by Tan Chew Keong
Release Date: 2013-06-01
Summary
A directory traversal vulnerability has been found in PKWARE SecureZIP Reader for Android. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
Tested Versions
Details
This advisory discloses a directory traversal vulnerability in PKWARE SecureZIP Reader for Android. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
When SecureZIP is installed on an Android device, it is registered as the handler for the URI type content:// with mime-type application/x-zip-compressed. This allows it to be used by email clients to open ZIP file attachments in emails. When the user clicks a ZIP file attachment in an email, he is given a choice from a list of handlers that are able to open the ZIP attachment.
When SecureZIP is chosen, it queries the email client (content provider) for the display name and the content of the ZIP attachment. SecureZIP does not properly sanitize the value of the returned display name before using it to create a temporary filename under which to store the ZIP attachment. If the display name contains directory traversal sequences, the resulting temporary file will be written by SecureZIP outside of SecureZIP's temp directory.
This can potentially be exploited in conjunction with an email client to overwrite files in arbitrary locations within the SD card of the user's Android device. More specifically, an attacker can send a user an email containing a ZIP file attachment with directory traversal sequences in the attachment filename and trick the user into opening the attachment from the email client using SecureZIP. Without disclosing too many details, it has been confirmed that there are indeed email clients that allow this to be exploited. A screenshot from one such email client is shown below.
To make matters worse, SecureZIP recursively deletes the entire temp directory when it exits. This potentially allows an attacker to exploit this vulnerability to delete entire directories from the user's SD card.
An example of a display name with directory traversal sequences returned by an email client is shown below.
/../../../../../../../../../../../mnt/sdcard/DCIM/xxx.zip
As can be seen in the log trace from SecureZIP below, it is clear that directory traversal occurs and that the entire "temp" directory is recursively deleted after use:
05-24 01:29:49.550: I/ArchiveExplorerActivity(2556): Saving a copy of mail attachment to:
/mnt/sdcard/pkTemp/pk13693301895540/../../../../../../../../../../../mnt/sdcard/DCIM/xxx.zip
05-24 01:29:49.550: I/ArchiveExplorerActivity(2556): (DELETEME) Archive Path:
/mnt/sdcard/pkTemp/pk13693301895540/../../../../../../../../../../../mnt/sdcard/DCIM/xxx.zip
05-24 01:29:49.550: D/ArchiveUtils(2556): Opening zip archive
/mnt/sdcard/pkTemp/pk13693301895540/../../../../../../../../../../../mnt/sdcard/DCIM/xxx.zip
05-24 01:29:49.560: I/ArchiveUtils(2556): No cached ZipFile instance found for:
/mnt/sdcard/pkTemp/pk13693301895540/../../../../../../../../../../../mnt/sdcard/DCIM/xxx.zip
05-24 01:29:50.560: I/CleanupService(2556):
Deleted /mnt/sdcard/pkTemp/pk13693301895540/../../../../../../../../../../../mnt/sdcard/DCIM/xxx.zip
05-24 01:29:50.570: I/CleanupService(2556):
Deleted /mnt/sdcard/pkTemp/pk13693301895540/../../../../../../../../../../../mnt/sdcard/DCIM/xxx/test.txt
05-24 01:29:50.580: I/CleanupService(2556):
Deleted /mnt/sdcard/pkTemp/pk13693301895540/../../../../../../../../../../../mnt/sdcard/DCIM/xxx
05-24 01:29:50.580: I/CleanupService(2556):
Deleted /mnt/sdcard/pkTemp/pk13693301895540/../../../../../../../../../../../mnt/sdcard/DCIM
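As an added illustration (not SecureZIP's own code; the class and method names are assumed), the following plain Java shows the unsafe join that the log trace implies, beside a hardened version that reduces the provider-supplied display name to a bare file name and then confirms that the canonical path still lies under the temp directory:

```java
import java.io.File;
import java.io.IOException;

public class AttachmentPathCheck {
    // Constructed sample values mirroring the advisory's log trace (not real device data).
    static final String TEMP_DIR = "/mnt/sdcard/pkTemp/pk13693301895540";
    static final String TRAVERSAL_NAME = "/../../../../../../../../../../../mnt/sdcard/DCIM/xxx.zip";
    static final String BENIGN_NAME = "report.zip";

    // Vulnerable pattern (assumed): the provider-supplied display name (on Android, the
    // value read from a ContentResolver query for OpenableColumns.DISPLAY_NAME) is joined
    // onto the temp directory unchecked. java.io.File keeps the ".." segments, so the
    // resulting path walks out of the temp directory exactly as the log trace shows.
    static String unsafeTempPath(String tempDir, String displayName) {
        return new File(tempDir, displayName).getPath();
    }

    // Hardened step 1: treat the display name as a bare file name, never as a path.
    static String sanitizeDisplayName(String displayName) {
        if (displayName == null || displayName.isEmpty()) return "attachment.zip";
        String base = displayName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);   // keep the last segment only
        base = base.replaceAll("[^A-Za-z0-9._-]", "_");     // conservative character set
        if (base.isEmpty() || base.equals(".") || base.equals("..")) return "attachment.zip";
        return base;
    }

    // Hardened step 2 (defence in depth): canonicalise and confirm the result is still
    // inside tempDir. The same check belongs in front of the cleanup's recursive delete.
    static File safeTempFile(File tempDir, String displayName) throws IOException {
        File candidate = new File(tempDir, sanitizeDisplayName(displayName));
        String root = tempDir.getCanonicalPath() + File.separator;
        if (!candidate.getCanonicalPath().startsWith(root)) {
            throw new IOException("attachment name escapes temp dir: " + displayName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        File tempDir = new File(System.getProperty("java.io.tmpdir"), "pkTemp-example");
        System.out.println("unsafe: " + unsafeTempPath(TEMP_DIR, TRAVERSAL_NAME));
        System.out.println("safe:   " + safeTempFile(tempDir, TRAVERSAL_NAME).getName());
        System.out.println("safe:   " + safeTempFile(tempDir, BENIGN_NAME).getName());
    }
}
```

With the traversal name, the unsafe join reproduces the "/mnt/sdcard/pkTemp/.../../../mnt/sdcard/DCIM/xxx.zip" path from the trace, while the hardened path reduces it to "xxx.zip" inside the temp directory, which also keeps the exit-time recursive delete confined to that directory.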
POC / Test Code
Please download the POC here and follow the instructions below. The POC runs on an Android device and simulates an email client that delivers a ZIP attachment to SecureZIP with directory traversal sequences in its display name.
Instructions for Testing the Vulnerability:
- Install the POC app on an Android device that has SecureZip installed.
- IMPORTANT: Ensure that the /mnt/sdcard/DCIM/ directory exists on your Android device in order for the POC to work.
- VERY IMPORTANT: If /mnt/sdcard/DCIM/ is an existing directory on your Android device, please back up all files within the directory, as the POC will cause the entire directory to be deleted by SecureZIP!!!
- Run the POC app and click on the Click to open ZIP attachment button and select SecureZip to complete the action.
- After SecureZip has opened the ZIP attachment, it can be confirmed that xxx.zip has been written into /mnt/sdcard/DCIM/.
Patch / Workaround
Update to version 1.00.0021 via the Play Store.
Disclosure Timeline
2013-05-24 - Vulnerability Discovered.
2013-05-24 - Initial Vendor Notification.
2013-05-24 - Vulnerability Details Sent to Vendor.
2013-05-24 - Vendor Requested Information on Affected Email Clients.
2013-05-24 - Provided an Example of Affected Email Client to Vendor.
2013-05-29 - Asked vendor when the fixed version will be released.
2013-05-30 - Vendor provided fixed version for testing.
2013-05-31 - Vendor released fixed version on Play Store.
2013-06-01 - Public Release.