by Tan Chew Keong
Release Date: 2013-06-13
Summary
A directory traversal vulnerability has been found in WinZip for Android. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
Tested Versions
Details
This advisory discloses a directory traversal vulnerability in WinZip for Android. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
When WinZip is installed on an Android device, it is registered as a handler for content:// URIs with the MIME type application/x-zip-compressed. This allows email clients to use it to open ZIP file attachments. When the user taps a ZIP attachment in an email, he is presented with a list of handlers that are able to open the attachment.
When WinZip is chosen, it queries the email client (acting as a content provider) for the display name and the content of the ZIP attachment. WinZip does not sanitize the returned display name before using it to build the temporary filename under which the attachment is stored. If the display name contains directory traversal sequences ("../"), WinZip writes the temporary file outside of its own temp directory.
This can be exploited in conjunction with an email client to overwrite files in arbitrary locations within the SD card of the user's Android device. More specifically, an attacker sends the user an email with a ZIP attachment whose filename contains directory traversal sequences and tricks the user into opening the attachment from the email client using WinZip. The attack only works if the email client passes the attacker-controlled filename through as the display name unmodified; without disclosing too many details, it has been confirmed that there are indeed email clients that do so. A screenshot from one such email client is shown below.
An example of a display name with directory traversal sequences returned by an email client is shown below.
/../../../../../../../../../../../mnt/sdcard/DCIM/xxx.zip
As can be seen in the log trace from WinZip below, the traversal sequences survive into the path that WinZip resolves:
05-23 23:35:42.000: I/ActivityManager(465): START {act=android.intent.action.VIEW dat=content://com.winzip.android.localfile/mnt/sdcard/.WinZip/files/../../../../../../../../../../../mnt/sdcard/DCIM/xxx/xxxxx.exe} from pid 29615
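The following is an added example, not code from the advisory or from WinZip, showing the vulnerable pattern described above next to a hardened version. It takes the display name from the content provider the way an Android handler would (ContentResolver.query with OpenableColumns.DISPLAY_NAME), then shows how the hostile display name from this advisory escapes the temp directory when used as-is, and how keeping only the last path segment and checking the canonical path against the temp directory stops it. The class and method names, the default filename "attachment.zip" and the use of the temp directory path from the log trace above are assumptions for the example; the check applies equally to the POC app described in the next section, which plays the role of the content provider.

```java
import android.content.ContentResolver;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;

import java.io.File;
import java.io.IOException;

// Added example (not WinZip's code): safe handling of a provider-supplied display name.
public final class SafeAttachmentName {

    /** Ask the content provider (e.g. the email client) for the attachment's display name.
     *  The provider controls this string, so it must be treated as untrusted input. */
    static String queryDisplayName(ContentResolver resolver, Uri attachment) {
        Cursor c = resolver.query(attachment,
                new String[] { OpenableColumns.DISPLAY_NAME }, null, null, null);
        if (c == null) return null;
        try {
            int idx = c.getColumnIndex(OpenableColumns.DISPLAY_NAME);
            return (c.moveToFirst() && idx >= 0) ? c.getString(idx) : null;
        } finally {
            c.close();
        }
    }

    /** Vulnerable pattern: the display name is appended to the temp directory unchanged,
     *  so "/../../../mnt/sdcard/DCIM/xxx.zip" resolves outside tempDir. */
    static File unsafeTempFile(File tempDir, String displayName) {
        return new File(tempDir, displayName);
    }

    /** Hardened: keep only the last path segment, then verify that the canonical path
     *  of the result is still inside the canonical temp directory. Both sides are
     *  canonicalized because /mnt/sdcard is commonly a symlink on Android. */
    static File safeTempFile(File tempDir, String displayName) throws IOException {
        String base = displayName == null ? "" : displayName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            base = "attachment.zip";            // assumed fallback name for the example
        }
        File out = new File(tempDir, base);
        String root = tempDir.getCanonicalPath() + File.separator;   // trailing separator defeats prefix tricks
        if (!out.getCanonicalPath().startsWith(root)) {
            throw new IOException("display name escapes temp directory: " + displayName);
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Temp directory taken from the log trace in the advisory; display name taken from the advisory.
        File tempDir = new File("/mnt/sdcard/.WinZip/files");
        String hostile = "/../../../../../../../../../../../mnt/sdcard/DCIM/xxx.zip";

        // Resolves to /mnt/sdcard/DCIM/xxx.zip: the traversal succeeds.
        System.out.println("unsafe: " + unsafeTempFile(tempDir, hostile).getCanonicalPath());
        // Resolves to /mnt/sdcard/.WinZip/files/xxx.zip: the traversal is neutralized.
        System.out.println("safe:   " + safeTempFile(tempDir, hostile).getCanonicalPath());
    }
}
```

Stripping the directory part is only the first step; the canonical-path comparison is what actually enforces the boundary, and it also catches names that reach the temp directory through a symlink or through a sibling directory sharing the same prefix. Rejecting (rather than silently renaming) a display name that still escapes after stripping is the conservative choice for a handler that receives input from arbitrary third-party providers.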
POC / Test Code
Please download the POC here and follow the instructions below. The POC runs on an Android device and simulates an email client that delivers a ZIP attachment to WinZip with directory traversal sequences in its display name.
Instructions for Testing the Vulnerability:
- Install the POC app on an Android device that has WinZip installed.
- IMPORTANT: Ensure that the /mnt/sdcard/DCIM/ directory exists on your Android device in order for the POC to work.
- Run the POC app, click the "Click to open ZIP attachment" button and select WinZip to complete the action.
- After WinZip has opened the ZIP attachment, use a file manager app to confirm that xxx.zip has been written into /mnt/sdcard/DCIM/ and that its contents have also been extracted into that directory.
Patch / Workaround
Update to version 1.1.0 via the Play Store.
Disclosure Timeline
2013-05-24 - Vulnerability Discovered.
2013-05-24 - Initial Vendor Notification.
2013-05-24 - Vulnerability Details Sent to Vendor.
2013-05-24 - Vendor provided estimated release date of fixed version.
2013-06-05 - Asked vendor when fixed version will be released.
2013-06-06 - Vendor provided estimated release date of fixed version.
2013-06-13 - Vendor released fixed version on Play Store.
2013-06-13 - Public Release.