InTouch Contacts & Caller ID App Arbitrary File Overwrite Vulnerability Allowing Code Execution

Vulnerability

A vulnerability allowing arbitrary file overwriting has been identified in InTouch Contacts & Caller ID App version 6.38.1. This issue arises from inadequate security validation during the file import process, enabling attackers to overwrite critical internal files. The vulnerability could lead to unauthorized code execution, exposure of sensitive information, denial of service, and other serious security consequences.

Impact

Exploitation of this vulnerability could result in arbitrary code execution or unauthorized modification of critical application files, potentially causing the app to malfunction or fail to launch.

Reproduction

The vulnerability can be reproduced by importing files through the application's file import process. A malicious app can be used to control the filename and content, leveraging path traversal techniques to overwrite sensitive files in the app's internal storage. Once the victim opens the malicious app, the overwriting occurs automatically, without requiring complex user interaction.
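The missing validation described above can be illustrated with a defensive sketch: a sender-controlled file name joined directly to the import directory, next to a hardened resolver. This is an added example, not code from the InTouch app; the class, method names, directory layout and sample names are all hypothetical, and it uses only java.io so it runs on a plain JVM.

```java
import java.io.File;
import java.io.IOException;

// Added example: names and paths are hypothetical, not taken from the InTouch app.
public class SafeImport {

    // Vulnerable pattern: the sender-controlled name is joined to the directory as-is,
    // so a name containing "../" resolves outside importDir.
    static File resolveUnsafe(File importDir, String untrustedName) {
        return new File(importDir, untrustedName);
    }

    // Hardened pattern: keep only the last path segment, reject empty or dot names,
    // then confirm the canonical target is still inside the import directory.
    static File resolveSafe(File importDir, String untrustedName) throws IOException {
        if (untrustedName == null) {
            throw new IOException("missing file name");
        }
        // Treat both separators as path separators regardless of platform.
        String normalized = untrustedName.replace('\\', '/');
        String leaf = normalized.substring(normalized.lastIndexOf('/') + 1);
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..") || leaf.indexOf('\0') >= 0) {
            throw new IOException("rejected file name: " + untrustedName);
        }
        File base = importDir.getCanonicalFile();
        File target = new File(base, leaf).getCanonicalFile();
        // Defence in depth: catches symlinks or anything the leaf check missed.
        if (!target.toPath().startsWith(base.toPath())) {
            throw new IOException("target escapes import directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout standing in for an app's internal storage.
        File importDir = new File(System.getProperty("java.io.tmpdir"), "demo_app/files/imports");
        String[] names = { "contacts.vcf", "../../shared_prefs/settings.xml", "..", "a/b/../../../x.so" };
        for (String name : names) {
            System.out.println("unsafe: " + name + " -> " + resolveUnsafe(importDir, name).getCanonicalPath());
            try {
                System.out.println("safe:   " + name + " -> " + resolveSafe(importDir, name));
            } catch (IOException e) {
                System.out.println("safe:   " + name + " -> " + e.getMessage());
            }
        }
    }
}
```

The hardened resolver keeps every accepted name inside the import directory, so a traversal-laden name is either reduced to its final segment or rejected outright.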

Added: Mar 31, 2026, 9:05 PM
Updated: Mar 31, 2026, 9:05 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.4
remediation: 0.0
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.