vuln.sg  

vuln.sg Vulnerability Research Advisory

Documents To Go for Android Content Handling Directory Traversal Vulnerability

by Tan Chew Keong
Release Date: 2013-06-15


Summary

A directory traversal vulnerability has been found in Documents To Go for Android. When exploited, this vulnerability allows an anonymous attacker to overwrite files in arbitrary locations within the SD card of the user's Android device.


Tested Versions


Details

This advisory discloses a directory traversal vulnerability in Documents To Go for Android. When exploited, this vulnerability allows an anonymous attacker to overwrite files in arbitrary locations within the SD card of the user's Android device.

When Documents To Go is installed on an Android device, it is registered as the handler for the URI type content:// with mime-types application/pdf, application/msword, and other Office file types. This allows it to be used by email clients to open PDF, DOC, and other Office file attachments in emails. When the user clicks a file attachment in an email, he is offered a list of handlers that are able to open the attachment file type.

When PDF To Go, Word To Go, etc. is chosen to display the attachment, it will query the email client (content provider) for the display name and the content of the attachment file. Documents To Go does not properly sanitize the value of the returned display name before using it to create a temporary filename to store the attachment file. If the display name contains directory traversal sequences, the resulting temporary file will be written by Documents To Go outside of the designated temp directory of /mnt/sdcard/.dataviz/temp/attachments/.

This can potentially be exploited in conjunction with an email client to overwrite files in arbitrary locations within the SD card of the user's Android device. More specifically, an attacker can send the user an email containing a PDF, DOC, or other Office file attachment with directory traversal sequences in the attachment filename, and trick the user into opening the attachment from the email client using Documents To Go. Without disclosing too many details, it has been confirmed that there are indeed email clients that allow this to be exploited. A screenshot from one such email client is shown below.


Example of a malicious attachment name that can be sent to the user via email:
/../../../../../../../../../../../mnt/sdcard/DCIM/xxx.pdf

As can be seen in the log trace from Documents To Go below, directory traversal clearly occurs
when Documents To Go writes the file into its "temp" directory:

06-02 19:57:20.900: I/ActivityManager(461): START {act=android.intent.action.VIEW
dat=file:///mnt/sdcard/.dataviz/temp/attachments//../../../../../../../../../../mnt/sdcard/DCIM/xxx.pdf
typ=application/pdf cmp=com.dataviz.docstogo/com.dataviz.dxtg.ptg.android.PDFToGoActivity$DVZRenderScreen
(has extras)} from pid 31633
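
One way a content handler could validate the provider-supplied display name before building the temp path, shown as an added example that is not from the advisory or the vendor. The class and method names are hypothetical; only the temp directory and the sample attachment name come from the advisory.

```java
import java.io.File;
import java.io.IOException;

public class AttachmentNameCheck {
    // Temp directory named in the advisory.
    static final File TEMP_DIR = new File("/mnt/sdcard/.dataviz/temp/attachments/");

    // Pattern the advisory describes: the display name is joined to the temp dir unchanged.
    static File naiveTarget(String displayName) {
        return new File(TEMP_DIR, displayName);
    }

    // Hardened: keep only the last path component, then confirm containment.
    static File safeTarget(String displayName) throws IOException {
        if (displayName == null) {
            throw new IOException("missing display name");
        }
        String name = displayName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..") || name.indexOf('\0') >= 0) {
            throw new IOException("unusable display name");
        }
        File target = new File(TEMP_DIR, name);
        // Defence in depth: the resolved path must still sit under the temp directory.
        String base = TEMP_DIR.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(base)) {
            throw new IOException("path escapes temp directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs; the second is the attachment name quoted in the advisory.
        String[] names = {
            "report.pdf",
            "/../../../../../../../../../../../mnt/sdcard/DCIM/xxx.pdf",
            ".."
        };
        for (String n : names) {
            System.out.println("display name: " + n);
            System.out.println("  naive -> " + naiveTarget(n).getCanonicalPath());
            try {
                System.out.println("  safe  -> " + safeTarget(n).getPath());
            } catch (IOException e) {
                System.out.println("  safe  -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The code uses only java.io, so it runs on a desktop JVM as well as on Android.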
 


POC / Test Code

Please download the POC app here and follow the instructions below. The POC runs on an Android device and simulates an email client that delivers a PDF and DOC attachment to Documents To Go with directory traversal sequences in its display name.


Instructions for Testing the Vulnerability:

  1. Install the POC app on an Android device that has Documents To Go installed.

  2. IMPORTANT: Ensure that the /mnt/sdcard/DCIM/ directory exists on your Android device in order for the POC to work.

  3. Run the POC app and click on the "Click to open PDF attachment" button and select PDF To Go to complete the action.

  4. After PDF To Go has opened the PDF attachment, use a file manager app to confirm that xxx.pdf has been written into /mnt/sdcard/DCIM/.

  5. DOC file types can also be tested using the POC app. Other Office file types supported by Documents To Go are potentially also affected.
 


Patch / Workaround

Do not open files with directory traversal sequences in their filenames.


Disclosure Timeline

2013-06-02 - Vulnerability Discovered.
2013-06-02 - Initial Vendor Notification.
2013-06-04 - Vulnerability Details Sent to Vendor.
2013-06-06 - Asked Vendor for Release Date of Fixed Version.
2013-06-06 - Vendor replied that a bug report has been filed, but they do not have any timetable for when a fix will be available.
2013-06-14 - Asked vendor whether a release date for the fix has been determined.
2013-06-14 - Vendor replied that the fix release date has not been determined, and no further information regarding future updates will be released until the update is posted to Google Play and the Amazon App store. When released, the description of the update can be used to determine whether a fix for this issue is included.
2013-06-15 - Public Release.


Contact
For further enquiries, comments, suggestions or bug reports, simply email them to