CVE-2020-5764

MX Player Android App versions prior to v1.24.5, are vulnerable to a directory traversal vulnerability when user is using the MX Transfer feature in "Receive" mode. An attacker can exploit this by connecting to the MX Transfer session as a "sender" and sending a MessageType of "FILE_LIST" with a "name" field containing directory traversal characters (../). This will result in the file being transferred to the victim's phone, but being saved outside of the intended "/sdcard/MXshare" directory. In some instances, an attacker can achieve remote code execution by writing ".odex" and ".vdex" files in the "oat" directory of the MX Player application.

CVSS v3 8.8 HIGH
CVSS v2.0 5.8 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:A/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 6.5 / Impact : 6.4

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.tenable.com/security/research/tra-2020-41	Exploit Third Party Advisory
https://www.tenable.com/security/research/tra-2020-41	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mxplayer:mx_player:*:*:*:*:*:android:*:*

History

21 Nov 2024, 05:34

Type	Values Removed	Values Added
References	~~() https://www.tenable.com/security/research/tra-2020-41 - Exploit, Third Party Advisory~~	() https://www.tenable.com/security/research/tra-2020-41 - Exploit, Third Party Advisory

Information

Published : 2020-07-08 14:15

Updated : 2024-11-21 05:34

NVD link : CVE-2020-5764

Mitre link : CVE-2020-5764

CVE.ORG link : CVE-2020-5764

JSON object : View

Products Affected

mxplayer

mx_player

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2020-5764", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2020-07-08T14:15:10.477", "references": [{"url": "https://www.tenable.com/security/research/tra-2020-41", "tags": ["Exploit", "Third Party Advisory"], "source": "vulnreport@tenable.com"}, {"url": "https://www.tenable.com/security/research/tra-2020-41", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "MX Player Android App versions prior to v1.24.5, are vulnerable to a directory traversal vulnerability when user is using the MX Transfer feature in \"Receive\" mode. An attacker can exploit this by connecting to the MX Transfer session as a \"sender\" and sending a MessageType of \"FILE_LIST\" with a \"name\" field containing directory traversal characters (../). This will result in the file being transferred to the victim's phone, but being saved outside of the intended \"/sdcard/MXshare\" directory. In some instances, an attacker can achieve remote code execution by writing \".odex\" and \".vdex\" files in the \"oat\" directory of the MX Player application."}, {"lang": "es", "value": "Las versiones de MX Player Android App anteriores a v1.24.5, son susceptibles a una vulnerabilidad de salto de directorio cuando un usuario est\u00e1 usando la funcionalidad MX Transfer en modo \"Receive\". Un atacante puede explotar esto al conectarse a la sesi\u00f3n de MX Transfer como \"sender\" y enviando un MessageType de \"FILE_LIST\" con un campo \"name\" que contiene caracteres de salto de directorio (../). Esto resultar\u00e1 en que el archivo es transferido hacia el tel\u00e9fono de la v\u00edctima, pero siendo guardado fuera del directorio previsto \"/sdcard /MXshare\". En algunas instancias, un atacante puede lograr una ejecuci\u00f3n de c\u00f3digo remota al escribir archivos \".odex\" y \".vdex\" en el directorio \"oat\" de la aplicaci\u00f3n MX Player"}], "lastModified": "2024-11-21T05:34:33.707", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mxplayer:mx_player:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "C8E9A810-2BAB-4A92-A231-121D804C88C2", "versionEndExcluding": "1.24.5"}], "operator": "OR"}]}], "sourceIdentifier": "vulnreport@tenable.com"}