While testing Adobe Acrobat Reader app, the app has a feature which allows the user to open PDFs directly from an http/https URL. This feature was vulnerable to path traversal.

Adobe Reader was also using the Google Play Core library for dynamic code loading. Using the path traversal bug and dynamic code loading, I was able to achieve remote code execution.

There is this intent-filter in the app which shows it will accept the http/https URL scheme, and the mimeType should be application/pdf for this activity.

When an intent with data url for example is sent to the Adobe Reader app, it downloads the file in the /sdcard/Downloads/Adobe Acrobat folder with the filename as LastPathSegment (i.e. test.pdf) of the sent URL.

Activity receives the intent and starts ARFileURLDownloadActivity activity.

```java
public void handleIntent() ).downloadFile(BBIntentUtils.getModifiedFileNameWithExtensionUsingIntentData(fileURI.getLastPathSegment(), (), null, fileURI), url)
```

This method BBIntentUtils.getModifiedFileNameWithExtensionUsingIntentData takes () as argument and returns the decoded last segment in the path of the URL.

For example let's take this url so when this url is passed to getLastPathSegment() method it will take. %2F.%2Ffile.pdf as last segment of the url and will return.

There was not any sanitization performed on the downloadFile variable before passing it into a File instance, which resulted in a path traversal vulnerability.

# Getting RCE

Adobe Acrobat Reader app was using the Google Play Core library to provide additional features on the go to its users.

A simple way to know whether an app is using the Play Core library for dynamic code loading is to check for the splitcompat directory in the /data/data/:application_id/files/ directory.

For more detailed explanation read this article

Adobe Reader app also downloads a module named FASOpenCVDF.apk during runtime of the app. Using the path traversal bug I can write an arbitrary apk in the /data/data//files/splitcompat/1921618197/verified-splits/ directory of the app. The classes from the attacker's apk would automatically be added to the ClassLoader of the app, and malicious code will be executed when called from the app.