ALEAPP NQ Vault Path Traversal Vulnerability Allowing Arbitrary File Writes

A path traversal vulnerability has been identified in ALEAPP (Android Logs Events And Protobuf Parser) versions through 3.4.0. The issue resides in the NQ_Vault.py artifact parser, which directly uses attacker-controlled file_name_from values from a database as output filenames. This vulnerability allows arbitrary file writes outside the designated report output directory. An attacker could exploit this by embedding a path traversal payload, such as '../../../outside_written.bin', into the database, potentially leading to code execution by overwriting executable files or configuration.

Impact

Exploitation of this vulnerability allows for path traversal, enabling arbitrary file writes outside the intended directory. This could be leveraged to execute malicious code by overwriting certain files.

Reproduction

The vulnerability can be reproduced by embedding a path traversal payload into the database that ALEAPP reads from. When the NQ_Vault.py parser processes this data, it will write a file to the location specified by the traversal payload, bypassing normal directory restrictions. This can be automated with a script that interacts with the ALEAPP tool, using the 'file_decryption' function to process the crafted database entry.

Remediation

Users can update to ALEAPP version 3.4.0 or later, where this vulnerability has been fixed.