Posted by Imre RAD on Apr 17

MTP path traversal vulnerability in Android 4.4
———————————————–

doSendObjectInfo() method of the MtpServer class implemented in
frameworks/av/media/mtp/MtpServer.cpp does not validate the name
parameter of the incoming MTP packet at all.

It is possible to upload files outside of the sdcard using a specially
crafted MTP request:

root () testpc:~/mtp-test# ./mtp-mysend sdf.txt …