Path Traversal Vulnerability in OI File Manager for Android


# Disclosure Date: 12/02/2014
# Author: Keith Makan
# Vendor or Software Link: org.openintents.filemanager 
# Version: 2.0.5
# Tested on: Android 3.2.1 (HTC Flyer)
# Tools : Drozer, Bash












Description

OI File Manager (version 2.0.5) for Android suffers from a Path Traversal vulnerability.  The vulnerability stems from inadequate protection of the org.openintents.filemanager.FileManager Content Provider and associated URIs.

Here's the content provider causing the issue:

In the above screenshot one can see that the mentioned content provider is marked as exported but does not contain any write or read permission enforcement.

The following screenshot details the actual implementation of the vulnerable content provider:


Impact

This vulnerability allows unauthorized applications to abuse the external storage related permission granted to this application and leak information about any world readable files on the files system, as well as brute-force valid path-names.

Currently an estimated 5,000,000 - 10,000,000 installs affected.

Proof Of Concept


Timeline

  1. Vulnerability Discovered  10/02/201 -- No vendor contact available
  2. Public Disclosure 24/02/2014
*please note this application may suffer from more vulnerabilities, especially those stemming from startActivityForResult calls to the org.openintents.filemanager.SaveAsActivity.
As their could be abused to read or even save/write arbitrary files on the filesystem.