Vulnerabilities discovered in the Android Open Source Project by SEARCH-LAB

SEARCH-LAB discovered several vulnerabilities in the Android Open Source Project end of last summer. They were responsible disclosed to the Android security team and now that the fixes are deployed, will be revelead for the public:

1. Android backup agent arbitrary code execution
The bindBackupAgent() method of the Android backup agent implementation was bound to an improper privilege, meaning shell user could call this function.
Combining this problem with a TOCTOU issue existing between PackageManager and ActivityManagerService, we successfully ran arbitrary code as the system user.

2. ADB backup archive path traversal file overwrite
The adb client can be used to create and restore backup archives. The archives are internally based on the TAR format popular in the Unix world.
SEARCH-LAB discovered that the restore implementation did not properly sanitize the filename fields coming from the TAR headers. By restoring a specially crafted ADB backup archive one could traverse the directory limitation and overwrite system files.
See the complete advisory for other requirements of this vulnerability.

3. MTP path traversal vulnerability in Android 4.4
The sever side implementation of MTP protocol running on the Android devices did not properly sanitize the filename field received in the MTP request.
By sending specially crafted MTP requests to the target Android device, one could traverse the intended directory restricion (eg. /sdcard) and upload files outside of it.

We also have one more vulnerability in this area, which we are going to publish on July 1, 2015 since Google still has not addressed it.