VYPR
Unrated severity · NVD Advisory · Published Aug 10, 2023 · Updated Oct 4, 2024

Path traversal allows tricking the Talk Android app into writing files into its root directory

CVE-2023-39957

Description

Nextcloud Talk Android allows users to place video and audio calls through Nextcloud on Android. Prior to version 17.0.0, an unprotected intent allowed malicious third-party apps to trick the Talk Android app into writing files outside of its intended cache directory. Nextcloud Talk Android version 17.0.0 has a patch for this issue. No known workarounds are available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nextcloud Talk Android prior to 17.0.0 allows malicious apps to write files outside its cache directory via an unprotected intent.

Vulnerability

Nextcloud Talk Android versions prior to 17.0.0 contain an unprotected intent that allows a malicious third-party application to trick the Talk app into writing files outside its intended cache directory. This path traversal vulnerability can be exploited by crafting an intent with a file URI that points to an arbitrary location on the device's filesystem. The issue is documented in the security advisory [1] and fixed in pull request [2].

Exploitation

An attacker must have a malicious third-party app installed on the same Android device. No additional permissions are required because the vulnerable intent is exported and does not enforce any access controls. The attacker sends a crafted intent to the Talk app, specifying a file URI that traverses out of the cache directory (e.g., using ../ sequences). The Talk app then writes the file to the attacker-specified location, bypassing the intended cache boundary.

Impact

Successful exploitation allows the attacker to write arbitrary files to the Talk app's root directory or other writable locations on the device. This could lead to overwriting critical application files, potentially resulting in code execution, data corruption, or denial of service. The integrity and availability of the Talk app are compromised, and the scope may extend to other components if the written files are used by the system.

Mitigation

The vulnerability is fixed in Nextcloud Talk Android version 17.0.0, released on or around June 1, 2023 [2]. Users should update to this version immediately. No known workarounds are available [1].
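
The following Kotlin example is added here and is not the Nextcloud Talk patch or code from this advisory; it shows the general containment check an app can apply before writing a file whose name arrives from another app. The function name `resolveInsideCache`, the temporary directory standing in for the app's cache directory, and the sample names are assumptions constructed for illustration.

```kotlin
import java.io.File
import java.nio.file.Files

/**
 * Resolve an untrusted file name (for example one taken from an incoming
 * Intent) to a file inside [cacheDir]. Hypothetical helper for illustration.
 * Throws SecurityException if the resolved path lands outside the directory.
 */
fun resolveInsideCache(cacheDir: File, untrustedName: String): File {
    val base = cacheDir.canonicalFile
    // canonicalFile collapses "../" segments and resolves symlinks, so the
    // comparison below is made on the path that would really be written.
    val target = File(base, untrustedName).canonicalFile
    // Compare with a trailing separator so a sibling such as "cache-other"
    // is not treated as being inside "cache". This also rejects the
    // directory itself (empty name or a name that resolves to the base).
    if (!target.path.startsWith(base.path + File.separator)) {
        throw SecurityException("path escapes cache directory: $untrustedName")
    }
    return target
}

fun main() {
    // Constructed stand-in for the app's data directory and cache directory,
    // so the example runs on a plain JVM without the Android SDK.
    val appRoot = Files.createTempDirectory("talk-demo").toFile().canonicalFile
    val cacheDir = File(appRoot, "cache").apply { mkdirs() }

    // Constructed sample names: the first is benign, the others try to
    // leave the cache directory.
    val samples = listOf(
        "photo.jpg",
        "../photo.jpg",
        "sub/../../shared_prefs/x.xml",
        ".."
    )
    for (name in samples) {
        val verdict = try {
            "accepted -> " + resolveInsideCache(cacheDir, name).relativeTo(appRoot)
        } catch (e: SecurityException) {
            "rejected (${e.message})"
        }
        println("%-32s %s".format("\"$name\"", verdict))
    }
    appRoot.deleteRecursively()
}
```

The check belongs at the point where the destination path is built, immediately before the write, so that every code path that handles externally supplied names goes through it.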

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
