Symantec PGP Viewer for Android (version 184.108.40.206) was found to temporarily store attachments decrypted from a PGP-archived email with world-readable file permissions. The attachments are written to disk as soon as the user opens a PGP-archived email and are deleted when the application is closed. It was also observed that after an application crash or other non-graceful exit, the decrypted attachment files in the files/tmp directory are not deleted.
Tanoy Bose - xen1thlabs
Any attachment that has been decrypted by Symantec PGP Viewer is stored in [/data/user/0/]com.symantec.pgpviewersymantec/files/tmp/ in an unencrypted and world-readable state. An attacker or malicious application with minimal access to the device is therefore able to read the decrypted attachments.
Even though the […]/tmp/ directory was emptied after every message read, we noticed that upon an unsuccessful exit of the application (such as a crash or a forced stop) the decrypted data persisted there, still with world-readable permissions.
The application can also be launched from a different application via its exported AppSplashActivity, which handles the android.intent.action.Viewer action.
The vulnerability was tested and confirmed on Symantec PGP Viewer Android application version 220.127.116.11 on Android 8.1.
For our test we use an encrypted email called Message.pgp:
-----BEGIN PGP MESSAGE-----
We can launch the application using the activity manager (am) from a shell, or from any malicious application, with the following command:
$ am start -n com.symantec.pgpviewersymantec/.AppSplashActivity -d file:///data/local/tmp/Message.pgp -a android.intent.action.Viewer
The following evidence illustrates the weak file permissions and the presence of decrypted files in the tmp directory.
bullhead:/data/user/0/com.symantec.pgpviewersymantec/files/tmp $ pwd
Extraction of a decrypted file (docx):
bullhead:/data/user/0/com.symantec.pgpviewersymantec/files/tmp $ cp /data/user/0/com.symantec.pgpviewersymantec/files/tmp/xen1thLabs_advisory_-_SymantecPGPViewer-WorldReadableFiles.docx /data/local/tmp/test.docx
Extraction of a decrypted file (pdf):
bullhead:/data/user/0/com.symantec.pgpviewersymantec/files/tmp $ cp /data/user/0/com.symantec.pgpviewersymantec/files/tmp/xen1thLabs_advisory_-_SymantecPGPViewer-WorldReadableFiles.pdf /data/local/tmp/test.pdf
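The permission check behind the evidence above, written up as an added example (it is not part of the original advisory and not Symantec's code): a POSIX shell function that reports every regular file under a directory whose "other" read bit is set, plus a constructed mock of the files/tmp directory so the check can be exercised offline. The file names and contents in the mock are made up for the example; on a device the same function would be pointed at /data/user/0/com.symantec.pgpviewersymantec/files/tmp from an adb shell after launching the app with the am command shown earlier. The hardening step shows the mode the decrypted temp files should have had (owner-only, 600) and that the check then reports nothing.

```shell
#!/bin/sh
# Added example, not from the original advisory: detect world-readable files
# in an app's decrypted-attachment directory, and show the hardened state.

# Print (sorted) every regular file under $1 whose "other" read bit is set.
# -perm -004 is portable to GNU and BSD find; it matches any mode containing
# the o+r bit (644, 664, 666, ...), which is exactly the weak state observed.
world_readable_files() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Return 0 (success) when no world-readable file exists under $1, else 1.
check_no_world_readable() {
    [ -z "$(world_readable_files "$1")" ]
}

# Build a constructed mock of the files/tmp directory described above.
# Mode 644 reproduces the weak permissions; the names and contents are
# hypothetical stand-ins for decrypted attachments.
make_mock_tmp() {
    dir=$(mktemp -d)
    printf 'constructed decrypted docx\n' > "$dir/attachment.docx"
    printf 'constructed decrypted pdf\n'  > "$dir/attachment.pdf"
    chmod 644 "$dir/attachment.docx" "$dir/attachment.pdf"
    echo "$dir"
}

# Remediation as it applies to already-written files: strip group/other bits
# so only the owning app UID can read the decrypted data.
harden_tmp() {
    chmod 600 "$1"/*
}

# Stand-alone demonstration: weak directory is flagged, hardened one is clean.
if [ "${0##*/}" != "sh" ] && [ -z "$SOURCED" ]; then
    d=$(make_mock_tmp)
    echo "world-readable before hardening:"
    world_readable_files "$d"
    harden_tmp "$d"
    check_no_world_readable "$d" && echo "clean after hardening"
    rm -rf "$d"
fi
```

The check only looks at the mode bits of the files themselves; whether another UID can actually reach them also depends on the execute bits of every parent directory, so on a real device run `ls -ld` on the package's data directory and on files/tmp alongside this function before concluding the data is exposed.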
- 22 Aug, 2019 - Reported to Symantec; Won’t Fix
- 23 Jul, 2019 - Reported to Mitre; No response