#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Amaze File Manager [1]
# Vendor:   Team Amaze
# CSNC ID:  CSNC-2020-030
# Subject:  Privilege Escalation
# Risk:     High
# Effect:   Locally exploitable
# Author:   Lukasz D. (advisories@compass-security.com)
# Date:     12.12.2020
#
#############################################################

Introduction:
-------------

Amaze File Manager is a popular open source, light and smooth file manager
for Android. It also features a root explorer for advanced users. However,
the application does not always handle files on the file system properly.
A vulnerability was found that enables other applications without root
privileges to execute arbitrary commands in the context of the root user.

Affected:
---------

The following Amaze File Manager versions are vulnerable:

- 3.1.1 - 3.5.0

Technical Description:
----------------------

Amaze File Manager checks whether symbolic links found on the file system
point to a file or to a directory. While performing this check within
directories browsable only with root rights, the name of the parent
directory of the object pointed to by the link is simply concatenated with
the 'ls -l' command. Since another application running on the same Android
device without root privileges can create arbitrary symbolic links in its
own application directory, this careless handling of symbolic links by
Amaze may be abused to execute arbitrary commands with root privileges.

For example, a malicious application could create an evil symbolic link:

    ln -s '/`log $(whoami)`/x' evil

Once the directory containing this evil link is opened in Amaze, the
'whoami' command is executed in the root context and the output can be
seen in the logs.

Workaround / Fix:
-----------------

Do not grant root access to Amaze File Manager if a vulnerable version is
used.
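The root cause described above is a path string being spliced into shell
command text. The following POSIX sh snippet is an added example written
for this advisory, not Amaze's own code: it shows the hardened form of such
a check, where the path is single-quoted before it reaches the shell so
that backticks and $(...) inside a directory name are treated as data. The
run_as_root helper is a stand-in assumption for the 'su -c' style call an
Android root explorer would use; here it is plain 'sh -c'. The hostile
directory name in the self-check is constructed for the demonstration and
uses a 'touch' of a marker file as a canary: if the quoting were wrong, the
marker would appear.

```shell
#!/bin/sh
# Added example, not part of the Amaze File Manager project.

# shell_quote: wrap a string in single quotes, turning every embedded '
# into '\'' so the result is one shell word with no interpretation of
# $, backticks, spaces or globs. (Trailing newlines in the path are
# dropped by the $(...) capture; such names are rejected in practice.)
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# run_as_root: ASSUMPTION standing in for 'su -c' on a rooted device.
# It receives a single command string, which is exactly why quoting
# matters: the string is re-parsed by a shell running as root.
run_as_root() {
    sh -c "$1"
}

# classify_path: report whether the object a path (or symlink) points to
# is a directory, a file, or something else, using 'ls -ldL' like the
# advisory's check but with the path quoted. '--' stops option parsing
# for names that start with '-'.
classify_path() {
    out=$(run_as_root "ls -ldL -- $(shell_quote "$1")") || return 1
    case "$out" in
        d*) echo directory ;;
        -*) echo file ;;
        *)  echo other ;;
    esac
}

# check_no_injection: build a directory whose name carries backticks and
# a $(...) command substitution, classify a symlink to it, and confirm
# that the canary 'touch' never ran. Returns 0 on success.
check_no_injection() {
    tmp=$(mktemp -d)
    # Constructed hostile name; the subshell would create $tmp/marker
    # if the path were ever interpolated unquoted.
    hostile="$tmp/\`id\` \$(touch $tmp/marker)"
    mkdir -p "$hostile/dir"
    ln -s "$hostile/dir" "$tmp/evil"
    kind=$(classify_path "$tmp/evil")
    target_kind=$(classify_path "$hostile/dir")
    marker_absent=1
    [ -e "$tmp/marker" ] && marker_absent=0
    rm -rf "$tmp"
    [ "$kind" = directory ] && [ "$target_kind" = directory ] \
        && [ "$marker_absent" = 1 ]
}

if [ "${0##*/}" = "quote_check.sh" ]; then
    check_no_injection && echo "quoting holds: no command ran from the path"
fi
```

Where the privileged helper accepts an argument vector rather than a
command string, passing the path as its own argv element removes the need
for quoting altogether; the quoting above is the fallback for interfaces
that only take a string.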
Timeline:
---------

2020-10-20: Vulnerability discovered
2020-10-20: Initial vendor notification
2020-10-21: Initial vendor response
2020-11-29: Patched version released [2]
2020-12-08: Public disclosure

References:
-----------

[1]: https://github.com/TeamAmaze/AmazeFileManager
[2]: https://github.com/TeamAmaze/AmazeFileManager/releases/tag/v3.5.1