOSP\n4.3 due to Id6a0cb4c113c2e4a8c4605252cffa41bea22d8a3, a new hardening\nwas introduced \"... ignoring non-agent system package \".\n(If the operating system is custom and there is a system package\navailable with a full backup agent specified explicitly, then that\ncustom Android 4.3 and 4.4 might be affected too.)\n\nPre 4.3 AOSP systems are affected without further conditions: it is\npossible to overwrite files owned by the system user or any other\npackages installed on the system.\n\n\n\nTested on: Android 4.0.4:\nReported on: 2014-07-14\nAssigned CVE: CVE-2014-7951\nAndroid bug id: 16298491\nDiscovered by: Imre Rad / Search-Lab Ltd.\n http://www.search-lab.hu\n http://www.securecodingacademy.com/", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}]}