by Tan Chew Keong
Release Date: 2013-05-31
Summary
An archive extraction directory traversal vulnerability has been found in AndroZip File Manager. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
Tested Versions
Details
This advisory discloses an archive extraction directory traversal vulnerability in AndroZip File Manager. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
When extracting compressed files from an archive, the extraction functionality does not properly sanitise the names of compressed files that contain directory traversal sequences. By tricking a user into extracting a specially crafted archive containing files with directory traversal sequences in their filenames, an attacker can write files to arbitrary locations within the SD card of the user's Android device, possibly overwriting the user's existing files.
For example, a malicious archive can contain a compressed file with the following filename:
/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt
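The check that is missing from the extraction step can be sketched as follows. This is an added example, not AndroZip's code or the vendor's fix; it assumes an extractor that joins the destination directory and the entry name, and the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import zipfile

# Entry name quoted in the advisory; DEST is the folder the user extracts into.
POC_NAME = "/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt"
DEST = "/mnt/sdcard/Download"


def landing_path(dest, entry_name):
    """Where an extractor that joins dest + "/" + name would really write."""
    name = entry_name.replace("\\", "/")  # treat Windows separators alike
    return posixpath.normpath(dest.rstrip("/") + "/" + name)


def escapes(dest, entry_name):
    """True if the entry resolves outside dest (dest must be absolute)."""
    root = posixpath.normpath(dest)
    target = landing_path(root, entry_name)
    # Component-wise comparison, so /mnt/sdcard/Download2 is not "inside"
    # /mnt/sdcard/Download the way a plain string-prefix test would claim.
    return posixpath.commonpath([root, target]) != root


def check_archive(zip_bytes, dest):
    """List (entry name, landing path) for every entry that leaves dest."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(n, landing_path(dest, n)) for n in zf.namelist()
                if escapes(dest, n)]


def constructed_sample():
    """Constructed in-memory test archive: one ordinary entry, one with the advisory's name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "ordinary entry")
        zf.writestr(POC_NAME, "constructed test content")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in check_archive(constructed_sample(), DEST):
        print(f"refuse to extract: {name!r} would be written to {target}")
```

The comparison is purely lexical; an extractor that can follow symbolic links inside the destination also needs to compare canonical (resolved) paths before writing.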
POC / Test Code
Please download the POC ZIP archive here and follow the instructions below. Note that other archive types are potentially also affected.
Instructions for testing Directory Traversal in Archive Extraction:
- Copy the POC ZIP archive into the Download directory of your Android device.
- IMPORTANT: Ensure that the /mnt/sdcard/DCIM/ directory exists on your Android device in order for the POC to work.
- Extract the POC ZIP archive into the Download directory. i.e. choose "Extract file here"
- When the extraction completes, navigate to the /mnt/sdcard/DCIM directory. You'll notice that zipPOC.txt has been extracted into /mnt/sdcard/DCIM/zipPOC.txt instead of into /mnt/sdcard/Download/zipPOC.txt.
Hence, by tricking a user into extracting a specially crafted archive, an attacker can potentially exploit this issue to write files into arbitrary locations within the SD card in the user's Android device, or to overwrite files in known locations within the SD card.
For example, an attacker who is aware of the filenames of the user's photos in the /mnt/sdcard/DCIM/ directory can exploit this vulnerability to overwrite the user's photo files.
Patch / Workaround
Update to version 4.5.6 via the Play Store.
Disclosure Timeline
2013-05-20 - Vulnerability Discovered.
2013-05-21 - Initial Vendor Notification By Email (no reply).
2013-05-22 - Second Vendor Notification By Web Form.
2013-05-22 - Vulnerability Details Sent to Vendor.
2013-05-24 - Asked Vendor for Release Date of Fixed Version (vendor replied with estimated date).
2013-05-28 - Vendor Released Fixed Version.
2013-05-31 - Public Release.