CVE-2023-39957 - Nextcloud Talk Android Path Traversal Vulnerability Exploit and Analysis

CVE-2023-39957 is a security vulnerability in the Nextcloud Talk Android app prior to version 17... This issue allowed a malicious app installed on the same device to trick the Talk app into writing files outside of its protected cache directory. In this post, I'll break down how this vulnerability worked, walk through how it can be exploited, and show code snippets illustrating the risk. We'll also look at the fix and link to the main resources for deeper research.

---

What is Nextcloud Talk Android?

Nextcloud Talk is an open-source video and audio calling solution for Nextcloud, and it’s widely used for secure, self-hosted communications on Android devices.

How Does the Vulnerability Happen?

The problem lies in how the Talk Android app processed certain "intents." Android intents are messages that one app can send to a component (an activity, service or broadcast receiver) of another app. Sending a photo from your gallery to your messenger, for example, is done via an intent. A component that is exported can receive intents from any app installed on the device, so everything it reads out of an incoming intent is untrusted input.

In Nextcloud Talk Android (before version 17..), an exported component let any other app on the device ask Nextcloud Talk to write a file to disk. The app built the destination from the path supplied in the intent without checking that the result stayed inside its cache directory. A malicious app could therefore make Nextcloud Talk write a file anywhere the Talk app's own UID is allowed to write, for example over the app's own data files outside the cache. Android's per-app sandbox still applies: the write runs as the Talk app, not as the attacker and not as root, so system directories and other apps' private directories remain out of reach.

This is called a path traversal vulnerability: the input contains sequences such as ../ that let it break out of the expected directory and reach somewhere it should not.

Here’s a breakdown of how an attacker could have abused CVE-2023-39957:

1. A malicious app crafts a special intent with a file path like ../../../../data/data/com.victim.app/files.

2. That malicious app sends the intent to the Nextcloud Talk Android app.

3. Nextcloud Talk Android receives the intent and, because it does not check where the path resolves to, writes the file wherever the intent says.

Below is a simple example of what a malicious app might use to exploit this bug:

import android.content.Context;
import android.content.Intent;

// Illustrative only: the action and extra names below are placeholders standing in
// for whatever the exported component actually accepted, not the real ones.
Intent exploitIntent = new Intent();
exploitIntent.setAction("com.nextcloud.talk.WRITE_FILE");
// Target the Talk package explicitly so no other app receives the intent.
exploitIntent.setPackage("com.nextcloud.talk");

// Relative path with "../" segments meant to escape the cache directory.
String maliciousPath = "../../../../data/data/com.victim.app/files/evil.txt";
exploitIntent.putExtra("file_path", maliciousPath);
exploitIntent.putExtra("file_contents", "You have been hacked!");

// Deliver the intent; 'context' is any android.content.Context the malicious app holds.
context.sendBroadcast(exploitIntent);

What does this do?
The malicious app asks Nextcloud Talk to write a text file called “evil.txt” into another app’s files directory. If Nextcloud Talk resolves that path without a containment check, the write is attempted at a location its cache handler should never touch. Whether it succeeds depends on the Talk app's own permissions: on a sandboxed Android device the Talk UID cannot write into another app's private directory, so the realistic targets are Talk's own files outside the cache and any shared storage it can write to.

Note: This is a basic illustration. The action and extra names are placeholders, and actual exploitation could be more sophisticated.

Real World Impact

- Data Overwrite or Destruction: Attackers could overwrite files the Talk app itself can write, such as its own databases or settings, causing the app to crash or lose data.

- Data Leakage: Content could be written to locations readable by other apps, such as shared external storage, where the app sandbox no longer protects it.

- Denial of Service: Overwriting or corrupting cache or config files could break Nextcloud Talk, or other apps that use the same shared storage.

No workaround is available if you’re on an old version; the only fix is upgrading.

The Patch

Nextcloud patched this vulnerability in version 17.. of their Talk Android app. The patch ensures that all incoming file paths from intents are:

- Checked for path traversal sequences (like ../)

- Validated to make sure they stay inside the safe cache directory

This prevents attackers from breaking out of the expected storage location. As general practice beyond this specific patch, a component should only be exported when other apps genuinely need to reach it (android:exported="false" otherwise), and every extra it accepts should be treated as untrusted input.

Example of patched code logic (pseudocode):

File cacheDir = context.getCacheDir();
File targetFile = new File(cacheDir, inputFileName);

// Canonicalize both paths to resolve "..", "." and symlinks. Compare against the
// cache directory plus a trailing separator: a bare prefix check would also accept
// a sibling directory whose name merely begins with the cache directory's name.
// getCanonicalPath() throws IOException, which the caller must handle.
String allowedPrefix = cacheDir.getCanonicalPath() + File.separator;
if (!targetFile.getCanonicalPath().startsWith(allowedPrefix)) {
    throw new SecurityException("Invalid file path!");
}

// Now safe to write to the file
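As an added example (my own code, not code from the Nextcloud project or from the advisory), here is a self-contained Java version of the containment check above, generalised to the cases a practitioner should test: the plain ../ escape used in the exploit section, the sibling-directory bypass of a bare prefix comparison, mixed ./ and ../ segments, and empty or directory-only input. The class and method names are my own, and a temporary directory stands in for Android's context.getCacheDir(); the inputs in main are constructed for the demo.

```java
import java.io.File;
import java.io.IOException;

public final class SafeCachePath {

    /**
     * Resolves an untrusted, intent-supplied name against baseDir and returns the
     * target only if its canonical location lies strictly inside baseDir.
     * Canonicalisation collapses "." and ".." and follows symlinks, so the check
     * is made on where the file would really land, not on the string as supplied.
     */
    static File resolveInside(File baseDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new SecurityException("empty file name");
        }
        // new File(parent, child) always resolves child underneath parent, so an
        // absolute child such as "/data/x" becomes "<base>/data/x" rather than /data/x.
        File target = new File(baseDir, untrustedName);

        String basePath = baseDir.getCanonicalPath();
        // Compare against the base plus a trailing separator. Without it, a sibling
        // directory whose name merely starts with the base name (".../cache-evil/")
        // passes a plain startsWith(".../cache") check.
        String allowedPrefix = basePath.endsWith(File.separator) ? basePath : basePath + File.separator;
        String targetPath = target.getCanonicalPath();
        if (!targetPath.startsWith(allowedPrefix)) {
            throw new SecurityException("path escapes " + basePath + ": " + untrustedName);
        }
        return target;
    }

    /** Convenience wrapper for callers that only need an accept/reject decision. */
    static boolean isAllowed(File baseDir, String untrustedName) {
        try {
            resolveInside(baseDir, untrustedName);
            return true;
        } catch (IOException | SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Stand-in for context.getCacheDir(); any writable directory will do.
        File cacheDir = new File(System.getProperty("java.io.tmpdir"), "talk-cache-demo");
        if (!cacheDir.isDirectory() && !cacheDir.mkdirs()) {
            throw new IOException("cannot create " + cacheDir);
        }

        // Constructed inputs: the first two are what a well-behaved caller sends,
        // the rest are traversal attempts that must all be rejected.
        String[][] cases = {
            {"evil.txt", "true"},
            {"sub/dir/file.bin", "true"},
            {"../../../../data/data/com.victim.app/files/evil.txt", "false"}, // classic ../ escape
            {"../talk-cache-demo-evil/x", "false"},   // sibling-prefix bypass of a bare startsWith
            {"./../talk-cache-demo/../x", "false"},   // mixed ./ and ../ that ends outside
            {".", "false"},                           // the directory itself is not a file target
            {"", "false"},                            // empty name
        };
        for (String[] c : cases) {
            boolean got = isAllowed(cacheDir, c[0]);
            boolean want = Boolean.parseBoolean(c[1]);
            System.out.printf("%-55s -> %s%s%n", "\"" + c[0] + "\"",
                    got ? "allowed" : "rejected", got == want ? "" : "   (UNEXPECTED)");
        }
    }
}
```

The sibling-prefix case is the one the short pseudocode misses if the separator is left off: "../talk-cache-demo-evil/x" canonicalises to a path that starts with the string ".../talk-cache-demo" but lies in a different directory. Rejecting "." is deliberate, since the caller asked for a file to write, not the cache directory itself.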

Resources

- GitHub Security Advisory (GHSA-96f6-c63p-6mhr): https://github.com/advisories/GHSA-96f6-c63p-6mhr
- NVD Listing (CVE-2023-39957): https://nvd.nist.gov/vuln/detail/CVE-2023-39957
- Nextcloud Talk Android App Source: https://github.com/nextcloud/talk-android

How to Stay Safe

If you use Nextcloud Talk on Android, make sure you’re running version 17.. or newer. There is no workaround for this flaw: older versions are vulnerable to any malicious app installed on the same device.

Summary

CVE-2023-39957 is a path traversal bug in Nextcloud Talk Android before version 17... It lets a malicious app on the same device make Talk write files outside its cache directory, anywhere the Talk app itself can write. Exploitation requires nothing more than a malicious app installed alongside Talk. The Nextcloud team fixed it in version 17.., and the advisory was published in August 2023. Always patch your apps, and watch out for unexpected permissions or activities from other apps on your phone.


If you want more details or have questions about this vulnerability, check out the advisory links above or reach out to the [Nextcloud security team](mailto:support@nextcloud.com). Stay safe!

Timeline

Published on: 08/10/2023 16:15:00 UTC
Last modified on: 08/16/2023 19:57:00 UTC