Decrypting: The Dirty Stream of Android file sharing

Kr1pt7c
2 min read · May 6, 2024

Microsoft came out with a report on the 1st of May 2024 identifying a critical vulnerability in several applications on the Google Play Store with an aggregate of 4 billion installs.

This novel, path-traversal-related security flaw in Android applications, dubbed “Dirty Stream”, can enable the use of vulnerable applications for arbitrary code execution and data exfiltration.

The Android operating system is heavily sandboxed, with each application allotted its own isolated data and memory space. When required, data and file sharing are enabled securely through a component called a Content Provider. A subclass of this Content Provider class, called File Provider, is responsible for enabling file sharing among installed applications.

Every File Provider has a property called an authority, which defines it and which anyone who wishes to access shared files can use as a form of address. Armed with the authority of the provider and a pseudo path to the file, consumers (apps that want file access) can request access to the shared file. On receiving the request, the File Provider resolves the actual path of the file and provides the file.

Although this Content Provider-based model provides a seamless and secure means of file sharing when implemented correctly, incorrect implementations of it can be exploited in many ways.

In the case of the “Dirty Stream” attack pattern, incorrect implementations of the model enable malicious actors to cause target applications to execute or store malicious files by manipulating file names and paths using custom implementations of the File Provider. In this way, a simple OS function gets turned into a weaponised tool, enabling attackers to achieve command execution, data exfiltration and many other malicious outcomes.
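The receiving side of this flaw, as an added example that is not from the original post or from Microsoft's report: plain Java contrasting a consumer that trusts a provider-supplied file name with one that sanitises it and checks the resolved path. The class, method and directory names are hypothetical, and the sample file names are constructed.

```java
import java.io.File;
import java.io.IOException;

// Added example; all names here are hypothetical, not from any real app.
public class IncomingFileName {

    // Unsafe pattern: the name supplied by the remote File Provider is used
    // as-is, so a name containing "../" resolves outside the cache directory.
    static File unsafeTarget(File cacheDir, String providerName) {
        return new File(cacheDir, providerName);
    }

    // Hardened pattern: keep only the last path segment, reject empty or
    // dot-only names, then confirm the canonical path stays inside cacheDir.
    static File safeTarget(File cacheDir, String providerName) throws IOException {
        if (providerName == null) {
            throw new IOException("provider returned no file name");
        }
        String leaf = new File(providerName.replace('\\', '/')).getName();
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            throw new IOException("rejected file name from provider");
        }
        File target = new File(cacheDir, leaf);
        String base = cacheDir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(base)) {
            throw new IOException("resolved path escapes " + cacheDir);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values for illustration only.
        File cacheDir = new File(System.getProperty("java.io.tmpdir"), "demo_app/cache");
        cacheDir.mkdirs();
        String[] names = { "photo.jpg", "../outside.txt", ".." };
        for (String name : names) {
            System.out.println("name from provider: " + name);
            System.out.println("  unsafe -> " + unsafeTarget(cacheDir, name).getCanonicalPath());
            try {
                System.out.println("  safe   -> " + safeTarget(cacheDir, name).getCanonicalPath());
            } catch (IOException e) {
                System.out.println("  safe   -> " + e.getMessage());
            }
        }
    }
}
```

A receiving app can also avoid the problem entirely by generating its own file name for the cached copy and ignoring the one the provider reports.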

This case highlights the importance of correctly implementing functionality. Every hole in your implementation logic is an entry point for an attacker, every misconfiguration an opportunity. Stay safe.

Until next time.
