A new directory traversal vulnerability has been discovered in MX Player that can lead to arbitrary code execution on the victim’s device. The vulnerability was present in the sharing feature, a direct phone-to-phone file sharing feature.
MX Player is a video player app that has 500M+ downloads on the Play Store and a rating of 4.4. It is available on iOS, Android, and the web.
MX Player Directory Traversal to RCE
The vulnerability is tracked as CVE-2020-5764 and was present in the video-sharing feature, a direct phone-to-phone file sharing feature.
The flaw is a directory traversal vulnerability through which an attacker can achieve remote code execution. An attacker can exploit this by connecting to the MX Transfer session as a “sender” and sending a MessageType of “FILE_LIST” with a “name” field containing directory traversal characters (../). This results in the file being transferred to the victim’s phone but saved outside of the intended “/sdcard/MXshare” directory.
In some cases, an attacker can achieve remote code execution by writing “.odex” and “.vdex” files in the “oat” directory of the MX Player application.
A PoC for the MX Player remote code execution vulnerability has been made available on GitHub. For a detailed explanation of the vulnerability, read here.
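The receiver-side handling of the FILE_LIST “name” field described above, shown as the unchecked join next to a canonical-path check that keeps writes inside the share directory. This is an added example, not MX Player's code or the vendor's patch; the class and method names are hypothetical and the sample file names are constructed.

```java
import java.io.File;
import java.io.IOException;

// Added example (not MX Player's code): validating the sender-supplied
// "name" of a FILE_LIST entry. Class and method names are hypothetical.
public class SharePathCheck {

    // Vulnerable pattern: the sender-controlled name is joined to the share
    // directory as-is, so "../" segments walk out of it.
    static File unsafeTarget(File shareDir, String name) {
        return new File(shareDir, name);
    }

    // Hardened pattern: canonicalize the joined path, then require the
    // result to stay under the canonical share directory.
    static File safeTarget(File shareDir, String name) throws IOException {
        if (name == null || name.isEmpty() || name.indexOf('\0') >= 0) {
            throw new IOException("rejected file name");
        }
        File base = shareDir.getCanonicalFile();
        File target = new File(base, name).getCanonicalFile();
        // Compare with a trailing separator so "/sdcard/MXshare2" does not
        // pass as a child of "/sdcard/MXshare".
        String prefix = base.getPath() + File.separator;
        if (!target.getPath().startsWith(prefix)) {
            throw new IOException("path escapes share directory");
        }
        return target;
    }

    public static void main(String[] args) {
        File shareDir = new File("/sdcard/MXshare"); // directory named in the article
        // Constructed sample values for the "name" field.
        String[] names = {"holiday.mp4", "clips/a.mp4", "../../outside.bin", "a/../../b.bin"};
        for (String n : names) {
            try {
                System.out.println("accept " + n + " -> " + safeTarget(shareDir, n));
            } catch (IOException e) {
                System.out.println("reject " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Because the check runs on the canonical path, it also rejects names that hide the traversal behind a leading directory segment, and it resolves symlinks in any part of the path that already exists.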
Patch for the MX Player Vulnerability
After discovering the vulnerability, the researcher mailed the company about it, and the company patched the vulnerability in the v1.24.5 release.