In ApptentiveAttachmentFileProvider, it was observed that the code uses the getLastPathSegment method to retrieve the last portion of the URL path and uses it, unvalidated, as a file name inside the logs directory:
public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
    String str = CLASS_NAME + " - openFile";
    Log.v(str, "Called with uri: '" + uri + "'." + uri.getLastPathSegment());
    if (this.uriMatcher.match(uri) == 1) {
        // 268435456 == 0x10000000 == ParcelFileDescriptor.MODE_READ_ONLY.
        // The decoded last path segment is concatenated onto the logs directory with no validation.
        return ParcelFileDescriptor.open(new File(ApptentiveLog.getLogsDirectory(getContext()) + File.separator + uri.getLastPathSegment()), 268435456); // <--- ACCESS THE FILE***
    }
    // Fall-through for URIs the matcher rejects (not present in the decompiled original; added so the method compiles).
    throw new FileNotFoundException("Unsupported URI: " + uri);
}
In essence, if the URI is https://example.com/pathA/pathB, getLastPathSegment would extract pathB as the last segment in the path. However, if the URI is constructed with an encoded slash, as in https://example.com/pathA%2fpathB, getLastPathSegment would extract pathA/pathB as the last segment, because the path is split on literal slashes before the segment is percent-decoded.
Armed with this knowledge, an attacker is able to create a traversal exploit by writing the content scheme URL as follows:
content://com.test.ApptentiveAttachmentFileProvider/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fdata%2fdata%2fcom.test%2fapp_webview%2fDefault%2fCookies
to steal the internal cookie file from the victim user.
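The following is an added example, not code from the Apptentive SDK or from the original report. It runs on a plain JVM: the lastPathSegmentDecoded helper is an assumed stand-in that mimics the android.net.Uri.getLastPathSegment behaviour described above (split on literal slashes, then percent-decode), and SafeAttachmentResolver shows how openFile should resolve the segment instead: reject anything that is not a bare file name after decoding, and additionally verify that the canonical path stays under the logs directory. The logs directory, the class name and the sample traversal path are assumptions for the demonstration.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class SafeAttachmentResolver {
    // Hypothetical logs directory; on Android this would be ApptentiveLog.getLogsDirectory(getContext()).
    private final File logsDir;

    public SafeAttachmentResolver(File logsDir) {
        this.logsDir = logsDir;
    }

    // Stand-in for Uri.getLastPathSegment(): the raw path is split on literal '/' first and
    // only then is the last piece percent-decoded, so "..%2f..%2fx" becomes "../../x".
    // (URLDecoder also turns '+' into a space, which Uri does not; irrelevant for this check.)
    static String lastPathSegmentDecoded(String rawPath) {
        int slash = rawPath.lastIndexOf('/');
        String raw = slash >= 0 ? rawPath.substring(slash + 1) : rawPath;
        return URLDecoder.decode(raw, StandardCharsets.UTF_8);
    }

    // What the vulnerable openFile effectively does: blind string concatenation.
    File resolveVulnerable(String rawPath) {
        return new File(logsDir + File.separator + lastPathSegmentDecoded(rawPath));
    }

    // Hardened resolution: validate the decoded segment, then confine the canonical path.
    File resolveSafely(String rawPath) throws FileNotFoundException {
        String segment = lastPathSegmentDecoded(rawPath);
        // After decoding, a legitimate attachment name must be a single plain file name.
        if (segment.isEmpty() || segment.contains("/") || segment.contains("\\")
                || segment.equals(".") || segment.equals("..")) {
            throw new FileNotFoundException("Invalid attachment name");
        }
        try {
            File base = logsDir.getCanonicalFile();
            File candidate = new File(base, segment).getCanonicalFile();
            // Defence in depth: the resolved path must remain strictly inside the logs directory
            // (catches anything the name check missed, e.g. a symlink planted in the directory).
            if (!candidate.getPath().startsWith(base.getPath() + File.separator)) {
                throw new FileNotFoundException("Path escapes logs directory");
            }
            return candidate;
        } catch (IOException e) {
            throw new FileNotFoundException("Cannot canonicalize path: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        SafeAttachmentResolver r = new SafeAttachmentResolver(new File("/data/data/com.test/files/logs"));
        // Constructed sample inputs: the traversal path from the report and a benign attachment name.
        String traversal = "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fdata%2fdata%2fcom.test%2fapp_webview%2fDefault%2fCookies";
        String benign = "/apptentive-2024-01-01.log";

        System.out.println("decoded segment: " + lastPathSegmentDecoded(traversal));
        System.out.println("vulnerable resolution: " + r.resolveVulnerable(traversal));
        for (String path : new String[] {traversal, benign}) {
            try {
                System.out.println("safe resolution: " + r.resolveSafely(path));
            } catch (FileNotFoundException e) {
                System.out.println("rejected " + path + ": " + e.getMessage());
            }
        }
    }
}
```

Running this shows the decoded segment of the traversal path is a string full of ../ components that the vulnerable concatenation happily turns into a path outside the logs directory, while resolveSafely rejects it at the name check and only accepts the benign log file name. Either check alone would stop this specific path; keeping both is deliberate, since the canonical-path comparison also covers cases the string check does not anticipate.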
You can read more about this exploit here: https://blog.oversecured.com/Gaining-access-to-arbitrary-Content-Providers/