Published on May 6th, 2024
Several popular Android applications on the Google Play Store have been found vulnerable to an attack pattern dubbed Dirty Stream, a path-traversal flaw in how apps consume files shared with them through Android's content provider mechanism.
This vulnerability could be exploited by a malicious app to overwrite arbitrary files within the vulnerable app’s home directory.
Dimitrios Valsamaras from the Microsoft Threat Intelligence team highlighted the potential consequences of this vulnerability, including arbitrary code execution and token theft, depending on how the affected application is implemented.
Successful exploitation of this vulnerability could grant an attacker full control over the behavior of the application, allowing them to use stolen tokens to gain unauthorized access to the victim’s online accounts and other sensitive data.
Among the apps found vulnerable to this issue are Xiaomi File Manager (com.mi.android.globalFileexplorer) with over 1 billion installs, and WPS Office (cn.wps.moffice_eng) with over 500 million installs.
Android sandboxes each application, giving it its own private data directory and process memory. To let apps still share data and files in a controlled way, the platform provides the content provider mechanism.
Mistakes in how an app implements or consumes a content provider, however, can undermine the read/write restrictions that protect its home directory.
Valsamaras explained that while the content provider model is a secure file-sharing mechanism when used correctly, the team observed cases where the consuming application failed to validate the content of a received file and, worse, took the filename supplied by the serving application at face value, using it verbatim to cache the file inside its internal data directory.
This loophole becomes severe when the serving app is itself malicious: by shipping a custom, hostile implementation of the FileProvider class that hands back a crafted filename (for example one containing "../" components), it can make the consuming application overwrite critical files inside its own private data space.
In essence, the attack abuses the consuming app's blind trust in the input it receives. The malicious app delivers an arbitrary payload under an attacker-chosen filename through a custom explicit intent, with no user interaction or consent, and the consuming app writes it wherever that name points, which can ultimately lead to code execution.
Depending on which file is overwritten, an attacker could, for instance, tamper with the target app's shared preferences file so that the app talks to a server under the attacker's control and leaks sensitive information to it.
Following responsible disclosure, both Xiaomi and WPS Office addressed the issue by February 2024. However, Microsoft suggests that similar vulnerabilities might exist in other applications, urging developers to conduct thorough checks for such issues.
Google has also published guidance on the matter, telling developers how to handle filenames supplied by a server application.
The recommendation is that client applications ignore the server-provided filename altogether and store the file under an internally generated unique identifier, or, where generating a unique identifier is impractical, sanitize the provided filename before using it as a path component.
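The following is an added example, written for this article and not code from Microsoft, Xiaomi, WPS Office or Google, showing the consuming-app side of the pattern described above: the vulnerable import routine that takes the serving app's DISPLAY_NAME as a path component, and two hardened variants that follow Google's guidance (an internally generated name, or a sanitized name checked against the intended directory). The class name SharedFileImporter, the `imports` subdirectory and the method names are assumptions made for the example; a hostile FileProvider would simply answer the DISPLAY_NAME query with a string such as "../shared_prefs/settings.xml".

```java
// Added example: consuming-app side of the Dirty Stream pattern.
// Not code from any of the vendors named in the article; class and
// method names are assumptions made for illustration.
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.UUID;

public final class SharedFileImporter {
    private final Context context;

    public SharedFileImporter(Context context) {
        this.context = context;
    }

    // Asks the serving app's content provider for the display name of the URI.
    // This string is attacker-controlled: a hostile FileProvider can return
    // something like "../shared_prefs/settings.xml".
    static String queryDisplayName(ContentResolver resolver, Uri uri) {
        String[] projection = {OpenableColumns.DISPLAY_NAME};
        try (Cursor c = resolver.query(uri, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                int idx = c.getColumnIndex(OpenableColumns.DISPLAY_NAME);
                if (idx >= 0) return c.getString(idx);
            }
        }
        return null;
    }

    // VULNERABLE: the provider-supplied name is used directly as a path
    // component under the app's private files directory, so "../" in the
    // name escapes into shared_prefs/, lib/, databases/ and so on.
    public File importUnsafe(Uri uri) throws IOException {
        String name = queryDisplayName(context.getContentResolver(), uri);
        if (name == null) name = "download";
        File dest = new File(context.getFilesDir(), name);   // path traversal here
        copy(uri, dest);
        return dest;
    }

    // SAFE (Google's first recommendation): ignore the provider's name and
    // store the file under an internally generated unique identifier.
    public File importSafe(Uri uri) throws IOException {
        File dir = new File(context.getFilesDir(), "imports");
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create import directory");
        }
        File dest = new File(dir, UUID.randomUUID().toString());
        copy(uri, dest);
        return dest;
    }

    // SAFE (Google's fallback): keep a display name only after reducing it to
    // a single path component, restricting its characters, and verifying the
    // canonical result still lies inside the intended directory.
    static File resolveSanitized(File dir, String untrustedName) throws IOException {
        String base = untrustedName == null ? "" : new File(untrustedName).getName();
        base = base.replaceAll("[^A-Za-z0-9._-]", "_");
        if (base.isEmpty() || base.equals(".") || base.equals("..")) base = "file";
        File dest = new File(dir, base);
        String dirPath = dir.getCanonicalPath() + File.separator;
        if (!dest.getCanonicalPath().startsWith(dirPath)) {
            throw new IOException("refusing to write outside " + dirPath);
        }
        return dest;
    }

    public File importSanitized(Uri uri) throws IOException {
        File dir = new File(context.getFilesDir(), "imports");
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create import directory");
        }
        String name = queryDisplayName(context.getContentResolver(), uri);
        File dest = resolveSanitized(dir, name);
        copy(uri, dest);
        return dest;
    }

    // Streams the shared content into dest. The content itself is still
    // untrusted and should be validated by whatever code consumes it.
    private void copy(Uri uri, File dest) throws IOException {
        try (InputStream in = context.getContentResolver().openInputStream(uri);
             OutputStream out = new FileOutputStream(dest)) {
            if (in == null) throw new IOException("provider returned no stream");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        }
    }
}
```

A quick way to audit an app for this pattern is to search its intent handlers (ACTION_SEND, ACTION_VIEW and any custom explicit intents) for code that queries OpenableColumns.DISPLAY_NAME, or otherwise derives a name from the incoming URI, and then passes that string into a File constructor rooted at getFilesDir(), getCacheDir() or getDataDir(). Only the importSafe and importSanitized variants above are acceptable; note that importSanitized still discards directory components, so an app that needs the original name for display should keep it as metadata rather than as part of the on-disk path.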