bingghost / google-security-research

Automatically exported from code.google.com/p/google-security-research

Samsung WifiHs20UtilityService path traversal #489

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
A path traversal vulnerability was found in the WifiHs20UtilityService. This 
service is running on a Samsung S6 Edge device, and may be present on other 
Samsung device models.

WifiHs20UtilityService reads any files placed in /sdcard/Download/cred.zip,
and unzips this file into /data/bundle. Directory traversal in the path of the
zipped contents allows an attacker to write a controlled file to an arbitrary
path as the system user.

We have triggered this issue via automatic downloads in Chrome, i.e. the file
write vulnerability can be triggered by browsing to a website without any user
interaction (a drive-by attack model).

This issue was tested on a SM-G925V device running build number 
LRX22G.G925VVRU1AOE2. 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 29 Jul 2015 at 10:05
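
The unzip flaw described in the report above is avoided by resolving each entry's target path and refusing any that land outside the destination directory. The following is an added example, not code from the original report or from Samsung; the function names, the temporary directory standing in for /data/bundle, and the sample archive are all constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

def build_sample_zip(names):
    """Build an in-memory archive (constructed test input) with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"sample")
    buf.seek(0)
    return buf

def resolve_entry(dest_dir, entry_name):
    """Return the absolute target path for an entry, or None if it escapes dest_dir."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, entry_name))
    # Compare path components, not string prefixes ("/data/bundle" vs "/data/bundle2").
    if os.path.commonpath([root, target]) != root:
        return None
    return target

def safe_extract(zip_file, dest_dir):
    """Extract only entries that stay inside dest_dir; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(zip_file) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected

def demo():
    # Hypothetical entry names: one benign, one relative escape, one absolute path.
    sample = build_sample_zip(["cred/profile.conf", "../outside.txt", "/abs/outside.txt"])
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "bundle")  # stands in for /data/bundle
        os.makedirs(dest)
        written, rejected = safe_extract(sample, dest)
        escaped = os.path.exists(os.path.join(tmp, "outside.txt"))
    return written, rejected, escaped
```

The rejected list is worth logging: an archive that contains even one escaping entry name is a strong signal that the whole file should be discarded rather than partially extracted.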

GoogleCodeExporter commented 8 years ago

Original comment by scvi...@google.com on 30 Jul 2015 at 2:11

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 22 Oct 2015 at 1:25

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 23 Oct 2015 at 6:12

GoogleCodeExporter commented 8 years ago
Fixed in October MR.

Original comment by natashe...@google.com on 27 Oct 2015 at 6:37

GoogleCodeExporter commented 8 years ago
where is facepalm smile ? )

Original comment by s1l...@gmail.com on 29 Oct 2015 at 7:11