Insecure read of file in using ContentProvider in ApptentiveAttachmentFileProvider #245

@ciprianlupu15

Description

In ApptentiveAttachmentFileProvider, it was observed that the code uses the getLastPathSegment method to retrieve the last portion of the URL path.


public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
    String str = CLASS_NAME + " - openFile";
    Log.v(str, "Called with uri: '" + uri + "'." + uri.getLastPathSegment());
    if (this.uriMatcher.match(uri) == 1) {
        return ParcelFileDescriptor.open(new File(ApptentiveLog.getLogsDirectory(getContext()) + File.separator + uri.getLastPathSegment()), 268435456);  // <--- ACCESS THE FILE***
     }
} 

In essence, if the URI is `https://example.com/pathA/pathB`, getLastPathSegment would extract `pathB` as the last segment in the path. However, if the URI is constructed with an encoded `/`, as in `https://example.com/pathA%2fpathB`, getLastPathSegment would extract `pathA/pathB` as the last segment in the path.
Armed with this knowledge, an attacker is able to create a traversal exploit by writing the content scheme URL as such:

```
content://com.test.ApptentiveAttachmentFileProvider/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fdata%2fdata%2fcom.test%2fapp_webview%2fDefault%2fCookies
```

to steal the internal cookie from the victim user.

You can read more about this exploit here: https://blog.oversecured.com/Gaining-access-to-arbitrary-Content-Providers/
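The fix a reviewer would ask for is to canonicalize the resolved file and refuse anything that lands outside the logs directory. The following is an added example, not code from the Apptentive SDK or from this report: `lastPathSegment` is a stand-in that reproduces the decoding behaviour described above (Android's `Uri.getLastPathSegment()`, here using `URLDecoder`, which additionally maps `+` to a space), and `resolveInside` is a hypothetical helper showing the missing check against the traversal URI quoted in the report.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class SafeAttachmentResolver {

    // Mirrors what Uri.getLastPathSegment() yields: the text after the final
    // literal '/' of the *encoded* path, percent-decoded. "..%2f..%2fx" therefore
    // decodes to "../../x" and is returned as a single "segment".
    static String lastPathSegment(String encodedPath) {
        int slash = encodedPath.lastIndexOf('/');
        String raw = slash < 0 ? encodedPath : encodedPath.substring(slash + 1);
        return URLDecoder.decode(raw, StandardCharsets.UTF_8);
    }

    // Resolves the requested name under logsDir and rejects any result whose
    // canonical path escapes that directory. This is the check openFile() lacks.
    static File resolveInside(File logsDir, String segment) throws FileNotFoundException {
        try {
            String base = logsDir.getCanonicalPath() + File.separator;
            File candidate = new File(logsDir, segment);
            String target = candidate.getCanonicalPath();
            if (!target.startsWith(base)) {
                throw new FileNotFoundException("Path escapes logs directory: " + segment);
            }
            return candidate;
        } catch (IOException e) {
            throw new FileNotFoundException("Cannot canonicalize: " + segment);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a benign attachment name and the traversal path from the report.
        File logsDir = new File(System.getProperty("java.io.tmpdir"), "apptentive-logs");
        String[] paths = {
            "/attachments/report.txt",
            "/attachments/..%2f..%2f..%2fdata%2fdata%2fcom.test%2fapp_webview%2fDefault%2fCookies"
        };
        for (String p : paths) {
            String seg = lastPathSegment(p);
            try {
                System.out.println("allowed:  " + resolveInside(logsDir, seg));
            } catch (FileNotFoundException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The first path resolves to a file inside the logs directory; the second canonicalizes to a path outside it and is rejected before any file is opened.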
