Android Security Development zip file directory traversal

1. zip file directory Traversal introduction

Because the ZIP archive is allowed to exist in the package file ". /"string, an attacker could take advantage of multiple". /"Change the location of a file in the ZIP package when extracting, overwriting the application's original file." If the overwritten file is a dynamically linked so, Dex, or Odex file, the light generates a local denial of service vulnerability that affects the usability of the application, which can cause arbitrary code execution vulnerabilities that compromise the user's device security and information security. For example, the recent discovery of the "parasitic Beast" vulnerability, Dolphin Browser remote command execution vulnerability, samsung default Input Method remote code execution vulnerability, etc. are related to the zip file directory traversal.

Ali Poly Security Application Vulnerability scanning service, can detect the application of the zip file directory traversal risk. In addition, we found that the Japanese Computer Emergency Response Team (Jpcert) The repair solution is flawed. If used improperly (the sample document it provides uses errors), it may not be possible to prevent the zip file directory traversal, and there is a domestic repair program reference this scenario.

2. Vulnerability principles and risk examples 2.1 Vulnerability Principle

In the Linux/unix system ".. /"represents the jump to the parent directory, some programs in the current working directory are processed to such as". /.. /.. /.. /.. /.. /.. /.. /.. /.. /.. /etc/hosts "represents a file that jumps out of the current working directory and jumps to a different directory.
When extracting a zip file, Java code uses the GetName () method of the ZipEntry class, if the zip file contains ".. /"String, the method returns the value inside as-is, if not filtered out of the GetName () return value in the". /"String to continue the unzip operation, the extracted file is created in the other directory.

As in the zip file we constructed, we have the following files:

The code for the decompression is as follows, and GetName is not filtered:

When extracting the operation log:

This zip file is stored in the SD card, you want to extract all the files also exist in the SD card, but the A_poc.txt file exists in the Application Data directory:

2.2 Risk Examples

Take the Dolphin Browser Remote Code execution vulnerability as an example.
Dolphin Browser Theme settings allow users to download new themes from the network to replace, the theme file is actually a zip compressed file. This zip file can be replaced by a man-in-the-middle attack. The replaced zip file has a recompiled libdolphin.so. This so file overrides the Jni_onload () function:

This so file is ". /.. /.. /.. /.. /.. /.. /.. /.. /.. /data/data/mobi.mgeek.tunnybrowser/files/libdolphin.so "form exists in a malicious zip file. After the Dolphin browser extracts the malicious zip file, the re-libdolphin.so will overwrite the original so file, re-run the Dolphin browser will pop up the toast prompt box:

You can also execute other code if you can eject the toast description.

The reasons for this vulnerability are analyzed here:
1, the theme file is actually a zip compressed package, extracted from the server after the decompression, but the decompression is not filtered getname () The string returned whether there is ". /”：

2, dynamic link library file libdolphin.so, and is not placed in the Application Data Lib directory, but placed in the files directory:

The place where the load is used is the searchredirector in the Com.dolphin.browser.search.redirect package:

The app uses System.load () to load libdolphin.so instead of system.loadlibrary (), in Android, System.loadlibrary () is to load the. So file from the application's Lib directory, and System.load () is loaded with an absolute path to a. so file, the. So file may not be in the application's Lib directory, it can be in an SD card, or in the files directory of the app, as long as the Read permission directory is applied.

In the files directory, the application has write permission, through the network man-in-the-middle attack, while using the zip file directory Traversal vulnerability, replace the file libdolphin.so, to achieve the purpose of remote command execution.

The application of the Lib directory is a soft link to the/data/app-lib/application directory, if the libdolphin.so file is not overwritten in the Lib directory, the third-party application does not write to the/data/app-lib directory permissions:

3. Study on the Jpcert repair scheme

in the study, we found that the repair solution provided by Jpcert was flawed. It uses the Getcanonicalpath () method provided by the file class of Java to filter out the "." contained in the string returned by Zipentry.getname (). /"And then check if this string starts with the target directory string to extract to, and if it is, returns the string that Getcanonicalpath () gets to, and throws an exception if it is not:

However, in the sample code given by Jpcert, the call to Validatefilename () will not be for the app to prevent any directory traversal:

It uses "." As the destination directory to extract to, "." Represents the current directory, the current working directory of the tested app process is the root directory "/":

View the status of the process, get the current working directory of the app process CWD is linked to the root directory:

As shown under demo, if using the Jpcert example in Validatefilename (Entry.genname (), ".") , or it will generate a directory traversal read to the system configuration file:

Read the contents of the Hosts file:

The correct invocation of the Validatefilename () Form is the destination directory to extract to, do not use ".", but specify an absolute path.

4, Ali gather security for developers to recommend

1 The important ZIP archive file for digital signature verification, verify the pass before extracting.
2 Check that the file name in the ZIP archive using zipentry.getname () contains ". /"or": ", check": /"does not need to be URI Decode (in case of URI encoding). %2f "to bypass), the test found Zipentry.getname () for the zip package has". %2f "file path is not processed.
3 Use the security scanning service of Alibaba gather security before the application goes online, discover the security risk of the application as early as possible.

Ali Poly Security Scanner recommended Repair solution:
When using the Zipinputstream class in the Java.util.zip package for decompression operations, the sample is examined as follows:

You can also use the ZipFile class in the Java.util.zip package to read all the entries in the ZIP package directly, and then check whether the return value of GetName () contains ". /”：

5. Reference

[1] https://www.jpcert.or.jp/present/2014/20140910android-sc.pdf

[2] "Dolphin Browser and mercury browser Remote Code execution vulnerability detailed"http://drops.wooyun.org/mobile/8293 
[3] technology analysis of the "parasitic Beast" of the Android app that affects the tens of millions of apphttp://drops.wooyun.org/mobile/6910 
[4] "Samsung default input Method remote code Execution"http://drops.wooyun.org/papers/6632 
[5]http://www.oracle.com/technetwork/articles/java/compress-1565076.html 
[6]http://stackoverflow.com/questions/1099300/ Whats-the-difference-between-getpath-getabsolutepath-and-getcanonicalpath 

[7] http://stackoverflow.com/questions/7016391/ Difference-between-system-load-and-system-loadlibrary-in-java

6. Android Security Development Series

?

Directory

Provider component security for Android security development
On the security development of Android key hard-coded

On Android Security Development Web page open app

On the security development of Android application pit of encryption algorithm

Ishin, Hang Fox, boat Sea @ Ali Poly Security, more security technical articles, please visit the security blog Ali Poly

Android Security Development zip file directory traversal