SEC Consult SA-20140402-0 :: Multiple vulnerabilities in Rhythm File Manager

2014-04-07T00:00:00
ID SECURITYVULNS:DOC:30456
Type securityvulns
Reporter Securityvulns
Modified 2014-04-07T00:00:00

Description

SEC Consult Vulnerability Lab Security Advisory < 20140402-0 >

          title: Multiple vulnerabilities
        product: Rhythm Software File Manager
                 Rhythm Software File Manager HD

vulnerable version: File Manager 1.16.6 File Manager HD 1.11.5 fixed version: - CVE number: - impact: critical homepage: http://rhmsoft.com/ found: 2013-12-01 by: Wolfgang Ettlinger SEC Consult Vulnerability Lab https://www.sec-consult.com =======================================================================

Vendor description:

"Full featured file manager on Android, fresh UI design and user friendly functions!"

URL: http://rhmsoft.com/?p=78

"Best tablet optimized file manager on Honeycomb! High definition (1280*800) with fresh UI design and user friendly functions! Special optimization for tablets and certified on Honeycomb! Enjoy it!"

URL: http://rhmsoft.com/?p=4

Vulnerability overview/description:

1) Local File Disclosure When streaming from the network (e.g. when a video from an SMB share is opened in a video player) the App opens a HTTP server on port 37564. This web server allows anyone on the same network to retrieve arbitrary local files the App has access to. If the App is configured to use root permissions, local files can be read as the local superuser.

2) Privilege Escalation Any local App can open directories in the File Manager. As the File Manager does not properly escape special characters in the file path when used with root privileges, any local App can inject arbitrary commands that are executed as the user root.

This vulnerability can also be exploited with crafted directory names. An attacker could e.g. provide an archive file. When the victim unpacks the archive and opens the unpacked directory in the File Manager, commands contained in the directory name are executed as the user root.

3) Unauthenticated Remote Command Injection If the File Manager is configured to browse with root privileges, the file path from vulnerability 1 (Local File Disclosure) is not being escaped properly before being passed to the "su" command. This allows users on the same network to execute arbitrary commands as the user root.

Proof of concept:

No proof of concepts are provided as the vendor did not provide a patch.

Vulnerable / tested versions:

These vulnerabilities were verified with the following versions: * File Manager 1.16.6 * File Manager HD 1.11.5

Vendor contact timeline:

2014-02-05: Contacting vendor through support@rhmsoft.com 2014-02-06: Initial vendor response 2014-02-10: Sending advisory information 2014-02-19: Sending public release schedule as the vendor did not acknowledge the retrieval of the preliminary security advisory 2014-02-19: Vendor acknowledges the vulnerabilities and states that he will try to fix them before the public disclosure date 2014-03-26: Asked vendor whether the vulnerabilities have been fixed/will be fixed before public release date. 2014-03-30: Vendor states that the vulnerabilities will be fixed in "near future". 2014-03-31: Informed vendor that the advisory will be released as planned. 2014-04-02: Public release of the advisory.

Solution:

The vendor did not fix the vulnerabilities. The vendor states that the vulnerabilities will be fixed in near future.

Workaround:

There is no workaround known other than to uninstall the App until a patch is available.

Advisory URL:

https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab

SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15

Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult? Write to career@sec-consult.com

EOF Wolfgang Ettlinger / @2014