Lack of data validation - Path Traversal In github.com/mvt-project/androidqf
Description
androidqf: APK download Path Traversal in device APK paths
Summary
During device acquisition, getPathToLocalCopy() constructs local filesystem paths for downloaded APKs using a filename component extracted by extractFileName(). The extraction splits on ==/ and takes the remainder without sanitization. If a compromised device returns a crafted APK path containing traversal sequences, filepath.Join resolves them, allowing the file to be written outside the intended apks/ directory.
Practical exploitability is limited because Android enforces strict package path formats under /data/app/ and does not allow apps to register paths containing traversal sequences. Rated Informational as a defense-in-depth concern.
Impact
An attacker with control of the connected device could potentially write files outside the expected output directory on the acquisition workstation, leading to arbitrary file overwrite with attacker-controlled content.
Patched version
Credits
This issue was identified during a security assessment conducted by 0xche.
An additional vulnerability was independently identified by @0x0v1
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 go | 1.8.3 |
Aliases
References