Apktool Path Traversal Vulnerability Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in Apktool versions 3.0.0 and 3.0.1. The issue arises in the file 'ResFileDecoder.java', where the removal of a path sanitization function allows a maliciously crafted APK to write arbitrary files to the filesystem during the decoding process. The crafted APK embeds '../' sequences in the resource paths stored in the 'resources.arsc' Type String Pool; because those paths are no longer sanitized before the file write, the decoder escapes the designated output directory and writes files to sensitive locations, such as SSH configuration or startup folders, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary file writes, with the potential to overwrite sensitive files such as SSH configurations or startup scripts, escalating to remote code execution.

Reproduction

To reproduce this vulnerability, use Apktool version 3.0.0 or 3.0.1 to decode an APK file that has been crafted to include '../' sequences in the 'resources.arsc' Type String Pool. Decoding such an APK causes Apktool to write files to arbitrary locations on the filesystem, such as '~/.ssh/config' or the Windows Startup folder.

Remediation

Users can upgrade to Apktool version 3.0.2, which restores the path sanitization function to 'ResFileDecoder.java' before file write operations, effectively mitigating the vulnerability.
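As an added illustration of the kind of check the fix restores (this is example code written here, not Apktool's own sanitizer, whose implementation is not shown on this page), the following Python resolves each APK-supplied resource path against the output directory and rejects any path that does not stay inside it. The sample Type String Pool entries are constructed for the example.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import List, Optional, Tuple


def safe_output_path(out_dir: str, res_path: str) -> Optional[Path]:
    """Map an APK-supplied resource path onto out_dir, or return None if it escapes.

    Assumed containment check (not Apktool's code): treat the string as relative,
    resolve it against the output directory and require the result to stay inside.
    """
    # Normalise Windows separators so "..\\" is handled the same as "../"
    rel = res_path.replace("\\", "/")
    # An absolute or drive-letter path can never be a legitimate resource entry
    if PurePosixPath(rel).is_absolute() or PureWindowsPath(rel).is_absolute():
        return None
    base = Path(out_dir).resolve()
    candidate = (base / rel).resolve()  # collapses any "../" components
    if candidate == base:
        return None  # "res/.." and friends land on the directory itself
    try:
        candidate.relative_to(base)  # raises ValueError when outside base
    except ValueError:
        return None
    return candidate


# Constructed sample of Type String Pool entries: two legitimate, two traversing
SAMPLE_POOL = [
    "res/drawable/icon.png",
    "res/layout/main.xml",
    "res/../../.ssh/config",
    "res\\..\\..\\..\\Startup\\run.bat",
]


def triage_pool(out_dir: str, entries: List[str]) -> Tuple[List[str], List[str]]:
    """Split entries into (accepted, rejected) for a given output directory."""
    accepted, rejected = [], []
    for entry in entries:
        if safe_output_path(out_dir, entry) is not None:
            accepted.append(entry)
        else:
            rejected.append(entry)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage_pool("apk_out", SAMPLE_POOL)
    print("accepted:", ok)
    print("rejected:", bad)
```

Running this on the sample accepts the two 'res/...' entries and rejects both traversing entries before any file is written.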

Added: Apr 21, 2026, 2:24 AM
Updated: Apr 21, 2026, 2:24 AM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 6.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.