Document Title:
===============
Super File Explorer 1.0.1 - Arbitrary File Upload Vulnerability

References (Source):
====================
http://ift.tt/2maxSxz

Release Date:
=============
2017-02-23

Vulnerability Laboratory ID (VL-ID):
====================================
2034

Common Vulnerability Scoring System:
====================================
7

Product & Service Introduction:
===============================
This app is a file manager and viewer for iPhone, iPod touch, and iPad. Copy, paste, rename, and move files. Integrates with AttachmentSaver and Safari Download Manager. Dynamic file sharing folder for iTunes. Manage files in your Dropbox, SugarSync, etc. Send files as email attachments. View and download email attachments. Full screen file viewer.

(Copy of the Homepage: http://ift.tt/2p830vN )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a vulnerability in the Super File Explorer v1.0.1 iOS mobile application.

Vulnerability Disclosure Timeline:
==================================
2017-02-23: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
LZX Apps
Product: Super File Explorer - File Viewer & File Manager (Wifi UI & FTP) 1.0.1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official Super File Explorer v1.0.1 iOS mobile application. The web vulnerability allows remote attackers to upload arbitrary files and thereby compromise, for example, the file system of the service.

The vulnerability is located in the developer path, which is hidden next to the root path but remains accessible. Remote attackers are able to upload malicious files such as webshells to the developer path and, in a next step, use them to access the `/etc/passwd` file of the ftp service. This finally allows the attacker to gain access to the root credentials of the ftp application and to compromise the service or the mobile device. The permission rights within the developer path allow an attacker to access the passwd file and other sensitive data. By default no password is set up for the ftp or web ui account. Attackers can, for example, access the ftp via console to upload a local file to the developer path. After that the attacker can remotely access the ftp web ui service, which is active at the same time, to execute the file. Then the attacker downloads the passwd file and can log in to the service with the ftp root credentials.

The security risk of the vulnerability is estimated as high with a common vulnerability scoring system count of 7.0.

Exploitation of the web vulnerability requires a low privilege ftp application user account and no user interaction. Successful exploitation of the arbitrary file upload web vulnerability results in application or device compromise.

Proof of Concept (PoC):
=======================
The arbitrary file upload web vulnerability can be exploited by remote attackers without a privileged application user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the vulnerable mobile iOS application on your test iDevice (iPhone)
2. Start the mobile device software
3. Start the ftp and web-server via the remote manager button
4. Open the ftp via console and log in as a random user with any credentials
5. Move to the developer path in the upper folder
6. Upload a webshell from a remote system or a local system path via the network
7. Open the ftp web ui url (http://localhost) and move to the developer path
8. Open the webshell and request via GET the "/etc/passwd" file, which is accessible
9. Log in again to the ftp server using root:smx7MYTQIi2M
10. Successful root access to compromise the ftp server and the mobile device via the arbitrary file upload vulnerability!

FTP WEB UI URL: http://localhost
FTP SERVER URL: localhost:2121
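The root cause described above is an upload handler that lets any file, under any name, land in a directory the co-located web UI will serve and execute from. As an added illustration that is not part of this advisory or of the app's own code, the following Python shows the naive destination join next to a hardened upload path check of the kind that would have blocked a webshell upload into a hidden developer path. The upload root, the extension lists and all function names are assumptions made for the example.

```python
import os

# Added, illustrative code (not from the advisory or the app). The upload
# root, extension sets and function names below are assumptions.
UPLOAD_ROOT = "/var/app/shared"  # assumed: the only directory uploads may land in

# Assumed policy: an explicit allow-list of harmless document/media types...
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".jpg", ".png", ".zip"}
# ...plus an explicit deny-list of script-like types a web UI might execute,
# kept separately so a later widening of the allow-list cannot re-admit them.
BLOCKED_EXTENSIONS = {".php", ".cgi", ".pl", ".py", ".sh", ".jsp", ".asp", ".aspx"}


class UploadRejected(ValueError):
    """Raised when an upload request fails the path or type checks."""


def naive_destination(root, requested_name):
    """The weak form: trust the client-supplied name and join it onto root.
    A name containing '..' segments escapes root entirely."""
    return os.path.realpath(os.path.join(root, requested_name))


def stays_inside(root, path):
    """True if `path` resolves to a location under `root` (symlinks resolved)."""
    root_abs = os.path.realpath(root)
    path_abs = os.path.realpath(path)
    return os.path.commonpath([root_abs, path_abs]) == root_abs


def resolve_upload_path(root, requested_name):
    """The hardened form: return the absolute destination for an upload, or
    raise UploadRejected. Rejects directory separators and traversal segments
    outright (rather than silently flattening them), hidden files, and any
    extension that is not on the allow-list, then proves the final path still
    lies under root as defence in depth."""
    if not requested_name or requested_name != requested_name.strip():
        raise UploadRejected("empty or whitespace-padded name")
    if "/" in requested_name or "\\" in requested_name:
        raise UploadRejected("directory separators not permitted: %r" % requested_name)
    if requested_name in (".", "..") or requested_name.startswith("."):
        raise UploadRejected("hidden or traversal-like name: %r" % requested_name)
    ext = os.path.splitext(requested_name)[1].lower()
    if ext in BLOCKED_EXTENSIONS or ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not permitted: %r" % ext)
    dest = os.path.realpath(os.path.join(os.path.realpath(root), requested_name))
    if not stays_inside(root, dest):
        raise UploadRejected("destination escapes upload root")
    return dest


def upload_allowed(root, requested_name):
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        resolve_upload_path(root, requested_name)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample names: the first two mirror the kind of request the
    # advisory describes (a script dropped into a sibling directory).
    for name in ["../developer/shell.php", "shell.php", ".htaccess", "report.pdf"]:
        naive = naive_destination(UPLOAD_ROOT, name)
        print("%-24s naive->%-40s inside=%s hardened=%s" % (
            name, naive, stays_inside(UPLOAD_ROOT, naive),
            "accept" if upload_allowed(UPLOAD_ROOT, name) else "reject"))
```

The two checks are deliberately independent: the allow-list stops a script from being stored even inside the intended directory, and the `stays_inside` test stops any name from reaching a sibling directory such as the developer path, so a bug in one does not remove the other. The same decision should also be applied to FTP `STOR` and rename operations, not only to the web UI upload form, since the advisory reaches the developer path over FTP first.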