Rareprob HD Video Player All Formats Path Traversal Vulnerability
Vulnerability
A path traversal vulnerability has been identified in the Rareprob HD Video Player All Formats app, version 12.1.372, for Android. The issue arises in the component com.rocks.music.videoplayer, where the application fails to implement adequate security measures during the file import process. This oversight allows unauthorized apps to manipulate file names and contents, exploiting path traversal to overwrite arbitrary files within the app's internal storage. Such exploitation could lead to arbitrary code execution, unauthorized access to sensitive information, denial-of-service conditions, and other security-related issues.
Impact
Exploitation of this vulnerability allows for path traversal, enabling the overwriting of arbitrary files in the app's internal storage. This could result in arbitrary code execution, exposure of sensitive information, denial-of-service conditions, and other unspecified security impacts.
Reproduction
To reproduce this vulnerability, an unauthorized app can be created to send an intent to the HD Video Player All Formats app. The intent should target the DeeplinkActivity component and include a URI that traverses the file system to overwrite a specific shared preference file, such as FBAdPrefs.xml. The malicious app must be able to control the file name and content through a content provider.
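One way to close this class of bug on the importing side, shown as an added example (not the app's code or the vendor's fix): treat the file name reported by the sending app's content provider as untrusted, reduce it to a leaf name, and confirm that the canonical destination still sits inside the import directory. It is plain Java so it runs off-device; the helper resolveImportTarget, the imports directory and the sample names are assumptions, and on Android the name would typically come from the provider's OpenableColumns.DISPLAY_NAME column.

```java
import java.io.File;
import java.io.IOException;

public class SafeImportName {
    // Hypothetical helper: map a provider-supplied name to a file inside importDir, or throw.
    static File resolveImportTarget(File importDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new IOException("empty file name");
        }
        // Keep only the last path segment; File.getName() drops everything before the last separator.
        String leaf = new File(untrustedName.replace('\\', '/')).getName();
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            throw new IOException("rejected file name: " + untrustedName);
        }
        File base = importDir.getCanonicalFile();
        File target = new File(base, leaf).getCanonicalFile();
        // Defence in depth: the canonical result (symlinks resolved) must sit directly inside importDir.
        if (!base.equals(target.getParentFile())) {
            throw new IOException("path escapes import directory: " + untrustedName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for an app's private import directory.
        File importDir = new File(System.getProperty("java.io.tmpdir"), "imports");
        importDir.mkdirs();
        // Constructed sample names, as an untrusted provider might report them.
        String[] names = { "clip.mp4", "../shared_prefs/FBAdPrefs.xml", "..", "a/b/../../../x.xml" };
        for (String n : names) {
            try {
                System.out.println(n + " -> " + resolveImportTarget(importDir, n));
            } catch (IOException e) {
                System.out.println(n + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Names containing directory segments are reduced to their final component and written under the import directory only; a bare ".." is rejected outright.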
