Path Traversal Vulnerability in 'com.smartwho.SmartFileManager' 3.1.2 for Android


# Disclosure Date: 30/01/2014
# Author: Keith Makan
# Vendor or Software Link: com.smartwho.SmartFileManager 
# Version: 3.1.2
# Tested on: Android 3.2.1 (HTC Flyer)
# Tools : Drozer, Bash



 

 

 Description


com.smartwho.SmartFileManager (aka Android File Manager) suffers from a Path Traversal Vulnerability, which grants unauthorized applications read access to a victims device file system.

This vulnerability stems from a lack of permissions inforcement in a file supporting content provider, namely:

 <provider android:name="com.smartwho.SmartFileManager.FileManagerProvider" android:authorities="com.smartwho.SmartFileManager" />

The code above does not make use of the android:permission , android:readPermission or android:writePermission xml elements which   allows applications to leak the android.permission.READ_EXTERNAL_STORAGE permission.

Impact


The mentioned vulnerability allows applications with to enumerate the contents--within the access writes of the affected application--of a victims local file system without requiring the android.permission.READ_EXTERNAL_STORAGE permission.

Currently an estimated 1,000,000 - 5,000,000 installs are affected.


PoC




Timeline


1. Original Disclosure (30/01/2014)
2. -- No Response from Developer/Vendor
3. Public Advisory Publication (09/02/2014)