by Tan Chew Keong
Release Date: 2013-05-31
Updated: 2013-06-15
Summary
An archive extraction directory traversal vulnerability has been found in B1 Free Archiver for Android. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
Tested Versions
Details
This advisory discloses an archive extraction directory traversal vulnerability in B1 Free Archiver for Android. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
When extracting compressed files from an archive, the extraction functionality does not properly sanitise compressed files that have directory traversal sequences in their filenames. By tricking a user into extracting a specially crafted archive containing files with directory traversal sequences in their filenames, an attacker can write files to arbitrary locations within the SD card of the user's Android device, possibly overwriting the user's existing files.
For example, a malicious archive can contain a compressed file with the following filename:
/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt
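The check that is missing here can be illustrated as follows. This is an added example, not part of the original advisory and not the vendor's fix; it is written in Python rather than the app's own code, and the function names are hypothetical. It resolves each entry name against the extraction directory and rejects any entry that would land outside it. The check is purely lexical and assumes the extraction directory contains no symlinks.

```python
import io
import posixpath
import zipfile

def target_path(dest_dir, entry_name):
    """Path that plain 'dest_dir + "/" + entry_name' resolves to (lexical only)."""
    name = entry_name.replace("\\", "/")  # treat backslashes as separators too
    return posixpath.normpath(posixpath.normpath(dest_dir) + "/" + name)

def is_inside(dest_dir, path):
    """True only if path is strictly below dest_dir."""
    dest = posixpath.normpath(dest_dir).rstrip("/")
    return path.startswith(dest + "/")

def audit_archive(zip_bytes, dest_dir):
    """Return (entry_name, resolved_path, allowed) per entry, without extracting."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            path = target_path(dest_dir, name)
            report.append((name, path, is_inside(dest_dir, path)))
    return report

def build_sample():
    """Constructed in-memory sample: one ordinary entry plus the entry name
    quoted in the advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "ok")
        zf.writestr("/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt", "poc")
    return buf.getvalue()

if __name__ == "__main__":
    # "Extract here" from the Download directory, as in the test instructions.
    for name, path, ok in audit_archive(build_sample(), "/mnt/sdcard/Download"):
        print("ALLOW " if ok else "REJECT", repr(name), "->", path)
```

An extractor that applies this check before opening each output file skips or aborts on the rejected entry instead of writing it.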
POC / Test Code
Please download the POC ZIP archive here and follow the instructions below. Note that other archive types are potentially also affected.
Instructions for testing Directory Traversal in Archive Extraction:
- Copy the POC ZIP archive into the Download directory of your Android device.
- IMPORTANT: Ensure that the /mnt/sdcard/DCIM/ directory exists on your Android device in order for the POC to work.
- Extract the POC ZIP archive into the Download directory, i.e. choose "Extract here".
- When the extraction completes, navigate to the /mnt/sdcard/DCIM directory. You'll notice that zipPOC.txt has been extracted into /mnt/sdcard/DCIM/zipPOC.txt instead of into /mnt/sdcard/Download/zipPOC.txt.
Hence, by tricking a user into extracting a specially crafted archive, an attacker can potentially exploit this issue to write files into arbitrary locations within the SD card in the user's Android device, or to overwrite files in known locations within the SD card.
For example, an attacker who is aware of the filenames of the user's photos in the /mnt/sdcard/DCIM/ directory can exploit this vulnerability to overwrite the user's photo files.
Patch / Workaround
Update to version 0.7.2 via the Play Store.
Disclosure Timeline
2013-05-20 - Vulnerability Discovered.
2013-05-21 - Initiate Vendor Notification.
2013-05-21 - Vulnerability Details Sent to Vendor.
2013-05-21 - Vendor Provided Estimated Fix Release Date (May 29-31).
2013-05-30 - Checked with vendor whether fixed version has been released.
2013-05-30 - Vendor replied that fixed version is undergoing staged rollout.
2013-05-31 - Public Release.
2013-06-08 - Received notification from vendor that rollout is complete and vulnerability is fixed in version 0.7.2. Updated advisory.