apptentive / apptentive-android

Apptentive Android SDK
http://www.apptentive.com
BSD 3-Clause "New" or "Revised" License

Insecure read of file in using ContentProvider in ApptentiveAttachmentFileProvider #245

Open ciprianlupu15 opened 1 year ago

ciprianlupu15 commented 1 year ago

In ApptentiveAttachmentFileProvider, it was observed that the code uses getLastPathSegment method to retrieve the last portion of the URL path.


import java.io.File;
import java.io.FileNotFoundException;
import android.net.Uri;
import android.os.ParcelFileDescriptor;

public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
    String str = CLASS_NAME + " - openFile";
    Log.v(str, "Called with uri: '" + uri + "'." + uri.getLastPathSegment());
    if (this.uriMatcher.match(uri) == 1) {
        // 268435456 == ParcelFileDescriptor.MODE_READ_ONLY; the last path segment is used unchecked
        return ParcelFileDescriptor.open(new File(ApptentiveLog.getLogsDirectory(getContext()) + File.separator + uri.getLastPathSegment()), 268435456);  // <--- ACCESS THE FILE***
    }
    throw new FileNotFoundException("Unsupported uri: " + uri);
}

In essence, if the URI is https://example.com/pathA/pathB, getLastPathSegment would extract pathB as the last segment in the path. However, if the URI is constructed with an encoded "/" (https://example.com/pathA%2fpathB), getLastPathSegment would extract pathA/pathB as the last segment in the path. Armed with this knowledge, an attacker is able to create a traversal exploit by writing the content scheme URL as such:

content://com.test.ApptentiveAttachmentFileProvider/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fdata%2fdata%2fcom.test%2fapp_webview%2fDefault%2fCookies to steal the internal cookie from the victim user.

You can read more about this exploit here: https://blog.oversecured.com/Gaining-access-to-arbitrary-Content-Providers/
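The root cause described above is that the decoded last path segment is joined onto the logs directory without verifying that the resulting file still lives inside that directory. Below is an added, hardened version of openFile written for this write-up; it is not the Apptentive SDK's own code. It keeps the page's ApptentiveLog.getLogsDirectory(...) call, and assumes a hypothetical authority constant, UriMatcher setup, and match code (LOGS_MATCH) in place of the SDK's real ones. The fix rejects any segment containing a path separator, then canonicalizes the resolved file and requires it to remain under the canonical logs directory, so an encoded "..%2f" sequence can no longer escape.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.net.Uri;
import android.os.ParcelFileDescriptor;

public class HardenedAttachmentFileProvider extends ContentProvider {
    // Hypothetical authority; the real SDK's authority is not reproduced here.
    private static final String AUTHORITY = "com.example.attachmentfileprovider";
    private static final int LOGS_MATCH = 1;
    private static final UriMatcher URI_MATCHER = new UriMatcher(UriMatcher.NO_MATCH);

    static {
        // Only a single, flat "logs/<filename>" path is served (assumed layout).
        URI_MATCHER.addURI(AUTHORITY, "logs/*", LOGS_MATCH);
    }

    // Resolve the requested file and ensure it cannot escape the logs directory.
    // Package-private so it can be exercised directly in a unit test.
    static File resolveLogFile(File logsDir, String segment) throws FileNotFoundException {
        // Reject anything that can only be produced by an encoded separator or "..".
        if (segment == null || segment.isEmpty()
                || segment.contains("/") || segment.contains("\\")
                || segment.equals(".") || segment.equals("..")) {
            throw new FileNotFoundException("Rejected attachment name");
        }
        File requested = new File(logsDir, segment);
        try {
            // Canonical paths collapse "..", symlinks and duplicate separators.
            String canonicalDir = logsDir.getCanonicalPath() + File.separator;
            String canonicalFile = requested.getCanonicalPath();
            if (!canonicalFile.startsWith(canonicalDir)) {
                throw new FileNotFoundException("Rejected path outside logs directory");
            }
        } catch (IOException e) {
            throw new FileNotFoundException("Unable to canonicalize attachment path");
        }
        return requested;
    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (URI_MATCHER.match(uri) != LOGS_MATCH) {
            throw new FileNotFoundException("Unsupported uri: " + uri);
        }
        // getLastPathSegment() returns the decoded segment, so "%2f" has become "/" by now.
        File logsDir = ApptentiveLog.getLogsDirectory(getContext());
        File file = resolveLogFile(logsDir, uri.getLastPathSegment());
        // Never honour a caller-supplied mode for exported log files; read-only is all that is needed.
        return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // Remaining ContentProvider callbacks are not used for file serving.
    @Override public boolean onCreate() { return true; }
    @Override public Cursor query(Uri u, String[] p, String s, String[] a, String o) { return null; }
    @Override public String getType(Uri u) { return "application/octet-stream"; }
    @Override public Uri insert(Uri u, ContentValues v) { return null; }
    @Override public int delete(Uri u, String s, String[] a) { return 0; }
    @Override public int update(Uri u, ContentValues v, String s, String[] a) { return 0; }
}
```

With this version, the URI from the report resolves to a decoded segment of "../../../.../Cookies", which fails the separator check before any file is touched; even a segment that slipped past that check would be caught by the canonical-path prefix comparison. Restricting the descriptor to MODE_READ_ONLY regardless of the requested mode also closes off write access if the provider is exported.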