by Tan Chew Keong
Release Date: 2013-05-31
Summary
Two directory traversal vulnerabilities have been found in Rhythm Software File Manager and File Manager HD. When exploited, these vulnerabilities allow an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
Tested Versions
Details
This advisory discloses two directory traversal vulnerabilities in Rhythm Software File Manager and File Manager HD. When exploited, these vulnerabilities allow an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
Vulnerability 1 - Directory Traversal in FTP Client
The FTP client does not properly sanitise filenames containing directory traversal sequences (forward-slash ../) that are received from an FTP server in response to the LIST command.
An example of such a response from a malicious FTP server is shown below.
Response to LIST (forward-slash):
-rw-r--r-- 1 ftp ftp 20 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n
By tricking a user into downloading a directory from a malicious FTP server that contains files with forward-slash directory traversal sequences in their filenames, it is possible for the attacker to write files to arbitrary locations within the SD card of the user's Android device.
Vulnerability 2 - Directory Traversal in ZIP Extraction
When extracting compressed files from a ZIP archive, the ZIP extraction functionality does not properly sanitise compressed files that have directory traversal sequences in their filenames. By tricking a user into extracting a specially crafted ZIP archive containing files with directory traversal sequences in their filenames, an attacker can potentially write files to arbitrary locations within the SD card of the user's Android device.
For example, a malicious ZIP archive can contain a compressed file with the following filename:
/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt
An attacker can potentially leverage either of these vulnerabilities to overwrite files in known locations within the SD card in the user's Android device.
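Both issues share one root cause: a filename supplied by an untrusted party (an FTP server's LIST response, or an entry in a ZIP archive) is joined to the destination directory without checking that the result still lies inside it. The following is an added example, not code from the affected products or from the advisory's POC, written in Python as a language-neutral illustration of the containment check an Android file manager should perform (in Java the same test would be applied to canonical paths). It takes the destination directory from the advisory's walkthrough (/mnt/sdcard/Download/testdir) and reuses the two traversal filenames quoted above; the benign names, the LIST line for testfile2.txt and the archive contents are constructed for the example.

```python
"""Containment check for untrusted filenames, applied to the two inputs the
advisory describes: names in an FTP LIST response and entry names in a ZIP
archive. Added example; not code from the affected products."""
import io
import os
import posixpath
import tempfile
import zipfile

# Destination chosen by the user in the advisory's walkthrough.
DOWNLOAD_DIR = "/mnt/sdcard/Download/testdir"


def resolve_under(dest_dir, untrusted_name):
    """Resolve untrusted_name beneath dest_dir, or return None if it escapes.

    The name is always treated as relative: a leading '/' is dropped so that
    '/../../x' and '../../x' are handled identically. After normalisation the
    result must lie strictly inside dest_dir. Symlinks are not resolved here;
    on-device code should apply the same test to canonical paths.
    """
    base = posixpath.normpath(dest_dir)
    candidate = posixpath.normpath(posixpath.join(base, untrusted_name.lstrip("/")))
    if candidate.startswith(base + "/"):
        return candidate
    return None  # '..' climbed out of dest_dir, or the name was empty


def parse_list_names(list_response):
    """Extract filenames from a UNIX-style LIST response: 8 fixed fields, then the name."""
    names = []
    for line in list_response.split("\r\n"):
        fields = line.split(None, 8)
        if len(fields) == 9:
            names.append(fields[8])
    return names


def plan_ftp_download(dest_dir, list_response):
    """Map each listed name to its write path, or None when it must be refused."""
    return [(name, resolve_under(dest_dir, name)) for name in parse_list_names(list_response)]


def build_sample_zip():
    """Constructed archive: one benign entry and one traversal entry like the advisory's."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"harmless")
        zf.writestr("/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt", b"escaped")
    return buf.getvalue()


def safe_extract(zip_bytes, dest_dir):
    """Extract only entries that resolve inside dest_dir; report the refused ones."""
    written, refused = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_under(dest_dir, info.filename)
            if target is None:
                refused.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(target)
    return written, refused


def demo_extract():
    """Extract the sample archive into a fresh temporary directory standing in for the SD card."""
    dest = tempfile.mkdtemp()
    written, refused = safe_extract(build_sample_zip(), dest)
    return dest, written, refused


if __name__ == "__main__":
    # First LIST line as quoted in the advisory; the second is constructed.
    listing = ("-rw-r--r-- 1 ftp ftp 20 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n"
               "-rw-r--r-- 1 ftp ftp 20 Mar 01 05:37 testfile2.txt\r\n")
    for name, target in plan_ftp_download(DOWNLOAD_DIR, listing):
        print(f"{name!r} -> {target or 'REFUSED'}")
    dest, written, refused = demo_extract()
    print("written:", written, "refused:", refused)
```

The check deliberately refuses rather than "repairs" a traversing name: silently stripping `../` would still let a server or archive author pick the final filename, and a refused entry is also the point at which a client can log or surface the attempt to the user.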
POC / Test Code
Please download the POC here and follow the instructions below.
The instructions below illustrate how this vulnerability can be reproduced using File Manager HD. The steps for reproducing the vulnerability on File Manager are very similar and hence will not be repeated.
Instructions for testing FTP client (Vulnerability 1):
- On a Windows system, unzip the POC file into a directory. This gives FileManagerHDPOC.exe.
- FileManagerHDPOC-forward.exe is a POC FTP server that will send filenames with forward-slash directory traversal characters in response to LIST commands.
- Go to the Windows command prompt and run FileManagerHDPOC.exe on a system. It will listen on FTP Port 2121.
- IMPORTANT: Ensure that the FTP-client in File Manager HD is configured to use Passive mode. The POC FTP server only supports Passive mode.
- IMPORTANT: Ensure that the /mnt/sdcard/DCIM/ directory exists on your Android device in order for the POC to work.
- Configure the FTP-client in File Manager HD on an Android device and use it to connect to the POC FTP server. You can use any username/password.
- You'll see a directory named /testdir on the POC FTP server (see below).
- If you traverse into that directory you'll see a file (testfile2.txt) with directory traversal characters in its filename (see below).
- Now, proceed to copy the entire /testdir directory from the POC FTP server into the Download folder of the Android device. i.e. /mnt/sdcard/Downloads.
- When the download completes you'll notice that testfile2.txt will be written into /mnt/sdcard/DCIM/testfile2.txt instead of into /mnt/sdcard/Download/testdir/testfile2.txt.
Hence, by tricking a user to download a directory from a malicious FTP server, an attacker can potentially leverage this issue to write files into arbitrary locations within the SD card in the user's Android device, or to overwrite files in known locations within the SD card.
For example, an attacker who is aware of the filenames of the user's photo in the /mnt/sdcard/DCIM/ directory can exploit this vulnerability to overwrite the user's photo files.
Instructions for testing ZIP extraction (Vulnerability 2):
- Follow the steps above and make sure that you have copied the entire /testdir directory from the POC FTP server into the Download folder of the Android device.
- Navigate into the testdir directory under the Download folder and note that there is a file named testzip.zip.
- Extract testzip.zip and choose "Extract To This Directory"
- When the extraction completes you'll notice that zipPOC.txt will be extracted into /mnt/sdcard/DCIM/zipPOC.txt instead of into /mnt/sdcard/Download/testdir/zipPOC.txt.
Patch / Workaround
Avoid downloading files/directories from untrusted FTP servers or extracting untrusted archives.
Disclosure Timeline
2013-05-18 - Vulnerability Discovered.
2013-05-19 - Initial Vendor Notification.
2013-05-20 - Vulnerability Details Sent to Vendor.
2013-05-22 - Asked Vendor for Release Date of Fixed Version.
2013-05-26 - Vendor replied that vulnerability will be fixed in future releases.
2013-05-31 - Public Release.