File Explorer (FX) for Android suffers from a path traversal vulnerability. version 2.3.0.10 is affected.
75beb06492c1bfac918f41afcd575cbf682aab74a42496ff864096601db8e3da
*# Disclosure Date:* 31 Jan 2014
*# Author: *Keith Makan (http://blog.k3170makan.com)
*# Vendor or Software Link:*
https://play.google.com/store/apps/details?id=nextapp.fx&hl=en
*# Version:* 2.3.0.10
*# Tested on:* Android 3.2.1
*# Site : http://blog.k3170makan.com <http://blog.k3170makan.com>*
Description: File Explorer (FX) for Android Suffers from a Path Traversal
and android.permission.storage permission leakage vulnerability.
The nextapp.fx.FileProvider Content Provider URI does not require any
Read/Write permissions yet allows unauthorized applications to make use of
the android.permission.STORAGE permission by providing them with access to
the local filesystem.
Impact: Malicious Android applications with no Permissions are capable of
leaking the contents of a victims local file system.
An estimated 500,000 - 1,000,000 installs are currently affected.
Fix:
Enforce android.permission.STORAGE Read/Write permission for the affected
content provider.
PoC available at:
>
http://blog.k3170makan.com/2014/02/path-traversal-vulnerability-in-file.html#more
*Timeline:*
31 Jan 2014 - Original Disclosure
06 February 2014 - Advisory Publication
--
<Keith k3170makan <http://about.me/k3170makan> Makan/>
-------------
Proof of concept:
dz> run app.provider.read content://nextapp.fx.FileProvider/
Is a directory
dz> run app.provider.read content://nextapp.fx.FileProvider/../../../system/etc/hosts
127.0.0.1 localhost