cyclic scanner

after i opened an app i realized that it has a switch to scan files and it asks for a permission to manage/access all files on the device's external storage.

let’s take a look on the java code of the activity

In the oncreat() method the handlePermissions() method is called

it checks if the app has the permission to access the external storage if yes, it calls the setupSwitch() method

if the switch is checked it will start a scan service

let’s take a look at the service class

in the message handlerMethod()

it loops over all files in the external storage and scans it for safety using scanFile method

the scanFiles method scans the file using this shell command

 Process process = new ProcessBuilder(new String[0]).command("sh", "-c", command).directory(Environment.getExternalStorageDirectory()).redirectErrorStream(true).start();

which will look like

sh -c toybox sha1sum /<file_path>/<file_name>

this command is supposed to get a sha1 hash of the file and check it against a list of malware hashes, but we don’t really care about this.

what can we control in this command?

yes, the file name for sure we can create any file in the external storage to leverage command injection

let’s create a file

davinci:/sdcard # touch "; touch exploit"

open the app an run scanner

the command executed and we the file is created

PreviousIOT Connect Nextstrings

Last updated 8 months ago