title: Multiple vulnerabilities product: Rhythm Software File Manager Rhythm Software File Manager HD
vulnerable version: File Manager 1.16.6 File Manager HD 1.11.5 fixed version: - CVE number: - impact: critical homepage: http://rhmsoft.com/ found: 2013-12-01 by: Wolfgang Ettlinger SEC Consult Vulnerability Lab https://www.sec-consult.com =======================================================================
"Full featured file manager on Android, fresh UI design and user friendly functions!"
"Best tablet optimized file manager on Honeycomb! High definition (1280*800) with fresh UI design and user friendly functions! Special optimization for tablets and certified on Honeycomb! Enjoy it!"
1) Local File Disclosure When streaming from the network (e.g. when a video from an SMB share is opened in a video player) the App opens a HTTP server on port 37564. This web server allows anyone on the same network to retrieve arbitrary local files the App has access to. If the App is configured to use root permissions, local files can be read as the local superuser.
2) Privilege Escalation Any local App can open directories in the File Manager. As the File Manager does not properly escape special characters in the file path when used with root privileges, any local App can inject arbitrary commands that are executed as the user root.
This vulnerability can also be exploited with crafted directory names. An attacker could e.g. provide an archive file. When the victim unpacks the archive and opens the unpacked directory in the File Manager, commands contained in the directory name are executed as the user root.
3) Unauthenticated Remote Command Injection If the File Manager is configured to browse with root privileges, the file path from vulnerability 1 (Local File Disclosure) is not being escaped properly before being passed to the "su" command. This allows users on the same network to execute arbitrary commands as the user root.
No proof of concepts are provided as the vendor did not provide a patch.
These vulnerabilities were verified with the following versions: * File Manager 1.16.6 * File Manager HD 1.11.5
2014-02-05: Contacting vendor through email@example.com 2014-02-06: Initial vendor response 2014-02-10: Sending advisory information 2014-02-19: Sending public release schedule as the vendor did not acknowledge the retrieval of the preliminary security advisory 2014-02-19: Vendor acknowledges the vulnerabilities and states that he will try to fix them before the public disclosure date 2014-03-26: Asked vendor whether the vulnerabilities have been fixed/will be fixed before public release date. 2014-03-30: Vendor states that the vulnerabilities will be fixed in "near future". 2014-03-31: Informed vendor that the advisory will be released as planned. 2014-04-02: Public release of the advisory.
The vendor did not fix the vulnerabilities. The vendor states that the vulnerabilities will be fixed in near future.
There is no workaround known other than to uninstall the App until a patch is available.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab
SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15
Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult
Interested to work with the experts of SEC Consult? Write to firstname.lastname@example.org
EOF Wolfgang Ettlinger / @2014