One Article Review

Source RiskIQ
Identifier 8492016
Publication date 2024-05-01 19:46:49 (seen: 2024-05-01 20:08:08)
Title “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps
Text

## Snapshot

Microsoft discovered a path traversal-affiliated vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application's home directory. The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application's implementation. Arbitrary code execution can provide a threat actor with full control over an application's behavior. Meanwhile, token theft can provide a threat actor with access to the user's accounts and sensitive data.

We identified several vulnerable applications in the Google Play Store that represented over four billion installations. We anticipate that the vulnerability pattern could be found in other applications. We're sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases. As threats across all platforms continue to evolve, industry collaboration among security researchers, security vendors, and the broader security community is essential in improving security for all. Microsoft remains committed to working with the security community to share vulnerability discoveries and threat intelligence to protect users across platforms.

After discovering this issue, we identified several vulnerable applications. As part of our responsible disclosure policy, we notified application developers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) and worked with them to address the issue. We would like to thank the Xiaomi, Inc. and WPS Office security teams for investigating and fixing the issue. As of February 2024, fixes have been deployed for the aforementioned apps, and users are advised to keep their device and installed applications up to date.

Recognizing that more applications could be affected, we acted to increase developer awareness of the issue by collaborating with Google to publish an article on the Android Developers website, providing guidance in a high-visibility location to help developers avoid introducing this vulnerability pattern into their applications. We also wish to thank Google's Android Application Security Research team for their partnership in resolving this issue.

In this post, we continue to raise developer and user awareness by giving a general overview of the vulnerability pattern, and then focusing on Android share targets, as they are the most prone to these types of attacks. We go through an actual code execution case study where we demonstrate impact that extends beyond the mobile device's scope and could even affect a local network. Finally, we provide guidance to users and application developers and illustrate the importance of collaboration to improve security for all.

## Activity Overview

### Data and file sharing on Android

The Android operating system enforces isolation by assigning each application its own dedicated data and memory space. To facilitate data and file sharing, Android provides a component called a content provider, which acts as an interface for managing and exposing data to the rest of the installed applications in a secure manner. When used correctly, a content provider provides a reliable solution. However, improper implementation can introduce vulnerabilities that could enable bypassing of read/write restrictions within an application's home directory.

The Android software development kit (SDK) includes the [FileProvider](https://developer.android.com/reference/androidx/core/content/FileProvider) class, a subclass of ContentProvider that enables file sharing between installed applications. An application that needs to share its files with other applications can declare a FileProvider in its app manifest and declare the specific paths to share.

Every file provider has a property called authority, which identifies it system-wide, and can b
Sent Yes
Tags Tool Vulnerability Threat Studies Mobile Technical
Stories
Notes ★★★
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.