Skip to content

Insecure read of file in using ContentProvider in ApptentiveAttachmentFileProvider #245

Description

@ciprianlupu15

In ApptentiveAttachmentFileProvider, it was observed that the code uses getLastPathSegment method to retrieve the last portion of the URL path.


public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
    String str = CLASS_NAME + " - openFile";
    Log.v(str, "Called with uri: '" + uri + "'." + uri.getLastPathSegment());
    if (this.uriMatcher.match(uri) == 1) {
        return ParcelFileDescriptor.open(new File(ApptentiveLog.getLogsDirectory(getContext()) + File.separator + uri.getLastPathSegment()), 268435456);  // <--- ACCESS THE FILE***
     }
} 

In essence, if the URI is https://example.com/pathA/pathB , getLastPathSegment would extract pathB as the last segment in the path. However, if the URI is constructed with encoded / - https://example.com/pathA%2fpathB, getLastPathSegment wound extract pathA/pathB as the last segment in the path.
Honed with this knowledge, an attacker is able to create a traversal exploit by writing the content scheme URL as such:

content://com.test.ApptentiveAttachmentFileProvider/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fdata%2fdata%2fcom.test%2fapp_webview%2fDefault%2fCookies
to steal the internal cookie from the victim user.

You can read more about this exploit here: https://blog.oversecured.com/Gaining-access-to-arbitrary-Content-Providers/

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions