*# Disclosure Date:* 31 Jan 2014
*# Author: *Keith Makan (http://blog.k3170makan.com)
*# Vendor or Software Link:*
https://play.google.com/store/apps/details?id=nextapp.fx&hl=en

*# Version:* 2.3.0.10
*# Tested on:* Android 3.2.1
*# Site : http://blog.k3170makan.com <http://blog.k3170makan.com>*
Description: File Explorer (FX) for Android Suffers from a Path Traversal
and android.permission.storage permission leakage vulnerability.

The nextapp.fx.FileProvider Content Provider URI does not require any
Read/Write permissions yet allows unauthorized applications to make use of
the android.permission.STORAGE permission by providing them with access to
the local filesystem.
 Impact: Malicious Android applications with no Permissions are capable of
leaking the contents of a victims local file system.

An estimated 500,000 - 1,000,000 installs are currently affected.
Fix:
Enforce android.permission.STORAGE Read/Write permission for the affected
content provider.

PoC available at:
>
http://blog.k3170makan.com/2014/02/path-traversal-vulnerability-in-file.html#more

*Timeline:*
31 Jan 2014  - Original Disclosure
06 February 2014 - Advisory Publication
-- 
<Keith k3170makan <http://about.me/k3170makan> Makan/>


-------------
Proof of concept:

dz> run app.provider.read content://nextapp.fx.FileProvider/
Is a directory
dz> run app.provider.read content://nextapp.fx.FileProvider/../../../system/etc/hosts
127.0.0.1           localhost