GHSA-hvp5-5x4f-33fq

Suggest an improvement
Source
https://github.com/advisories/GHSA-hvp5-5x4f-33fq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-hvp5-5x4f-33fq/GHSA-hvp5-5x4f-33fq.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hvp5-5x4f-33fq
Published
2024-04-22T15:56:04Z
Modified
2024-12-05T05:41:43.523801Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
JADX file override vulnerability
Details

Summary

when jadx parses a resource file, there is an escape problem with the style file, which can overwrite other files in the directory when saving the decompile result.

Although I don't think this vulnerability realizes path traversal in the true sense of the word , I reported it anyway

Details

I see that getResAlias does something with the filename.

private String getResAlias(int resRef, String origKeyName, @Nullable FieldNode constField) {

but type style will return the original filename directly.

img so our goal is to take a malicious file that was originally of type raw, modify its type to style, trick jadx into

step1

create an android project using androidstudio and create a raw folder with the name attackfilesayhiiiiiiiiiiiii, it doesn't matter what the content is!

img generate an initial APK

step2

extract this initial APK using ZIP software to get resources.arsc

img drop resources.arsc into 010editor

step3

search for the previous filename attackfilesayhiiiiiiiiiiiii , two will appear here, we choose the second one

img let's change the name of the file here. I'll change it to ../../filesayhiiiiiiiiiiiii

note that you can only overwrite files in the folder where the decompile was saved.

img

step4

change the type of this file to style

img modified to 0E

img

step5

After saving, re-compress the whole folder into a zip, then change the extension to APK.

open it with JADX and you can see that it has been changed to a style type.

img click save all

img you can see the file escaping.

img so we can also construct a

img so the classes.dex file is also replaced here

img

PoC

the details above have been written

Impact

latest version

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T15:56:04Z"
}
References

Affected packages

Maven / io.github.skylot:jadx-core

Package

Name
io.github.skylot:jadx-core
View open source insights on deps.dev
Purl
pkg:maven/io.github.skylot/jadx-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5.0

Affected versions

1.*

1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7