
Write to arbitrary files while decoding on Windows

High
iBotPeaches published GHSA-vgwr-4w3p-xmjv Jan 20, 2024

Package

Apktool (Windows)

Affected versions

<=2.9.2

Patched versions

2.9.3

Description

Summary

I did some research on 0x33c0unt - GHSA-2hqv-2xv4-5h5w and found that the latest version of Apktool still has directory traversal on Windows.

Windows accepts both forward slashes and backslashes as path separators, but the Windows branch of the traversal filter only looks for the backslash spellings of "..", so a resource name written with forward slashes passes the check.

Apktool derives a decoded resource file's output path from its resource name, so an attacker who controls that name can place a file at a location of their choosing on the Windows machine that runs Apktool.

Details

  • Apktool derives a decoded resource file's output path from its resource name: [output-dir]/res/[type]/[resource-name] + [extension of the resource file].

  • For example, a resource named "foo" whose file is stored at res/raw/bar is extracted to res/raw/foo.

The traversal guard in 2.9.2 (BrutIO.detectPossibleDirectoryTraversal) was:

```java
public static boolean detectPossibleDirectoryTraversal(String entry) {
    // Windows branch: only the backslash spellings of ".." are checked,
    // even though Windows also accepts '/' as a path separator.
    if (OSDetection.isWindows()) {
        return entry.contains("..\\") || entry.contains("\\..");
    }
    // Other platforms: only the forward-slash spellings are checked.
    return entry.contains("../") || entry.contains("/..");
}
```

We start by building an APK that contains the resource res/raw/aaaaaaaaaaaaa.

After generating the APK, rename that resource to ../../../poc.

On Windows this combination is interesting: the forward slashes are honoured as separators when the file is written, yet the guard's Windows branch only looks for backslashes and never flags the name.

PoC

Environment: Apktool 2.9.2 on Windows 11.

The poc file escapes the output directory because of how Windows treats path separators; the Apktool problem still exists.

Impact

As before, exploitation on Windows requires an attacker's imagination.

Other

A ../../../poc name constructed this way is not flagged by BrutIO.detectPossibleDirectoryTraversal on Windows, because the Windows branch only looks for the backslash spellings and the name contains none.

The filtering rule in that function should be tightened to check both separator styles regardless of the operating system:

```java
return entry.contains("../") || entry.contains("/..") || entry.contains("..\\") || entry.contains("\\..");
```
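The following script is an added example, not Apktool's code. It replays the 2.9.2 guard shown above, the combined check suggested here, and the output-path rule from the Details section, using Python's ntpath module to reproduce Windows path semantics on any host. The output directories C:\work\out and /home/user/out, the .txt extension, and every sample name other than ../../../poc are constructed for the example; the C:/Windows/Temp/poc case goes beyond what this advisory describes and only illustrates what a containment check catches that a substring check cannot.

```python
# Added example (not Apktool's code): replay the Windows separator gap on any host.
import ntpath
import posixpath

# Constructed sample resource names. Only "../../../poc" is the advisory's PoC
# name; the others are hypothetical inputs added for this example.
SAMPLE_NAMES = [
    "foo",                  # ordinary resource, must be allowed
    "../../../poc",         # the advisory's PoC: forward slashes only
    "..\\..\\..\\poc",      # same escape spelled with backslashes
    "C:/Windows/Temp/poc",  # added case: absolute name, no ".." at all
]


def old_guard(entry: str, windows: bool) -> bool:
    """Mirror of the 2.9.2 BrutIO.detectPossibleDirectoryTraversal logic.

    On Windows only the backslash spellings are checked, so a name written
    with '/' passes even though Windows accepts '/' as a separator too.
    """
    if windows:
        return "..\\" in entry or "\\.." in entry
    return "../" in entry or "/.." in entry


def combined_guard(entry: str) -> bool:
    """The tightening suggested above: both separator styles on every OS."""
    return ("../" in entry or "/.." in entry
            or "..\\" in entry or "\\.." in entry)


def planned_output(out_dir: str, res_type: str, name: str, ext: str,
                   windows: bool) -> str:
    """Resolve [output-dir]/res/[type]/[resource-name]+[ext] the way the
    target OS would; ntpath reproduces Windows semantics on any host."""
    pm = ntpath if windows else posixpath
    return pm.normpath(pm.join(out_dir, "res", res_type, name + ext))


def escapes_output_dir(out_dir: str, res_type: str, name: str, ext: str,
                       windows: bool) -> bool:
    """Containment check: the resolved target must stay under out_dir.

    Works on normalised (and, on Windows, case-folded) paths rather than on
    ".." substrings, so it is independent of the separator the attacker
    chose and also rejects absolute names.
    """
    pm = ntpath if windows else posixpath
    base = pm.normcase(pm.normpath(out_dir))
    target = pm.normcase(planned_output(out_dir, res_type, name, ext, windows))
    return not (target == base or target.startswith(base + pm.sep))


def evaluate(name: str, windows: bool, out_dir: str) -> dict:
    """Summarise how each check treats one resource name on one platform."""
    return {
        "name": name,
        "old_guard_blocks": old_guard(name, windows),
        "combined_guard_blocks": combined_guard(name),
        "lands_at": planned_output(out_dir, "raw", name, ".txt", windows),
        "escapes": escapes_output_dir(out_dir, "raw", name, ".txt", windows),
    }


if __name__ == "__main__":
    # Hypothetical output directories for the two platforms.
    for windows, out_dir in ((True, "C:\\work\\out"), (False, "/home/user/out")):
        print("windows" if windows else "posix", out_dir)
        for sample in SAMPLE_NAMES:
            print("  ", evaluate(sample, windows, out_dir))
```

Running it shows the advisory's case directly: on Windows, old_guard lets ../../../poc through while planned_output resolves it to C:\work\poc.txt, outside the output directory. The combined guard closes that gap, but it is still a substring test: it rejects the harmless Linux filename ..\poc, and it says nothing about an absolute name. Resolving the candidate path and checking that it stays under the output directory is the check that follows the file system's own rules rather than guessing at them.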

Severity

High

CVSS overall score

7.1 / 10 (computed from the CVSS v3.1 vector below)

CVSS v3 base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CVE ID

No known CVE
