Coto Tarot, Astro & Healing App Arbitrary File Overwrite Vulnerability

Vulnerability

An arbitrary file overwrite vulnerability has been identified in the Coto Tarot, Astro & Healing app, specifically in version 11.4.0. This vulnerability allows attackers to overwrite critical internal files through the file import process. The issue arises from inadequate validation of imported files: the app does not sanitize the filename it receives, so a malicious app can supply a filename containing path traversal sequences, together with arbitrary content, and overwrite sensitive files in the app's internal storage. Overwriting essential configuration or executable files in this way could disrupt the app's functionality, cause it to fail to launch, or facilitate arbitrary code execution.

Impact

Exploitation of this vulnerability could lead to overwriting of critical internal files, potentially allowing for arbitrary code execution, exposure of sensitive information, or causing the app to malfunction or fail to launch.

Reproduction

The vulnerability can be reproduced by sending an intent from a malicious app to the Coto Tarot, Astro & Healing app's main activity. The intent must include a file stream that uses path traversal to target a sensitive file in the app's internal storage, such as a shared preferences file. Once the intent is received, the specified file will be overwritten with the attacker's chosen content.
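As an added illustration of the import flaw described above and in the Vulnerability section (not the app's own code; the class name, the "imports" subdirectory and the fallback filename are assumptions), the unsafe destination-path pattern is shown beside a hardened import handler that strips directory components, writes only into a dedicated import directory, and verifies the canonical path stays inside it:

```java
import android.content.ContentResolver;
import android.content.Context;
import android.database.Cursor;
import android.net.Uri;
import android.provider.OpenableColumns;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

// Added example, not the app's own code; class and directory names are assumptions.
public final class SafeImport {

    // Unsafe pattern the advisory describes: the caller-controlled display name
    // becomes the path, so "../shared_prefs/x.xml" escapes the intended directory.
    static File unsafeDestination(Context ctx, String displayName) {
        return new File(ctx.getFilesDir(), displayName);
    }

    // Hardened: keep only the last path segment, write into a dedicated import
    // directory, and verify the canonical path still lies inside it.
    static File safeDestination(Context ctx, String displayName) throws IOException {
        File importDir = new File(ctx.getFilesDir(), "imports").getCanonicalFile();
        if (!importDir.isDirectory() && !importDir.mkdirs()) throw new IOException("cannot create import directory");
        String base = new File(displayName).getName();
        if (base.isEmpty() || base.equals(".") || base.equals("..") || base.indexOf('\0') >= 0) throw new IOException("invalid file name");
        File dest = new File(importDir, base).getCanonicalFile();
        // Defence in depth: even after getName(), refuse anything that resolves outside importDir.
        if (!dest.getPath().startsWith(importDir.getPath() + File.separator)) throw new IOException("path traversal rejected: " + displayName);
        return dest;
    }

    // Copy the stream behind an incoming content URI into the import directory.
    static File importFromUri(Context ctx, Uri uri) throws IOException {
        ContentResolver cr = ctx.getContentResolver();
        String name = "import.bin"; // fallback when the provider reports no display name
        try (Cursor c = cr.query(uri, new String[] {OpenableColumns.DISPLAY_NAME}, null, null, null)) {
            if (c != null && c.moveToFirst() && c.getString(0) != null) name = c.getString(0);
        }
        File dest = safeDestination(ctx, name);
        try (InputStream in = cr.openInputStream(uri); OutputStream out = new FileOutputStream(dest)) {
            if (in == null) throw new IOException("cannot open " + uri);
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
        }
        return dest;
    }
}
```

The same containment check applies to any other place the app derives a destination path from intent data, such as a filename carried in an extra rather than in the provider's display name.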

Added: Feb 4, 2026, 3:24 PM
Updated: Feb 4, 2026, 4:56 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  4.4
remediation     0.0
relevance       2.7
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.