Microsoft researchers uncovered a path traversal–related vulnerability pattern in multiple popular Android apps that could allow a malicious app to overwrite files in a vulnerable app’s home directory, enabling arbitrary code execution and token theft. The study spotlights the Dirty Stream Attack and demonstrates impacts in Xiaomi File Manager and WPS Office, urging developers and users to update and apply mitigations. #DirtyStreamAttack #XiaomiFileManager
Keypoints
- A path traversal–affiliated vulnerability pattern was found in multiple popular Android apps, enabling a malicious app to overwrite files in the vulnerable app’s home directory.
- The pattern can lead to arbitrary code execution and token theft, potentially giving a threat actor full control over an app and access to user data.
- Several vulnerable apps were identified in the Google Play Store with hundreds of millions of installs, indicating widespread impact, and fixes were deployed in some cases as of early 2024.
- The attack chain involves tricking a share target by delivering a malicious filename via explicit intents, then abusing the FileProvider/content URI flow so that the receiving app writes the streamed file to an attacker-chosen path inside its own home directory.
- In a case study, Xiaomi File Manager was shown to be exploitable for arbitrary code execution by replacing native libraries loaded from the app’s data directory, illustrating how privileges gained locally in one app can be extended beyond the device (for example through credentials the app stores).
- The guidance emphasizes secure handling of files from external apps, sanitizing filenames, and validating canonical paths to prevent traversal and code execution, plus user guidance to stay updated.
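The guidance above, as an added example that is not code from the Microsoft report or from any of the apps it names: the vulnerable write pattern beside a hardened one, with the untrusted DISPLAY_NAME and the directory layout constructed for illustration.

```java
import java.io.File;
import java.io.IOException;

// Models the file-write step of a share target that receives a content URI.
// The filename comes from the sending app's content provider (its DISPLAY_NAME
// column), so it must be treated as attacker-controlled. On Android, filesDir
// would be Context.getFilesDir(); here it is a constructed temp directory.
public class SafeShareTarget {

    // Vulnerable pattern: the untrusted display name is joined directly onto
    // the app's private directory, so "../" segments escape it.
    static File resolveUnsafe(File filesDir, String displayName) {
        return new File(filesDir, displayName);
    }

    // Hardened pattern: reject separators and dot segments outright, then
    // confirm the canonical target still lies inside the canonical base directory.
    static File resolveSafe(File filesDir, String displayName) throws IOException {
        if (displayName == null || displayName.isEmpty()
                || displayName.contains("/") || displayName.contains("\\")
                || displayName.equals(".") || displayName.equals("..")) {
            throw new IOException("rejected filename: " + displayName);
        }
        File base = filesDir.getCanonicalFile();
        File target = new File(base, displayName).getCanonicalFile();
        // Compare with a trailing separator so a sibling such as "app-filesX"
        // cannot pass as a prefix of "app-files".
        if (!target.getPath().startsWith(base.getPath() + File.separator)) {
            throw new IOException("path escapes files dir: " + target);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File filesDir = new File(System.getProperty("java.io.tmpdir"), "app-files");
        // Constructed hostile DISPLAY_NAME in the Dirty Stream style: it targets a
        // native library location instead of the cache folder the app intended.
        String hostile = "../app-files/lib/evil.so";
        System.out.println("unsafe: " + resolveUnsafe(filesDir, hostile).getCanonicalPath());
        try {
            resolveSafe(filesDir, hostile);
        } catch (IOException e) {
            System.out.println("safe:   " + e.getMessage());
        }
        System.out.println("safe:   " + resolveSafe(filesDir, "photo.jpg"));
    }
}
```

The canonical-path comparison is the second line of defence: it still rejects a name that slipped past the character check, for instance via a symlink inside the base directory.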
MITRE Techniques
- [T1203] Exploitation for Client Execution – The vulnerability allows a malicious app to cause arbitrary code execution within the target app by abusing a path traversal and file-overwrite flow. “The vulnerability pattern can lead to arbitrary code execution and token theft…”
- [T1552.001] Credentials in Files – The study notes credentials (e.g., SMB/FTP credentials) stored in clear text within local files, enabling credential access if exploited. “the user credentials are saved in clear text in the /data/data/com.mi.android.globalFileexplorer/files/rmt_i.properties”
- [T1574.001] Hijack Execution Flow – The research shows replacing a native library (libixiaomifileuext.so) and loading it to achieve code execution, illustrating a library-hijacking approach. “The easiest way to get code execution is to replace the libixiaomifileuext.so with a malicious one.”
Indicators of Compromise
- [File] context – libixiaomifileu.so, libixiaomifileuext.so, com.mi.android.globalFileexprorer_preferences.xml, and com.mi.android.globalFileexprorer_preferences.xml.bak
- [Directory] context – /data/app, /files/lib, /sdcard/Android/data/com.mi.android.globalFileexplorer/files/usbTemp/
- [URI] context – content://[authority]/shared_images/[sub-path]/[filename]
- [Package] context – com.mi.android.globalFileexplorer (Xiaomi File Manager), cn.wps.moffice_eng (WPS Office)
- [URL] context – https://play.google.com/store/apps/details?id=com.mi.android.globalFileexplorer
- [Credential] context – /data/data/com.mi.android.globalFileexplorer/files/rmt_i.properties (cleartext SMB/FTP credentials)